mirror/guix
1
0
Fork 0
mirror of https://git.savannah.gnu.org/git/guix.git synced 2025-01-18 13:36:36 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

daemon: Sanitize successful build outputs prior to exposing them.

Browse source 
There is currently a window of time between when the build outputs are exposed
and when their metadata is canonicalized.

* nix/libstore/build.cc (DerivationGoal::registerOutputs): wait until after
  metadata canonicalization to move successful build outputs to the store.

Change-Id: Ia995136f3f965eaf7b0e1d92af964b816f3fb276
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
This commit is contained in:
Reepca Russelstein 2024-10-20 15:39:02 -05:00 committed by Ludovic Courtès
parent 558224140d
commit 5ab3c4c1e4
No known key found for this signature in database
GPG key ID: 090B11993D9AEBB5
1 changed files with 14 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
nix/libstore/build.cc
View file

@ -2369,15 +2369,6 @@ void DerivationGoal::registerOutputs()
Path actualPath = path; Path actualPath = path;
if (useChroot) { if (useChroot) {
actualPath = chrootRootDir + path; actualPath = chrootRootDir + path;
if (pathExists(actualPath)) {
/* Move output paths from the chroot to the store. */
if (buildMode == bmRepair)
replaceValidPath(path, actualPath);
else
if (buildMode != bmCheck && rename(actualPath.c_str(), path.c_str()) == -1)
throw SysError(format("moving build output `%1%' from the chroot to the store") % path);
}
if (buildMode != bmCheck) actualPath = path;
} else { } else {
Path redirected = redirectedOutputs[path]; Path redirected = redirectedOutputs[path];
if (buildMode == bmRepair if (buildMode == bmRepair
@ -2463,6 +2454,20 @@ void DerivationGoal::registerOutputs()
canonicalisePathMetaData(actualPath, canonicalisePathMetaData(actualPath,
buildUser.enabled() && !rewritten ? buildUser.getUID() : -1, inodesSeen); buildUser.enabled() && !rewritten ? buildUser.getUID() : -1, inodesSeen);
if (useChroot) {
if (pathExists(actualPath)) {
/* Now that output paths have been canonicalized (in particular
there are no setuid files left), move them outside of the
chroot and to the store. */
if (buildMode == bmRepair)
replaceValidPath(path, actualPath);
else
if (buildMode != bmCheck && rename(actualPath.c_str(), path.c_str()) == -1)
throw SysError(format("moving build output `%1%' from the chroot to the store") % path);
}
if (buildMode != bmCheck) actualPath = path;
}
/* For this output path, find the references to other paths /* For this output path, find the references to other paths
contained in it. Compute the SHA-256 NAR hash at the same contained in it. Compute the SHA-256 NAR hash at the same
time. The hash is stored in the database so that we can time. The hash is stored in the database so that we can