Merge pull request #1813 from copumpkin/download-pre-resolve-url
Fix obscure corner case in name resolution for builtin:fetchurl in sandboxed environments
This commit is contained in:
commit
b76e282da8
1 changed files with 17 additions and 0 deletions
|
@ -6,6 +6,7 @@
|
||||||
#include "archive.hh"
|
#include "archive.hh"
|
||||||
#include "affinity.hh"
|
#include "affinity.hh"
|
||||||
#include "builtins.hh"
|
#include "builtins.hh"
|
||||||
|
#include "download.hh"
|
||||||
#include "finally.hh"
|
#include "finally.hh"
|
||||||
#include "compression.hh"
|
#include "compression.hh"
|
||||||
#include "json.hh"
|
#include "json.hh"
|
||||||
|
@ -1777,6 +1778,19 @@ PathSet exportReferences(Store & store, PathSet storePaths)
|
||||||
return paths;
|
return paths;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static std::once_flag dns_resolve_flag;
|
||||||
|
|
||||||
|
static void preloadNSS() {
|
||||||
|
/* builtin:fetchurl can trigger a DNS lookup, which with glibc can trigger a dynamic library load of
|
||||||
|
one of the glibc NSS libraries in a sandboxed child, which will fail unless the library's already
|
||||||
|
been loaded in the parent. So we force a download of an invalid URL to force the NSS machinery to
|
||||||
|
load its lookup libraries in the parent before any child gets a chance to. */
|
||||||
|
std::call_once(dns_resolve_flag, []() {
|
||||||
|
DownloadRequest request("http://this.pre-initializes.the.dns.resolvers.invalid");
|
||||||
|
request.tries = 1; // We only need to do it once, and this also suppresses an annoying warning
|
||||||
|
try { getDownloader()->download(request); } catch (...) {}
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
void DerivationGoal::startBuilder()
|
void DerivationGoal::startBuilder()
|
||||||
{
|
{
|
||||||
|
@ -1787,6 +1801,9 @@ void DerivationGoal::startBuilder()
|
||||||
% drv->platform % settings.thisSystem % drvPath);
|
% drv->platform % settings.thisSystem % drvPath);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (drv->isBuiltin())
|
||||||
|
preloadNSS();
|
||||||
|
|
||||||
#if __APPLE__
|
#if __APPLE__
|
||||||
additionalSandboxProfile = get(drv->env, "__sandboxProfile");
|
additionalSandboxProfile = get(drv->env, "__sandboxProfile");
|
||||||
#endif
|
#endif
|
||||||
|
|
Loading…
Reference in a new issue