nixos/nix
1
1
Fork 0
mirror of https://github.com/NixOS/nix.git synced 2025-12-16 05:51:05 +01:00
Code Activity

Merge pull request #13801 from obsidiansystems/move-sandbox-path-closure-code

Browse source 
Make sure `settings.sandboxedPaths` is closed outside `DerivationBuilder`
This commit is contained in:
John Ericson 2025-08-20 19:15:16 -04:00 committed by GitHub
commit e2b984704a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 27 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

18
src/libstore/build/derivation-building-goal.cc
View file

@ -677,9 +677,26 @@ Goal::Co DerivationBuildingGoal::tryToBuild()
auto * localStoreP = dynamic_cast<LocalStore *>(&worker.store);
assert(localStoreP);
decltype(DerivationBuilderParams::defaultPathsInChroot) defaultPathsInChroot = settings.sandboxPaths.get();
decltype(DerivationBuilderParams::finalEnv) finalEnv;
decltype(DerivationBuilderParams::extraFiles) extraFiles;
/* Add the closure of store paths to the chroot. */
StorePathSet closure;
for (auto & i : defaultPathsInChroot)
try {
if (worker.store.isInStore(i.second.source))
worker.store.computeFSClosure(worker.store.toStorePath(i.second.source).first, closure);
} catch (InvalidPath & e) {
} catch (Error & e) {
e.addTrace({}, "while processing sandbox path '%s'", i.second.source);
throw;
}
for (auto & i : closure) {
auto p = worker.store.printStorePath(i);
defaultPathsInChroot.insert_or_assign(p, ChrootPath{.source = p});
}
try {
if (drv->structuredAttrs) {
auto json = drv->structuredAttrs->prepareStructuredAttrs(
@ -748,6 +765,7 @@ Goal::Co DerivationBuildingGoal::tryToBuild()
*drvOptions,
inputPaths,
initialOutputs,
std::move(defaultPathsInChroot),
std::move(finalEnv),
std::move(extraFiles),
});

8
src/libstore/include/nix/store/build/derivation-builder.hh
View file

@ -59,6 +59,12 @@ struct DerivationBuilderParams
const BuildMode & buildMode;
/**
* Extra paths we want to be in the chroot, regardless of the
* derivation we are building.
*/
PathsInChroot defaultPathsInChroot;
struct EnvEntry
{
/**
@ -96,6 +102,7 @@ struct DerivationBuilderParams
const DerivationOptions & drvOptions,
const StorePathSet & inputPaths,
std::map<std::string, InitialOutput> & initialOutputs,
PathsInChroot defaultPathsInChroot,
std::map<std::string, EnvEntry, std::less<>> finalEnv,
StringMap extraFiles)
: drvPath{drvPath}
@ -105,6 +112,7 @@ struct DerivationBuilderParams
, inputPaths{inputPaths}
, initialOutputs{initialOutputs}
, buildMode{buildMode}
, defaultPathsInChroot{std::move(defaultPathsInChroot)}
, finalEnv{std::move(finalEnv)}
, extraFiles{std::move(extraFiles)}
{

18
src/libstore/unix/build/derivation-builder.cc
View file

@ -836,29 +836,13 @@ PathsInChroot DerivationBuilderImpl::getPathsInSandbox()
{
/* Allow a user-configurable set of directories from the
host file system. */
PathsInChroot pathsInChroot = settings.sandboxPaths.get();
PathsInChroot pathsInChroot = defaultPathsInChroot;
if (hasPrefix(store.storeDir, tmpDirInSandbox())) {
throw Error("`sandbox-build-dir` must not contain the storeDir");
}
pathsInChroot[tmpDirInSandbox()] = {.source = tmpDir};
/* Add the closure of store paths to the chroot. */
StorePathSet closure;
for (auto & i : pathsInChroot)
try {
if (store.isInStore(i.second.source))
store.computeFSClosure(store.toStorePath(i.second.source).first, closure);
} catch (InvalidPath & e) {
} catch (Error & e) {
e.addTrace({}, "while processing sandbox path '%s'", i.second.source);
throw;
}
for (auto & i : closure) {
auto p = store.printStorePath(i);
pathsInChroot.insert_or_assign(p, ChrootPath{.source = p});
}
PathSet allowedPaths = settings.allowedImpureHostPrefixes;
/* This works like the above, except on a per-derivation level */