forked from lix-project/lix
AutoUserLock: If sandboxing is disabled, use the build users group
We have to use a gid that has write access to the Nix store.
This commit is contained in:
parent
82d5cf2a76
commit
9d17ce07e8
3 changed files with 44 additions and 40 deletions
|
@ -177,9 +177,38 @@ void LocalDerivationGoal::tryLocalBuild() {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Are we doing a chroot build? */
|
||||||
|
{
|
||||||
|
auto noChroot = parsedDrv->getBoolAttr("__noChroot");
|
||||||
|
if (settings.sandboxMode == smEnabled) {
|
||||||
|
if (noChroot)
|
||||||
|
throw Error("derivation '%s' has '__noChroot' set, "
|
||||||
|
"but that's not allowed when 'sandbox' is 'true'", worker.store.printStorePath(drvPath));
|
||||||
|
#if __APPLE__
|
||||||
|
if (additionalSandboxProfile != "")
|
||||||
|
throw Error("derivation '%s' specifies a sandbox profile, "
|
||||||
|
"but this is only allowed when 'sandbox' is 'relaxed'", worker.store.printStorePath(drvPath));
|
||||||
|
#endif
|
||||||
|
useChroot = true;
|
||||||
|
}
|
||||||
|
else if (settings.sandboxMode == smDisabled)
|
||||||
|
useChroot = false;
|
||||||
|
else if (settings.sandboxMode == smRelaxed)
|
||||||
|
useChroot = derivationType.isSandboxed() && !noChroot;
|
||||||
|
}
|
||||||
|
|
||||||
|
auto & localStore = getLocalStore();
|
||||||
|
if (localStore.storeDir != localStore.realStoreDir.get()) {
|
||||||
|
#if __linux__
|
||||||
|
useChroot = true;
|
||||||
|
#else
|
||||||
|
throw Error("building using a diverted store is not supported on this platform");
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
if (useBuildUsers()) {
|
if (useBuildUsers()) {
|
||||||
if (!buildUser)
|
if (!buildUser)
|
||||||
buildUser = acquireUserLock(parsedDrv->useUidRange() ? 65536 : 1);
|
buildUser = acquireUserLock(parsedDrv->useUidRange() ? 65536 : 1, useChroot);
|
||||||
|
|
||||||
if (!buildUser) {
|
if (!buildUser) {
|
||||||
if (!actLock)
|
if (!actLock)
|
||||||
|
@ -433,35 +462,6 @@ void LocalDerivationGoal::startBuilder()
|
||||||
additionalSandboxProfile = parsedDrv->getStringAttr("__sandboxProfile").value_or("");
|
additionalSandboxProfile = parsedDrv->getStringAttr("__sandboxProfile").value_or("");
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* Are we doing a chroot build? */
|
|
||||||
{
|
|
||||||
auto noChroot = parsedDrv->getBoolAttr("__noChroot");
|
|
||||||
if (settings.sandboxMode == smEnabled) {
|
|
||||||
if (noChroot)
|
|
||||||
throw Error("derivation '%s' has '__noChroot' set, "
|
|
||||||
"but that's not allowed when 'sandbox' is 'true'", worker.store.printStorePath(drvPath));
|
|
||||||
#if __APPLE__
|
|
||||||
if (additionalSandboxProfile != "")
|
|
||||||
throw Error("derivation '%s' specifies a sandbox profile, "
|
|
||||||
"but this is only allowed when 'sandbox' is 'relaxed'", worker.store.printStorePath(drvPath));
|
|
||||||
#endif
|
|
||||||
useChroot = true;
|
|
||||||
}
|
|
||||||
else if (settings.sandboxMode == smDisabled)
|
|
||||||
useChroot = false;
|
|
||||||
else if (settings.sandboxMode == smRelaxed)
|
|
||||||
useChroot = derivationType.isSandboxed() && !noChroot;
|
|
||||||
}
|
|
||||||
|
|
||||||
auto & localStore = getLocalStore();
|
|
||||||
if (localStore.storeDir != localStore.realStoreDir.get()) {
|
|
||||||
#if __linux__
|
|
||||||
useChroot = true;
|
|
||||||
#else
|
|
||||||
throw Error("building using a diverted store is not supported on this platform");
|
|
||||||
#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Create a temporary directory where the build will take
|
/* Create a temporary directory where the build will take
|
||||||
place. */
|
place. */
|
||||||
tmpDir = createTempDir("", "nix-build-" + std::string(drvPath.name()), false, false, 0700);
|
tmpDir = createTempDir("", "nix-build-" + std::string(drvPath.name()), false, false, 0700);
|
||||||
|
|
|
@ -109,22 +109,18 @@ struct AutoUserLock : UserLock
|
||||||
{
|
{
|
||||||
AutoCloseFD fdUserLock;
|
AutoCloseFD fdUserLock;
|
||||||
uid_t firstUid = 0;
|
uid_t firstUid = 0;
|
||||||
|
gid_t firstGid = 0;
|
||||||
uid_t nrIds = 1;
|
uid_t nrIds = 1;
|
||||||
|
|
||||||
uid_t getUID() override { assert(firstUid); return firstUid; }
|
uid_t getUID() override { assert(firstUid); return firstUid; }
|
||||||
|
|
||||||
gid_t getUIDCount() override { return nrIds; }
|
gid_t getUIDCount() override { return nrIds; }
|
||||||
|
|
||||||
gid_t getGID() override
|
gid_t getGID() override { assert(firstGid); return firstGid; }
|
||||||
{
|
|
||||||
// We use the same GID ranges as for the UIDs.
