libstore: open build directory as a dirfd as well

We now keep around a proper AutoCloseFD around the temporary directory which we plan to use for openat operations and avoiding the build directory being swapped out while we are doing something else. Change-Id: I18d387b0f123ebf2d20c6405cd47ebadc5505f2a Signed-off-by: Raito Bezarius <raito@lix.systems>
2025-06-25 02:21:16 +02:00 · 2025-03-26 01:04:59 +01:00 · 2025-03-26 01:04:59 +01:00 · 6a5b6ad3b7
commit 6a5b6ad3b7
parent 7226a116a0
1 changed files with 12 additions and 0 deletions
--- a/src/libstore/unix/build/derivation-builder.cc
+++ b/src/libstore/unix/build/derivation-builder.cc
@ -95,6 +95,11 @@ protected:
     */
    Path topTmpDir;

+    /**
+     * The file descriptor of the temporary directory.
+     */
+    AutoCloseFD tmpDirFd;
+
    /**
     * The sort of derivation we are building.
     *
@ -710,6 +715,13 @@ void DerivationBuilderImpl::startBuilder()
    topTmpDir = createTempDir(settings.buildDir.get().value_or(""), "nix-build-" + std::string(drvPath.name()), 0700);
    setBuildTmpDir();
    assert(!tmpDir.empty());
+
+    /* The TOCTOU between the previous mkdir call and this open call is unavoidable due to
+       POSIX semantics.*/
+    tmpDirFd = AutoCloseFD{open(tmpDir.c_str(), O_RDONLY | O_NOFOLLOW | O_DIRECTORY)};
+    if (!tmpDirFd)
+        throw SysError("failed to open the build temporary directory descriptor '%1%'", tmpDir);
+
    chownToBuilder(tmpDir);

    for (auto & [outputName, status] : initialOutputs) {