EvalState::realiseContext(): Allow access to the entire closure

Fixes #11030.
2025-06-24 22:11:15 +02:00 · 2024-12-13 16:49:48 +01:00 · 2024-12-13 16:49:48 +01:00 · 08361f031d
commit 08361f031d
parent 18770c7e18
5 changed files with 44 additions and 10 deletions
--- a/src/libexpr/eval.cc
+++ b/src/libexpr/eval.cc
@ -347,6 +347,16 @@ void EvalState::allowPath(const StorePath & storePath)
        rootFS2->allowPrefix(CanonPath(store->toRealPath(storePath)));
 }

+void EvalState::allowClosure(const StorePath & storePath)
+{
+    if (!rootFS.dynamic_pointer_cast<AllowListSourceAccessor>()) return;
+
+    StorePathSet closure;
+    store->computeFSClosure(storePath, closure);
+    for (auto & p : closure)
+        allowPath(p);
+}
+
 void EvalState::allowAndSetStorePathString(const StorePath & storePath, Value & v)
 {
    allowPath(storePath);
@ -3099,10 +3109,7 @@ std::optional<SourcePath> EvalState::resolveLookupPathPath(const LookupPath::Pat
            allowPath(path.path.abs());
            if (store->isInStore(path.path.abs())) {
                try {
-                    StorePathSet closure;
-                    store->computeFSClosure(store->toStorePath(path.path.abs()).first, closure);
-                    for (auto & p : closure)
-                        allowPath(p);
+                    allowClosure(store->toStorePath(path.path.abs()).first);
                } catch (InvalidPath &) { }
            }
        }
--- a/src/libexpr/eval.hh
+++ b/src/libexpr/eval.hh
@ -400,6 +400,11 @@ public:
     */
    void allowPath(const StorePath & storePath);

+    /**
+     * Allow access to the closure of a store path.
+     */
+    void allowClosure(const StorePath & storePath);
+
    /**
     * Allow access to a store path and return it as a string.
     */
--- a/src/libexpr/primops.cc
+++ b/src/libexpr/primops.cc
@ -119,11 +119,9 @@ StringMap EvalState::realiseContext(const NixStringContext & context, StorePathS
    if (store != buildStore) copyClosure(*buildStore, *store, outputsToCopyAndAllow);

    if (isIFD) {
-        for (auto & outputPath : outputsToCopyAndAllow) {
-            /* Add the output of this derivations to the allowed
-            paths. */
-            allowPath(outputPath);
-        }
+        /* Allow access to the output closures of this derivation. */
+        for (auto & outputPath : outputsToCopyAndAllow)
+            allowClosure(outputPath);
    }

    return res;
--- a/tests/functional/import-from-derivation.nix
+++ b/tests/functional/import-from-derivation.nix
@ -1,4 +1,4 @@
-with import ./config.nix;
+with import <config>;

 rec {
  bar = mkDerivation {
@ -30,4 +30,23 @@ rec {
        echo -n BLA$(cat $src) > $out
      '';
  };
+
+  step1 = mkDerivation {
+    name = "step1";
+    buildCommand = ''
+      mkdir -p $out
+      echo 'foo' > $out/bla
+    '';
+  };
+
+  addPathExpr = mkDerivation {
+    name = "add-path";
+    inherit step1;
+    buildCommand = ''
+      mkdir -p $out
+      echo "builtins.path { path = \"$step1\"; sha256 = \"7ptL+pnrZXnSa5hwwB+2SXTLkcSb5264WGGokN8OXto=\"; }" > $out/default.nix
+    '';
+  };
+
+  importAddPathExpr = import addPathExpr;
 }
--- a/tests/functional/import-from-derivation.sh
+++ b/tests/functional/import-from-derivation.sh
@ -6,6 +6,8 @@ TODO_NixOS

 clearStoreIfPossible

+export NIX_PATH=config="${config_nix}"
+
 if nix-instantiate --readonly-mode ./import-from-derivation.nix -A result; then
    echo "read-only evaluation of an imported derivation unexpectedly failed"
    exit 1
@ -15,6 +17,9 @@ outPath=$(nix-build ./import-from-derivation.nix -A result --no-out-link)

 [ "$(cat "$outPath")" = FOO579 ]

+# Check that we can have access to the entire closure of a derivation output.
+nix build --no-link --restrict-eval -I src=. -f ./import-from-derivation.nix importAddPathExpr -v
+
 # FIXME: the next tests are broken on CA.
 if [[ -n "${NIX_TESTS_CA_BY_DEFAULT:-}" ]]; then
    exit 0