Merge pull request #5348 from edolstra/chroot-addpath
Support chroot stores in builtins.{path,filterSource}
This commit is contained in:
commit
5a0c8c6712
|
@ -445,7 +445,7 @@ EvalState::EvalState(
|
||||||
StorePathSet closure;
|
StorePathSet closure;
|
||||||
store->computeFSClosure(store->toStorePath(r.second).first, closure);
|
store->computeFSClosure(store->toStorePath(r.second).first, closure);
|
||||||
for (auto & path : closure)
|
for (auto & path : closure)
|
||||||
allowPath(store->printStorePath(path));
|
allowPath(path);
|
||||||
} catch (InvalidPath &) {
|
} catch (InvalidPath &) {
|
||||||
allowPath(r.second);
|
allowPath(r.second);
|
||||||
}
|
}
|
||||||
|
@ -488,6 +488,12 @@ void EvalState::allowPath(const Path & path)
|
||||||
allowedPaths->insert(path);
|
allowedPaths->insert(path);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void EvalState::allowPath(const StorePath & storePath)
|
||||||
|
{
|
||||||
|
if (allowedPaths)
|
||||||
|
allowedPaths->insert(store->toRealPath(storePath));
|
||||||
|
}
|
||||||
|
|
||||||
Path EvalState::checkSourcePath(const Path & path_)
|
Path EvalState::checkSourcePath(const Path & path_)
|
||||||
{
|
{
|
||||||
if (!allowedPaths) return path_;
|
if (!allowedPaths) return path_;
|
||||||
|
@ -1895,9 +1901,9 @@ string EvalState::copyPathToStore(PathSet & context, const Path & path)
|
||||||
? store->computeStorePathForPath(std::string(baseNameOf(path)), checkSourcePath(path)).first
|
? store->computeStorePathForPath(std::string(baseNameOf(path)), checkSourcePath(path)).first
|
||||||
: store->addToStore(std::string(baseNameOf(path)), checkSourcePath(path), FileIngestionMethod::Recursive, htSHA256, defaultPathFilter, repair);
|
: store->addToStore(std::string(baseNameOf(path)), checkSourcePath(path), FileIngestionMethod::Recursive, htSHA256, defaultPathFilter, repair);
|
||||||
dstPath = store->printStorePath(p);
|
dstPath = store->printStorePath(p);
|
||||||
|
allowPath(p);
|
||||||
srcToStore.insert_or_assign(path, std::move(p));
|
srcToStore.insert_or_assign(path, std::move(p));
|
||||||
printMsg(lvlChatty, "copied source '%1%' -> '%2%'", path, dstPath);
|
printMsg(lvlChatty, "copied source '%1%' -> '%2%'", path, dstPath);
|
||||||
allowPath(dstPath);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
context.insert(dstPath);
|
context.insert(dstPath);
|
||||||
|
|
|
@ -153,6 +153,10 @@ public:
|
||||||
/* Allow access to a path. */
|
/* Allow access to a path. */
|
||||||
void allowPath(const Path & path);
|
void allowPath(const Path & path);
|
||||||
|
|
||||||
|
/* Allow access to a store path. Note that this gets remapped to
|
||||||
|
the real store path if `store` is a chroot store. */
|
||||||
|
void allowPath(const StorePath & storePath);
|
||||||
|
|
||||||
/* Check whether access to a path is allowed and throw an error if
|
/* Check whether access to a path is allowed and throw an error if
|
||||||
not. Otherwise return the canonicalised path. */
|
not. Otherwise return the canonicalised path. */
|
||||||
Path checkSourcePath(const Path & path);
|
Path checkSourcePath(const Path & path);
|
||||||
|
|
|
@ -64,7 +64,7 @@ static std::tuple<fetchers::Tree, FlakeRef, FlakeRef> fetchOrSubstituteTree(
|
||||||
debug("got tree '%s' from '%s'",
|
debug("got tree '%s' from '%s'",
|
||||||
state.store->printStorePath(tree.storePath), lockedRef);
|
state.store->printStorePath(tree.storePath), lockedRef);
|
||||||
|
|
||||||
state.allowPath(tree.actualPath);
|
state.allowPath(tree.storePath);
|
||||||
|
|
||||||
assert(!originalRef.input.getNarHash() || tree.storePath == originalRef.input.computeStorePath(*state.store));
|
assert(!originalRef.input.getNarHash() || tree.storePath == originalRef.input.computeStorePath(*state.store));
|
||||||
|
|
||||||
|
|
|
@ -1859,18 +1859,19 @@ static void addPath(
|
||||||
// be rewritten to the actual output).
|
// be rewritten to the actual output).
