mirror of
https://github.com/NixOS/nix
synced 2024-10-18 14:32:45 -04:00
fix passing CA files into builtins:fetchurl sandbox
This patch has been manually adapted from
14dc84ed03
Tested with:
$ NIX_SSL_CERT_FILE=$(nix-build '<nixpkgs>' -A cacert)/etc/ssl/certs/ca-bundle.crt nix-build --store $(mktemp -d) -E 'import <nix/fetchurl.nix> { url = https://google.com; }'
warning: found empty hash, assuming 'sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='
this derivation will be built:
/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv
building '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv'...
error:
… writing file '/nix/store/0zynn4n8yx59bczy1mgh1lq2rnprvvrc-google.com'
error: unable to download 'https://google.com': Problem with the SSL CA cert (path? access rights?) (77)
error: builder for '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv' failed with exit code 1
Now returns:
nix-env % NIX_SSL_CERT_FILE=$(nix-build '<nixpkgs>' -A cacert)/etc/ssl/certs/ca-bundle.crt nix-build --store $(mktemp -d) -E 'import <nix/fetchurl.nix> { url = https://google.com; }'
this derivation will be built:
/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv
building '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv'...
error: hash mismatch in fixed-output derivation '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv':
specified: sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
got: sha256-5xXEhGtnRdopaUTqaz2M1o2NE7ovhU0SjcSOPwntqwY=
(cherry picked from commit 1fbdf409524bb350b8614f3d95067cb9ba3c57f2)
This commit is contained in:
Puck Meerburg
Robert Hensing
parent
de2a27caab
commit
9b818f14dd
|
|
@ -1732,13 +1732,20 @@ void LocalDerivationGoal::runChild()
|
||||||
|
|
||||||
bool setUser = true;
|
bool setUser = true;
|
||||||
|
|
||||||
/* Make the contents of netrc available to builtin:fetchurl
|
/* Make the contents of netrc and the CA certificate bundle
|
||||||
(which may run under a different uid and/or in a sandbox). */
|
available to builtin:fetchurl (which may run under a
|
||||||
|
different uid and/or in a sandbox). */
|
||||||
std::string netrcData;
|
std::string netrcData;
|
||||||
try {
|
std::string caFileData;
|
||||||
if (drv->isBuiltin() && drv->builder == "builtin:fetchurl")
|
if (drv->isBuiltin() && drv->builder == "builtin:fetchurl") {
|
||||||
netrcData = readFile(settings.netrcFile);
|
try {
|
||||||
} catch (SystemError &) { }
|
netrcData = readFile(settings.netrcFile);
|
||||||
|
} catch (SystemError &) { }
|
||||||
|
|
||||||
|
try {
|
||||||
|
caFileData = readFile(settings.caFile);
|
||||||
|
} catch (SystemError &) { }
|
||||||
|
}
|
||||||
|
|
||||||
#if __linux__
|
#if __linux__
|
||||||
if (useChroot) {
|
if (useChroot) {
|
||||||
|
|
@ -2166,7 +2173,7 @@ void LocalDerivationGoal::runChild()
|
||||||
e.second = rewriteStrings(e.second, inputRewrites);
|
e.second = rewriteStrings(e.second, inputRewrites);
|
||||||
|
|
||||||
if (drv->builder == "builtin:fetchurl")
|
if (drv->builder == "builtin:fetchurl")
|
||||||
builtinFetchurl(drv2, netrcData);
|
builtinFetchurl(drv2, netrcData, caFileData);
|
||||||
else if (drv->builder == "builtin:buildenv")
|
else if (drv->builder == "builtin:buildenv")
|
||||||
builtinBuildenv(drv2);
|
builtinBuildenv(drv2);
|
||||||
else if (drv->builder == "builtin:unpack-channel")
|
else if (drv->builder == "builtin:unpack-channel")
|
||||||
|
|
|
||||||
|
|
@ -6,7 +6,9 @@
|
||||||
namespace nix {
|
namespace nix {
|
||||||
|
|
||||||
// TODO: make pluggable.
|
// TODO: make pluggable.
|
||||||
void builtinFetchurl(const BasicDerivation & drv, const std::string & netrcData);
|
void builtinFetchurl(const BasicDerivation & drv,
|
||||||
|
const std::string & netrcData,
|
||||||
|
const std::string & caFileData);
|
||||||
void builtinUnpackChannel(const BasicDerivation & drv);
|
void builtinUnpackChannel(const BasicDerivation & drv);
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -6,7 +6,10 @@
|
||||||
|
|
||||||
namespace nix {
|
namespace nix {
|
||||||
|
|
||||||
void builtinFetchurl(const BasicDerivation & drv, const std::string & netrcData)
|
void builtinFetchurl(
|
||||||
|
const BasicDerivation & drv,
|
||||||
|
const std::string & netrcData,
|
||||||
|
const std::string & caFileData)
|
||||||
{
|
{
|
||||||
/* Make the host's netrc data available. Too bad curl requires
|
/* Make the host's netrc data available. Too bad curl requires
|
||||||
this to be stored in a file. It would be nice if we could just
|
this to be stored in a file. It would be nice if we could just
|
||||||
|
|
@ -16,6 +19,9 @@ void builtinFetchurl(const BasicDerivation & drv, const std::string & netrcData)
|
||||||
writeFile(settings.netrcFile, netrcData, 0600);
|
writeFile(settings.netrcFile, netrcData, 0600);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
settings.caFile = "ca-certificates.crt";
|
||||||
|
writeFile(settings.caFile, caFileData, 0600);
|
||||||
|
|
||||||
auto out = get(drv.outputs, "out");
|
auto out = get(drv.outputs, "out");
|
||||||
if (!out)
|
if (!out)
|
||||||
throw Error("'builtin:fetchurl' requires an 'out' output");
|
throw Error("'builtin:fetchurl' requires an 'out' output");
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue