guix-mirrors/nix/libstore
Ludovic Courtès ff5181e27e
daemon: Do not make chroot root directory read-only.
Fixes <https://issues.guix.gnu.org/77570>.

Commit 40f69b586a made chroot root directory read-only; as a
consequence, build processes attempting to write to the root directory
would now get EROFS instead of EACCES.

It turns out that a number of test suites (Go, Ruby, SCons, Shepherd)
would fail because of this observable difference.

To restore previous behavior in build environments while still
preventing build processes from exposing their root directory to outside
processes, this patch (1) keeps the root writable but #o555 by default,
thereby restoring the EACCES behavior, and (2) ensures that the parent
of the chroot root directory is itself user-accessible only.

* nix/libstore/build.cc (class DerivationGoal)[chrootRootTop]: New
field.
(DerivationGoal::startBuilder): Initialize ‘chrootRootTop’ and make it
‘AutoDelete’.  Replace ‘mount’ call that made the root directory
read-only by a mere ‘chmod_’ call.
* tests/store.scm ("build root cannot be made world-readable"): Remove.
("writing to build root leads to EACCES"): New test.

Reported-by: Ada Stevenson <adanskana@gmail.com>
Reported-by: keinflue <keinflue@posteo.net>
Suggested-by: Reepca Russelstein <reepca@russelstein.xyz>
Change-Id: I5912e8b3b293f8242a010cfc79255fc981314445
2025-04-11 12:18:01 +02:00
.gitignore
build.cc daemon: Do not make chroot root directory read-only. 2025-04-11 12:18:01 +02:00
builtins.cc daemon: Add “git-download” built-in builder. 2023-09-26 17:36:58 +02:00
builtins.hh
derivations.cc
derivations.hh
gc.cc Revert "nix: Guard against removing temporary roots of living processes." 2022-10-17 09:37:27 +02:00
globals.cc daemon: Change default ‘timeout’ and ‘max-silent-time’ values. 2024-01-05 17:27:21 +01:00
globals.hh
local-store.cc daemon: Create /var/guix/profiles/per-user unconditionally. 2025-03-26 17:57:44 +01:00
local-store.hh daemon: Do not deduplicate files smaller than 8 KiB. 2021-11-16 14:34:28 +01:00
misc.cc daemon: Remove unused function findOutput. 2022-09-11 16:43:30 +02:00
misc.hh daemon: Remove unused function findOutput. 2022-09-11 16:43:30 +02:00
optimise-store.cc daemon: Do not deduplicate files smaller than 8 KiB. 2021-11-16 14:34:28 +01:00
pathlocks.cc
pathlocks.hh
references.cc
references.hh
sqlite.cc
sqlite.hh daemon: Fix build with GCC 13. 2023-09-09 18:47:35 +02:00
store-api.cc daemon: Improve error message in ‘checkStoreName’. 2024-11-17 23:15:49 +01:00
store-api.hh daemon: Remove unused function exportPaths. 2022-09-11 16:43:30 +02:00
worker-protocol.hh daemon: Implement ‘substitute-urls’ RPC. 2023-12-11 23:18:53 +01:00