Merge pull request #12077 from NixOS/mergify/bp/2.24-maintenance/pr-12045

EvalState::realiseContext(): Allow access to the entire closure (backport #12045)
2025-07-06 21:41:48 +02:00 · 2024-12-31 15:33:23 +00:00 · 2024-12-31 15:33:23 +00:00 · bda59dee55
commit bda59dee55
parent e40d0352b2 000db53f8f
6 changed files with 131 additions and 9 deletions
--- a/src/libexpr/eval.cc
+++ b/src/libexpr/eval.cc
@ -379,6 +379,16 @@ void EvalState::allowPath(const StorePath & storePath)
        rootFS2->allowPrefix(CanonPath(store->toRealPath(storePath)));
 }

+void EvalState::allowClosure(const StorePath & storePath)
+{
+    if (!rootFS.dynamic_pointer_cast<AllowListSourceAccessor>()) return;
+
+    StorePathSet closure;
+    store->computeFSClosure(storePath, closure);
+    for (auto & p : closure)
+        allowPath(p);
+}
+
 void EvalState::allowAndSetStorePathString(const StorePath & storePath, Value & v)
 {
    allowPath(storePath);
@ -3113,10 +3123,7 @@ std::optional<std::string> EvalState::resolveLookupPathPath(const LookupPath::Pa
            allowPath(path);
            if (store->isInStore(path)) {
                try {
-                    StorePathSet closure;
-                    store->computeFSClosure(store->toStorePath(path).first, closure);
-                    for (auto & p : closure)
-                        allowPath(p);
+                    allowClosure(store->toStorePath(path).first);
                } catch (InvalidPath &) { }
            }
        }
--- a/src/libexpr/eval.hh
+++ b/src/libexpr/eval.hh
@ -392,6 +392,11 @@ public:
     */
    void allowPath(const StorePath & storePath);

+    /**
+     * Allow access to the closure of a store path.
+     */
+    void allowClosure(const StorePath & storePath);
+
    /**
     * Allow access to a store path and return it as a string.
     */
--- a/src/libexpr/primops.cc
+++ b/src/libexpr/primops.cc
@ -113,11 +113,9 @@ StringMap EvalState::realiseContext(const NixStringContext & context, StorePathS
    if (store != buildStore) copyClosure(*buildStore, *store, outputsToCopyAndAllow);

    if (isIFD) {
-        for (auto & outputPath : outputsToCopyAndAllow) {
-            /* Add the output of this derivations to the allowed
-            paths. */
-            allowPath(outputPath);
-        }
+        /* Allow access to the output closures of this derivation. */
+        for (auto & outputPath : outputsToCopyAndAllow)
+            allowClosure(outputPath);
    }

    return res;