Copy the output of fixed-output derivations before registering them

It is possible to exfiltrate a file descriptor out of the build sandbox of FODs, and use it to modify the store path after it has been registered. To avoid that issue, don't register the output of the build, but a copy of it (that will be free of any leaked file descriptor).
2025-07-05 20:41:47 +02:00 · 2024-02-13 08:28:02 +01:00 · 2024-02-13 08:28:02 +01:00 · c3878f510e
commit c3878f510e
parent a55c6a0f47
3 changed files with 18 additions and 0 deletions
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@ -2543,6 +2543,12 @@ SingleDrvOutputs LocalDerivationGoal::registerOutputs()
            [&](const DerivationOutput::CAFixed & dof) {
                auto & wanted = dof.ca.hash;

+                // Replace the output by a fresh copy of itself to make sure
+                // that there's no stale file descriptor pointing to it
+                Path tmpOutput = actualPath + ".tmp";
+                renameFile(actualPath, tmpOutput);
+                copyFile(tmpOutput, actualPath, true);
+
                auto newInfo0 = newInfoFromCA(DerivationOutput::CAFloating {
                    .method = dof.ca.method,
                    .hashAlgo = wanted.algo,