Merge remote-tracking branch 'origin/master' into flakes

2025-06-30 15:48:00 +02:00 · 2019-05-08 14:30:27 +02:00 · 2019-05-08 14:30:27 +02:00 · 2bc55aba1e
commit 2bc55aba1e
parent a887892eb6 7c6391ddc7
23 changed files with 167 additions and 28 deletions
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@ -803,6 +803,9 @@ private:
    /* Whether we're currently doing a chroot build. */
    bool useChroot = false;

+    /* Whether we need to perform hash rewriting if there are valid output paths. */
+    bool needsHashRewrite;
+
    Path chrootRootDir;

    /* RAII object to delete the chroot directory. */
@ -994,6 +997,13 @@ DerivationGoal::DerivationGoal(const Path & drvPath, const StringSet & wantedOut
    , wantedOutputs(wantedOutputs)
    , buildMode(buildMode)
 {
+#if __linux__
+    needsHashRewrite = !useChroot;
+#else
+    /* Darwin requires hash rewriting even when sandboxing is enabled. */
+    needsHashRewrite = true;
+#endif
+
    state = &DerivationGoal::getDerivation;
    name = (format("building of '%1%'") % drvPath).str();
    trace("created");
@ -2073,7 +2083,7 @@ void DerivationGoal::startBuilder()
 #endif
    }

-    else {
+    if (needsHashRewrite) {

        if (pathExists(homeDir))
            throw Error(format("directory '%1%' exists; please remove it") % homeDir);
@ -2500,17 +2510,17 @@ void setupSeccomp()
        seccomp_release(ctx);
    });

-    if (settings.thisSystem == "x86_64-linux" &&
+    if (nativeSystem == "x86_64-linux" &&
        seccomp_arch_add(ctx, SCMP_ARCH_X86) != 0)
        throw SysError("unable to add 32-bit seccomp architecture");

-    if (settings.thisSystem == "x86_64-linux" &&
+    if (nativeSystem == "x86_64-linux" &&
        seccomp_arch_add(ctx, SCMP_ARCH_X32) != 0)
        throw SysError("unable to add X32 seccomp architecture");

-    if (settings.thisSystem == "aarch64-linux" &&
+    if (nativeSystem == "aarch64-linux" &&
        seccomp_arch_add(ctx, SCMP_ARCH_ARM) != 0)
-        printError("unsable to add ARM seccomp architecture; this may result in spurious build failures if running 32-bit ARM processes.");
+        printError("unable to add ARM seccomp architecture; this may result in spurious build failures if running 32-bit ARM processes");

    /* Prevent builders from creating setuid/setgid binaries. */
    for (int perm : { S_ISUID, S_ISGID }) {
@ -2873,6 +2883,10 @@ void DerivationGoal::runChild()
                for (auto & i : missingPaths) {
                    sandboxProfile += (format("\t(subpath \"%1%\")\n") % i.c_str()).str();
                }
+                /* Also add redirected outputs to the chroot */
+                for (auto & i : redirectedOutputs) {
+                    sandboxProfile += (format("\t(subpath \"%1%\")\n") % i.second.c_str()).str();
+                }
                sandboxProfile += ")\n";

                /* Our inputs (transitive dependencies and any impurities computed above)
@ -3051,7 +3065,9 @@ void DerivationGoal::registerOutputs()
                        throw SysError(format("moving build output '%1%' from the sandbox to the Nix store") % path);
            }
            if (buildMode != bmCheck) actualPath = worker.store.toRealPath(path);
-        } else {
+        }
+
+        if (needsHashRewrite) {
            Path redirected = redirectedOutputs[path];
            if (buildMode == bmRepair
                && redirectedBadOutputs.find(path) != redirectedBadOutputs.end()