81 lines
3.5 KiB
Diff
81 lines
3.5 KiB
Diff
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
|
||
index 4c91fa4fb..e2139d6c6 100644
|
||
--- a/src/libstore/build/local-derivation-goal.cc
|
||
+++ b/src/libstore/build/local-derivation-goal.cc
|
||
@@ -378,6 +378,8 @@ void LocalDerivationGoal::startBuilder()
|
||
additionalSandboxProfile = parsedDrv->getStringAttr("__sandboxProfile").value_or("");
|
||
#endif
|
||
|
||
+ networked = parsedDrv->getBoolAttr("__networked");
|
||
+
|
||
/* Are we doing a chroot build? */
|
||
{
|
||
auto noChroot = parsedDrv->getBoolAttr("__noChroot");
|
||
@@ -395,7 +397,7 @@ void LocalDerivationGoal::startBuilder()
|
||
else if (settings.sandboxMode == smDisabled)
|
||
useChroot = false;
|
||
else if (settings.sandboxMode == smRelaxed)
|
||
- useChroot = derivationType.isSandboxed() && !noChroot;
|
||
+ useChroot = !networked && derivationType.isSandboxed() && !noChroot;
|
||
}
|
||
|
||
auto & localStore = getLocalStore();
|
||
@@ -608,7 +610,7 @@ void LocalDerivationGoal::startBuilder()
|
||
"nogroup:x:65534:\n", sandboxGid()));
|
||
|
||
/* Create /etc/hosts with localhost entry. */
|
||
- if (derivationType.isSandboxed())
|
||
+ if (!networked && derivationType.isSandboxed())
|
||
writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n");
|
||
|
||
/* Make the closure of the inputs available in the chroot,
|
||
@@ -799,7 +801,7 @@ void LocalDerivationGoal::startBuilder()
|
||
us.
|
||
*/
|
||
|
||
- if (derivationType.isSandboxed())
|
||
+ if (!networked && derivationType.isSandboxed())
|
||
privateNetwork = true;
|
||
|
||
userNamespaceSync.create();
|
||
@@ -1063,7 +1065,7 @@ void LocalDerivationGoal::initEnv()
|
||
to the builder is generally impure, but the output of
|
||
fixed-output derivations is by definition pure (since we
|
||
already know the cryptographic hash of the output). */
|
||
- if (!derivationType.isSandboxed()) {
|
||
+ if (networked || !derivationType.isSandboxed()) {
|
||
for (auto & i : parsedDrv->getStringsAttr("impureEnvVars").value_or(Strings()))
|
||
env[i] = getEnv(i).value_or("");
|
||
}
|
||
@@ -1677,7 +1679,7 @@ void LocalDerivationGoal::runChild()
|
||
/* Fixed-output derivations typically need to access the
|
||
network, so give them access to /etc/resolv.conf and so
|
||
on. */
|
||
- if (!derivationType.isSandboxed()) {
|
||
+ if (networked || !derivationType.isSandboxed()) {
|
||
// Only use nss functions to resolve hosts and
|
||
// services. Don’t use it for anything else that may
|
||
// be configured for this system. This limits the
|
||
@@ -1921,7 +1923,7 @@ void LocalDerivationGoal::runChild()
|
||
|
||
sandboxProfile += "(import \"sandbox-defaults.sb\")\n";
|
||
|
||
- if (!derivationType.isSandboxed())
|
||
+ if (networked || !derivationType.isSandboxed())
|
||
sandboxProfile += "(import \"sandbox-network.sb\")\n";
|
||
|
||
/* Add the output paths we'll use at build-time to the chroot */
|
||
diff --git a/src/libstore/build/local-derivation-goal.hh b/src/libstore/build/local-derivation-goal.hh
|
||
index d456e9cae..0b43a6bd4 100644
|
||
--- a/src/libstore/build/local-derivation-goal.hh
|
||
+++ b/src/libstore/build/local-derivation-goal.hh
|
||
@@ -41,6 +41,8 @@ struct LocalDerivationGoal : public DerivationGoal
|
||
|
||
Path chrootRootDir;
|
||
|
||
+ bool networked;
|
||
+
|
||
/* RAII object to delete the chroot directory. */
|
||
std::shared_ptr<AutoDelete> autoDelChroot;
|
||
|