Merge pull request #96 from tweag/support-chroot-store

Make flakes work with 'nix build --store ...'
2019-05-16 10:51:40 +02:00 · 2019-05-16 10:51:40 +02:00 · b531695331
parent 666fac2ba3 5c34d66538
commit b531695331
5 changed files with 14 additions and 8 deletions
--- a/src/libexpr/primops/fetchGit.cc
+++ b/src/libexpr/primops/fetchGit.cc
@ -259,7 +259,7 @@ static void prim_fetchGit(EvalState & state, const Pos & pos, Value * * args, Va
    v.attrs->sort();
    if (state.allowedPaths)
-        state.allowedPaths->insert(gitInfo.storePath);
+        state.allowedPaths->insert(state.store->toRealPath(gitInfo.storePath));
 }
 static RegisterPrimOp r("fetchGit", 1, prim_fetchGit);
--- a/src/libexpr/primops/fetchMercurial.cc
+++ b/src/libexpr/primops/fetchMercurial.cc
@ -214,7 +214,7 @@ static void prim_fetchMercurial(EvalState & state, const Pos & pos, Value * * ar
    v.attrs->sort();
    if (state.allowedPaths)
-        state.allowedPaths->insert(hgInfo.storePath);
+        state.allowedPaths->insert(state.store->toRealPath(hgInfo.storePath));
 }
 static RegisterPrimOp r("fetchMercurial", 1, prim_fetchMercurial);
--- a/src/libexpr/primops/flake.cc
+++ b/src/libexpr/primops/flake.cc
@ -248,7 +248,7 @@ static SourceInfo fetchFlake(EvalState & state, const FlakeRef & flakeRef, bool
        FlakeRef ref(resolvedRef.baseRef());
        ref.rev = Hash(std::string(*result.etag, 1, result.etag->size() - 2), htSHA1);
        SourceInfo info(ref);
-        info.storePath = result.path;
+        info.storePath = result.storePath;
        return info;
    }
@ -294,21 +294,22 @@ Flake getFlake(EvalState & state, const FlakeRef & flakeRef, bool impureIsAllowe
    state.store->assertStorePath(sourceInfo.storePath);
    if (state.allowedPaths)
-        state.allowedPaths->insert(sourceInfo.storePath);
+        state.allowedPaths->insert(state.store->toRealPath(sourceInfo.storePath));
    // Guard against symlink attacks.
    Path flakeFile = canonPath(sourceInfo.storePath + "/" + resolvedRef.subdir + "/flake.nix");
-    if (!isInDir(flakeFile, sourceInfo.storePath))
+    Path realFlakeFile = state.store->toRealPath(flakeFile);
-        throw Error("flake file '%s' escapes from '%s'", resolvedRef, sourceInfo.storePath);
+    if (!isInDir(realFlakeFile, state.store->toRealPath(sourceInfo.storePath)))
        throw Error("'flake.nix' file of flake '%s' escapes from '%s'", resolvedRef, sourceInfo.storePath);
    Flake flake(flakeRef, sourceInfo);
    flake.hash = state.store->queryPathInfo(sourceInfo.storePath)->narHash;
-    if (!pathExists(flakeFile))
+    if (!pathExists(realFlakeFile))
        throw Error("source tree referenced by '%s' does not contain a '%s/flake.nix' file", resolvedRef, resolvedRef.subdir);
    Value vInfo;
-    state.evalFile(flakeFile, vInfo); // FIXME: symlink attack
+    state.evalFile(realFlakeFile, vInfo); // FIXME: symlink attack
    state.forceAttrs(vInfo);
--- a/src/libstore/download.cc
+++ b/src/libstore/download.cc
@ -804,6 +804,7 @@ CachedDownloadResult Downloader::downloadCached(ref<Store> store, const string &
        expectedStorePath = store->makeFixedOutputPath(unpack, expectedHash, name);
        if (store->isValidPath(expectedStorePath)) {
            CachedDownloadResult result;
            result.storePath = expectedStorePath;
            result.path = store->toRealPath(expectedStorePath);
            return result;
        }
@ -912,6 +913,7 @@ CachedDownloadResult Downloader::downloadCached(ref<Store> store, const string &
            url, expectedHash.to_string(), gotHash.to_string());
    }
    result.storePath = storePath;
    result.path = store->toRealPath(storePath);
    return result;
 }
--- a/src/libstore/download.hh
+++ b/src/libstore/download.hh
@ -43,6 +43,9 @@ struct DownloadResult
 struct CachedDownloadResult
 {
    // Note: 'storePath' may be different from 'path' when using a
    // chroot store.
    Path storePath;
    Path path;
    std::optional<std::string> etag;
 };