EvalState::realiseContext(): Allow access to the entire closure

Fixes NixOS#11030.
DeterminateSystems · Dec 13, 2024 · 48d9696 · 48d9696
1 parent f1187cb
commit 48d9696
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 9 deletions.
diff --git a/src/libexpr/eval.cc b/src/libexpr/eval.cc
@@ -347,6 +347,16 @@ void EvalState::allowPath(const StorePath & storePath)
         rootFS2->allowPrefix(CanonPath(store->toRealPath(storePath)));
 }
 
+void EvalState::allowClosure(const StorePath & storePath)
+{
+    if (!rootFS.dynamic_pointer_cast<AllowListSourceAccessor>()) return;
+
+    StorePathSet closure;
+    store->computeFSClosure(storePath, closure);
+    for (auto & p : closure)
+        allowPath(p);
+}
+
 void EvalState::allowAndSetStorePathString(const StorePath & storePath, Value & v)
 {
     allowPath(storePath);
@@ -3099,10 +3109,7 @@ std::optional<SourcePath> EvalState::resolveLookupPathPath(const LookupPath::Pat
             allowPath(path.path.abs());
             if (store->isInStore(path.path.abs())) {
                 try {
-                    StorePathSet closure;
-                    store->computeFSClosure(store->toStorePath(path.path.abs()).first, closure);
-                    for (auto & p : closure)
-                        allowPath(p);
+                    allowClosure(store->toStorePath(path.path.abs()).first);
                 } catch (InvalidPath &) { }
             }
         }

diff --git a/src/libexpr/eval.hh b/src/libexpr/eval.hh
@@ -400,6 +400,11 @@ public:
      */
     void allowPath(const StorePath & storePath);
 
+    /**
+     * Allow access to the closure of a store path.
+     */
+    void allowClosure(const StorePath & storePath);
+
     /**
      * Allow access to a store path and return it as a string.
      */

diff --git a/src/libexpr/primops.cc b/src/libexpr/primops.cc
@@ -119,11 +119,9 @@ StringMap EvalState::realiseContext(const NixStringContext & context, StorePathS
     if (store != buildStore) copyClosure(*buildStore, *store, outputsToCopyAndAllow);
 
     if (isIFD) {
-        for (auto & outputPath : outputsToCopyAndAllow) {
-            /* Add the output of this derivations to the allowed
-            paths. */
-            allowPath(outputPath);
-        }
+        /* Allow access to the output closures of this derivation. */
+        for (auto & outputPath : outputsToCopyAndAllow)
+            allowClosure(outputPath);
     }
 
     return res;