nixos/nix
1
1
Fork 0
mirror of https://github.com/NixOS/nix.git synced 2025-11-21 09:49:36 +01:00
Code Activity

libstore: Don't default build-dir to temp-dir, store setting

Browse source 
If a build directory is accessible to other users it is possible to
smuggle data in and out of build directories. Usually this is only
a build purity problem, but in combination with other issues it can
be used to break out of a build sandbox. to prevent this we default
to using a subdirectory of nixStateDir (which is more restrictive).

(cherry picked from pennae Lix commit 55b416f6897fb0d8a9315a530a9b7f0914458ded)
(store setting done by roberth)
This commit is contained in:
eldritch horrors 2025-03-30 16:45:34 +02:00 committed by Jörg Thalheim
parent 9af4c267c6
commit 88b7db1ba4
11 changed files with 62 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

12
src/libstore/local-store.cc
View file

@ -77,6 +77,18 @@ std::string LocalStoreConfig::doc()
;
}
Path LocalBuildStoreConfig::getBuildDir() const
{
if (settings.buildDir.get().has_value()) {
return *settings.buildDir.get();
}
if (buildDir.get().has_value()) {
return *buildDir.get();
}
return stateDir.get() + "/builds";
}
ref<Store> LocalStore::Config::openStore() const
{
return make_ref<LocalStore>(ref{shared_from_this()});