From 91e641af883e47bbb40b246668b61e0cc088b3d9 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Tue, 17 May 2022 21:39:28 +0200
Subject: [PATCH] Fix $NIX_PATH access control initialisation
---
 src/libexpr/eval.cc | 24 ++++--------------------
 src/libexpr/eval.hh | 4 +++-
 src/libexpr/parser.y | 16 +++++++++++++++-
 3 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/src/libexpr/eval.cc b/src/libexpr/eval.cc
index 1918a0c62..5559f40a1 100644
--- a/src/libexpr/eval.cc
+++ b/src/libexpr/eval.cc
@@ -491,26 +491,10 @@ EvalState::EvalState(
 for (auto & i : evalSettings.nixPath.get()) addToSearchPath(i); }
- if (rootFS->hasAccessControl()) {
- for (auto & i : searchPath) {
- if (auto path = resolveSearchPathElem(i)) {
- // FIXME
- #if 0
- if (store->isInStore(*path)) {
- try {
- StorePathSet closure;
- store->computeFSClosure(store->toStorePath(*path).first, closure);
- for (auto & p : closure)
- allowPath(p);
- } catch (InvalidPath &) {
- allowPath(*r);
- }
- } else
- allowPath(*r);
- #endif
- }
- }
- }
+ /* Allow access to all paths in the search path. */
+ if (rootFS->hasAccessControl())
+ for (auto & i : searchPath)
+ resolveSearchPathElem(i, true);
 createBaseEnv();
diff --git a/src/libexpr/eval.hh b/src/libexpr/eval.hh
index 0d42bc122..8a3aa1ea4 100644
--- a/src/libexpr/eval.hh
+++ b/src/libexpr/eval.hh
@@ -207,7 +207,9 @@ public:
 SourcePath findFile(SearchPath & searchPath, const std::string_view path, const PosIdx pos = noPos); /* If the specified search path element is a URI, download it. */
- std::optional resolveSearchPathElem(const SearchPathElem & elem);
+ std::optional resolveSearchPathElem(
+ const SearchPathElem & elem,
+ bool initAccessControl = false);
 /* Evaluate an expression to normal form, storing the result in value `v'. */
diff --git a/src/libexpr/parser.y b/src/libexpr/parser.y
index 5f5222494..1bc787249 100644
--- a/src/libexpr/parser.y
+++ b/src/libexpr/parser.y
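Review bot: The bare `true` in `resolveSearchPathElem(i, true);` hides that this loop runs only for its side effect of allowing paths, and the returned optional is dropped without comment. Naming the argument at the call site, `resolveSearchPathElem(i, /* initAccessControl = */ true);`, and bracing the nested `if`/`for` would make that intent readable. The comment above the loop could also say that the result is deliberately ignored. The constructor body continues outside this hunk.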
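Review bot: The comment above the declaration still reads only `/* If the specified search path element is a URI, download it. */`, so the new `initAccessControl` parameter is undocumented. It should state that when the flag is true the resolved local path, and for a path inside the store the closure computed from it, are passed to `allowPath`, and that the default `false` leaves the allowed set untouched. From the parser.y hunks the flag looks to have no effect for URI elements (that branch lies outside the visible lines), so the comment should say so if that is intended.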
@@ -783,7 +783,7 @@ SourcePath EvalState::findFile(SearchPath & searchPath, const std::string_view p
 }
-std::optional EvalState::resolveSearchPathElem(const SearchPathElem & elem)
+ std::optional EvalState::resolveSearchPathElem(const SearchPathElem & elem, bool initAccessControl)
 { auto i = searchPathResolved.find(elem.second); if (i != searchPathResolved.end()) return i->second;
@@ -803,6 +803,20 @@ std::optional EvalState::resolveSearchPathElem(const SearchPathElem
 } } } else { auto path = rootPath(absPath(elem.second));
+
+ /* Allow access to paths in the search path. */
+ if (initAccessControl) {
+ allowPath(path.path.abs());
+ if (store->isInStore(path.path.abs())) {
+ try {
+ StorePathSet closure;
+ store->computeFSClosure(store->toStorePath(path.path.abs()).first, closure);
+ for (auto & p : closure)
+ allowPath(p);
+ } catch (InvalidPath &) { }
+ }
+ }
+
+ if (path.pathExists()) res.emplace(path); else {
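Review bot: The cache lookup at the top of `resolveSearchPathElem` returns before `initAccessControl` is ever read, so a call with the flag set on an element already present in `searchPathResolved` allows nothing and reports nothing. That is harmless for the constructor loop as long as it is the first resolver of every element, but the new signature invites later callers to rely on the flag. A comment next to the lookup would record the restriction, for example `/* NB: initAccessControl only takes effect the first time an element is resolved. */`. The function body continues outside this hunk.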
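Review bot: `allowPath(path.path.abs())` runs before `path.pathExists()`, so a search path entry that turns out not to exist still ends up in the allowed set. If that order is required because the existence check itself goes through the access-controlled accessor (not visible in this hunk, to be confirmed), a comment such as `/* Must precede pathExists(), which is subject to access control. */` would stop someone from reordering it. The empty `catch (InvalidPath &) { }` also needs a why-comment, e.g. `/* Not a valid store path: only the path itself stays allowed, no closure. */`. Finally, `store->toStorePath(...).first` widens the grant from the entry to its whole top-level store path and closure, which is worth stating in the block comment if intended.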