it-infra/nixbld-etc-nixos/nix-3-networked-derivations.patch

83 lines
3.7 KiB
Diff
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

diff -Naur /nix/store/32wd1lrf55ymaz1aysrqffpxfgkwl6m4-source/src/libstore/build/local-derivation-goal.cc nix3/src/libstore/build/local-derivation-goal.cc
--- /nix/store/32wd1lrf55ymaz1aysrqffpxfgkwl6m4-source/src/libstore/build/local-derivation-goal.cc 1970-01-01 08:00:01.000000000 +0800
+++ nix3/src/libstore/build/local-derivation-goal.cc 2021-04-24 16:29:52.493166702 +0800
@@ -395,6 +395,8 @@
additionalSandboxProfile = parsedDrv->getStringAttr("__sandboxProfile").value_or("");
#endif
+ networked = parsedDrv->getBoolAttr("__networked");
+
/* Are we doing a chroot build? */
{
auto noChroot = parsedDrv->getBoolAttr("__noChroot");
@@ -412,7 +414,7 @@
else if (settings.sandboxMode == smDisabled)
useChroot = false;
else if (settings.sandboxMode == smRelaxed)
- useChroot = !(derivationIsImpure(derivationType)) && !noChroot;
+ useChroot = !allowNetwork() && !(derivationIsImpure(derivationType)) && !noChroot;
}
auto & localStore = getLocalStore();
@@ -623,7 +625,7 @@
"nogroup:x:65534:\n", sandboxGid()));
/* Create /etc/hosts with localhost entry. */
- if (!(derivationIsImpure(derivationType)))
+ if (!allowNetwork() && !(derivationIsImpure(derivationType)))
writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n");
/* Make the closure of the inputs available in the chroot,
@@ -810,7 +812,7 @@
us.
*/
- if (!(derivationIsImpure(derivationType)))
+ if (!allowNetwork() && !(derivationIsImpure(derivationType)))
privateNetwork = true;
userNamespaceSync.create();
@@ -1066,7 +1068,7 @@
to the builder is generally impure, but the output of
fixed-output derivations is by definition pure (since we
already know the cryptographic hash of the output). */
- if (derivationIsImpure(derivationType)) {
+ if (allowNetwork() || derivationIsImpure(derivationType)) {
for (auto & i : parsedDrv->getStringsAttr("impureEnvVars").value_or(Strings()))
env[i] = getEnv(i).value_or("");
}
@@ -1702,7 +1704,7 @@
/* Fixed-output derivations typically need to access the
network, so give them access to /etc/resolv.conf and so
on. */
- if (derivationIsImpure(derivationType)) {
+ if (allowNetwork() || derivationIsImpure(derivationType)) {
// Only use nss functions to resolve hosts and
// services. Dont use it for anything else that may
// be configured for this system. This limits the
@@ -1943,7 +1945,7 @@
sandboxProfile += "(import \"sandbox-defaults.sb\")\n";
- if (derivationIsImpure(derivationType))
+ if (allowNetwork() || derivationIsImpure(derivationType))
sandboxProfile += "(import \"sandbox-network.sb\")\n";
/* Add the output paths we'll use at build-time to the chroot */
diff -Naur /nix/store/32wd1lrf55ymaz1aysrqffpxfgkwl6m4-source/src/libstore/build/local-derivation-goal.hh nix3/src/libstore/build/local-derivation-goal.hh
--- /nix/store/32wd1lrf55ymaz1aysrqffpxfgkwl6m4-source/src/libstore/build/local-derivation-goal.hh 1970-01-01 08:00:01.000000000 +0800
+++ nix3/src/libstore/build/local-derivation-goal.hh 2021-04-24 16:35:23.060968488 +0800
@@ -40,6 +40,12 @@
Path chrootRootDir;
+ bool networked;
+ bool allowNetwork()
+ {
+ return derivationIsFixed(drv->type()) || networked;
+ }
+
/* RAII object to delete the chroot directory. */
std::shared_ptr<AutoDelete> autoDelChroot;