Merge pull request #1 from shlevy/sandbox-profiles

Use AutoDelete for sandbox profile file
Jude Taylor 2015-11-17 10:08:47 -08:00
commit 36f7fcc157
3 changed files with 24 additions and 5 deletions


@ -778,9 +778,13 @@ private:
DirsInChroot dirsInChroot; DirsInChroot dirsInChroot;
typedef map<string, string> Environment; typedef map<string, string> Environment;
Environment env; Environment env;
#if SANDBOX_ENABLED
typedef string SandboxProfile; typedef string SandboxProfile;
SandboxProfile additionalSandboxProfile; SandboxProfile additionalSandboxProfile;
AutoDelete autoDelSandbox;
#endif
/* Hash rewriting. */ /* Hash rewriting. */
HashRewrites rewritesToTmp, rewritesFromTmp; HashRewrites rewritesToTmp, rewritesFromTmp;
typedef map<Path, Path> RedirectedOutputs; typedef map<Path, Path> RedirectedOutputs;
@ -2445,9 +2449,10 @@ void DerivationGoal::runChild()
const char *builder = "invalid"; const char *builder = "invalid";
string sandboxProfile; string sandboxProfile;
if (isBuiltin(*drv)) if (isBuiltin(*drv)) {
; ;
else if (useChroot && SANDBOX_ENABLED) { #if SANDBOX_ENABLED
} else if (useChroot) {
/* Lots and lots and lots of file functions freak out if they can't stat their full ancestry */ /* Lots and lots and lots of file functions freak out if they can't stat their full ancestry */
PathSet ancestry; PathSet ancestry;
@ -2527,16 +2532,20 @@ void DerivationGoal::runChild()
debug("Generated sandbox profile:"); debug("Generated sandbox profile:");
debug(sandboxProfile); debug(sandboxProfile);
Path tmpProfile = createTempDir() + "/profile.sb"; Path sandboxFile = drvPath + ".sb";
writeFile(tmpProfile, sandboxProfile); if (pathExists(sandboxFile)) deletePath(sandboxFile);
autoDelSandbox.reset(sandboxFile, false);
writeFile(sandboxFile, sandboxProfile);
builder = "/usr/bin/sandbox-exec"; builder = "/usr/bin/sandbox-exec";
args.push_back("sandbox-exec"); args.push_back("sandbox-exec");
args.push_back("-f"); args.push_back("-f");
args.push_back(tmpProfile); args.push_back(sandboxFile);
args.push_back("-D"); args.push_back("-D");
args.push_back("_GLOBAL_TMP_DIR=" + globalTmpDir); args.push_back("_GLOBAL_TMP_DIR=" + globalTmpDir);
args.push_back(drv->builder); args.push_back(drv->builder);
#endif
} else { } else {
builder = drv->builder.c_str(); builder = drv->builder.c_str();
string builderBasename = baseNameOf(drv->builder); string builderBasename = baseNameOf(drv->builder);
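Review bot: The AutoDelete member is armed inside runChild() (the `autoDelSandbox.reset(sandboxFile, false);` line in the third hunk), so if runChild() executes in the forked child, as its name suggests, only the child's copy of the object ever owns the file; that process goes on to exec sandbox-exec and never runs the destructor, while the parent's autoDelSandbox still has del=false and the profile at `drvPath + ".sb"` is never removed. If that reading is right, the profile should be generated and the reset done in the parent before forking, with only the path handed to the child. Separately, the delete-then-write at a fixed, predictable path is not atomic, and writeFile will follow whatever appears at that path between the two calls; the store directory's ownership limits who can do that, but creating the file exclusively (O_CREAT|O_EXCL) or writing to a fresh createTempDir() path and renaming it into place would restore the guarantee the replaced code had. DerivationGoal::runChild() continues outside the hunk.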


@ -599,6 +599,8 @@ string drainFD(int fd)
////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////
AutoDelete::AutoDelete() : del{false} {}
AutoDelete::AutoDelete(const string & p, bool recursive) : path(p) AutoDelete::AutoDelete(const string & p, bool recursive) : path(p)
{ {
del = true; del = true;
@ -626,6 +628,12 @@ void AutoDelete::cancel()
del = false; del = false;
} }
void AutoDelete::reset(const Path & p, bool recursive) {
path = p;
this->recursive = recursive;
del = true;
}
////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////
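Review bot: AutoDelete::reset() in the second hunk overwrites `path` while an earlier path may still be owned (`del` already true), so that earlier file is silently forgotten rather than deleted; either release the previously owned path first (the deletion performed by the destructor is outside this hunk) or state in the class declaration in the third file section that reset() abandons any path it already owned. The new default constructor also leaves `recursive` uninitialized; `AutoDelete::AutoDelete() : del{false}, recursive{false} {}` keeps the object fully defined even though a `del` guard in the destructor would currently mask the read. The constructor on the line below it uses parenthesised initialisers, so `del(false)` would match the file's style better than the brace form.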


@ -199,9 +199,11 @@ class AutoDelete
bool del; bool del;
bool recursive; bool recursive;
public: public:
AutoDelete();
AutoDelete(const Path & p, bool recursive = true); AutoDelete(const Path & p, bool recursive = true);
~AutoDelete(); ~AutoDelete();
void cancel(); void cancel();
void reset(const Path & p, bool recursive = true);
operator Path() const { return path; } operator Path() const { return path; }
}; };