about summary refs log tree commit diff
path: root/src/libstore
diff options
context:
space:
mode:
authorEelco Dolstra <edolstra@gmail.com>2017-05-30T11·43+0200
committerEelco Dolstra <edolstra@gmail.com>2017-05-30T11·47+0200
commitd798349ede3d6eb6e92a2e4f95f6b2179407ceb9 (patch)
treed4a61e86e2d11031d65073612278ab518004d5a9 /src/libstore
parentff6becafa8efc2f7e6f2b9b889ba4adf20b8d524 (diff)
canonicalisePathMetaData(): Remove extended attributes / ACLs
EAs/ACLs are not part of the NAR canonicalisation. Worse, setting an
ACL allows a builder to create writable files in the Nix store. So get
rid of them.

Closes #185.
Diffstat (limited to 'src/libstore')
-rw-r--r--src/libstore/local-store.cc22
1 files changed, 22 insertions, 0 deletions
diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc
index 3ac23ec268ff..5b03e86f3eaa 100644
--- a/src/libstore/local-store.cc
+++ b/src/libstore/local-store.cc
@@ -27,6 +27,7 @@
 #include <sys/statvfs.h>
 #include <sys/mount.h>
 #include <sys/ioctl.h>
+#include <sys/xattr.h>
 #endif
 
 #include <sqlite3.h>
@@ -407,6 +408,27 @@ static void canonicalisePathMetaData_(const Path & path, uid_t fromUid, InodesSe
     if (!(S_ISREG(st.st_mode) || S_ISDIR(st.st_mode) || S_ISLNK(st.st_mode)))
         throw Error(format("file ‘%1%’ has an unsupported type") % path);
 
+#if __linux__
+    /* Remove extended attributes / ACLs. */
+    ssize_t eaSize = llistxattr(path.c_str(), nullptr, 0);
+
+    if (eaSize < 0) {
+        if (errno != ENOTSUP)
+            throw SysError("querying extended attributes of ‘%s’", path);
+    } else if (eaSize > 0) {
+        std::vector<char> eaBuf(eaSize);
+
+        if ((eaSize = llistxattr(path.c_str(), eaBuf.data(), eaBuf.size())) < 0)
+            throw SysError("querying extended attributes of ‘%s’", path);
+
+        for (auto & eaName: tokenizeString<Strings>(std::string(eaBuf.data(), eaSize), std::string("\000", 1)))
+            if (lremovexattr(path.c_str(), eaName.c_str()) == -1)
+                throw SysError("removing extended attribute ‘%s’ from ‘%s’", eaName, path);
+
+        assert(llistxattr(path.c_str(), nullptr, 0) == 0);
+    }
+#endif
+
     /* Fail if the file is not owned by the build user.  This prevents
        us from messing up the ownership/permissions of files
        hard-linked into the output (e.g. "ln /etc/shadow $out/foo").