max/nix-super
1
0
Fork 0
mirror of https://github.com/privatevoid-net/nix-super.git synced 2024-11-13 01:36:15 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

realiseContext(): Add derivation outputs to the allowed paths

Browse source 
This makes import-from-derivation work in restricted mode again.
This commit is contained in:
Eelco Dolstra 2018-02-06 15:38:45 +01:00
parent f24e726ba5
commit 43f8ef73c6
No known key found for this signature in database
GPG key ID: 8170B4726D7198DE
2 changed files with 26 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

34
src/libexpr/primops.cc
View file

@ -49,24 +49,38 @@ InvalidPathError::InvalidPathError(const Path & path) :
void EvalState::realiseContext(const PathSet & context) void EvalState::realiseContext(const PathSet & context)
{ {
PathSet drvs; PathSet drvs;
for (auto & i : context) { for (auto & i : context) {
std::pair<string, string> decoded = decodeContext(i); std::pair<string, string> decoded = decodeContext(i);
Path ctx = decoded.first; Path ctx = decoded.first;
assert(store->isStorePath(ctx)); assert(store->isStorePath(ctx));
if (!store->isValidPath(ctx)) if (!store->isValidPath(ctx))
throw InvalidPathError(ctx); throw InvalidPathError(ctx);
if (!decoded.second.empty() && nix::isDerivation(ctx)) if (!decoded.second.empty() && nix::isDerivation(ctx)) {
drvs.insert(decoded.first + "!" + decoded.second); drvs.insert(decoded.first + "!" + decoded.second);
/* Add the output of this derivation to the allowed
paths. */
if (allowedPaths) {
auto drv = store->derivationFromPath(decoded.first);
DerivationOutputs::iterator i = drv.outputs.find(decoded.second);
if (i == drv.outputs.end())
throw Error("derivation '%s' does not have an output named '%s'", decoded.first, decoded.second);
allowedPaths->insert(i->second.path);
}
}
} }
if (!drvs.empty()) {
if (!settings.enableImportFromDerivation) if (drvs.empty()) return;
throw EvalError(format("attempted to realize '%1%' during evaluation but 'allow-import-from-derivation' is false") % *(drvs.begin()));
/* For performance, prefetch all substitute info. */ if (!settings.enableImportFromDerivation)
PathSet willBuild, willSubstitute, unknown; throw EvalError(format("attempted to realize '%1%' during evaluation but 'allow-import-from-derivation' is false") % *(drvs.begin()));
unsigned long long downloadSize, narSize;
store->queryMissing(drvs, willBuild, willSubstitute, unknown, downloadSize, narSize); /* For performance, prefetch all substitute info. */
store->buildPaths(drvs); PathSet willBuild, willSubstitute, unknown;
} unsigned long long downloadSize, narSize;
store->queryMissing(drvs, willBuild, willSubstitute, unknown, downloadSize, narSize);
store->buildPaths(drvs);
} }

2
tests/restricted.sh
View file

@ -36,3 +36,5 @@ ln -sfn $(pwd)/restricted.nix $TEST_ROOT/restricted.nix
(! nix-instantiate --eval --restrict-eval $TEST_ROOT/restricted.nix -I $TEST_ROOT) (! nix-instantiate --eval --restrict-eval $TEST_ROOT/restricted.nix -I $TEST_ROOT)
(! nix-instantiate --eval --restrict-eval $TEST_ROOT/restricted.nix -I .) (! nix-instantiate --eval --restrict-eval $TEST_ROOT/restricted.nix -I .)
nix-instantiate --eval --restrict-eval $TEST_ROOT/restricted.nix -I $TEST_ROOT -I . nix-instantiate --eval --restrict-eval $TEST_ROOT/restricted.nix -I $TEST_ROOT -I .
[[ $(nix eval --raw --restrict-eval -I . '(builtins.readFile "${import ./simple.nix}/hello")') == 'Hello World!' ]]