Move pathsInChroot

2025-06-25 02:21:16 +02:00 · 2025-05-26 20:30:36 +02:00 · 2025-05-26 20:30:36 +02:00 · 67408807d8
commit 67408807d8
parent 5653bf5e0a
3 changed files with 140 additions and 117 deletions
--- a/src/libstore/unix/build/darwin-derivation-builder.cc
+++ b/src/libstore/unix/build/darwin-derivation-builder.cc
@ -2,6 +2,8 @@

 struct DarwinDerivationBuilder : DerivationBuilderImpl
 {
+    PathsInChroot pathsInChroot;
+
    DarwinDerivationBuilder(
        Store & store, std::unique_ptr<DerivationBuilderCallbacks> miscMethods, DerivationBuilderParams params)
        : DerivationBuilderImpl(store, std::move(miscMethods), std::move(params))
@ -9,6 +11,11 @@ struct DarwinDerivationBuilder : DerivationBuilderImpl
        useChroot = true;
    }

+    void prepareSandbox() override
+    {
+        pathsInChroot = getPathsInSandbox();
+    }
+
    void execBuilder(const Strings & args, const Strings & envStrs) override
    {
        posix_spawnattr_t attrp;
@ -69,7 +76,7 @@ struct DarwinDerivationBuilder : DerivationBuilderImpl
            /* Add all our input paths to the chroot */
            for (auto & i : inputPaths) {
                auto p = store.printStorePath(i);
-                pathsInChroot[p] = p;
+                pathsInChroot.insert_or_assign(p, p);
            }

            /* Violations will go to the syslog if you set this. Unfortunately the destination does not appear to be
--- a/src/libstore/unix/build/derivation-builder.cc
+++ b/src/libstore/unix/build/derivation-builder.cc
@ -149,6 +149,7 @@ protected:
    /**
     * RAII object to delete the chroot directory.
     */
+    // FIXME: move
    std::shared_ptr<AutoDelete> autoDelChroot;

    /**
@ -169,7 +170,6 @@ protected:
        { }
    };
    typedef std::map<Path, ChrootPath> PathsInChroot; // maps target path to source path
-    PathsInChroot pathsInChroot;

    typedef StringMap Environment;
    Environment env;
@ -250,6 +250,17 @@ public:

 protected:

+    /**
+     * Return the paths that should be made available in the sandbox.
+     * This includes:
+     *
+     * * The paths specified by the `sandbox-paths` setting, and their closure in the Nix store.
+     * * The contents of the `__impureHostDeps` derivation attribute, if the sandbox is in relaxed mode.
+     * * The paths returned by the `pre-build-hook`.
+     * * The paths in the input closure of the derivation.
+     */
+    PathsInChroot getPathsInSandbox();
+
    /**
     * Called by prepareBuild() to do any setup in the parent to
     * prepare for a sandboxed build.
@ -916,12 +927,67 @@ void DerivationBuilderImpl::startBuilder()
        }
    }

-    if (useChroot) {
+    prepareSandbox();
+
+    if (needsHashRewrite() && pathExists(homeDir))
+        throw Error("home directory '%1%' exists; please remove it to assure purity of builds without sandboxing", homeDir);
+
+    /* Fire up a Nix daemon to process recursive Nix calls from the
+       builder. */
+    if (drvOptions.getRequiredSystemFeatures(drv).count("recursive-nix"))
+        startDaemon();
+
+    /* Run the builder. */
+    printMsg(lvlChatty, "executing builder '%1%'", drv.builder);
+    printMsg(lvlChatty, "using builder args '%1%'", concatStringsSep(" ", drv.args));
+    for (auto & i : drv.env)
+        printMsg(lvlVomit, "setting builder env variable '%1%'='%2%'", i.first, i.second);
+
+    /* Create the log file. */
+    [[maybe_unused]] Path logFile = miscMethods->openLogFile();
+
+    /* Create a pseudoterminal to get the output of the builder. */
+    builderOut = posix_openpt(O_RDWR | O_NOCTTY);
+    if (!builderOut)
+        throw SysError("opening pseudoterminal master");
+
+    // FIXME: not thread-safe, use ptsname_r
+    std::string slaveName = ptsname(builderOut.get());
+
+    if (buildUser) {
+        if (chmod(slaveName.c_str(), 0600))
+            throw SysError("changing mode of pseudoterminal slave");
+
+        if (chown(slaveName.c_str(), buildUser->getUID(), 0))
+            throw SysError("changing owner of pseudoterminal slave");
+    }
+#ifdef __APPLE__
+    else {
+        if (grantpt(builderOut.get()))
+            throw SysError("granting access to pseudoterminal slave");
+    }
+#endif
+
+    if (unlockpt(builderOut.get()))
+        throw SysError("unlocking pseudoterminal");
+
+    buildResult.startTime = time(0);
+
+    /* Start a child process to build the derivation. */
+    startChild();
+
+    pid.setSeparatePG(true);
+    miscMethods->childStarted(builderOut.get());
+
+    processSandboxSetupMessages();
+}
+
+DerivationBuilderImpl::PathsInChroot DerivationBuilderImpl::getPathsInSandbox()
+{
+    PathsInChroot pathsInChroot;

