From a30df4675f4df09834a62536925d6a95606c4670 Mon Sep 17 00:00:00 2001
From: Daiderd Jordan <daiderd@gmail.com>
Date: Thu, 5 Jul 2018 00:24:32 +0200
Subject: [PATCH 1/2] eval-checker: use explicit 'nixpkgs' argument for
 release.nix expressions

Using builtins.fetchGit is not allowed in restricted mode, but it's
desirable for eg. the tarball build. So we avoid it for the evaluation
checks.

See https://github.com/NixOS/nixpkgs/pull/43042
---
 ofborg/src/tasks/massrebuilder.rs | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/ofborg/src/tasks/massrebuilder.rs b/ofborg/src/tasks/massrebuilder.rs
index 19dc889..ee95b09 100644
--- a/ofborg/src/tasks/massrebuilder.rs
+++ b/ofborg/src/tasks/massrebuilder.rs
@@ -348,6 +348,9 @@ impl<E: stats::SysEvents + 'static> worker::SimpleWorker for MassRebuildWorker<E
                 "nixos-options",
                 nix::Operation::Instantiate,
                 vec![
+                    String::from("--arg"),
+                    String::from("nixpkgs"),
+                    String::from("./."),
                     String::from("./nixos/release.nix"),
                     String::from("-A"),
                     String::from("options"),
@@ -359,6 +362,9 @@ impl<E: stats::SysEvents + 'static> worker::SimpleWorker for MassRebuildWorker<E
                 "nixos-manual",
                 nix::Operation::Instantiate,
                 vec![
+                    String::from("--arg"),
+                    String::from("nixpkgs"),
+                    String::from("./."),
                     String::from("./nixos/release.nix"),
                     String::from("-A"),
                     String::from("manual"),
@@ -370,6 +376,9 @@ impl<E: stats::SysEvents + 'static> worker::SimpleWorker for MassRebuildWorker<E
                 "nixpkgs-manual",
                 nix::Operation::Instantiate,
                 vec![
+                    String::from("--arg"),
+                    String::from("nixpkgs"),
+                    String::from("./."),
                     String::from("./pkgs/top-level/release.nix"),
                     String::from("-A"),
                     String::from("manual"),
@@ -381,6 +390,9 @@ impl<E: stats::SysEvents + 'static> worker::SimpleWorker for MassRebuildWorker<E
                 "nixpkgs-tarball",
                 nix::Operation::Instantiate,
                 vec![
+                    String::from("--arg"),
+                    String::from("nixpkgs"),
+                    String::from("./."),
                     String::from("./pkgs/top-level/release.nix"),
                     String::from("-A"),
                     String::from("tarball"),
@@ -392,6 +404,9 @@ impl<E: stats::SysEvents + 'static> worker::SimpleWorker for MassRebuildWorker<E
                 "nixpkgs-unstable-jobset",
                 nix::Operation::Instantiate,
                 vec![
+                    String::from("--arg"),
+                    String::from("nixpkgs"),
+                    String::from("./."),
                     String::from("./pkgs/top-level/release.nix"),
                     String::from("-A"),
                     String::from("unstable"),

From b8975bca4ef79175b859c77803277df13436dded Mon Sep 17 00:00:00 2001
From: Daiderd Jordan <daiderd@gmail.com>
Date: Thu, 5 Jul 2018 00:58:44 +0200
Subject: [PATCH 2/2] add test for builtins.fetchGit restricted mode

---
 ofborg/src/nix.rs                             | 21 ++++++++++++++++++-
 .../test-srcs/eval-mixed-failure/default.nix  | 19 ++++++++++++++++-
 2 files changed, 38 insertions(+), 2 deletions(-)

diff --git a/ofborg/src/nix.rs b/ofborg/src/nix.rs
index dcae057..fb97ab5 100644
--- a/ofborg/src/nix.rs
+++ b/ofborg/src/nix.rs
@@ -675,7 +675,7 @@ mod tests {
     }
 
     #[test]
-    fn instantiation() {
+    fn instantiation_success() {
         let ret: Result<File, File> = nix().safely(
             Operation::Instantiate,
             passing_eval_path().as_path(),
@@ -693,4 +693,23 @@ mod tests {
             ],
         );
     }
+
+    #[test]
+    fn instantiation_nixpkgs_restricted_mode() {
+        let ret: Result<File, File> = nix().safely(
+            Operation::Instantiate,
+            individual_eval_path().as_path(),
+            vec![String::from("-A"), String::from("nixpkgs-restricted-mode")],
+            true,
+        );
+
+        assert_run(
+            ret,
+            Expect::Fail,
+            vec![
+                "access to path '/fake'",
+                "is forbidden in restricted mode",
+            ],
+        );
+    }
 }
diff --git a/ofborg/test-srcs/eval-mixed-failure/default.nix b/ofborg/test-srcs/eval-mixed-failure/default.nix
index a4f5290..72b8b46 100644
--- a/ofborg/test-srcs/eval-mixed-failure/default.nix
+++ b/ofborg/test-srcs/eval-mixed-failure/default.nix
@@ -1,6 +1,14 @@
 let
+  fetchGit = builtins.fetchGit or (path: assert builtins.trace ''
+    error: access to path '/fake' is forbidden in restricted mode
+  '' false; path);
+
   nix = import <nix/config.nix>;
-in rec {
+in
+
+{ nixpkgs ? fetchGit /fake }:
+
+rec {
   success = derivation {
     name = "success";
     system = builtins.currentSystem;
@@ -28,6 +36,15 @@ in rec {
       "echo this ones cool" ];
   };
 
+  nixpkgs-restricted-mode = derivation {
+    name = "nixpkgs-restricted-mode-fetchgit";
+    system = builtins.currentSystem;
+    builder = nix.shell;
+    args = [
+      "-c"
+      "echo hi; echo ${toString nixpkgs} > $out" ];
+  };
+
   fails-instantiation = assert builtins.trace ''
     You just can't frooble the frozz on this particular system.
   '' false; {};