authorEelco Dolstra <eelco.dolstra@logicblox.com>2016-01-04 16:32:16 +0100
committerEelco Dolstra <eelco.dolstra@logicblox.com>2016-01-04 20:01:13 +0100
commit71a93a5f0e742eb4856a4a5ea46b06a309bb04de (patch)
treeac257a5be779f54817fecf64122221e75bbd6a59 /src/libstore
parent9be037448ce353d932249e91466c219670d334df (diff)
Don't allow sandbox profile except in relaxed mode
This makes Darwin consistent with Linux: Nix expressions can't break out of the sandbox unless relaxed sandbox mode is enabled. Using a sandbox profile under the normal (strict) sandbox mode will require fixing #759 first, however.
Diffstat (limited to 'src/libstore')
-rw-r--r--src/libstore/build.cc15
1 files changed, 10 insertions, 5 deletions
diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index e00a07d3b..4192c6c65 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -1710,6 +1710,10 @@ void DerivationGoal::startBuilder()
% drv->platform % settings.thisSystem % drvPath);
}
+#if __APPLE__
+ additionalSandboxProfile = get(drv->env, "__sandboxProfile");
+#endif
+
/* Are we doing a chroot build? Note that fixed-output
derivations are never done in a chroot, mainly so that
functions like fetchurl (which needs a proper /etc/resolv.conf)
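Review bot: The reason the `__sandboxProfile` read was hoisted to this point is not stated in the code, and a reader seeing an Apple-only assignment this far above the sandbox-mode logic may move it back. A comment above the `#if __APPLE__` would pin the intent, e.g. `/* Read the derivation's sandbox profile here, before the ‘build-use-sandbox’ mode is decided, so that strict mode can reject it below. */`. This also documents the implicit assumption that `get()` yields an empty string when the key is absent, which I cannot confirm from the hunk. startBuilder's body begins and ends outside this hunk.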
@@ -1723,7 +1727,11 @@ void DerivationGoal::startBuilder()
throw Error("option ‘build-use-sandbox’ must be set to one of ‘true’, ‘false’ or ‘relaxed’");
if (x == "true") {
if (get(drv->env, "__noChroot") == "1")
- throw Error(format("derivation ‘%1%’ has ‘__noChroot’ set, but that's not allowed when ‘build-use-sandbox’ is ‘true’") % drvPath);
+ throw Error(format("derivation ‘%1%’ has ‘__noChroot’ set, "
+ "but that's not allowed when ‘build-use-sandbox’ is ‘true’") % drvPath);
+ if (additionalSandboxProfile != "")
+ throw Error(format("derivation ‘%1%’ specifies a sandbox profile, "
+ "but this is only allowed when ‘build-use-sandbox’ is ‘relaxed’") % drvPath);
useChroot = true;
}
else if (x == "false")
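Review bot: The `additionalSandboxProfile != ""` check is compiled on every platform, but the variable is only ever assigned under `#if __APPLE__` (earlier hunk), so on Linux the rejection silently depends on the member being default-empty — its declaration is outside this hunk and I cannot confirm that. Either make the platform dependency explicit by wrapping the check in `#if __APPLE__` with a comment, or read `__sandboxProfile` on all platforms so a derivation that sets it is rejected identically everywhere; the second option is closer to the commit's stated goal of consistency but would start rejecting Linux builds of expressions that set the attribute unconditionally, so it needs a deliberate choice. Note also that the error text names only ‘relaxed’, while in ‘false’ mode the attribute presumably has no effect rather than being an error; `"but this is only honoured when ‘build-use-sandbox’ is ‘relaxed’"` would be more precise if that is the intended semantics. The enclosing startBuilder body continues beyond the hunk.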
@@ -1924,9 +1932,6 @@ void DerivationGoal::startBuilder()
for (auto & i : closure)
dirsInChroot[i] = i;
-#if __APPLE__
- additionalSandboxProfile = get(drv->env, "__sandboxProfile");
-#endif
string allowed = settings.get("allowed-impure-host-deps", string(DEFAULT_ALLOWED_IMPURE_PREFIXES));
PathSet allowedPaths = tokenizeString<StringSet>(allowed);
@@ -1948,7 +1953,7 @@ void DerivationGoal::startBuilder()
}
}
if (!found)
- throw Error(format("derivation '%1%' requested impure path ‘%2%’, but it was not in allowed-impure-host-deps (‘%3%’)") % drvPath % i % allowed);
+ throw Error(format("derivation ‘%1%’ requested impure path ‘%2%’, but it was not in allowed-impure-host-deps (‘%3%’)") % drvPath % i % allowed);
dirsInChroot[i] = i;
}