diff options
author | Eelco Dolstra <edolstra@gmail.com> | 2017-05-30T15·40+0200 |
---|---|---|
committer | Eelco Dolstra <edolstra@gmail.com> | 2017-05-30T15·40+0200 |
commit | acc889c82179e96537ebe1494ec13b9536d579ca (patch) | |
tree | eeff56d8de6984cdbfe8dd661de9fb6d14c1d8a8 /src/libstore | |
parent | 53a16441878ebd4a5ac6ef8a95a649bfd521da3d (diff) |
Darwin sandbox: Use sandbox-defaults.sb
Issue #759. Also, remove nix.conf from the sandbox since I don't really see a legitimate reason for builders to access the Nix configuration.
Diffstat (limited to 'src/libstore')
-rw-r--r-- | src/libstore/build.cc | 6 | ||||
-rw-r--r-- | src/libstore/local-store.cc | 2 | ||||
-rw-r--r-- | src/libstore/local.mk | 14 | ||||
-rw-r--r-- | src/libstore/sandbox-defaults.sb (renamed from src/libstore/sandbox-defaults.sb.in) | 9 |
4 files changed, 17 insertions, 14 deletions
diff --git a/src/libstore/build.cc b/src/libstore/build.cc index 46ce562f798e..92471b228d00 100644 --- a/src/libstore/build.cc +++ b/src/libstore/build.cc @@ -2656,9 +2656,9 @@ void DerivationGoal::runChild() sandboxProfile += "(deny default (with no-log))\n"; } - /* Disallow creating setuid/setgid binaries, since that - would allow breaking build user isolation. */ - sandboxProfile += "(deny file-write-setugid)\n"; + sandboxProfile += +#include "sandbox-defaults.sb.gen.hh" + ; /* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms to find temporary directories, so we want to open up a broader place for them to dump their files, if needed. */ diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc index 5b03e86f3eaa..a226e0110af1 100644 --- a/src/libstore/local-store.cc +++ b/src/libstore/local-store.cc @@ -320,7 +320,7 @@ void LocalStore::openDB(State & state, bool create) /* Initialise the database schema, if necessary. */ if (create) { const char * schema = -#include "schema.sql.hh" +#include "schema.sql.gen.hh" ; db.exec(schema); } diff --git a/src/libstore/local.mk b/src/libstore/local.mk index ffdb55abc65b..7bc69f65d800 100644 --- a/src/libstore/local.mk +++ b/src/libstore/local.mk @@ -34,12 +34,16 @@ libstore_CXXFLAGS = \ -DSANDBOX_SHELL="\"$(sandbox_shell)\"" \ -DLSOF=\"$(lsof)\" -$(d)/local-store.cc: $(d)/schema.sql.hh +$(d)/local-store.cc: $(d)/schema.sql.gen.hh -%.sql.hh: %.sql - $(trace-gen) sed -e 's/"/\\"/g' -e 's/\(.*\)/"\1\\n"/' < $< > $@ || (rm $@ && exit 1) +$(d)/build.cc: $(d)/sandbox-defaults.sb.gen.hh -clean-files += $(d)/schema.sql.hh +%.gen.hh: % + echo 'R"foo(' >> $@.tmp + cat $< >> $@.tmp + echo ')foo"' >> $@.tmp + mv $@.tmp $@ + +clean-files += $(d)/schema.sql.gen.hh $(d)/sandbox-defaults.sb.gen.hh $(eval $(call install-file-in, $(d)/nix-store.pc, $(prefix)/lib/pkgconfig, 0644)) -$(eval $(call install-file-in, $(d)/sandbox-defaults.sb, $(datadir)/nix, 0644)) diff --git a/src/libstore/sandbox-defaults.sb.in b/src/libstore/sandbox-defaults.sb index b5e80085fbe2..6bd15603e796 100644 --- a/src/libstore/sandbox-defaults.sb.in +++ b/src/libstore/sandbox-defaults.sb @@ -28,15 +28,10 @@ (allow file-read-metadata (literal "/var") (literal "/tmp") - ; symlinks - (literal "@sysconfdir@") - (literal "@sysconfdir@/nix") - (literal "@sysconfdir@/nix/nix.conf") (literal "/etc/resolv.conf") (literal "/private/etc/resolv.conf")) (allow file-read* - (literal "/private@sysconfdir@/nix/nix.conf") (literal "/private/var/run/resolv.conf")) ; some builders use filehandles other than stdin/stdout @@ -61,3 +56,7 @@ ; allow local networking (allow network* (local ip) (remote unix-socket)) + +; Disallow creating setuid/setgid binaries, since that +; would allow breaking build user isolation. +(deny file-write-setugid) |