diff options
| author | Eelco Dolstra <edolstra@gmail.com> | 2022-06-23 15:34:16 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-06-23 15:34:16 +0200 |
| commit | 3c57db1a0f5438015c19285ec02fd15d9c6cb51f (patch) | |
| tree | bf10cbaae585c7fc989786f5ded62e274282687f /src | |
| parent | 0b2ea0023c81e8631df549dce996833ab5213a4a (diff) | |
| parent | 925b97522497e9c0f7a385c904410e560796208f (diff) | |
Merge pull request #6710 from edolstra/embedded-sandbox-shell
Embed the sandbox shell into the statically linked 'nix' binary
Diffstat (limited to 'src')
| -rw-r--r-- | src/libstore/build/local-derivation-goal.cc | 14 | ||||
| -rw-r--r-- | src/libstore/local.mk | 10 |
2 files changed, 23 insertions, 1 deletions
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc index 3ac9c20f9..d1ec91ed5 100644 --- a/src/libstore/build/local-derivation-goal.cc +++ b/src/libstore/build/local-derivation-goal.cc @@ -1717,7 +1717,19 @@ void LocalDerivationGoal::runChild() for (auto & i : dirsInChroot) { if (i.second.source == "/proc") continue; // backwards compatibility - doBind(i.second.source, chrootRootDir + i.first, i.second.optional); + + #if HAVE_EMBEDDED_SANDBOX_SHELL + if (i.second.source == "__embedded_sandbox_shell__") { + static unsigned char sh[] = { + #include "embedded-sandbox-shell.gen.hh" + }; + auto dst = chrootRootDir + i.first; + createDirs(dirOf(dst)); + writeFile(dst, std::string_view((const char *) sh, sizeof(sh))); + chmod_(dst, 0555); + } else + #endif + doBind(i.second.source, chrootRootDir + i.first, i.second.optional); } /* Bind a new instance of procfs on /proc. */ diff --git a/src/libstore/local.mk b/src/libstore/local.mk index 0f94d3917..1d26ac918 100644 --- a/src/libstore/local.mk +++ b/src/libstore/local.mk @@ -43,9 +43,19 @@ libstore_CXXFLAGS += \ -DNIX_MAN_DIR=\"$(mandir)\" \ -DLSOF=\"$(lsof)\" +ifeq ($(embedded_sandbox_shell),yes) +libstore_CXXFLAGS += -DSANDBOX_SHELL=\"__embedded_sandbox_shell__\" + +$(d)/build/local-derivation-goal.cc: $(d)/embedded-sandbox-shell.gen.hh + +$(d)/embedded-sandbox-shell.gen.hh: $(sandbox_shell) + $(trace-gen) hexdump -v -e '1/1 "0x%x," "\n"' < $< > $@.tmp + @mv $@.tmp $@ +else ifneq ($(sandbox_shell),) libstore_CXXFLAGS += -DSANDBOX_SHELL="\"$(sandbox_shell)\"" endif +endif $(d)/local-store.cc: $(d)/schema.sql.gen.hh $(d)/ca-specific-schema.sql.gen.hh |