about summary refs log tree commit diff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/libstore/build.cc64
1 files changed, 31 insertions, 33 deletions
diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index 32325a6b1bcf..1dee1ca2cd65 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -1921,35 +1921,35 @@ void DerivationGoal::startBuilder()
         for (auto & i : closure)
             dirsInChroot[i] = i;
 
-        if(!SANDBOX_ENABLED) {
-          string allowed = settings.get("allowed-impure-host-deps", string(DEFAULT_ALLOWED_IMPURE_PREFIXES));
-          PathSet allowedPaths = tokenizeString<StringSet>(allowed);
-
-          /* This works like the above, except on a per-derivation level */
-          Strings impurePaths = tokenizeString<Strings>(get(drv->env, "__impureHostDeps"));
-
-          for (auto & i : impurePaths) {
-              bool found = false;
-              /* Note: we're not resolving symlinks here to prevent
-                 giving a non-root user info about inaccessible
-                 files. */
-              Path canonI = canonPath(i);
-              /* If only we had a trie to do this more efficiently :) luckily, these are generally going to be pretty small */
-              for (auto & a : allowedPaths) {
-                  Path canonA = canonPath(a);
-                  if (canonI == canonA || isInDir(canonI, canonA)) {
-                      found = true;
-                      break;
-                  }
-              }
-              if (!found)
-                  throw Error(format("derivation '%1%' requested impure path ‘%2%’, but it was not in allowed-impure-host-deps (‘%3%’)") % drvPath % i % allowed);
-
-              dirsInChroot[i] = i;
-          }
-        } else {
-          additionalSandboxProfile = get(drv->env, "__sandboxProfile");
+#if SANDBOX_ENABLED
+        additionalSandboxProfile = get(drv->env, "__sandboxProfile");
+#else
+        string allowed = settings.get("allowed-impure-host-deps", string(DEFAULT_ALLOWED_IMPURE_PREFIXES));
+        PathSet allowedPaths = tokenizeString<StringSet>(allowed);
+
+        /* This works like the above, except on a per-derivation level */
+        Strings impurePaths = tokenizeString<Strings>(get(drv->env, "__impureHostDeps"));
+
+        for (auto & i : impurePaths) {
+            bool found = false;
+            /* Note: we're not resolving symlinks here to prevent
+               giving a non-root user info about inaccessible
+               files. */
+            Path canonI = canonPath(i);
+            /* If only we had a trie to do this more efficiently :) luckily, these are generally going to be pretty small */
+            for (auto & a : allowedPaths) {
+                Path canonA = canonPath(a);
+                if (canonI == canonA || isInDir(canonI, canonA)) {
+                    found = true;
+                    break;
+                }
+            }
+            if (!found)
+                throw Error(format("derivation '%1%' requested impure path ‘%2%’, but it was not in allowed-impure-host-deps (‘%3%’)") % drvPath % i % allowed);
+
+            dirsInChroot[i] = i;
         }
+#endif
 
 #if CHROOT_ENABLED
         /* Create a temporary directory in which we set up the chroot
@@ -2527,17 +2527,15 @@ void DerivationGoal::runChild()
             debug("Generated sandbox profile:");
             debug(sandboxProfile);
 
-            char *tmpProfile = strdup((format("%1%/nix-sandboxXXXXXX.sb") % globalTmpDir).str().c_str());
-            int profileFd = mkstemps(tmpProfile, 3);
-            closeOnExec(profileFd);
-            writeFull(profileFd, sandboxProfile);
+            Path tmpProfile = createTempDir() + "/profile.sb";
+            writeFile(tmpProfile, sandboxProfile);
 
             builder = "/usr/bin/sandbox-exec";
             args.push_back("sandbox-exec");
             args.push_back("-f");
             args.push_back(tmpProfile);
             args.push_back("-D");
-            args.push_back((format("_GLOBAL_TMP_DIR=%1%") % globalTmpDir).str());
+            args.push_back("_GLOBAL_TMP_DIR=" + globalTmpDir);
             args.push_back(drv->builder);
         } else {
             builder = drv->builder.c_str();