author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2016-01-04 16:32:16 +0100 |
committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2016-01-04 20:01:13 +0100 |
commit | 71a93a5f0e742eb4856a4a5ea46b06a309bb04de (patch) | |
tree | ac257a5be779f54817fecf64122221e75bbd6a59 /src/libstore | |
parent | 9be037448ce353d932249e91466c219670d334df (diff) |
Don't allow sandbox profile except in relaxed mode
This makes Darwin consistent with Linux: Nix expressions can't break
out of the sandbox unless relaxed sandbox mode is enabled.
For the normal sandbox mode, however, this will require fixing #759.
Diffstat (limited to 'src/libstore')
-rw-r--r-- | src/libstore/build.cc | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index e00a07d3b..4192c6c65 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -1710,6 +1710,10 @@ void DerivationGoal::startBuilder()
 % drv->platform % settings.thisSystem % drvPath);
 }
+#if __APPLE__
+ additionalSandboxProfile = get(drv->env, "__sandboxProfile");
+#endif
+
 /* Are we doing a chroot build? Note that fixed-output derivations are never done in a chroot, mainly so that functions like fetchurl (which needs a proper /etc/resolv.conf)
@@ -1723,7 +1727,11 @@ void DerivationGoal::startBuilder()
 throw Error("option ‘build-use-sandbox’ must be set to one of ‘true’, ‘false’ or ‘relaxed’");
 if (x == "true") {
 if (get(drv->env, "__noChroot") == "1")
- throw Error(format("derivation ‘%1%’ has ‘__noChroot’ set, but that's not allowed when ‘build-use-sandbox’ is ‘true’") % drvPath);
+ throw Error(format("derivation ‘%1%’ has ‘__noChroot’ set, " "but that's not allowed when ‘build-use-sandbox’ is ‘true’") % drvPath);
+ if (additionalSandboxProfile != "")
+ throw Error(format("derivation ‘%1%’ specifies a sandbox profile, " "but this is only allowed when ‘build-use-sandbox’ is ‘relaxed’") % drvPath);
 useChroot = true;
 }
 else if (x == "false")
@@ -1924,9 +1932,6 @@ void DerivationGoal::startBuilder()
 for (auto & i : closure)
 dirsInChroot[i] = i;
-#if __APPLE__
- additionalSandboxProfile = get(drv->env, "__sandboxProfile");
-#endif
 string allowed = settings.get("allowed-impure-host-deps", string(DEFAULT_ALLOWED_IMPURE_PREFIXES));
 PathSet allowedPaths = tokenizeString<StringSet>(allowed);
@@ -1948,7 +1953,7 @@ void DerivationGoal::startBuilder()
 }
 }
 if (!found)
- throw Error(format("derivation '%1%' requested impure path ‘%2%’, but it was not in allowed-impure-host-deps (‘%3%’)") % drvPath % i % allowed);
+ throw Error(format("derivation ‘%1%’ requested impure path ‘%2%’, but it was not in allowed-impure-host-deps (‘%3%’)") % drvPath % i % allowed);
 dirsInChroot[i] = i;
 } |
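Review bot: The new rejection in the second hunk, `if (additionalSandboxProfile != "")`, can only ever fire on Darwin, because the first hunk assigns `additionalSandboxProfile` inside `#if __APPLE__`; on every other platform a derivation carrying `__sandboxProfile` passes this check unchallenged in `true` mode, and nothing at the check site tells the reader that the enforcement is platform-gated. A one-line comment above the check would make the coupling visible, e.g. `/* Only ever non-empty on Darwin, where __sandboxProfile is read above under #if __APPLE__. */`. As a point of style, `!additionalSandboxProfile.empty()` states the intent more directly than comparing against an empty string literal. The enclosing startBuilder() begins and ends outside these hunks, so whether the Linux path consults `__sandboxProfile` anywhere else cannot be confirmed from here.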