81 lines
3.4 KiB
Diff
81 lines
3.4 KiB
Diff
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
|
||
index 61ee5d7aa..f38684973 100644
|
||
--- a/src/libstore/build/local-derivation-goal.cc
|
||
+++ b/src/libstore/build/local-derivation-goal.cc
|
||
@@ -176,6 +176,8 @@ void LocalDerivationGoal::tryLocalBuild() {
|
||
return;
|
||
}
|
||
|
||
+ networked = parsedDrv->getBoolAttr("__networked");
|
||
+
|
||
/* Are we doing a chroot build? */
|
||
{
|
||
auto noChroot = parsedDrv->getBoolAttr("__noChroot");
|
||
@@ -193,7 +195,7 @@ void LocalDerivationGoal::tryLocalBuild() {
|
||
else if (settings.sandboxMode == smDisabled)
|
||
useChroot = false;
|
||
else if (settings.sandboxMode == smRelaxed)
|
||
- useChroot = derivationType.isSandboxed() && !noChroot;
|
||
+ useChroot = !networked && derivationType.isSandboxed() && !noChroot;
|
||
}
|
||
|
||
auto & localStore = getLocalStore();
|
||
@@ -677,7 +679,7 @@ void LocalDerivationGoal::startBuilder()
|
||
"nogroup:x:65534:\n", sandboxGid()));
|
||
|
||
/* Create /etc/hosts with localhost entry. */
|
||
- if (derivationType.isSandboxed())
|
||
+ if (!networked && derivationType.isSandboxed())
|
||
writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n");
|
||
|
||
/* Make the closure of the inputs available in the chroot,
|
||
@@ -884,7 +886,7 @@ void LocalDerivationGoal::startBuilder()
|
||
us.
|
||
*/
|
||
|
||
- if (derivationType.isSandboxed())
|
||
+ if (!networked && derivationType.isSandboxed())
|
||
privateNetwork = true;
|
||
|
||
userNamespaceSync.create();
|
||
@@ -1179,7 +1181,7 @@ void LocalDerivationGoal::initEnv()
|
||
to the builder is generally impure, but the output of
|
||
fixed-output derivations is by definition pure (since we
|
||
already know the cryptographic hash of the output). */
|
||
- if (!derivationType.isSandboxed()) {
|
||
+ if (networked || !derivationType.isSandboxed()) {
|
||
for (auto & i : parsedDrv->getStringsAttr("impureEnvVars").value_or(Strings()))
|
||
env[i] = getEnv(i).value_or("");
|
||
}
|
||
@@ -1811,7 +1813,7 @@ void LocalDerivationGoal::runChild()
|
||
/* Fixed-output derivations typically need to access the
|
||
network, so give them access to /etc/resolv.conf and so
|
||
on. */
|
||
- if (!derivationType.isSandboxed()) {
|
||
+ if (networked || !derivationType.isSandboxed()) {
|
||
// Only use nss functions to resolve hosts and
|
||
// services. Don’t use it for anything else that may
|
||
// be configured for this system. This limits the
|
||
@@ -2059,7 +2061,7 @@ void LocalDerivationGoal::runChild()
|
||
#include "sandbox-defaults.sb"
|
||
;
|
||
|
||
- if (!derivationType.isSandboxed())
|
||
+ if (networked || !derivationType.isSandboxed())
|
||
sandboxProfile +=
|
||
#include "sandbox-network.sb"
|
||
;
|
||
diff --git a/src/libstore/build/local-derivation-goal.hh b/src/libstore/build/local-derivation-goal.hh
|
||
index 34c4e9187..c4c26fd6f 100644
|
||
--- a/src/libstore/build/local-derivation-goal.hh
|
||
+++ b/src/libstore/build/local-derivation-goal.hh
|
||
@@ -44,6 +44,8 @@ struct LocalDerivationGoal : public DerivationGoal
|
||
|
||
Path chrootRootDir;
|
||
|
||
+ bool networked;
|
||
+
|
||
/* RAII object to delete the chroot directory. */
|
||
std::shared_ptr<AutoDelete> autoDelChroot;
|
||
|