|
|
||||||
assert(firstUid);
|
|
||||||
return firstUid;
|
|
||||||
}
|
|
||||||
|
|
||||||
std::vector<gid_t> getSupplementaryGIDs() override { return {}; }
|
std::vector<gid_t> getSupplementaryGIDs() override { return {}; }
|
||||||
|
|
||||||
static std::unique_ptr<UserLock> acquire(uid_t nrIds)
|
static std::unique_ptr<UserLock> acquire(uid_t nrIds, bool useChroot)
|
||||||
{
|
{
|
||||||
settings.requireExperimentalFeature(Xp::AutoAllocateUids);
|
settings.requireExperimentalFeature(Xp::AutoAllocateUids);
|
||||||
assert(settings.startId > 0);
|
assert(settings.startId > 0);
|
||||||
|
@ -154,6 +150,14 @@ struct AutoUserLock : UserLock
|
||||||
auto lock = std::make_unique<AutoUserLock>();
|
auto lock = std::make_unique<AutoUserLock>();
|
||||||
lock->fdUserLock = std::move(fd);
|
lock->fdUserLock = std::move(fd);
|
||||||
lock->firstUid = settings.startId + i * maxIdsPerBuild;
|
lock->firstUid = settings.startId + i * maxIdsPerBuild;
|
||||||
|
if (useChroot)
|
||||||
|
lock->firstGid = lock->firstUid;
|
||||||
|
else {
|
||||||
|
struct group * gr = getgrnam(settings.buildUsersGroup.get().c_str());
|
||||||
|
if (!gr)
|
||||||
|
throw Error("the group '%s' specified in 'build-users-group' does not exist", settings.buildUsersGroup);
|
||||||
|
lock->firstGid = gr->gr_gid;
|
||||||
|
}
|
||||||
lock->nrIds = nrIds;
|
lock->nrIds = nrIds;
|
||||||
return lock;
|
return lock;
|
||||||
}
|
}
|
||||||
|
@ -163,10 +167,10 @@ struct AutoUserLock : UserLock
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
std::unique_ptr<UserLock> acquireUserLock(uid_t nrIds)
|
std::unique_ptr<UserLock> acquireUserLock(uid_t nrIds, bool useChroot)
|
||||||
{
|
{
|
||||||
if (settings.autoAllocateUids)
|
if (settings.autoAllocateUids)
|
||||||
return AutoUserLock::acquire(nrIds);
|
return AutoUserLock::acquire(nrIds, useChroot);
|
||||||
else
|
else
|
||||||
return SimpleUserLock::acquire();
|
return SimpleUserLock::acquire();
|
||||||
}
|
}
|
||||||
|
|
|
@ -31,7 +31,7 @@ struct UserLock
|
||||||
|
|
||||||
/* Acquire a user lock for a UID range of size `nrIds`. Note that this
|
/* Acquire a user lock for a UID range of size `nrIds`. Note that this
|
||||||
may return nullptr if no user is available. */
|
may return nullptr if no user is available. */
|
||||||
std::unique_ptr<UserLock> acquireUserLock(uid_t nrIds);
|
std::unique_ptr<UserLock> acquireUserLock(uid_t nrIds, bool useChroot);
|
||||||
|
|
||||||
bool useBuildUsers();
|
bool useBuildUsers();
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue