From 8dc2b2715bc5dc401dd83a1104332c674b335c72 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 19 Feb 2025 23:13:11 +0100 Subject: [PATCH] In pure eval mode, restrict rootFS to just the Nix store Note that in pure mode, we don't need to use the union FS even when using a chroot store, since the user shouldn't have access to the physical /nix/store. --- src/libexpr/eval.cc | 21 +++++++++++++-------- src/libutil/mounted-source-accessor.cc | 6 ++++++ 2 files changed, 19 insertions(+), 8 deletions(-) diff --git a/src/libexpr/eval.cc b/src/libexpr/eval.cc index ab2eb98e5..c0842dbbd 100644 --- a/src/libexpr/eval.cc +++ b/src/libexpr/eval.cc @@ -247,22 +247,27 @@ EvalState::EvalState( , emptyBindings(0) , rootFS( ({ + /* In pure eval mode, we provide a filesystem that only + contains the Nix store. + + If we have a chroot store and pure eval is not enabled, + use a union accessor to make the chroot store available + at its logical location while still having the + underlying directory available. This is necessary for + instance if we're evaluating a file from the physical + /nix/store while using a chroot store. */ auto accessor = getFSSourceAccessor(); - /* If we have a chroot store, make a union accessor to - make the chroot store available at its logical location - while still having the underlying directory - available. This is necessary for instance if we're - evaluating a file from the physical /nix/store while - using a chroot store. */ auto realStoreDir = dirOf(store->toRealPath(StorePath::dummy)); - if (store->storeDir != realStoreDir) { + if (settings.pureEval || store->storeDir != realStoreDir) { auto storeFS = makeMountedSourceAccessor( { {CanonPath::root, makeEmptySourceAccessor()}, {CanonPath(store->storeDir), makeFSSourceAccessor(realStoreDir)} }); - accessor = makeUnionSourceAccessor({accessor, storeFS}); + accessor = settings.pureEval + ? storeFS + : makeUnionSourceAccessor({accessor, storeFS}); } /* Apply access control if needed. */ 
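Review bot: `settings.pureEval` is read once here, inside the `rootFS` initializer, and tested in two places (the `if` and the `?:`), so the store-only view is fixed for the lifetime of the `EvalState`. If anything can change pure-eval after construction, `rootFS` keeps whichever view was chosen at this point. I would state that in the block comment, e.g. `Note: this is decided once at construction; later changes to pureEval do not affect rootFS.`, and read the flag into one local (`const bool storeOnly = settings.pureEval;`) so the condition and the selection stay in step when this is edited. The diffstat lists only the two source files, so a test that a path outside the store is not readable through `rootFS` in pure mode would be worth adding alongside this boundary. The constructor and the statement expression both continue outside the hunk.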
diff --git a/src/libutil/mounted-source-accessor.cc b/src/libutil/mounted-source-accessor.cc index 97e5f10a4..79223d155 100644 --- a/src/libutil/mounted-source-accessor.cc +++ b/src/libutil/mounted-source-accessor.cc @@ -63,6 +63,12 @@ struct MountedSourceAccessor : SourceAccessor path.pop(); } } + + std::optional getPhysicalPath(const CanonPath & path) override + { + auto [accessor, subpath] = resolve(path); + return accessor->getPhysicalPath(subpath); + } }; ref makeMountedSourceAccessor(std::map> mounts)
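Review bot: The new `getPhysicalPath` override has no comment, and it is the one method in this hunk that hands callers a host filesystem path instead of data read through the accessor. A short doc comment would help, e.g. `/* Return the physical path backing the given path in the mount that contains it, if that mount has one. Callers that open the result directly are no longer going through this accessor. */`. The override also dereferences the accessor returned by `resolve()` unconditionally. `resolve` is defined outside this hunk, so that is safe only if it always yields a mount (presumably a root mount is required), which is worth confirming or asserting. The struct starts before the hunk.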