mirror of
https://github.com/NixOS/nix
synced 2025-06-25 06:31:14 +02:00
If a build directory is accessible to other users it is possible to smuggle data in and out of build directories. Usually this is only a build purity problem, but in combination with other issues it can be used to break out of a build sandbox. To prevent this we default to using a subdirectory of nixStateDir (which is more restrictive). (cherry picked from pennae Lix commit 55b416f6897fb0d8a9315a530a9b7f0914458ded) (store setting done by roberth)
20 lines
690 B
Bash
# shellcheck shell=bash

# All variables should be defined externally by the scripts that source
# this, `set -u` will catch any that are forgotten.
# shellcheck disable=SC2154

requireSandboxSupport
requiresUnprivilegedUserNamespaces
[[ "$busybox" =~ busybox ]] || skipTest "no busybox"

unset NIX_STORE_DIR

remoteDir=$TEST_ROOT/remote

# Note: ssh{-ng}://localhost bypasses ssh. See tests/functional/build-remote.sh for
# more details.
nix-build "$file" -o "$TEST_ROOT/result" --max-jobs 0 \
    --arg busybox "$busybox" \
    --store "$TEST_ROOT/local" \
    --builders "$proto://localhost?remote-program=$prog&remote-store=${remoteDir}%3Fsystem-features=foo%20bar%20baz - - 1 1 foo,bar,baz"
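The commit message above rests on one property: a build directory is shielded from other users when some component on its path denies them search permission. The following audit helper is an added example, not part of the Nix repository or of this commit; the function names `nearest_private_component` and `audit_build_dir` are hypothetical, and it assumes a `stat` that supports `-c` and inspects classic mode bits only (POSIX ACLs are not considered).

```bash
# Added example, not from the Nix repository. Function names are hypothetical.
# Assumes GNU or busybox `stat -c`; only mode bits are checked, not ACLs.

# Print the nearest path component (DIR itself, then each ancestor) that
# grants search permission to neither group nor others.
# Returns 0 when such a component exists (other users cannot reach DIR),
# 1 when every component up to / is traversable, 2 on error.
nearest_private_component() {
    npc_dir=$(cd -P -- "$1" 2>/dev/null && pwd -P) || return 2
    while :; do
        npc_mode=$(stat -c '%a' "$npc_dir") || return 2
        # Octal 011 = group-execute | other-execute (directory search bits).
        if [ $(( 0$npc_mode & 011 )) -eq 0 ]; then
            printf '%s\n' "$npc_dir"
            return 0
        fi
        [ "$npc_dir" = / ] && return 1
        npc_dir=$(dirname "$npc_dir")
    done
}

# Report whether a build directory is shielded from other local users.
audit_build_dir() {
    if abd_blocker=$(nearest_private_component "$1"); then
        printf 'ok: %s is shielded by %s\n' "$1" "$abd_blocker"
    else
        printf 'EXPOSED: %s is reachable by other users\n' "$1"
        return 1
    fi
}
```

A build directory placed under a mode-700 parent, as with the restrictive state subdirectory the commit describes, passes even when the build directory itself is mode 755.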