mirror/guix
mirror/guix
1
Fork 0
mirror of https://https.git.savannah.gnu.org/git/guix.git/ synced 2025-07-10 16:50:43 +02:00
Code Releases Activity

daemon: Move comments where they belong.

Browse source 
* nix/libstore/build.cc (DerivationGoal::startBuilder): Shuffle
comments for clarity.

Change-Id: I6557c103ade4a3ab046354548ea193c68f8c9c05
This commit is contained in:
Ludovic Courtès 2025-02-14 17:29:56 +01:00
parent 0163c732a1
commit bdd7b9a45d
No known key found for this signature in database
GPG key ID: 090B11993D9AEBB5
1 changed files with 7 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

13
nix/libstore/build.cc
View file

@ -1870,18 +1870,19 @@ void DerivationGoal::startBuilder()
}
dirsInChroot[tmpDirInSandbox] = tmpDir;
/* Make the closure of the inputs available in the chroot,
rather than the whole store. This prevents any access
to undeclared dependencies. !!! As an extra security
precaution, make the fake store only writable by the
build user. */
/* Create the fake store. */
Path chrootStoreDir = chrootRootDir + settings.nixStore;
createDirs(chrootStoreDir);
chmod_(chrootStoreDir, 01775);
if (buildUser.enabled() && chown(chrootStoreDir.c_str(), 0, buildUser.getGID()) == -1)
throw SysError(format("cannot change ownership of %1%") % chrootStoreDir);
/* As an extra security precaution, make the fake store only
writable by the build user. */
throw SysError(format("cannot change ownership of %1%") % chrootStoreDir);
/* Make the closure of the inputs available in the chroot, rather than
the whole store. This prevents any access to undeclared
dependencies. */
foreach (PathSet::iterator, i, inputPaths) {
struct stat st;
if (lstat(i->c_str(), &st))