Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Move restricted/pure-eval access control out of the evaluator and into the accessor #9497

Merged
merged 10 commits into from
Dec 8, 2023
Merged

Move restricted/pure-eval access control out of the evaluator and into the accessor #9497

merged 10 commits into from
Dec 8, 2023

Conversation

edolstra
Copy link
Member

@edolstra edolstra commented Nov 30, 2023
edited
Loading

Motivation

Extracted from lazy-trees.

Context

Priorities

Add 👍 to pull requests you find important.

@github-actions github-actions bot added the with-tests Issues related to testing. PRs with tests have some priority label Nov 30, 2023
@github-actions github-actions bot added the fetching Networking with the outside (non-Nix) world, input locking label Nov 30, 2023
@Ericson2314
Copy link
Member

Didn't read all the code while it is still draft, but the concept is quite nice!

@edolstra edolstra mentioned this pull request Nov 30, 2023
Merged
9 tasks
@edolstra edolstra marked this pull request as ready for review November 30, 2023 21:47
roberth
roberth requested changes Nov 30, 2023
View reviewed changes
Copy link
Member

@roberth roberth left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Symlinks strike again.
Otherwise looks like the right direction.

src/libexpr/primops.cc Show resolved Hide resolved
src/libfetchers/filtering-input-accessor.hh Show resolved Hide resolved
src/libfetchers/filtering-input-accessor.hh Outdated Show resolved Hide resolved
tests/functional/restricted.sh Outdated Show resolved Hide resolved
tests/functional/restricted.sh
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have a regression with symlinks. Needs a test case.
Currently:

ls -l tunnel.d/
total 4
lrwxrwxrwx 1 user user 2 Nov 30 23:46 tunnel -> ..

$ ./result/bin/nix-instantiate --restrict-eval --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./tunnel.d; } ]; in builtins.readFile <foo/tunnel/aliens-truth>' -I tunnel.d
"They're among us.\n"

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've added some tests and PosixSourceAccessor now aggressively checks against symlinks.

edolstra and others added 6 commits December 5, 2023 16:33
@edolstra
Check that we can't follow symlinks outside of the allowed paths
345f79d
@edolstra
PosixSourceAccessor: Don't follow any symlinks
83c067c 
All path components must not be symlinks now (so the user needs to
call `resolveSymlinks()` when needed).
@edolstra
CanonPath: Support std::hash
504e4fc
@edolstra
PosixSourceAccessor: Cache lstat() calls
57246c4 
Since we're doing a lot of them in assertNoSymlinks().
@edolstra
Use expectStderr
53ab5d8
@edolstra @roberth
Update src/libfetchers/filtering-input-accessor.hh
2bd8322 
Co-authored-by: Robert Hensing <[email protected]>
@roberth roberth self-requested a review December 8, 2023 20:41
@roberth roberth merged commit d4f6b1d into NixOS:master Dec 8, 2023
7 of 8 checks passed
@infinisil infinisil mentioned this pull request Feb 7, 2024
Closed
@infinisil
Copy link
Member

This caused a regression: #9901

@infinisil infinisil mentioned this pull request Feb 19, 2024
Draft
9 tasks
@devusb devusb mentioned this pull request Mar 10, 2024
Closed
srid added a commit to srid/nixos-config that referenced this pull request Mar 26, 2024
@srid
Don't use unstable nix CLI
380b12e 
Because it broke colmena,
zhaofengli/colmena#190

Ref:
- NixOS/nix#9497
- NixOS/nix#9901
- NixOS/nix#9985
gador added a commit to gador/bento that referenced this pull request Oct 26, 2024
@gador
replace "path:" with "./"
59d0795 
on newer nix versions (> 2.18) the "path:" settings
will lead to evaluation errors when the flake uses
symbolic links.

a typical error message would be:

`error: access to absolute path '/lib' is forbidden in pure evaluation
mode (use '--impure' to override)`

when `/lib` actually is `./lib`.

When "path:" is replaced by just using the flake's path
no evaluation error is shown. As per the man page of `nix flake`
the "path" attribute reffers to the local path of the flake.

This can just be removed (AFAIK) by referencing to the path as a
positional argument.

Possible related issues:
NixOS/nix#11030
original PR introducing the error message NixOS/nix#9497

Signed-off-by: Florian Brandes <[email protected]>
@gador gador mentioned this pull request Oct 26, 2024
Merged
huang12zheng pushed a commit to huang12zheng/nixos-config that referenced this pull request Dec 5, 2024
@srid
Don't use unstable nix CLI
de240f6 
Because it broke colmena,
zhaofengli/colmena#190

Ref:
- NixOS/nix#9497
- NixOS/nix#9901
- NixOS/nix#9985
@edolstra edolstra deleted the move-access-control branch December 9, 2024 12:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@roberth roberth roberth approved these changes

@fricklerhandwerk fricklerhandwerk Awaiting requested review from fricklerhandwerk fricklerhandwerk is a code owner

Assignees
No one assigned
Labels
fetching Networking with the outside (non-Nix) world, input locking with-tests Issues related to testing. PRs with tests have some priority
Projects
Nix team
Status: Done
Milestone
fetch-tree stabilisation
Development

Successfully merging this pull request may close these issues.
5 participants
@edolstra @Ericson2314 @infinisil @roberth @fricklerhandwerk