about summary refs log tree commit diff
path: root/src/libstore
diff options
context:
space:
mode:
authorEelco Dolstra <edolstra@gmail.com>2017-05-30T15·40+0200
committerEelco Dolstra <edolstra@gmail.com>2017-05-30T15·40+0200
commitacc889c82179e96537ebe1494ec13b9536d579ca (patch)
treeeeff56d8de6984cdbfe8dd661de9fb6d14c1d8a8 /src/libstore
parent53a16441878ebd4a5ac6ef8a95a649bfd521da3d (diff)
Darwin sandbox: Use sandbox-defaults.sb
Issue #759.

Also, remove nix.conf from the sandbox since I don't really see a
legitimate reason for builders to access the Nix configuration.
Diffstat (limited to 'src/libstore')
-rw-r--r--src/libstore/build.cc6
-rw-r--r--src/libstore/local-store.cc2
-rw-r--r--src/libstore/local.mk14
-rw-r--r--src/libstore/sandbox-defaults.sb (renamed from src/libstore/sandbox-defaults.sb.in)9
4 files changed, 17 insertions, 14 deletions
diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index 46ce562f798e..92471b228d00 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -2656,9 +2656,9 @@ void DerivationGoal::runChild()
                 sandboxProfile += "(deny default (with no-log))\n";
             }
 
-            /* Disallow creating setuid/setgid binaries, since that
-               would allow breaking build user isolation. */
-            sandboxProfile += "(deny file-write-setugid)\n";
+            sandboxProfile +=
+#include "sandbox-defaults.sb.gen.hh"
+                ;
 
             /* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms
                to find temporary directories, so we want to open up a broader place for them to dump their files, if needed. */
diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc
index 5b03e86f3eaa..a226e0110af1 100644
--- a/src/libstore/local-store.cc
+++ b/src/libstore/local-store.cc
@@ -320,7 +320,7 @@ void LocalStore::openDB(State & state, bool create)
     /* Initialise the database schema, if necessary. */
     if (create) {
         const char * schema =
-#include "schema.sql.hh"
+#include "schema.sql.gen.hh"
             ;
         db.exec(schema);
     }
diff --git a/src/libstore/local.mk b/src/libstore/local.mk
index ffdb55abc65b..7bc69f65d800 100644
--- a/src/libstore/local.mk
+++ b/src/libstore/local.mk
@@ -34,12 +34,16 @@ libstore_CXXFLAGS = \
  -DSANDBOX_SHELL="\"$(sandbox_shell)\"" \
  -DLSOF=\"$(lsof)\"
 
-$(d)/local-store.cc: $(d)/schema.sql.hh
+$(d)/local-store.cc: $(d)/schema.sql.gen.hh
 
-%.sql.hh: %.sql
-	$(trace-gen) sed -e 's/"/\\"/g' -e 's/\(.*\)/"\1\\n"/' < $< > $@ || (rm $@ && exit 1)
+$(d)/build.cc: $(d)/sandbox-defaults.sb.gen.hh
 
-clean-files += $(d)/schema.sql.hh
+%.gen.hh: %
+	echo 'R"foo(' >> $@.tmp
+	cat $< >> $@.tmp
+	echo ')foo"' >> $@.tmp
+	mv $@.tmp $@
+
+clean-files += $(d)/schema.sql.gen.hh $(d)/sandbox-defaults.sb.gen.hh
 
 $(eval $(call install-file-in, $(d)/nix-store.pc, $(prefix)/lib/pkgconfig, 0644))
-$(eval $(call install-file-in, $(d)/sandbox-defaults.sb, $(datadir)/nix, 0644))
diff --git a/src/libstore/sandbox-defaults.sb.in b/src/libstore/sandbox-defaults.sb
index b5e80085fbe2..6bd15603e796 100644
--- a/src/libstore/sandbox-defaults.sb.in
+++ b/src/libstore/sandbox-defaults.sb
@@ -28,15 +28,10 @@
 (allow file-read-metadata
        (literal "/var")
        (literal "/tmp")
-       ; symlinks
-       (literal "@sysconfdir@")
-       (literal "@sysconfdir@/nix")
-       (literal "@sysconfdir@/nix/nix.conf")
        (literal "/etc/resolv.conf")
        (literal "/private/etc/resolv.conf"))
 
 (allow file-read*
-       (literal "/private@sysconfdir@/nix/nix.conf")
        (literal "/private/var/run/resolv.conf"))
 
 ; some builders use filehandles other than stdin/stdout
@@ -61,3 +56,7 @@
 
 ; allow local networking
 (allow network* (local ip) (remote unix-socket))
+
+; Disallow creating setuid/setgid binaries, since that
+; would allow breaking build user isolation.
+(deny file-write-setugid)