mirror of
https://github.com/privatevoid-net/nix-super.git
synced 2025-01-19 17:46:46 +02:00
Merge pull request #7689 from ncfavier/nix-path-restrict-eval
getDefaultNixPath: actually respect `{restrict,pure}-eval`
This commit is contained in:
commit
d70b890488
4 changed files with 39 additions and 18 deletions
|
@ -519,6 +519,7 @@ EvalState::EvalState(
|
||||||
static_assert(sizeof(Env) <= 16, "environment must be <= 16 bytes");
|
static_assert(sizeof(Env) <= 16, "environment must be <= 16 bytes");
|
||||||
|
|
||||||
/* Initialise the Nix expression search path. */
|
/* Initialise the Nix expression search path. */
|
||||||
|
evalSettings.nixPath.setDefault(evalSettings.getDefaultNixPath());
|
||||||
if (!evalSettings.pureEval) {
|
if (!evalSettings.pureEval) {
|
||||||
for (auto & i : _searchPath) addToSearchPath(i);
|
for (auto & i : _searchPath) addToSearchPath(i);
|
||||||
for (auto & i : evalSettings.nixPath.get()) addToSearchPath(i);
|
for (auto & i : evalSettings.nixPath.get()) addToSearchPath(i);
|
||||||
|
@ -2472,30 +2473,35 @@ std::ostream & operator << (std::ostream & str, const ExternalValueBase & v) {
|
||||||
|
|
||||||
EvalSettings::EvalSettings()
|
EvalSettings::EvalSettings()
|
||||||
{
|
{
|
||||||
auto var = getEnv("NIX_PATH");
|
|
||||||
if (var) nixPath = parseNixPath(*var);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* impure => NIX_PATH or a default path
|
||||||
|
* restrict-eval => NIX_PATH
|
||||||
|
* pure-eval => empty
|
||||||
|
*/
|
||||||
Strings EvalSettings::getDefaultNixPath()
|
Strings EvalSettings::getDefaultNixPath()
|
||||||
{
|
{
|
||||||
Strings res;
|
if (pureEval)
|
||||||
auto add = [&](const Path & p, const std::string & s = std::string()) {
|
return {};
|
||||||
if (pathExists(p)) {
|
|
||||||
if (s.empty()) {
|
auto var = getEnv("NIX_PATH");
|
||||||
res.push_back(p);
|
if (var) {
|
||||||
} else {
|
return parseNixPath(*var);
|
||||||
res.push_back(s + "=" + p);
|
} else if (restrictEval) {
|
||||||
}
|
return {};
|
||||||
}
|
} else {
|
||||||
};
|
Strings res;
|
||||||
|
auto add = [&](const Path & p, const std::optional<std::string> & s = std::nullopt) {
|
||||||
|
if (pathExists(p))
|
||||||
|
res.push_back(s ? *s + "=" + p : p);
|
||||||
|
};
|
||||||
|
|
||||||
if (!evalSettings.restrictEval && !evalSettings.pureEval) {
|
|
||||||
add(getHome() + "/.nix-defexpr/channels");
|
add(getHome() + "/.nix-defexpr/channels");
|
||||||
add(settings.nixStateDir + "/profiles/per-user/root/channels/nixpkgs", "nixpkgs");
|
add(settings.nixStateDir + "/profiles/per-user/root/channels/nixpkgs", "nixpkgs");
|
||||||
add(settings.nixStateDir + "/profiles/per-user/root/channels");
|
add(settings.nixStateDir + "/profiles/per-user/root/channels");
|
||||||
}
|
|
||||||
|
|
||||||
return res;
|
return res;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
bool EvalSettings::isPseudoUrl(std::string_view s)
|
bool EvalSettings::isPseudoUrl(std::string_view s)
|
||||||
|
|
|
@ -570,7 +570,7 @@ struct EvalSettings : Config
|
||||||
{
|
{
|
||||||
EvalSettings();
|
EvalSettings();
|
||||||
|
|
||||||
static Strings getDefaultNixPath();
|
Strings getDefaultNixPath();
|
||||||
|
|
||||||
static bool isPseudoUrl(std::string_view s);
|
static bool isPseudoUrl(std::string_view s);
|
||||||
|
|
||||||
|
@ -580,8 +580,15 @@ struct EvalSettings : Config
|
||||||
"Whether builtin functions that allow executing native code should be enabled."};
|
"Whether builtin functions that allow executing native code should be enabled."};
|
||||||
|
|
||||||
Setting<Strings> nixPath{
|
Setting<Strings> nixPath{
|
||||||
this, getDefaultNixPath(), "nix-path",
|
this, {}, "nix-path",
|
||||||
"List of directories to be searched for `<...>` file references."};
|
R"(
|
||||||
|
List of directories to be searched for `<...>` file references.
