From 8c27eb6c1bc490c9d2f3c7c1dedb1ca3c8e00759 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9ophane=20Hufschmitt?=
Date: Tue, 13 Feb 2024 08:28:02 +0100
Subject: [PATCH] Copy the output of fixed-output derivations before registering them

It is possible to exfiltrate a file descriptor out of the build sandbox of FODs, and use it to modify the store path after it has been registered. To avoid that issue, don't register the output of the build, but a copy of it (that will be free of any leaked file descriptor).
---
 src/libstore/build.cc | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index d3a712c1a..3fb827a15 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -3286,10 +3286,17 @@ void DerivationGoal::registerOutputs()
 throw BuildError(format("suspicious ownership or permission on '%1%'; rejecting this build output") % path);
 #endif
- /* Apply hash rewriting if necessary. */
+ /* Apply hash rewriting if necessary.
+ *
+ * For FODs, we always do the dump-and-restore dance regardless to make
+ * sure that there's no stale file descriptor pointing to the output
+ * of the path.
+ * */
 bool rewritten = false;
- if (!outputRewrites.empty()) {
+ if (fixedOutput || !outputRewrites.empty()) {
+ if (!outputRewrites.empty()) {
 printError(format("warning: rewriting hashes in '%1%'; cross fingers") % path);
+ }
 /* Canonicalise first. This ensures that the path we're rewriting doesn't contain a hard link to /etc/shadow or