Fix $NIX_PATH access control initialisation

Eelco Dolstra 2022-05-17 21:39:28 +02:00
parent 8be06c9aa1
commit 91e641af88
GPG key ID: 8170B4726D7198DE
3 changed files with 22 additions and 22 deletions


@ -491,26 +491,10 @@ EvalState::EvalState(
for (auto & i : evalSettings.nixPath.get()) addToSearchPath(i);
}
if (rootFS->hasAccessControl()) {
for (auto & i : searchPath) {
if (auto path = resolveSearchPathElem(i)) {
// FIXME
#if 0
if (store->isInStore(*path)) {
try {
StorePathSet closure;
store->computeFSClosure(store->toStorePath(*path).first, closure);
for (auto & p : closure)
allowPath(p);
} catch (InvalidPath &) {
allowPath(*r);
}
} else
allowPath(*r);
#endif
}
}
}
/* Allow access to all paths in the search path. */
if (rootFS->hasAccessControl())
for (auto & i : searchPath)
resolveSearchPathElem(i, true);
createBaseEnv();
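Review bot: The new loop calls `resolveSearchPathElem(i, true);` only for its side effect and discards the result, which is easy to overlook for the step that populates the access-control allow-list. In the third file of this commit the function returns early when `searchPathResolved` already holds the element, so an element resolved earlier without the flag would never reach `allowPath()`; whether anything resolves elements before this point is not visible in the hunk. I would extend the comment to state the dependency, e.g. `/* Allow access to all paths in the search path. This must run before any other resolveSearchPathElem() call, because cached elements skip the allowPath() step. */`. The constructor body starts and ends outside the hunk.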


@ -207,7 +207,9 @@ public:
SourcePath findFile(SearchPath & searchPath, const std::string_view path, const PosIdx pos = noPos);
/* If the specified search path element is a URI, download it. */
std::optional<SourcePath> resolveSearchPathElem(const SearchPathElem & elem);
std::optional<SourcePath> resolveSearchPathElem(
const SearchPathElem & elem,
bool initAccessControl = false);
/* Evaluate an expression to normal form, storing the result in
value `v'. */
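Review bot: The comment above `resolveSearchPathElem` still only says that a URI element is downloaded and does not describe the new `initAccessControl` parameter. Because the flag changes which paths the evaluator is allowed to access, it should be documented at the declaration, e.g. `/* If the specified search path element is a URI, download it. If initAccessControl is true, also add the resolved path (and, for store paths, its closure) to the allowed paths. */`. The class declaration continues outside the hunk.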


@ -783,7 +783,7 @@ SourcePath EvalState::findFile(SearchPath & searchPath, const std::string_view p
}
std::optional<SourcePath> EvalState::resolveSearchPathElem(const SearchPathElem & elem)
std::optional<SourcePath> EvalState::resolveSearchPathElem(const SearchPathElem & elem, bool initAccessControl)
{
auto i = searchPathResolved.find(elem.second);
if (i != searchPathResolved.end()) return i->second;
@ -803,6 +803,20 @@ std::optional<SourcePath> EvalState::resolveSearchPathElem(const SearchPathElem
}
} else {
auto path = rootPath(absPath(elem.second));
/* Allow access to paths in the search path. */
if (initAccessControl) {
allowPath(path.path.abs());
if (store->isInStore(path.path.abs())) {
try {
StorePathSet closure;
store->computeFSClosure(store->toStorePath(path.path.abs()).first, closure);
for (auto & p : closure)
allowPath(p);
} catch (InvalidPath &) { }
}
}
if (path.pathExists())
res.emplace(path);
else {
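Review bot: In the second hunk, `allowPath(path.path.abs())` runs before the `path.pathExists()` check, so a search path entry that does not exist is still added to the allowed paths and would become accessible if it is created later. Moving the `if (initAccessControl) { … }` block inside `if (path.pathExists())` would limit the allow-list to entries that actually resolved. The empty `catch (InvalidPath &) { }` deserves a comment such as `/* not a valid store path: only the path itself, allowed above, is accessible */`. The block is added only on the local-path branch; the URI branch is mostly outside the hunk, so it is not visible whether downloaded elements are allowed when the flag is set. The function body begins and ends outside the hunks.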