max/nix-super
1
0
Fork 0
mirror of https://github.com/privatevoid-net/nix-super.git synced 2024-11-11 00:36:20 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Fix $NIX_PATH access control initialisation

Browse source
This commit is contained in:
Eelco Dolstra 2022-05-17 21:39:28 +02:00
parent 8be06c9aa1
commit 91e641af88
No known key found for this signature in database
GPG key ID: 8170B4726D7198DE
3 changed files with 22 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
src/libexpr/eval.cc
View file

@ -491,26 +491,10 @@ EvalState::EvalState(
for (auto & i : evalSettings.nixPath.get()) addToSearchPath(i); for (auto & i : evalSettings.nixPath.get()) addToSearchPath(i);
} }
if (rootFS->hasAccessControl()) { /* Allow access to all paths in the search path. */
for (auto & i : searchPath) { if (rootFS->hasAccessControl())
if (auto path = resolveSearchPathElem(i)) { for (auto & i : searchPath)
// FIXME resolveSearchPathElem(i, true);
#if 0
if (store->isInStore(*path)) {
try {
StorePathSet closure;
store->computeFSClosure(store->toStorePath(*path).first, closure);
for (auto & p : closure)
allowPath(p);
} catch (InvalidPath &) {
allowPath(*r);
}
} else
allowPath(*r);
#endif
}
}
}
createBaseEnv(); createBaseEnv();

4
src/libexpr/eval.hh
View file

@ -207,7 +207,9 @@ public:
SourcePath findFile(SearchPath & searchPath, const std::string_view path, const PosIdx pos = noPos); SourcePath findFile(SearchPath & searchPath, const std::string_view path, const PosIdx pos = noPos);
/* If the specified search path element is a URI, download it. */ /* If the specified search path element is a URI, download it. */
std::optional<SourcePath> resolveSearchPathElem(const SearchPathElem & elem); std::optional<SourcePath> resolveSearchPathElem(
const SearchPathElem & elem,
bool initAccessControl = false);
/* Evaluate an expression to normal form, storing the result in /* Evaluate an expression to normal form, storing the result in
value `v'. */ value `v'. */

16
src/libexpr/parser.y
View file

@ -783,7 +783,7 @@ SourcePath EvalState::findFile(SearchPath & searchPath, const std::string_view p
} }
std::optional<SourcePath> EvalState::resolveSearchPathElem(const SearchPathElem & elem) std::optional<SourcePath> EvalState::resolveSearchPathElem(const SearchPathElem & elem, bool initAccessControl)
{ {
auto i = searchPathResolved.find(elem.second); auto i = searchPathResolved.find(elem.second);
if (i != searchPathResolved.end()) return i->second; if (i != searchPathResolved.end()) return i->second;
@ -803,6 +803,20 @@ std::optional<SourcePath> EvalState::resolveSearchPathElem(const SearchPathElem
} }
} else { } else {
auto path = rootPath(absPath(elem.second)); auto path = rootPath(absPath(elem.second));
/* Allow access to paths in the search path. */
if (initAccessControl) {
allowPath(path.path.abs());
if (store->isInStore(path.path.abs())) {
try {
StorePathSet closure;
store->computeFSClosure(store->toStorePath(path.path.abs()).first, closure);
for (auto & p : closure)
allowPath(p);
} catch (InvalidPath &) { }
}
}
if (path.pathExists()) if (path.pathExists())
res.emplace(path); res.emplace(path);
else { else {