diff --git a/.gitignore b/.gitignore index 4f7e668e7..60bd7d064 100644 --- a/.gitignore +++ b/.gitignore @@ -48,8 +48,8 @@ perl/Makefile.config /src/libexpr/nix.tbl # /src/libstore/ -/src/libstore/schema.sql.hh -/src/libstore/sandbox-defaults.sb +/src/libstore/schema.sql.gen.hh +/src/libstore/sandbox-defaults.sb.gen.hh /src/nix/nix diff --git a/src/libstore/build.cc b/src/libstore/build.cc index 46ce562f7..92471b228 100644 --- a/src/libstore/build.cc +++ b/src/libstore/build.cc @@ -2656,9 +2656,9 @@ void DerivationGoal::runChild() sandboxProfile += "(deny default (with no-log))\n"; } - /* Disallow creating setuid/setgid binaries, since that - would allow breaking build user isolation. */ - sandboxProfile += "(deny file-write-setugid)\n"; + sandboxProfile += +#include "sandbox-defaults.sb.gen.hh" + ; /* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms to find temporary directories, so we want to open up a broader place for them to dump their files, if needed. */ diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc index 5b03e86f3..a226e0110 100644 --- a/src/libstore/local-store.cc +++ b/src/libstore/local-store.cc @@ -320,7 +320,7 @@ void LocalStore::openDB(State & state, bool create) /* Initialise the database schema, if necessary. */ if (create) { const char * schema = -#include "schema.sql.hh" +#include "schema.sql.gen.hh" ; db.exec(schema); } diff --git a/src/libstore/local.mk b/src/libstore/local.mk index ffdb55abc..7bc69f65d 100644 --- a/src/libstore/local.mk +++ b/src/libstore/local.mk @@ -34,12 +34,16 @@ libstore_CXXFLAGS = \ -DSANDBOX_SHELL="\"$(sandbox_shell)\"" \ -DLSOF=\"$(lsof)\" -$(d)/local-store.cc: $(d)/schema.sql.hh +$(d)/local-store.cc: $(d)/schema.sql.gen.hh -%.sql.hh: %.sql - $(trace-gen) sed -e 's/"/\\"/g' -e 's/\(.*\)/"\1\\n"/' < $< > $@ || (rm $@ && exit 1) +$(d)/build.cc: $(d)/sandbox-defaults.sb.gen.hh -clean-files += $(d)/schema.sql.hh +%.gen.hh: % + echo 'R"foo(' >> $@.tmp + cat $< >> $@.tmp + echo ')foo"' >> $@.tmp + mv $@.tmp $@ + +clean-files += $(d)/schema.sql.gen.hh $(d)/sandbox-defaults.sb.gen.hh $(eval $(call install-file-in, $(d)/nix-store.pc, $(prefix)/lib/pkgconfig, 0644)) -$(eval $(call install-file-in, $(d)/sandbox-defaults.sb, $(datadir)/nix, 0644)) diff --git a/src/libstore/sandbox-defaults.sb.in b/src/libstore/sandbox-defaults.sb similarity index 90% rename from src/libstore/sandbox-defaults.sb.in rename to src/libstore/sandbox-defaults.sb index b5e80085f..6bd15603e 100644 --- a/src/libstore/sandbox-defaults.sb.in +++ b/src/libstore/sandbox-defaults.sb @@ -28,15 +28,10 @@ (allow file-read-metadata (literal "/var") (literal "/tmp") - ; symlinks - (literal "@sysconfdir@") - (literal "@sysconfdir@/nix") - (literal "@sysconfdir@/nix/nix.conf") (literal "/etc/resolv.conf") (literal "/private/etc/resolv.conf")) (allow file-read* - (literal "/private@sysconfdir@/nix/nix.conf") (literal "/private/var/run/resolv.conf")) ; some builders use filehandles other than stdin/stdout @@ -61,3 +56,7 @@ ; allow local networking (allow network* (local ip) (remote unix-socket)) + +; Disallow creating setuid/setgid binaries, since that +; would allow breaking build user isolation. +(deny file-write-setugid)