From f46e329a1332738694973d67d70dc5e32c5eda40 Mon Sep 17 00:00:00 2001 From: Daniel Peebles Date: Thu, 15 Jan 2015 02:49:21 -0500 Subject: Make inputs writeable in the sandbox (builds still can’t actually write due to user permissions) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/libstore/build.cc | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'src/libstore') diff --git a/src/libstore/build.cc b/src/libstore/build.cc index 5285d39df2d6..e0398e2fb4a3 100644 --- a/src/libstore/build.cc +++ b/src/libstore/build.cc @@ -2271,8 +2271,13 @@ void DerivationGoal::runChild() } sandboxProfile += ")\n"; - /* Our inputs (transitive dependencies and any impurities computed above) */ - sandboxProfile += "(allow file-read* process-exec\n"; + /* Our inputs (transitive dependencies and any impurities computed above) + Note that the sandbox profile allows file-write* even though it isn't seemingly necessary. First of all, nix's standard user permissioning + mechanism still prevents builders from writing to input directories, so no security/purity is lost. The reason we allow file-write* is that + denying it means the `access` syscall will return EPERM instead of EACCESS, which confuses a few programs that assume (understandably, since + it appears to be a violation of the POSIX spec) that `access` won't do that, and don't deal with it nicely if it does. The most notable of + these is the entire GHC Haskell ecosystem. */ + sandboxProfile += "(allow file-read* file-write* process-exec\n"; for (auto & i : dirsInChroot) { if (i.first != i.second) throw SysError(format("can't map '%1%' to '%2%': mismatched impure paths not supported on darwin")); -- cgit 1.4.1