realiseContext(): Add derivation outputs to the allowed paths

This makes import-from-derivation work in restricted mode again.
Eelco Dolstra 2018-02-06 15:38:45 +01:00
parent f24e726ba5
commit 43f8ef73c6
No known key found for this signature in database
GPG key ID: 8170B4726D7198DE
2 changed files with 26 additions and 10 deletions


@ -49,24 +49,38 @@ InvalidPathError::InvalidPathError(const Path & path) :
void EvalState::realiseContext(const PathSet & context) void EvalState::realiseContext(const PathSet & context)
{ {
PathSet drvs; PathSet drvs;
for (auto & i : context) { for (auto & i : context) {
std::pair<string, string> decoded = decodeContext(i); std::pair<string, string> decoded = decodeContext(i);
Path ctx = decoded.first; Path ctx = decoded.first;
assert(store->isStorePath(ctx)); assert(store->isStorePath(ctx));
if (!store->isValidPath(ctx)) if (!store->isValidPath(ctx))
throw InvalidPathError(ctx); throw InvalidPathError(ctx);
if (!decoded.second.empty() && nix::isDerivation(ctx)) if (!decoded.second.empty() && nix::isDerivation(ctx)) {
drvs.insert(decoded.first + "!" + decoded.second); drvs.insert(decoded.first + "!" + decoded.second);
/* Add the output of this derivation to the allowed
paths. */
if (allowedPaths) {
auto drv = store->derivationFromPath(decoded.first);
DerivationOutputs::iterator i = drv.outputs.find(decoded.second);
if (i == drv.outputs.end())
throw Error("derivation '%s' does not have an output named '%s'", decoded.first, decoded.second);
allowedPaths->insert(i->second.path);
} }
if (!drvs.empty()) { }
}
if (drvs.empty()) return;
if (!settings.enableImportFromDerivation) if (!settings.enableImportFromDerivation)
throw EvalError(format("attempted to realize '%1%' during evaluation but 'allow-import-from-derivation' is false") % *(drvs.begin())); throw EvalError(format("attempted to realize '%1%' during evaluation but 'allow-import-from-derivation' is false") % *(drvs.begin()));
/* For performance, prefetch all substitute info. */ /* For performance, prefetch all substitute info. */
PathSet willBuild, willSubstitute, unknown; PathSet willBuild, willSubstitute, unknown;
unsigned long long downloadSize, narSize; unsigned long long downloadSize, narSize;
store->queryMissing(drvs, willBuild, willSubstitute, unknown, downloadSize, narSize); store->queryMissing(drvs, willBuild, willSubstitute, unknown, downloadSize, narSize);
store->buildPaths(drvs); store->buildPaths(drvs);
}
} }
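Review bot: The new `allowedPaths->insert(i->second.path)` runs inside the context loop, before the `settings.enableImportFromDerivation` check and before `store->buildPaths(drvs)` has succeeded, so the restricted-mode allowlist is widened even on the paths where the function then throws. Whether any caller catches those exceptions and keeps evaluating is not visible in this hunk, but the allowlist is the security boundary of `--restrict-eval`, so it is safer to widen it only after the policy check and the build have passed. I would collect the output paths in a local set during the loop and insert them into `allowedPaths` after `buildPaths` returns. Separately, the inner `DerivationOutputs::iterator i` shadows the loop variable `i` from `for (auto & i : context)`; a distinct name such as `out` avoids confusion.

```cpp
    PathSet drvs, pendingOutputs;
    // … unchanged: decodeContext, store-path assert and validity check …
            if (allowedPaths) {
                auto drv = store->derivationFromPath(decoded.first);
                auto out = drv.outputs.find(decoded.second);
                if (out == drv.outputs.end())
                    throw Error("derivation '%s' does not have an output named '%s'", decoded.first, decoded.second);
                pendingOutputs.insert(out->second.path);
            }
    // … unchanged: drvs.empty() early return, enableImportFromDerivation check, queryMissing …
    store->buildPaths(drvs);

    /* Widen the allowlist only once the outputs have been realised. */
    if (allowedPaths)
        allowedPaths->insert(pendingOutputs.begin(), pendingOutputs.end());
```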


@ -36,3 +36,5 @@ ln -sfn $(pwd)/restricted.nix $TEST_ROOT/restricted.nix
(! nix-instantiate --eval --restrict-eval $TEST_ROOT/restricted.nix -I $TEST_ROOT) (! nix-instantiate --eval --restrict-eval $TEST_ROOT/restricted.nix -I $TEST_ROOT)
(! nix-instantiate --eval --restrict-eval $TEST_ROOT/restricted.nix -I .) (! nix-instantiate --eval --restrict-eval $TEST_ROOT/restricted.nix -I .)
nix-instantiate --eval --restrict-eval $TEST_ROOT/restricted.nix -I $TEST_ROOT -I . nix-instantiate --eval --restrict-eval $TEST_ROOT/restricted.nix -I $TEST_ROOT -I .
[[ $(nix eval --raw --restrict-eval -I . '(builtins.readFile "${import ./simple.nix}/hello")') == 'Hello World!' ]]