nixos/nix
1
1
Fork 0
mirror of https://github.com/NixOS/nix.git synced 2025-11-09 12:06:01 +01:00
Code Activity

Make sure settings.sandboxedPaths is closed outside DerivationBuilder

Browse source 
This is a nicer separation of concerns --- `DerivationBuilder` just
mounts the extra paths you tell it too, and the outside world is
responsible for making sure those extra paths make sense.

Since the closure only depends on global settings, and not
per-derivation information, we also have the option of moving this up
further and caching it across all local builds. (I only just realized
this after having done this refactor. I am not doing that change at this
time, however.)
This commit is contained in:
John Ericson 2025-08-20 17:52:07 -04:00
parent 08e42e20fa
commit 4c76db8e7c
3 changed files with 27 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

18
src/libstore/build/derivation-building-goal.cc
View file

@ -677,9 +677,26 @@ Goal::Co DerivationBuildingGoal::tryToBuild()
auto * localStoreP = dynamic_cast<LocalStore *>(&worker.store); auto * localStoreP = dynamic_cast<LocalStore *>(&worker.store);
assert(localStoreP); assert(localStoreP);
decltype(DerivationBuilderParams::defaultPathsInChroot) defaultPathsInChroot = settings.sandboxPaths.get();
decltype(DerivationBuilderParams::finalEnv) finalEnv; decltype(DerivationBuilderParams::finalEnv) finalEnv;
decltype(DerivationBuilderParams::extraFiles) extraFiles; decltype(DerivationBuilderParams::extraFiles) extraFiles;
/* Add the closure of store paths to the chroot. */
StorePathSet closure;
for (auto & i : defaultPathsInChroot)
try {
if (worker.store.isInStore(i.second.source))
worker.store.computeFSClosure(worker.store.toStorePath(i.second.source).first, closure);
} catch (InvalidPath & e) {
} catch (Error & e) {
e.addTrace({}, "while processing sandbox path '%s'", i.second.source);
throw;
}
for (auto & i : closure) {
auto p = worker.store.printStorePath(i);
defaultPathsInChroot.insert_or_assign(p, ChrootPath{.source = p});
}
try { try {
if (drv->structuredAttrs) { if (drv->structuredAttrs) {
auto json = drv->structuredAttrs->prepareStructuredAttrs( auto json = drv->structuredAttrs->prepareStructuredAttrs(
@ -748,6 +765,7 @@ Goal::Co DerivationBuildingGoal::tryToBuild()
*drvOptions, *drvOptions,
inputPaths, inputPaths,
initialOutputs, initialOutputs,
std::move(defaultPathsInChroot),
std::move(finalEnv), std::move(finalEnv),
std::move(extraFiles), std::move(extraFiles),
}); });

8
src/libstore/include/nix/store/build/derivation-builder.hh
View file

@ -59,6 +59,12 @@ struct DerivationBuilderParams
const BuildMode & buildMode; const BuildMode & buildMode;
/**
* Extra paths we want to be in the chroot, regardless of the
* derivation we are building.
*/
PathsInChroot defaultPathsInChroot;
struct EnvEntry struct EnvEntry
{ {
/** /**
@ -96,6 +102,7 @@ struct DerivationBuilderParams
const DerivationOptions & drvOptions, const DerivationOptions & drvOptions,
const StorePathSet & inputPaths, const StorePathSet & inputPaths,
std::map<std::string, InitialOutput> & initialOutputs, std::map<std::string, InitialOutput> & initialOutputs,
PathsInChroot defaultPathsInChroot,
std::map<std::string, EnvEntry, std::less<>> finalEnv, std::map<std::string, EnvEntry, std::less<>> finalEnv,
StringMap extraFiles) StringMap extraFiles)
: drvPath{drvPath} : drvPath{drvPath}
@ -105,6 +112,7 @@ struct DerivationBuilderParams
, inputPaths{inputPaths} , inputPaths{inputPaths}
, initialOutputs{initialOutputs} , initialOutputs{initialOutputs}
, buildMode{buildMode} , buildMode{buildMode}
, defaultPathsInChroot{std::move(defaultPathsInChroot)}
, finalEnv{std::move(finalEnv)} , finalEnv{std::move(finalEnv)}
, extraFiles{std::move(extraFiles)} , extraFiles{std::move(extraFiles)}
{ {

18
src/libstore/unix/build/derivation-builder.cc
View file

@ -836,29 +836,13 @@ PathsInChroot DerivationBuilderImpl::getPathsInSandbox()
{ {
/* Allow a user-configurable set of directories from the /* Allow a user-configurable set of directories from the
host file system. */ host file system. */
PathsInChroot pathsInChroot = settings.sandboxPaths.get(); PathsInChroot pathsInChroot = defaultPathsInChroot;
if (hasPrefix(store.storeDir, tmpDirInSandbox())) { if (hasPrefix(store.storeDir, tmpDirInSandbox())) {
throw Error("`sandbox-build-dir` must not contain the storeDir"); throw Error("`sandbox-build-dir` must not contain the storeDir");
} }
pathsInChroot[tmpDirInSandbox()] = {.source = tmpDir}; pathsInChroot[tmpDirInSandbox()] = {.source = tmpDir};
/* Add the closure of store paths to the chroot. */
StorePathSet closure;
for (auto & i : pathsInChroot)
try {
if (store.isInStore(i.second.source))
store.computeFSClosure(store.toStorePath(i.second.source).first, closure);
} catch (InvalidPath & e) {
} catch (Error & e) {
e.addTrace({}, "while processing sandbox path '%s'", i.second.source);
throw;
}
for (auto & i : closure) {
auto p = store.printStorePath(i);
pathsInChroot.insert_or_assign(p, ChrootPath{.source = p});
}
PathSet allowedPaths = settings.allowedImpureHostPrefixes; PathSet allowedPaths = settings.allowedImpureHostPrefixes;
/* This works like the above, except on a per-derivation level */ /* This works like the above, except on a per-derivation level */