From 4e59d3fdb25335d7ab2612e72ff191e9bfbba8f4 Mon Sep 17 00:00:00 2001
From: Raito Bezarius <raito@lix.systems>
Date: Wed, 26 Mar 2025 01:07:47 +0100
Subject: [PATCH] libstore: ensure that `passAsFile` is created in the original
 temp dir

This ensures that `passAsFile` data is created inside the expected
temporary build directory by `openat()` from the parent directory file
descriptor.

This avoids a TOCTOU which is part of the attack chain of CVE-????.

Change-Id: Ie5273446c4a19403088d0389ae8e3f473af8879a
Signed-off-by: Raito Bezarius <raito@lix.systems>
---
 src/libstore/unix/build/derivation-builder.cc | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/libstore/unix/build/derivation-builder.cc b/src/libstore/unix/build/derivation-builder.cc
index 30468d3b2..22445d547 100644
--- a/src/libstore/unix/build/derivation-builder.cc
+++ b/src/libstore/unix/build/derivation-builder.cc
@@ -1070,8 +1070,11 @@ void DerivationBuilderImpl::initEnv()
                 auto hash = hashString(HashAlgorithm::SHA256, i.first);
                 std::string fn = ".attr-" + hash.to_string(HashFormat::Nix32, false);
                 Path p = tmpDir + "/" + fn;
-                writeFile(p, rewriteStrings(i.second, inputRewrites));
-                chownToBuilder(p);
+                AutoCloseFD passAsFileFd{openat(tmpDirFd.get(), fn.c_str(), O_WRONLY | O_TRUNC | O_CREAT | O_CLOEXEC | O_EXCL | O_NOFOLLOW, 0666)};
+                if (!passAsFileFd)
+                    throw SysError("opening `passAsFile` file in the sandbox '%1%'", p);
+                writeFile(passAsFileFd, rewriteStrings(i.second, inputRewrites));
+                chownToBuilder(passAsFileFd);
                 env[i.first + "Path"] = tmpDirInSandbox() + "/" + fn;
             }
         }