Mount allowed paths on storeFS with pure eval
#14081
Conversation
github-actions
bot
added
new-cli
|
The last commit (the one not in a previous PR) needs some debugging. |
|
🎉 All dependencies have been resolved ! |
| mkdir -p "$traverseDir" | ||
| goUp="..$(echo "$traverseDir" | sed -e 's,[^/]\+,..,g')" | ||
| output="$(nix eval --raw --restrict-eval -I "$traverseDir" \ | ||
| output="$(nix eval --raw --impure --restrict-eval -I "$traverseDir" \ |
There was a problem hiding this comment.
This was just a mistake I think --- it didn't mean to test pure and restricted evaluation together.
Ericson2314
force-pushed
the
pure-eval-mount-not-filter
branch
from
0264b6a to
4917e48
Compare
|
@edolstra in the remaining test failures, I am getting an empty memory source accessor from the mounted source accessor, rather than my failing one with the right error message, and I am not sure why. |
|
At first glance this appears to make the code more complicated, so I'm not sure if it's an improvement? |
|
No I don't think this makes it more complicated. The only thing that is complicated right now is my crude attempts to get the error message right. If we ignore the error messages part, it is extremely simple:
|
| /* This is just an overkill way to make sure other store | ||
| paths get this error, and not the "doesn't exist" error | ||
| that the mounted source accessor would do on its own. */ | ||
| accessor->mount( | ||
| CanonPath::root, | ||
| AllowListSourceAccessor::create( | ||
| getFSSourceAccessor(), {}, {CanonPath::root, CanonPath(store->storeDir)}, [&](const CanonPath & path) -> RestrictedPathError { | ||
| throw RestrictedPathError( | ||
| "access to absolute path '%1%' is forbidden in pure evaluation mode (use '--impure' to override)", | ||
| CanonPath(store->storeDir) / path); | ||
| })); | ||
| /* We don't want to list store paths */ | ||
| accessor->mount(CanonPath(store->storeDir), makeEmptySourceAccessor()); |
There was a problem hiding this comment.
This is me trying to arrange the error reporting. It is not yet working. Another approach is fine.
| if (settings.restrictEval) | ||
| return AllowListSourceAccessor::create( | ||
| makeImpureAccessor(), {}, {}, [](const CanonPath & path) -> RestrictedPathError { | ||
| throw RestrictedPathError("access to absolute path '%1%' is forbidden in restricted mode", path); | ||
| }); |
There was a problem hiding this comment.
This is simpler than before, because it is just for restricted eval now.
Ericson2314
force-pushed
the
pure-eval-mount-not-filter
branch
from
e540a35 to
c4bf20c
Compare
No `AllowListSourceAccessor` for pure eval --- not needed anymore!
Ericson2314
force-pushed
the
pure-eval-mount-not-filter
branch
from
c4bf20c to
80edaab
Compare
Motivation
No
AllowListSourceAccessorfor pure eval --- not needed anymore!Context
Depends on #14080
Add 👍 to pull requests you find important.
The Nix maintainer team uses a GitHub project board to schedule and track reviews.