|
||||||
|
|
||||||
|
If [pure evaluation](#conf-pure-eval) is disabled,
|
||||||
|
this is initialised using the [`NIX_PATH`](@docroot@/command-ref/env-common.md#env-NIX_PATH)
|
||||||
|
environment variable, or, if it is unset and [restricted evaluation](#conf-restrict-eval)
|
||||||
|
is disabled, a default search path including the user's and `root`'s channels.
|
||||||
|
)"};
|
||||||
|
|
||||||
Setting<bool> restrictEval{
|
Setting<bool> restrictEval{
|
||||||
this, false, "restrict-eval",
|
this, false, "restrict-eval",
|
||||||
|
|
|
@ -12,3 +12,8 @@ nix-instantiate --eval -E '<by-relative-path/simple.nix>' --restrict-eval
|
||||||
|
|
||||||
[[ $(nix-instantiate --find-file by-absolute-path/simple.nix) = $PWD/simple.nix ]]
|
[[ $(nix-instantiate --find-file by-absolute-path/simple.nix) = $PWD/simple.nix ]]
|
||||||
[[ $(nix-instantiate --find-file by-relative-path/simple.nix) = $PWD/simple.nix ]]
|
[[ $(nix-instantiate --find-file by-relative-path/simple.nix) = $PWD/simple.nix ]]
|
||||||
|
|
||||||
|
unset NIX_PATH
|
||||||
|
|
||||||
|
[[ $(nix-instantiate --option nix-path by-relative-path=. --find-file by-relative-path/simple.nix) = "$PWD/simple.nix" ]]
|
||||||
|
[[ $(NIX_PATH= nix-instantiate --option nix-path by-relative-path=. --find-file by-relative-path/simple.nix) = "$PWD/simple.nix" ]]
|
||||||
|
|
|
@ -17,6 +17,9 @@ nix-instantiate --restrict-eval --eval -E 'builtins.readDir ../src/nix-channel'
|
||||||
(! nix-instantiate --restrict-eval --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./.; } ]; in <foo>')
|
(! nix-instantiate --restrict-eval --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./.; } ]; in <foo>')
|
||||||
nix-instantiate --restrict-eval --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./.; } ]; in <foo>' -I src=.
|
nix-instantiate --restrict-eval --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./.; } ]; in <foo>' -I src=.
|
||||||
|
|
||||||
|
# no default NIX_PATH
|
||||||
|
(unset NIX_PATH; ! nix-instantiate --restrict-eval --find-file .)
|
||||||
|
|
||||||
p=$(nix eval --raw --expr "builtins.fetchurl file://$(pwd)/restricted.sh" --impure --restrict-eval --allowed-uris "file://$(pwd)")
|
p=$(nix eval --raw --expr "builtins.fetchurl file://$(pwd)/restricted.sh" --impure --restrict-eval --allowed-uris "file://$(pwd)")
|
||||||
cmp $p restricted.sh
|
cmp $p restricted.sh
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue