wroclaw-git-backups/nix
1
0
Fork 0
mirror of https://github.com/NixOS/nix synced 2025-07-06 21:41:48 +02:00
Code Activity

Merge pull request #1646 from copumpkin/optional-sandbox-local-network

Browse source 
Allow optional localhost network access to sandboxed derivations
This commit is contained in:
Eelco Dolstra 2017-10-30 18:54:40 +01:00 committed by GitHub
commit 197922ea4e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 33 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

12
src/libstore/build.cc
View file

@ -2833,10 +2833,10 @@ void DerivationGoal::runChild()
sandboxProfile += "(deny default (with no-log))\n";
}
sandboxProfile += "(import \"sandbox-defaults.sb\")";
sandboxProfile += "(import \"sandbox-defaults.sb\")\n";
if (fixedOutput)
sandboxProfile += "(import \"sandbox-network.sb\")";
sandboxProfile += "(import \"sandbox-network.sb\")\n";
/* Our rwx outputs */
sandboxProfile += "(allow file-read* file-write* process-exec\n";
@ -2879,7 +2879,7 @@ void DerivationGoal::runChild()
sandboxProfile += additionalSandboxProfile;
} else
sandboxProfile += "(import \"sandbox-minimal.sb\")";
sandboxProfile += "(import \"sandbox-minimal.sb\")\n";
debug("Generated sandbox profile:");
debug(sandboxProfile);
@ -2888,6 +2888,8 @@ void DerivationGoal::runChild()
writeFile(sandboxFile, sandboxProfile);
bool allowLocalNetworking = get(drv->env, "__darwinAllowLocalNetworking") == "1";
/* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms
to find temporary directories, so we want to open up a broader place for them to dump their files, if needed. */
Path globalTmpDir = canonPath(getEnv("TMPDIR", "/tmp"), true);
@ -2903,6 +2905,10 @@ void DerivationGoal::runChild()
args.push_back("_GLOBAL_TMP_DIR=" + globalTmpDir);
args.push_back("-D");
args.push_back("IMPORT_DIR=" + settings.nixDataDir + "/nix/sandbox/");
if (allowLocalNetworking) {
args.push_back("-D");
args.push_back(string("_ALLOW_LOCAL_NETWORKING=1"));
}
args.push_back(drv->builder);
}
#endif