    /* Allow a user-configurable set of directories from the
       host file system. */
-        pathsInChroot.clear();
-
    for (auto i : settings.sandboxPaths.get()) {
        if (i.empty()) continue;
        bool optional = false;
@ -984,17 +1050,8 @@ void DerivationBuilderImpl::startBuilder()
           macOS 11+ has no /usr/lib/libSystem*.dylib */
        pathsInChroot[i] = {i, true};
    }
-    } else {
-        if (drvOptions.useUidRange(drv))
-            throw Error("feature 'uid-range' is only supported in sandboxed builds");
-    }

-    prepareSandbox();
-
-    if (needsHashRewrite() && pathExists(homeDir))
-        throw Error("home directory '%1%' exists; please remove it to assure purity of builds without sandboxing", homeDir);
-
-    if (useChroot && settings.preBuildHook != "") {
+    if (settings.preBuildHook != "") {
        printMsg(lvlChatty, "executing pre-build hook '%1%'", settings.preBuildHook);
        auto args = useChroot ? Strings({store.printStorePath(drvPath), chrootRootDir}) :
            Strings({ store.printStorePath(drvPath) });
@ -1030,54 +1087,7 @@ void DerivationBuilderImpl::startBuilder()
        }
    }

-    /* Fire up a Nix daemon to process recursive Nix calls from the
-       builder. */
-    if (drvOptions.getRequiredSystemFeatures(drv).count("recursive-nix"))
-        startDaemon();
-
-    /* Run the builder. */
-    printMsg(lvlChatty, "executing builder '%1%'", drv.builder);
-    printMsg(lvlChatty, "using builder args '%1%'", concatStringsSep(" ", drv.args));
-    for (auto & i : drv.env)
-        printMsg(lvlVomit, "setting builder env variable '%1%'='%2%'", i.first, i.second);
-
-    /* Create the log file. */
-    [[maybe_unused]] Path logFile = miscMethods->openLogFile();
-
-    /* Create a pseudoterminal to get the output of the builder. */
-    builderOut = posix_openpt(O_RDWR | O_NOCTTY);
-    if (!builderOut)
-        throw SysError("opening pseudoterminal master");
-
-    // FIXME: not thread-safe, use ptsname_r
-    std::string slaveName = ptsname(builderOut.get());
-
-    if (buildUser) {
-        if (chmod(slaveName.c_str(), 0600))
-            throw SysError("changing mode of pseudoterminal slave");
-
-        if (chown(slaveName.c_str(), buildUser->getUID(), 0))
-            throw SysError("changing owner of pseudoterminal slave");
-    }
-#ifdef __APPLE__
-    else {
-        if (grantpt(builderOut.get()))
-            throw SysError("granting access to pseudoterminal slave");
-    }
-#endif
-
-    if (unlockpt(builderOut.get()))
-        throw SysError("unlocking pseudoterminal");
-
-    buildResult.startTime = time(0);
-
-    /* Start a child process to build the derivation. */
-    startChild();
-
-    pid.setSeparatePG(true);
-    miscMethods->childStarted(builderOut.get());
-
-    processSandboxSetupMessages();
+    return pathsInChroot;
 }

 void DerivationBuilderImpl::prepareSandbox()
@ -2411,6 +2421,9 @@ std::unique_ptr<DerivationBuilder> makeDerivationBuilder(
    if (useSandbox)
        throw Error("sandboxing builds is not supported on this platform");

+    if (params.drvOptions.useUidRange(params.drv))
+        throw Error("feature 'uid-range' is only supported in sandboxed builds");
+
    return std::make_unique<DerivationBuilderImpl>(
        store,
        std::move(miscMethods),
--- a/src/libstore/unix/build/linux-derivation-builder.cc
+++ b/src/libstore/unix/build/linux-derivation-builder.cc
@ -20,6 +20,8 @@ struct LinuxDerivationBuilder : DerivationBuilderImpl
     */
    bool usingUserNamespace = true;

+    PathsInChroot pathsInChroot;
+
    LinuxDerivationBuilder(
        Store & store, std::unique_ptr<DerivationBuilderCallbacks> miscMethods, DerivationBuilderParams params)
        : DerivationBuilderImpl(store, std::move(miscMethods), std::move(params))
@ -102,12 +104,6 @@ struct LinuxDerivationBuilder : DerivationBuilderImpl
        if (buildUser && chown(chrootStoreDir.c_str(), 0, buildUser->getGID()) == -1)
            throw SysError("cannot change ownership of '%1%'", chrootStoreDir);

-        for (auto & i : inputPaths) {
-            auto p = store.printStorePath(i);
-            Path r = store.toRealPath(p);
-            pathsInChroot.insert_or_assign(p, r);
-        }
-
        /* If we're repairing, checking or rebuilding part of a
           multiple-outputs derivation, it's possible that we're
           rebuilding a path that is in settings.sandbox-paths
@ -131,6 +127,13 @@ struct LinuxDerivationBuilder : DerivationBuilderImpl
            chownToBuilder(*cgroup + "/cgroup.threads");
            //chownToBuilder(*cgroup + "/cgroup.subtree_control");
        }
+
+        pathsInChroot = getPathsInSandbox();
+
+        for (auto & i : inputPaths) {
+            auto p = store.printStorePath(i);
+            pathsInChroot.insert_or_assign(p, store.toRealPath(p));
+        }
    }

    void startChild() override