needsNetworkAccess() -> isSandboxed()

This commit is contained in:
Eelco Dolstra 2022-03-31 16:06:40 +02:00
parent 4e043c2f32
commit e279fbb16a
4 changed files with 17 additions and 15 deletions

View file

@ -955,7 +955,7 @@ void DerivationGoal::buildDone()
st = st =
dynamic_cast<NotDeterministic*>(&e) ? BuildResult::NotDeterministic : dynamic_cast<NotDeterministic*>(&e) ? BuildResult::NotDeterministic :
statusOk(status) ? BuildResult::OutputRejected : statusOk(status) ? BuildResult::OutputRejected :
derivationType.needsNetworkAccess() || diskFull ? BuildResult::TransientFailure : !derivationType.isSandboxed() || diskFull ? BuildResult::TransientFailure :
BuildResult::PermanentFailure; BuildResult::PermanentFailure;
} }

View file

@ -395,7 +395,7 @@ void LocalDerivationGoal::startBuilder()
else if (settings.sandboxMode == smDisabled) else if (settings.sandboxMode == smDisabled)
useChroot = false; useChroot = false;
else if (settings.sandboxMode == smRelaxed) else if (settings.sandboxMode == smRelaxed)
useChroot = !derivationType.needsNetworkAccess() && !noChroot; useChroot = derivationType.isSandboxed() && !noChroot;
} }
auto & localStore = getLocalStore(); auto & localStore = getLocalStore();
@ -608,7 +608,7 @@ void LocalDerivationGoal::startBuilder()
"nogroup:x:65534:\n", sandboxGid())); "nogroup:x:65534:\n", sandboxGid()));
/* Create /etc/hosts with localhost entry. */ /* Create /etc/hosts with localhost entry. */
if (!derivationType.needsNetworkAccess()) if (derivationType.isSandboxed())
writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n"); writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n");
/* Make the closure of the inputs available in the chroot, /* Make the closure of the inputs available in the chroot,
@ -796,7 +796,7 @@ void LocalDerivationGoal::startBuilder()
us. us.
*/ */
if (!derivationType.needsNetworkAccess()) if (derivationType.isSandboxed())
privateNetwork = true; privateNetwork = true;
userNamespaceSync.create(); userNamespaceSync.create();
@ -1060,7 +1060,7 @@ void LocalDerivationGoal::initEnv()
to the builder is generally impure, but the output of to the builder is generally impure, but the output of
fixed-output derivations is by definition pure (since we fixed-output derivations is by definition pure (since we
already know the cryptographic hash of the output). */ already know the cryptographic hash of the output). */
if (derivationType.needsNetworkAccess()) { if (!derivationType.isSandboxed()) {
for (auto & i : parsedDrv->getStringsAttr("impureEnvVars").value_or(Strings())) for (auto & i : parsedDrv->getStringsAttr("impureEnvVars").value_or(Strings()))
env[i] = getEnv(i).value_or(""); env[i] = getEnv(i).value_or("");
} }
@ -1674,7 +1674,7 @@ void LocalDerivationGoal::runChild()
/* Fixed-output derivations typically need to access the /* Fixed-output derivations typically need to access the
network, so give them access to /etc/resolv.conf and so network, so give them access to /etc/resolv.conf and so
on. */ on. */
if (derivationType.needsNetworkAccess()) { if (!derivationType.isSandboxed()) {
// Only use nss functions to resolve hosts and // Only use nss functions to resolve hosts and
// services. Dont use it for anything else that may // services. Dont use it for anything else that may
// be configured for this system. This limits the // be configured for this system. This limits the
@ -1918,7 +1918,7 @@ void LocalDerivationGoal::runChild()
sandboxProfile += "(import \"sandbox-defaults.sb\")\n"; sandboxProfile += "(import \"sandbox-defaults.sb\")\n";
if (derivationType.needsNetworkAccess()) if (!derivationType.isSandboxed())
sandboxProfile += "(import \"sandbox-network.sb\")\n"; sandboxProfile += "(import \"sandbox-network.sb\")\n";
/* Add the output paths we'll use at build-time to the chroot */ /* Add the output paths we'll use at build-time to the chroot */

View file

@ -90,17 +90,17 @@ bool DerivationType::hasKnownOutputPaths() const
} }
bool DerivationType::needsNetworkAccess() const bool DerivationType::isSandboxed() const
{ {
return std::visit(overloaded { return std::visit(overloaded {
[](const InputAddressed & ia) { [](const InputAddressed & ia) {
return false; return true;
}, },
[](const ContentAddressed & ca) { [](const ContentAddressed & ca) {
return !ca.pure; return ca.pure;
}, },
[](const Impure &) { [](const Impure &) {
return true; return false;
}, },
}, raw()); }, raw());
} }

View file

@ -130,10 +130,12 @@ struct DerivationType : _DerivationTypeRaw {
non-CA derivations. */ non-CA derivations. */
bool isFixed() const; bool isFixed() const;
/* Whether the derivation needs to access the network. Note that /* Whether the derivation is fully sandboxed. If false, the
whether or not we actually sandbox the derivation is controlled sandbox is opened up, e.g. the derivation has access to the
separately. Never true for non-CA derivations. */ network. Note that whether or not we actually sandbox the
bool needsNetworkAccess() const; derivation is controlled separately. Always true for non-CA
derivations. */
bool isSandboxed() const;
/* Whether the derivation is expected to produce the same result /* Whether the derivation is expected to produce the same result
every time, and therefore it only needs to be built once. This every time, and therefore it only needs to be built once. This