83 lines
3.7 KiB
Diff
83 lines
3.7 KiB
Diff
diff -Naur /nix/store/32wd1lrf55ymaz1aysrqffpxfgkwl6m4-source/src/libstore/build/local-derivation-goal.cc nix3/src/libstore/build/local-derivation-goal.cc
|
||
--- /nix/store/32wd1lrf55ymaz1aysrqffpxfgkwl6m4-source/src/libstore/build/local-derivation-goal.cc 1970-01-01 08:00:01.000000000 +0800
|
||
+++ nix3/src/libstore/build/local-derivation-goal.cc 2021-04-24 16:29:52.493166702 +0800
|
||
@@ -395,6 +395,8 @@
|
||
additionalSandboxProfile = parsedDrv->getStringAttr("__sandboxProfile").value_or("");
|
||
#endif
|
||
|
||
+ networked = parsedDrv->getBoolAttr("__networked");
|
||
+
|
||
/* Are we doing a chroot build? */
|
||
{
|
||
auto noChroot = parsedDrv->getBoolAttr("__noChroot");
|
||
@@ -412,7 +414,7 @@
|
||
else if (settings.sandboxMode == smDisabled)
|
||
useChroot = false;
|
||
else if (settings.sandboxMode == smRelaxed)
|
||
- useChroot = !(derivationIsImpure(derivationType)) && !noChroot;
|
||
+ useChroot = !allowNetwork() && !(derivationIsImpure(derivationType)) && !noChroot;
|
||
}
|
||
|
||
auto & localStore = getLocalStore();
|
||
@@ -623,7 +625,7 @@
|
||
"nogroup:x:65534:\n", sandboxGid()));
|
||
|
||
/* Create /etc/hosts with localhost entry. */
|
||
- if (!(derivationIsImpure(derivationType)))
|
||
+ if (!allowNetwork() && !(derivationIsImpure(derivationType)))
|
||
writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n");
|
||
|
||
/* Make the closure of the inputs available in the chroot,
|
||
@@ -810,7 +812,7 @@
|
||
us.
|
||
*/
|
||
|
||
- if (!(derivationIsImpure(derivationType)))
|
||
+ if (!allowNetwork() && !(derivationIsImpure(derivationType)))
|
||
privateNetwork = true;
|
||
|
||
userNamespaceSync.create();
|
||
@@ -1066,7 +1068,7 @@
|
||
to the builder is generally impure, but the output of
|
||
fixed-output derivations is by definition pure (since we
|
||
already know the cryptographic hash of the output). */
|
||
- if (derivationIsImpure(derivationType)) {
|
||
+ if (allowNetwork() || derivationIsImpure(derivationType)) {
|
||
for (auto & i : parsedDrv->getStringsAttr("impureEnvVars").value_or(Strings()))
|
||
env[i] = getEnv(i).value_or("");
|
||
}
|
||
@@ -1702,7 +1704,7 @@
|
||
/* Fixed-output derivations typically need to access the
|
||
network, so give them access to /etc/resolv.conf and so
|
||
on. */
|
||
- if (derivationIsImpure(derivationType)) {
|
||
+ if (allowNetwork() || derivationIsImpure(derivationType)) {
|
||
// Only use nss functions to resolve hosts and
|
||
// services. Don’t use it for anything else that may
|
||
// be configured for this system. This limits the
|
||
@@ -1943,7 +1945,7 @@
|
||
|
||
sandboxProfile += "(import \"sandbox-defaults.sb\")\n";
|
||
|
||
- if (derivationIsImpure(derivationType))
|
||
+ if (allowNetwork() || derivationIsImpure(derivationType))
|
||
sandboxProfile += "(import \"sandbox-network.sb\")\n";
|
||
|
||
/* Add the output paths we'll use at build-time to the chroot */
|
||
diff -Naur /nix/store/32wd1lrf55ymaz1aysrqffpxfgkwl6m4-source/src/libstore/build/local-derivation-goal.hh nix3/src/libstore/build/local-derivation-goal.hh
|
||
--- /nix/store/32wd1lrf55ymaz1aysrqffpxfgkwl6m4-source/src/libstore/build/local-derivation-goal.hh 1970-01-01 08:00:01.000000000 +0800
|
||
+++ nix3/src/libstore/build/local-derivation-goal.hh 2021-04-24 16:35:23.060968488 +0800
|
||
@@ -40,6 +40,12 @@
|
||
|
||
Path chrootRootDir;
|
||
|
||
+ bool networked;
|
||
+ bool allowNetwork()
|
||
+ {
|
||
+ return derivationIsFixed(drv->type()) || networked;
|
||
+ }
|
||
+
|
||
/* RAII object to delete the chroot directory. */
|
||
std::shared_ptr<AutoDelete> autoDelChroot;
|
||
|