Merge pull request #11000 from hercules-ci/backport-10992-to-2.23-maintenance

[Backport 2.23-maintenance] Fix #10947; don't cache disallowed IFD

doc/manual/rl-next/harden-user-sandboxing.md

@@ -1,8 +1,6 @@
 ---
 synopsis: Harden the user sandboxing
 significance: significant
-issues:
-prs: <only provided once merged>
 ---
 
 The build directory has been hardened against interference with the outside world by nesting it inside another directory owned by (and only readable by) the daemon user.

src/libexpr/primops.cc

@@ -79,7 +79,7 @@ StringMap EvalState::realiseContext(const NixStringContext & context, StorePathS
     if (drvs.empty()) return {};
 
     if (isIFD && !evalSettings.enableImportFromDerivation)
-        error<EvalError>(
+        error<EvalBaseError>(
             "cannot build '%1%' during evaluation because the option 'allow-import-from-derivation' is disabled",
             drvs.begin()->to_string(*store)
         ).debugThrow();

tests/functional/flakes/eval-cache.sh

@@ -7,12 +7,22 @@ requireGit
 flake1Dir="$TEST_ROOT/eval-cache-flake"
 
 createGitRepo "$flake1Dir" ""
+cp ../simple.nix ../simple.builder.sh ../config.nix "$flake1Dir/"
+git -C "$flake1Dir" add simple.nix simple.builder.sh config.nix
+git -C "$flake1Dir" commit -m "config.nix"
 
 cat >"$flake1Dir/flake.nix" <<EOF
 {
   description = "Fnord";
-  outputs = { self }: {
+  outputs = { self }: let inherit (import ./config.nix) mkDerivation; in {
     foo.bar = throw "breaks";
+    drv = mkDerivation {
+      name = "build";
+      buildCommand = ''
+        echo true > \$out
+      '';
+    };
+    ifd = assert (import self.drv); self.drv;
   };
 }
 EOF
@@ -22,3 +32,8 @@ git -C "$flake1Dir" commit -m "Init"
 
 expect 1 nix build "$flake1Dir#foo.bar" 2>&1 | grepQuiet 'error: breaks'
 expect 1 nix build "$flake1Dir#foo.bar" 2>&1 | grepQuiet 'error: breaks'
+
+# Conditional error should not be cached
+expect 1 nix build "$flake1Dir#ifd" --option allow-import-from-derivation false 2>&1 \
+  | grepQuiet 'error: cannot build .* during evaluation because the option '\''allow-import-from-derivation'\'' is disabled'
+nix build "$flake1Dir#ifd"

tests/nixos/user-sandboxing/attacker.c

@@ -9,11 +9,13 @@
 
 #define SYS_fchmodat2 452
 
-int fchmodat2(int dirfd, const char *pathname, mode_t mode, int flags) {
+int fchmodat2(int dirfd, const char * pathname, mode_t mode, int flags)
+{
     return syscall(SYS_fchmodat2, dirfd, pathname, mode, flags);
 }
 
-int main(int argc, char **argv) {
+int main(int argc, char ** argv)
+{
     if (argc <= 1) {
         // stage 1: place the setuid-builder executable
 
@@ -49,8 +51,7 @@ int main(int argc, char **argv) {
             for (;;) {
                 ssize_t len = read(fd, buf, sizeof(buf));
                 struct inotify_event * ev;
-        for (char *pe = buf; pe < buf + len;
-            pe += sizeof(struct inotify_event) + ev->len) {
+                for (char * pe = buf; pe < buf + len; pe += sizeof(struct inotify_event) + ev->len) {
                     ev = (struct inotify_event *) pe;
                     fprintf(stderr, "folder %s created\n", ev->name);
                     // wait a bit to prevent racing against the creation
@@ -79,4 +80,3 @@ int main(int argc, char **argv) {
         exit(0);
     }
 }
-