diff options
| author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2017-10-30 18:54:40 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2017-10-30 18:54:40 +0100 |
| commit | 197922ea4e76ec9439d487e2d16411495a71df4e (patch) | |
| tree | f6585def3243a7791997793c49a779e2329a5417 /src/libstore/build.cc | |
| parent | f90f660b243866b8860eeb24cc4a345d32cc7ce7 (diff) | |
| parent | 4a4a009f78d7267d58a1dbd95f70f12ee3fe89f2 (diff) | |
Merge pull request #1646 from copumpkin/optional-sandbox-local-network
Allow optional localhost network access to sandboxed derivations
Diffstat (limited to 'src/libstore/build.cc')
| -rw-r--r-- | src/libstore/build.cc | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/src/libstore/build.cc b/src/libstore/build.cc index 9f8edc826..061682377 100644 --- a/src/libstore/build.cc +++ b/src/libstore/build.cc @@ -2833,10 +2833,10 @@ void DerivationGoal::runChild() sandboxProfile += "(deny default (with no-log))\n"; } - sandboxProfile += "(import \"sandbox-defaults.sb\")"; + sandboxProfile += "(import \"sandbox-defaults.sb\")\n"; if (fixedOutput) - sandboxProfile += "(import \"sandbox-network.sb\")"; + sandboxProfile += "(import \"sandbox-network.sb\")\n"; /* Our rwx outputs */ sandboxProfile += "(allow file-read* file-write* process-exec\n"; @@ -2879,7 +2879,7 @@ void DerivationGoal::runChild() sandboxProfile += additionalSandboxProfile; } else - sandboxProfile += "(import \"sandbox-minimal.sb\")"; + sandboxProfile += "(import \"sandbox-minimal.sb\")\n"; debug("Generated sandbox profile:"); debug(sandboxProfile); @@ -2888,6 +2888,8 @@ void DerivationGoal::runChild() writeFile(sandboxFile, sandboxProfile); + bool allowLocalNetworking = get(drv->env, "__darwinAllowLocalNetworking") == "1"; + /* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms to find temporary directories, so we want to open up a broader place for them to dump their files, if needed. */ Path globalTmpDir = canonPath(getEnv("TMPDIR", "/tmp"), true); @@ -2903,6 +2905,10 @@ void DerivationGoal::runChild() args.push_back("_GLOBAL_TMP_DIR=" + globalTmpDir); args.push_back("-D"); args.push_back("IMPORT_DIR=" + settings.nixDataDir + "/nix/sandbox/"); + if (allowLocalNetworking) { + args.push_back("-D"); + args.push_back(string("_ALLOW_LOCAL_NETWORKING=1")); + } args.push_back(drv->builder); } #endif |