nixos/nix
1
1
Fork 0
mirror of https://github.com/NixOS/nix.git synced 2025-11-11 13:06:01 +01:00
Code Activity

Copy the output of fixed-output derivations before registering them

Browse source 
It is possible to exfiltrate a file descriptor out of the build sandbox
of FODs, and use it to modify the store path after it has been
registered.
To avoid that issue, don't register the output of the build, but a copy
of it (that will be free of any leaked file descriptor).
This commit is contained in:
Théophane Hufschmitt 2024-02-13 08:28:02 +01:00
parent 4645652975
commit 244f3eee0b
3 changed files with 18 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

5
src/libutil/file-system.cc
View file

@ -628,6 +628,11 @@ void copy(const fs::directory_entry & from, const fs::path & to, bool andDelete)
}
}
void copyFile(const Path & oldPath, const Path & newPath, bool andDelete)
{
return copy(fs::directory_entry(fs::path(oldPath)), fs::path(newPath), andDelete);
}
void renameFile(const Path & oldName, const Path & newName)
{
fs::rename(oldName, newName);