wroclaw-git-backups/nix
1
0
Fork 0
mirror of https://github.com/NixOS/nix synced 2025-06-27 16:51:15 +02:00
Code Activity

In pure eval mode, restrict rootFS to just the Nix store

Browse source 
Note that in pure mode, we don't need to use the union FS even when
using a chroot store, since the user shouldn't have access to the
physical /nix/store.
This commit is contained in:
Eelco Dolstra 2025-02-19 23:13:11 +01:00
parent 4206d95996
commit 8dc2b2715b
2 changed files with 19 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

21
src/libexpr/eval.cc
View file

@ -247,22 +247,27 @@ EvalState::EvalState(
, emptyBindings(0) , emptyBindings(0)
, rootFS( , rootFS(
({ ({
/* In pure eval mode, we provide a filesystem that only
contains the Nix store.
If we have a chroot store and pure eval is not enabled,
use a union accessor to make the chroot store available
at its logical location while still having the
underlying directory available. This is necessary for
instance if we're evaluating a file from the physical
/nix/store while using a chroot store. */
auto accessor = getFSSourceAccessor(); auto accessor = getFSSourceAccessor();
/* If we have a chroot store, make a union accessor to
make the chroot store available at its logical location
while still having the underlying directory
available. This is necessary for instance if we're
evaluating a file from the physical /nix/store while
using a chroot store. */
auto realStoreDir = dirOf(store->toRealPath(StorePath::dummy)); auto realStoreDir = dirOf(store->toRealPath(StorePath::dummy));
if (store->storeDir != realStoreDir) { if (settings.pureEval || store->storeDir != realStoreDir) {
auto storeFS = makeMountedSourceAccessor( auto storeFS = makeMountedSourceAccessor(
{ {
{CanonPath::root, makeEmptySourceAccessor()}, {CanonPath::root, makeEmptySourceAccessor()},
{CanonPath(store->storeDir), makeFSSourceAccessor(realStoreDir)} {CanonPath(store->storeDir), makeFSSourceAccessor(realStoreDir)}
}); });
accessor = makeUnionSourceAccessor({accessor, storeFS}); accessor = settings.pureEval
? storeFS
: makeUnionSourceAccessor({accessor, storeFS});
} }
/* Apply access control if needed. */ /* Apply access control if needed. */

6
src/libutil/mounted-source-accessor.cc
View file

@ -63,6 +63,12 @@ struct MountedSourceAccessor : SourceAccessor
path.pop(); path.pop();
} }
} }
std::optional<std::filesystem::path> getPhysicalPath(const CanonPath & path) override
{
auto [accessor, subpath] = resolve(path);
return accessor->getPhysicalPath(subpath);
}
}; };
ref<SourceAccessor> makeMountedSourceAccessor(std::map<CanonPath, ref<SourceAccessor>> mounts) ref<SourceAccessor> makeMountedSourceAccessor(std::map<CanonPath, ref<SourceAccessor>> mounts)