daemon: Sanitize successful build outputs prior to exposing them.

There is currently a window of time between when the build outputs are exposed and when their metadata is canonicalized. * nix/libstore/build.cc (DerivationGoal::registerOutputs): wait until after metadata canonicalization to move successful build outputs to the store. Change-Id: Ia995136f3f965eaf7b0e1d92af964b816f3fb276 Signed-off-by: Ludovic Courtès <ludo@gnu.org>
author: Reepca Russelstein <reepca@russelstein.xyz> 2024-10-20 15:39:02 -0500
committer: Ludovic Courtès <ludo@gnu.org> 2024-10-21 00:09:24 +0200
commit: 5ab3c4c1e43ebb637551223791db0ea3519986e1 (patch)
tree: eed91396837697f77deff12e8c50a54ed01c4cb2
parent: 558224140dab669cabdaebabff18504a066c48d4 (diff)
download: guix-5ab3c4c1e43ebb637551223791db0ea3519986e1.tar.gz
1 files changed, 14 insertions, 9 deletions
diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
index 67ebfe2f14..43a8a37184 100644
--- a/nix/libstore/build.cc
+++ b/nix/libstore/build.cc
@@ -2369,15 +2369,6 @@ void DerivationGoal::registerOutputs()
         Path actualPath = path;
         if (useChroot) {
             actualPath = chrootRootDir + path;
-            if (pathExists(actualPath)) {
-                /* Move output paths from the chroot to the store. */
-                if (buildMode == bmRepair)
-                    replaceValidPath(path, actualPath);
-                else
-                    if (buildMode != bmCheck && rename(actualPath.c_str(), path.c_str()) == -1)
-                        throw SysError(format("moving build output `%1%' from the chroot to the store") % path);
-            }
-            if (buildMode != bmCheck) actualPath = path;
         } else {
             Path redirected = redirectedOutputs[path];
             if (buildMode == bmRepair
@@ -2463,6 +2454,20 @@ void DerivationGoal::registerOutputs()
         canonicalisePathMetaData(actualPath,
             buildUser.enabled() && !rewritten ? buildUser.getUID() : -1, inodesSeen);
 
+        if (useChroot) {
+          if (pathExists(actualPath)) {
+            /* Now that output paths have been canonicalized (in particular
+               there are no setuid files left), move them outside of the
+               chroot and to the store. */
+            if (buildMode == bmRepair)
+              replaceValidPath(path, actualPath);
+            else
+              if (buildMode != bmCheck && rename(actualPath.c_str(), path.c_str()) == -1)
+                throw SysError(format("moving build output `%1%' from the chroot to the store") % path);
+          }
+          if (buildMode != bmCheck) actualPath = path;
+        }
+
         /* For this output path, find the references to other paths
            contained in it.  Compute the SHA-256 NAR hash at the same
            time.  The hash is stored in the database so that we can
author	Reepca Russelstein <reepca@russelstein.xyz>	2024-10-20 15:39:02 -0500
committer	Ludovic Courtès <ludo@gnu.org>	2024-10-21 00:09:24 +0200
commit	5ab3c4c1e43ebb637551223791db0ea3519986e1 (patch)
tree	eed91396837697f77deff12e8c50a54ed01c4cb2
parent	558224140dab669cabdaebabff18504a066c48d4 (diff)
download	guix-5ab3c4c1e43ebb637551223791db0ea3519986e1.tar.gz