From d096d653cc69118e05f49247ab312d0096b16656 Mon Sep 17 00:00:00 2001
Message-ID: <d096d653cc69118e05f49247ab312d0096b16656.1729457080.git.reepca@russelstein.xyz>
In-Reply-To: <e936861263d9bafdfbe395c12526f2dc48ac17d7.1729457080.git.reepca@russelstein.xyz>
References: <e936861263d9bafdfbe395c12526f2dc48ac17d7.1729457080.git.reepca@russelstein.xyz>
From: Reepca Russelstein <reepca@russelstein.xyz>
Date: Sun, 20 Oct 2024 15:39:02 -0500
Subject: [PATCH 2/2] nix: build: sanitize successful build outputs prior to
exposing them.
|
|
|
|
There is currently a window of time between when the build outputs are exposed
and when their metadata is canonicalized.
|
|
|
|
* nix/libstore/build.cc (DerivationGoal::registerOutputs): wait until after
metadata canonicalization to move successful build outputs to the store.
|
|
|
|
Change-Id: Ia995136f3f965eaf7b0e1d92af964b816f3fb276
---
nix/libstore/build.cc | 23 ++++++++++++++---------
1 file changed, 14 insertions(+), 9 deletions(-)
|
|
|
|
diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
index 67ebfe2f14..43a8a37184 100644
--- a/nix/libstore/build.cc
+++ b/nix/libstore/build.cc
@@ -2369,15 +2369,6 @@ void DerivationGoal::registerOutputs()
Path actualPath = path;
if (useChroot) {
actualPath = chrootRootDir + path;
- if (pathExists(actualPath)) {
- /* Move output paths from the chroot to the store. */
- if (buildMode == bmRepair)
- replaceValidPath(path, actualPath);
- else
- if (buildMode != bmCheck && rename(actualPath.c_str(), path.c_str()) == -1)
- throw SysError(format("moving build output `%1%' from the chroot to the store") % path);
- }
- if (buildMode != bmCheck) actualPath = path;
} else {
Path redirected = redirectedOutputs[path];
if (buildMode == bmRepair
@@ -2463,6 +2454,20 @@ void DerivationGoal::registerOutputs()
canonicalisePathMetaData(actualPath,
buildUser.enabled() && !rewritten ? buildUser.getUID() : -1, inodesSeen);
|
|
|
|
+ if (useChroot) {
+ if (pathExists(actualPath)) {
+ /* Now that output paths have been canonicalized (in particular
+ there are no setuid files left), move them outside of the
+ chroot and to the store. */
+ if (buildMode == bmRepair)
+ replaceValidPath(path, actualPath);
+ else
+ if (buildMode != bmCheck && rename(actualPath.c_str(), path.c_str()) == -1)
+ throw SysError(format("moving build output `%1%' from the chroot to the store") % path);
+ }
+ if (buildMode != bmCheck) actualPath = path;
+ }
+
/* For this output path, find the references to other paths
contained in it. Compute the SHA-256 NAR hash at the same
time. The hash is stored in the database so that we can
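Review bot: The ordering this hunk establishes — canonicalisePathMetaData() on the chroot copy first, rename() into the store second — is the actual fix for the exposure window named in the commit message, but nothing in the code marks it as an invariant, so a later refactor that hoists the move back above the canonicalization (where it sat before) would silently reopen the window; I would put a comment on the new `if (useChroot) {` such as `/* Must stay after canonicalisePathMetaData(): the output is not visible under `path' until its ownership and mode bits have been sanitized. */`. The `pathExists(actualPath)` guard is now evaluated after canonicalisePathMetaData(actualPath) has already run on that same path, so if that call fails on a missing path (not visible here) the guard is dead and could be dropped to keep the block minimal. Because actualPath now keeps its chroot value through the whole stretch between the two hunks in the non-check build modes, whatever in that stretch previously saw the store path (the existence check, the hash rewriting that sets `rewritten`, the inodesSeen bookkeeping) should be re-read against a chroot-relative path; I cannot confirm that from the hunk. DerivationGoal::registerOutputs() begins before the first hunk and continues past this one.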
--
2.45.2