|
||||||
state.realiseContext(context);
|
state.realiseContext(context);
|
||||||
|
|
||||||
path = evalSettings.pureEval && expectedHash
|
|
||||||
? path
|
|
||||||
: state.checkSourcePath(path);
|
|
||||||
|
|
||||||
if (state.store->isInStore(path)) {
|
if (state.store->isInStore(path)) {
|
||||||
auto storePath = state.store->toStorePath(path).first;
|
auto [storePath, subPath] = state.store->toStorePath(path);
|
||||||
auto info = state.store->queryPathInfo(storePath);
|
auto info = state.store->queryPathInfo(storePath);
|
||||||
if (!info->references.empty())
|
if (!info->references.empty())
|
||||||
throw EvalError("store path '%s' is not allowed to have references",
|
throw EvalError("store path '%s' is not allowed to have references",
|
||||||
state.store->printStorePath(storePath));
|
state.store->printStorePath(storePath));
|
||||||
|
path = state.store->toRealPath(storePath) + subPath;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
path = evalSettings.pureEval && expectedHash
|
||||||
|
? path
|
||||||
|
: state.checkSourcePath(path);
|
||||||
|
|
||||||
PathFilter filter = filterFun ? ([&](const Path & path) {
|
PathFilter filter = filterFun ? ([&](const Path & path) {
|
||||||
auto st = lstat(path);
|
auto st = lstat(path);
|
||||||
|
|
||||||
|
@ -1911,7 +1912,7 @@ static void addPath(
|
||||||
|
|
||||||
mkString(v, dstPath, {dstPath});
|
mkString(v, dstPath, {dstPath});
|
||||||
|
|
||||||
state.allowPath(v.string.s);
|
state.allowPath(dstPath);
|
||||||
|
|
||||||
} catch (Error & e) {
|
} catch (Error & e) {
|
||||||
e.addTrace(pos, "while adding path '%s'", path);
|
e.addTrace(pos, "while adding path '%s'", path);
|
||||||
|
|
|
@ -84,7 +84,7 @@ static void prim_fetchMercurial(EvalState & state, const Pos & pos, Value * * ar
|
||||||
mkInt(*state.allocAttr(v, state.symbols.create("revCount")), *revCount);
|
mkInt(*state.allocAttr(v, state.symbols.create("revCount")), *revCount);
|
||||||
v.attrs->sort();
|
v.attrs->sort();
|
||||||
|
|
||||||
state.allowPath(tree.actualPath);
|
state.allowPath(tree.storePath);
|
||||||
}
|
}
|
||||||
|
|
||||||
static RegisterPrimOp r_fetchMercurial("fetchMercurial", 1, prim_fetchMercurial);
|
static RegisterPrimOp r_fetchMercurial("fetchMercurial", 1, prim_fetchMercurial);
|
||||||
|
|
|
@ -169,7 +169,7 @@ static void fetchTree(
|
||||||
|
|
||||||
auto [tree, input2] = input.fetch(state.store);
|
auto [tree, input2] = input.fetch(state.store);
|
||||||
|
|
||||||
state.allowPath(tree.actualPath);
|
state.allowPath(tree.storePath);
|
||||||
|
|
||||||
emitTreeAttrs(state, tree, input2, v, params.emptyRevFallback, false);
|
emitTreeAttrs(state, tree, input2, v, params.emptyRevFallback, false);
|
||||||
}
|
}
|
||||||
|
@ -233,18 +233,16 @@ static void fetch(EvalState & state, const Pos & pos, Value * * args, Value & v,
|
||||||
? fetchers::downloadTarball(state.store, *url, name, (bool) expectedHash).first.storePath
|
? fetchers::downloadTarball(state.store, *url, name, (bool) expectedHash).first.storePath
|
||||||
: fetchers::downloadFile(state.store, *url, name, (bool) expectedHash).storePath;
|
: fetchers::downloadFile(state.store, *url, name, (bool) expectedHash).storePath;
|
||||||
|
|
||||||
auto realPath = state.store->toRealPath(storePath);
|
|
||||||
|
|
||||||
if (expectedHash) {
|
if (expectedHash) {
|
||||||
auto hash = unpack
|
auto hash = unpack
|
||||||
? state.store->queryPathInfo(storePath)->narHash
|
? state.store->queryPathInfo(storePath)->narHash
|
||||||
: hashFile(htSHA256, realPath);
|
: hashFile(htSHA256, state.store->toRealPath(storePath));
|
||||||
if (hash != *expectedHash)
|
if (hash != *expectedHash)
|
||||||
throw Error((unsigned int) 102, "hash mismatch in file downloaded from '%s':\n specified: %s\n got: %s",
|
throw Error((unsigned int) 102, "hash mismatch in file downloaded from '%s':\n specified: %s\n got: %s",
|
||||||
*url, expectedHash->to_string(Base32, true), hash.to_string(Base32, true));
|
*url, expectedHash->to_string(Base32, true), hash.to_string(Base32, true));
|
||||||
}
|
}
|
||||||
|
|
||||||
state.allowPath(realPath);
|
state.allowPath(storePath);
|
||||||
|
|
||||||
auto path = state.store->printStorePath(storePath);
|
auto path = state.store->printStorePath(storePath);
|
||||||
mkString(v, path, PathSet({path}));
|
mkString(v, path, PathSet({path}));
|
||||||
|
|
Loading…
Reference in a new issue