EvalState::realiseContext(): Allow access to the entire closure

Fixes #11030. (cherry picked from commit 08361f031d) # Conflicts: # src/libexpr/eval.cc # tests/functional/import-from-derivation.nix # tests/functional/import-from-derivation.sh
2025-07-07 01:51:47 +02:00 · 2024-12-13 16:49:48 +01:00 · 2024-12-13 16:49:48 +01:00 · f986f7e89b
commit f986f7e89b
parent 6a791e946f
5 changed files with 129 additions and 5 deletions
--- a/src/libexpr/eval.cc
+++ b/src/libexpr/eval.cc
@ -379,6 +379,16 @@ void EvalState::allowPath(const StorePath & storePath)
        rootFS2->allowPrefix(CanonPath(store->toRealPath(storePath)));
 }

+void EvalState::allowClosure(const StorePath & storePath)
+{
+    if (!rootFS.dynamic_pointer_cast<AllowListSourceAccessor>()) return;
+
+    StorePathSet closure;
+    store->computeFSClosure(storePath, closure);
+    for (auto & p : closure)
+        allowPath(p);
+}
+
 void EvalState::allowAndSetStorePathString(const StorePath & storePath, Value & v)
 {
    allowPath(storePath);
@ -3113,10 +3123,14 @@ std::optional<std::string> EvalState::resolveLookupPathPath(const LookupPath::Pa
            allowPath(path);
            if (store->isInStore(path)) {
                try {
+<<<<<<< HEAD
                    StorePathSet closure;
                    store->computeFSClosure(store->toStorePath(path).first, closure);
                    for (auto & p : closure)
                        allowPath(p);
+=======
+                    allowClosure(store->toStorePath(path.path.abs()).first);
+>>>>>>> 08361f031 (EvalState::realiseContext(): Allow access to the entire closure)
                } catch (InvalidPath &) { }
            }
        }
--- a/src/libexpr/eval.hh
+++ b/src/libexpr/eval.hh
@ -392,6 +392,11 @@ public:
     */
    void allowPath(const StorePath & storePath);

+    /**
+     * Allow access to the closure of a store path.
+     */
+    void allowClosure(const StorePath & storePath);
+
    /**
     * Allow access to a store path and return it as a string.
     */
--- a/src/libexpr/primops.cc
+++ b/src/libexpr/primops.cc
@ -113,11 +113,9 @@ StringMap EvalState::realiseContext(const NixStringContext & context, StorePathS
    if (store != buildStore) copyClosure(*buildStore, *store, outputsToCopyAndAllow);

    if (isIFD) {
-        for (auto & outputPath : outputsToCopyAndAllow) {
-            /* Add the output of this derivations to the allowed
-            paths. */
-            allowPath(outputPath);
-        }
+        /* Allow access to the output closures of this derivation. */
+        for (auto & outputPath : outputsToCopyAndAllow)
+            allowClosure(outputPath);
    }

    return res;