From e279fbb16a99896101006ec00277a5d9d50f5040 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra <edolstra@gmail.com>
Date: Thu, 31 Mar 2022 16:06:40 +0200
Subject: [PATCH] needsNetworkAccess() -> isSandboxed()

---
 src/libstore/build/derivation-goal.cc       |  2 +-
 src/libstore/build/local-derivation-goal.cc | 12 ++++++------
 src/libstore/derivations.cc                 |  8 ++++----
 src/libstore/derivations.hh                 | 10 ++++++----
 4 files changed, 17 insertions(+), 15 deletions(-)

diff --git a/src/libstore/build/derivation-goal.cc b/src/libstore/build/derivation-goal.cc
index 542a6f6ea..6582497bd 100644
--- a/src/libstore/build/derivation-goal.cc
+++ b/src/libstore/build/derivation-goal.cc
@@ -955,7 +955,7 @@ void DerivationGoal::buildDone()
             st =
                 dynamic_cast<NotDeterministic*>(&e) ? BuildResult::NotDeterministic :
                 statusOk(status) ? BuildResult::OutputRejected :
-                derivationType.needsNetworkAccess() || diskFull ? BuildResult::TransientFailure :
+                !derivationType.isSandboxed() || diskFull ? BuildResult::TransientFailure :
                 BuildResult::PermanentFailure;
         }
 
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index 108c661c0..40ef706a6 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -395,7 +395,7 @@ void LocalDerivationGoal::startBuilder()
         else if (settings.sandboxMode == smDisabled)
             useChroot = false;
         else if (settings.sandboxMode == smRelaxed)
-            useChroot = !derivationType.needsNetworkAccess() && !noChroot;
+            useChroot = derivationType.isSandboxed() && !noChroot;
     }
 
     auto & localStore = getLocalStore();
@@ -608,7 +608,7 @@ void LocalDerivationGoal::startBuilder()
                 "nogroup:x:65534:\n", sandboxGid()));
 
         /* Create /etc/hosts with localhost entry. */
-        if (!derivationType.needsNetworkAccess())
+        if (derivationType.isSandboxed())
             writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n");
 
         /* Make the closure of the inputs available in the chroot,
@@ -796,7 +796,7 @@ void LocalDerivationGoal::startBuilder()
            us.
         */
 
-        if (!derivationType.needsNetworkAccess())
+        if (derivationType.isSandboxed())
             privateNetwork = true;
 
         userNamespaceSync.create();
@@ -1060,7 +1060,7 @@ void LocalDerivationGoal::initEnv()
        to the builder is generally impure, but the output of
        fixed-output derivations is by definition pure (since we
        already know the cryptographic hash of the output). */
-    if (derivationType.needsNetworkAccess()) {
+    if (!derivationType.isSandboxed()) {
         for (auto & i : parsedDrv->getStringsAttr("impureEnvVars").value_or(Strings()))
             env[i] = getEnv(i).value_or("");
     }
@@ -1674,7 +1674,7 @@ void LocalDerivationGoal::runChild()
             /* Fixed-output derivations typically need to access the
                network, so give them access to /etc/resolv.conf and so
                on. */
-            if (derivationType.needsNetworkAccess()) {
+            if (!derivationType.isSandboxed()) {
                 // Only use nss functions to resolve hosts and
                 // services. Don’t use it for anything else that may
                 // be configured for this system. This limits the
@@ -1918,7 +1918,7 @@ void LocalDerivationGoal::runChild()
 
                 sandboxProfile += "(import \"sandbox-defaults.sb\")\n";
 
-                if (derivationType.needsNetworkAccess())
+                if (!derivationType.isSandboxed())
                     sandboxProfile += "(import \"sandbox-network.sb\")\n";
 
                 /* Add the output paths we'll use at build-time to the chroot */
diff --git a/src/libstore/derivations.cc b/src/libstore/derivations.cc
index 75e0178bb..b4fb77f9f 100644
--- a/src/libstore/derivations.cc
+++ b/src/libstore/derivations.cc
@@ -90,17 +90,17 @@ bool DerivationType::hasKnownOutputPaths() const
 }
 
 
-bool DerivationType::needsNetworkAccess() const
+bool DerivationType::isSandboxed() const
 {
     return std::visit(overloaded {
         [](const InputAddressed & ia) {
-            return false;
+            return true;
         },
         [](const ContentAddressed & ca) {
-            return !ca.pure;
+            return ca.pure;
         },
         [](const Impure &) {
-            return true;
+            return false;
         },
     }, raw());
 }
diff --git a/src/libstore/derivations.hh b/src/libstore/derivations.hh
index 98e59b64e..489948c30 100644
--- a/src/libstore/derivations.hh
+++ b/src/libstore/derivations.hh
@@ -130,10 +130,12 @@ struct DerivationType : _DerivationTypeRaw {
        non-CA derivations. */
     bool isFixed() const;
 
-    /* Whether the derivation needs to access the network. Note that
-       whether or not we actually sandbox the derivation is controlled
-       separately. Never true for non-CA derivations. */
-    bool needsNetworkAccess() const;
+    /* Whether the derivation is fully sandboxed. If false, the
+       sandbox is opened up, e.g. the derivation has access to the
+       network. Note that whether or not we actually sandbox the
+       derivation is controlled separately. Always true for non-CA
+       derivations. */
+    bool isSandboxed() const;
 
     /* Whether the derivation is expected to produce the same result
        every time, and therefore it only needs to be built once. This