mirror of
https://github.com/NixOS/nix.git
synced 2025-12-16 14:01:05 +01:00
Merge pull request #13801 from obsidiansystems/move-sandbox-path-closure-code
Make sure `settings.sandboxedPaths` is closed outside `DerivationBuilder`
This commit is contained in:
John Ericson
GitHub
commit
e2b984704a
3 changed files with 27 additions and 17 deletions
|
|
@ -677,9 +677,26 @@ Goal::Co DerivationBuildingGoal::tryToBuild()
|
||||||
auto * localStoreP = dynamic_cast<LocalStore *>(&worker.store);
|
auto * localStoreP = dynamic_cast<LocalStore *>(&worker.store);
|
||||||
assert(localStoreP);
|
assert(localStoreP);
|
||||||
|
|
||||||
|
decltype(DerivationBuilderParams::defaultPathsInChroot) defaultPathsInChroot = settings.sandboxPaths.get();
|
||||||
decltype(DerivationBuilderParams::finalEnv) finalEnv;
|
decltype(DerivationBuilderParams::finalEnv) finalEnv;
|
||||||
decltype(DerivationBuilderParams::extraFiles) extraFiles;
|
decltype(DerivationBuilderParams::extraFiles) extraFiles;
|
||||||
|
|
||||||
|
/* Add the closure of store paths to the chroot. */
|
||||||
|
StorePathSet closure;
|
||||||
|
for (auto & i : defaultPathsInChroot)
|
||||||
|
try {
|
||||||
|
if (worker.store.isInStore(i.second.source))
|
||||||
|
worker.store.computeFSClosure(worker.store.toStorePath(i.second.source).first, closure);
|
||||||
|
} catch (InvalidPath & e) {
|
||||||
|
} catch (Error & e) {
|
||||||
|
e.addTrace({}, "while processing sandbox path '%s'", i.second.source);
|
||||||
|
throw;
|
||||||
|
}
|
||||||
|
for (auto & i : closure) {
|
||||||
|
auto p = worker.store.printStorePath(i);
|
||||||
|
defaultPathsInChroot.insert_or_assign(p, ChrootPath{.source = p});
|
||||||
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
if (drv->structuredAttrs) {
|
if (drv->structuredAttrs) {
|
||||||
auto json = drv->structuredAttrs->prepareStructuredAttrs(
|
auto json = drv->structuredAttrs->prepareStructuredAttrs(
|
||||||
|
|
@ -748,6 +765,7 @@ Goal::Co DerivationBuildingGoal::tryToBuild()
|
||||||
*drvOptions,
|
*drvOptions,
|
||||||
inputPaths,
|
inputPaths,
|
||||||
initialOutputs,
|
initialOutputs,
|
||||||
|
std::move(defaultPathsInChroot),
|
||||||
std::move(finalEnv),
|
std::move(finalEnv),
|
||||||
std::move(extraFiles),
|
std::move(extraFiles),
|
||||||
});
|
});
|
||||||
|
|
|
||||||
|
|
@ -59,6 +59,12 @@ struct DerivationBuilderParams
|
||||||
|
|
||||||
const BuildMode & buildMode;
|
const BuildMode & buildMode;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Extra paths we want to be in the chroot, regardless of the
|
||||||
|
* derivation we are building.
|
||||||
|
*/
|
||||||
|
PathsInChroot defaultPathsInChroot;
|
||||||
|
|
||||||
struct EnvEntry
|
struct EnvEntry
|
||||||
{
|
{
|
||||||
/**
|
/**
|
||||||
|
|
@ -96,6 +102,7 @@ struct DerivationBuilderParams
|
||||||
const DerivationOptions & drvOptions,
|
const DerivationOptions & drvOptions,
|
||||||
const StorePathSet & inputPaths,
|
const StorePathSet & inputPaths,
|
||||||
std::map<std::string, InitialOutput> & initialOutputs,
|
std::map<std::string, InitialOutput> & initialOutputs,
|
||||||
|
PathsInChroot defaultPathsInChroot,
|
||||||
std::map<std::string, EnvEntry, std::less<>> finalEnv,
|
std::map<std::string, EnvEntry, std::less<>> finalEnv,
|
||||||
StringMap extraFiles)
|
StringMap extraFiles)
|
||||||
: drvPath{drvPath}
|
: drvPath{drvPath}
|
||||||
|
|
@ -105,6 +112,7 @@ struct DerivationBuilderParams
|
||||||
, inputPaths{inputPaths}
|
, inputPaths{inputPaths}
|
||||||
, initialOutputs{initialOutputs}
|
, initialOutputs{initialOutputs}
|
||||||
, buildMode{buildMode}
|
, buildMode{buildMode}
|
||||||
|
, defaultPathsInChroot{std::move(defaultPathsInChroot)}
|
||||||
, finalEnv{std::move(finalEnv)}
|
, finalEnv{std::move(finalEnv)}
|
||||||
, extraFiles{std::move(extraFiles)}
|
, extraFiles{std::move(extraFiles)}
|
||||||
{
|
{
|
||||||
|
|
|
||||||
|
|
@ -836,29 +836,13 @@ PathsInChroot DerivationBuilderImpl::getPathsInSandbox()
|
||||||
{
|
{
|
||||||
/* Allow a user-configurable set of directories from the
|
/* Allow a user-configurable set of directories from the
|
||||||
host file system. */
|
host file system. */
|
||||||
PathsInChroot pathsInChroot = settings.sandboxPaths.get();
|
PathsInChroot pathsInChroot = defaultPathsInChroot;
|
||||||
|
|
||||||
if (hasPrefix(store.storeDir, tmpDirInSandbox())) {
|
if (hasPrefix(store.storeDir, tmpDirInSandbox())) {
|
||||||
throw Error("`sandbox-build-dir` must not contain the storeDir");
|
throw Error("`sandbox-build-dir` must not contain the storeDir");
|
||||||
}
|
}
|
||||||
pathsInChroot[tmpDirInSandbox()] = {.source = tmpDir};
|
pathsInChroot[tmpDirInSandbox()] = {.source = tmpDir};
|
||||||
|
|
||||||
/* Add the closure of store paths to the chroot. */
|
|
||||||
StorePathSet closure;
|
|
||||||
for (auto & i : pathsInChroot)
|
|
||||||
try {
|
|
||||||
if (store.isInStore(i.second.source))
|
|
||||||
store.computeFSClosure(store.toStorePath(i.second.source).first, closure);
|
|
||||||
} catch (InvalidPath & e) {
|
|
||||||
} catch (Error & e) {
|
|
||||||
e.addTrace({}, "while processing sandbox path '%s'", i.second.source);
|
|
||||||
throw;
|
|
||||||
}
|
|
||||||
for (auto & i : closure) {
|
|
||||||
auto p = store.printStorePath(i);
|
|
||||||
pathsInChroot.insert_or_assign(p, ChrootPath{.source = p});
|
|
||||||
}
|
|
||||||
|
|
||||||
PathSet allowedPaths = settings.allowedImpureHostPrefixes;
|
PathSet allowedPaths = settings.allowedImpureHostPrefixes;
|
||||||
|
|
||||||
/* This works like the above, except on a per-derivation level */
|
/* This works like the above, except on a per-derivation level */
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue