Fix $NIX_PATH access control initialisation

2024-11-24 14:56:15 +02:00 · 2022-05-17 21:39:28 +02:00 · 2022-05-17 21:39:28 +02:00 · 91e641af88
commit 91e641af88
parent 8be06c9aa1
3 changed files with 22 additions and 22 deletions
--- a/src/libexpr/eval.cc
+++ b/src/libexpr/eval.cc
@ -491,26 +491,10 @@ EvalState::EvalState(
        for (auto & i : evalSettings.nixPath.get()) addToSearchPath(i);
    }

-    if (rootFS->hasAccessControl()) {
-        for (auto & i : searchPath) {
-            if (auto path = resolveSearchPathElem(i)) {
-                // FIXME
-                #if 0
-                if (store->isInStore(*path)) {
-                    try {
-                        StorePathSet closure;
-                        store->computeFSClosure(store->toStorePath(*path).first, closure);
-                        for (auto & p : closure)
-                            allowPath(p);
-                    } catch (InvalidPath &) {
-                        allowPath(*r);
-                    }
-                } else
-                    allowPath(*r);
-                #endif
-            }
-        }
-    }
+    /* Allow access to all paths in the search path. */
+    if (rootFS->hasAccessControl())
+        for (auto & i : searchPath)
+            resolveSearchPathElem(i, true);

    createBaseEnv();

--- a/src/libexpr/eval.hh
+++ b/src/libexpr/eval.hh
@ -207,7 +207,9 @@ public:
    SourcePath findFile(SearchPath & searchPath, const std::string_view path, const PosIdx pos = noPos);

    /* If the specified search path element is a URI, download it. */
-    std::optional<SourcePath> resolveSearchPathElem(const SearchPathElem & elem);
+    std::optional<SourcePath> resolveSearchPathElem(
+        const SearchPathElem & elem,
+        bool initAccessControl = false);

    /* Evaluate an expression to normal form, storing the result in
       value `v'. */
--- a/src/libexpr/parser.y
+++ b/src/libexpr/parser.y
@ -783,7 +783,7 @@ SourcePath EvalState::findFile(SearchPath & searchPath, const std::string_view p
 }


-std::optional<SourcePath> EvalState::resolveSearchPathElem(const SearchPathElem & elem)
+ std::optional<SourcePath> EvalState::resolveSearchPathElem(const SearchPathElem & elem, bool initAccessControl)
 {
    auto i = searchPathResolved.find(elem.second);
    if (i != searchPathResolved.end()) return i->second;
@ -803,6 +803,20 @@ std::optional<SourcePath> EvalState::resolveSearchPathElem(const SearchPathElem
        }
    } else {
        auto path = rootPath(absPath(elem.second));
+
+        /* Allow access to paths in the search path. */
+        if (initAccessControl) {
+            allowPath(path.path.abs());
+            if (store->isInStore(path.path.abs())) {
+                try {
+                    StorePathSet closure;
+                    store->computeFSClosure(store->toStorePath(path.path.abs()).first, closure);
+                    for (auto & p : closure)
+                        allowPath(p);
+                } catch (InvalidPath &) { }
+            }
+        }
+
        if (path.pathExists())
            res.emplace(path);
        else {