diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/libstore/build.cc | 64 |
1 files changed, 31 insertions, 33 deletions
diff --git a/src/libstore/build.cc b/src/libstore/build.cc index 32325a6b1bcf..1dee1ca2cd65 100644 --- a/src/libstore/build.cc +++ b/src/libstore/build.cc @@ -1921,35 +1921,35 @@ void DerivationGoal::startBuilder() for (auto & i : closure) dirsInChroot[i] = i; - if(!SANDBOX_ENABLED) { - string allowed = settings.get("allowed-impure-host-deps", string(DEFAULT_ALLOWED_IMPURE_PREFIXES)); - PathSet allowedPaths = tokenizeString<StringSet>(allowed); - - /* This works like the above, except on a per-derivation level */ - Strings impurePaths = tokenizeString<Strings>(get(drv->env, "__impureHostDeps")); - - for (auto & i : impurePaths) { - bool found = false; - /* Note: we're not resolving symlinks here to prevent - giving a non-root user info about inaccessible - files. */ - Path canonI = canonPath(i); - /* If only we had a trie to do this more efficiently :) luckily, these are generally going to be pretty small */ - for (auto & a : allowedPaths) { - Path canonA = canonPath(a); - if (canonI == canonA || isInDir(canonI, canonA)) { - found = true; - break; - } - } - if (!found) - throw Error(format("derivation '%1%' requested impure path ‘%2%’, but it was not in allowed-impure-host-deps (‘%3%’)") % drvPath % i % allowed); - - dirsInChroot[i] = i; - } - } else { - additionalSandboxProfile = get(drv->env, "__sandboxProfile"); +#if SANDBOX_ENABLED + additionalSandboxProfile = get(drv->env, "__sandboxProfile"); +#else + string allowed = settings.get("allowed-impure-host-deps", string(DEFAULT_ALLOWED_IMPURE_PREFIXES)); + PathSet allowedPaths = tokenizeString<StringSet>(allowed); + + /* This works like the above, except on a per-derivation level */ + Strings impurePaths = tokenizeString<Strings>(get(drv->env, "__impureHostDeps")); + + for (auto & i : impurePaths) { + bool found = false; + /* Note: we're not resolving symlinks here to prevent + giving a non-root user info about inaccessible + files. */ + Path canonI = canonPath(i); + /* If only we had a trie to do this more efficiently :) luckily, these are generally going to be pretty small */ + for (auto & a : allowedPaths) { + Path canonA = canonPath(a); + if (canonI == canonA || isInDir(canonI, canonA)) { + found = true; + break; + } + } + if (!found) + throw Error(format("derivation '%1%' requested impure path ‘%2%’, but it was not in allowed-impure-host-deps (‘%3%’)") % drvPath % i % allowed); + + dirsInChroot[i] = i; } +#endif #if CHROOT_ENABLED /* Create a temporary directory in which we set up the chroot @@ -2527,17 +2527,15 @@ void DerivationGoal::runChild() debug("Generated sandbox profile:"); debug(sandboxProfile); - char *tmpProfile = strdup((format("%1%/nix-sandboxXXXXXX.sb") % globalTmpDir).str().c_str()); - int profileFd = mkstemps(tmpProfile, 3); - closeOnExec(profileFd); - writeFull(profileFd, sandboxProfile); + Path tmpProfile = createTempDir() + "/profile.sb"; + writeFile(tmpProfile, sandboxProfile); builder = "/usr/bin/sandbox-exec"; args.push_back("sandbox-exec"); args.push_back("-f"); args.push_back(tmpProfile); args.push_back("-D"); - args.push_back((format("_GLOBAL_TMP_DIR=%1%") % globalTmpDir).str()); + args.push_back("_GLOBAL_TMP_DIR=" + globalTmpDir); args.push_back(drv->builder); } else { builder = drv->builder.c_str(); |