Make inputs writeable in the sandbox (builds still can’t actually write due to user permissions)

2015-01-15 02:49:21 -05:00 · 2015-01-15 02:49:21 -05:00 · f46e329a13
parent f6716e95bb
commit f46e329a13
1 changed files with 7 additions and 2 deletions
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@ -2271,8 +2271,13 @@ void DerivationGoal::runChild()
            }
            sandboxProfile += ")\n";

-            /* Our inputs (transitive dependencies and any impurities computed above) */
-            sandboxProfile += "(allow file-read* process-exec\n";
+            /* Our inputs (transitive dependencies and any impurities computed above)
+               Note that the sandbox profile allows file-write* even though it isn't seemingly necessary. First of all, nix's standard user permissioning
+               mechanism still prevents builders from writing to input directories, so no security/purity is lost. The reason we allow file-write* is that
+               denying it means the `access` syscall will return EPERM instead of EACCESS, which confuses a few programs that assume (understandably, since
+               it appears to be a violation of the POSIX spec) that `access` won't do that, and don't deal with it nicely if it does. The most notable of
+               these is the entire GHC Haskell ecosystem. */
+            sandboxProfile += "(allow file-read* file-write* process-exec\n";
            for (auto & i : dirsInChroot) {
                if (i.first != i.second)
                    throw SysError(format("can't map '%1%' to '%2%': mismatched impure paths not supported on darwin"));