Move evaluator-specific settings out of libstore

2018-03-27 19:02:22 +02:00 · 2018-03-27 19:02:22 +02:00 · 1672bcd230
commit 1672bcd230
parent c1d445ecec
7 changed files with 42 additions and 31 deletions
--- a/src/libexpr/eval.cc
+++ b/src/libexpr/eval.cc
@ -310,14 +310,14 @@ EvalState::EvalState(const Strings & _searchPath, ref<Store> store)
    static_assert(sizeof(Env) == 16, "environment must be 16 bytes");

    /* Initialise the Nix expression search path. */
-    if (!settings.pureEval) {
+    if (!evalSettings.pureEval) {
        Strings paths = parseNixPath(getEnv("NIX_PATH", ""));
        for (auto & i : _searchPath) addToSearchPath(i);
        for (auto & i : paths) addToSearchPath(i);
    }
    addToSearchPath("nix=" + canonPath(settings.nixDataDir + "/nix/corepkgs", true));

-    if (settings.restrictEval || settings.pureEval) {
+    if (evalSettings.restrictEval || evalSettings.pureEval) {
        allowedPaths = PathSet();

        for (auto & i : searchPath) {
@ -387,13 +387,13 @@ Path EvalState::checkSourcePath(const Path & path_)

 void EvalState::checkURI(const std::string & uri)
 {
-    if (!settings.restrictEval) return;
+    if (!evalSettings.restrictEval) return;

    /* 'uri' should be equal to a prefix, or in a subdirectory of a
       prefix. Thus, the prefix https://github.co does not permit
       access to https://github.com. Note: this allows 'http://' and
       'https://' as prefixes for any http/https URI. */
-    for (auto & prefix : settings.allowedUris.get())
+    for (auto & prefix : evalSettings.allowedUris.get())
        if (uri == prefix ||
            (uri.size() > prefix.size()
            && prefix.size() > 0
@ -1898,4 +1898,9 @@ std::ostream & operator << (std::ostream & str, const ExternalValueBase & v) {
 }


+EvalSettings evalSettings;
+
+static GlobalConfig::Register r1(&evalSettings);
+
+
 }
--- a/src/libexpr/eval.hh
+++ b/src/libexpr/eval.hh
@ -5,6 +5,7 @@
 #include "nixexpr.hh"
 #include "symbol-table.hh"
 #include "hash.hh"
+#include "config.hh"

 #include <map>
 #include <unordered_map>
@ -320,4 +321,25 @@ struct InvalidPathError : EvalError
 #endif
 };

+struct EvalSettings : Config
+{
+    Setting<bool> enableNativeCode{this, false, "allow-unsafe-native-code-during-evaluation",
+        "Whether builtin functions that allow executing native code should be enabled."};
+
+    Setting<bool> restrictEval{this, false, "restrict-eval",
+        "Whether to restrict file system access to paths in $NIX_PATH, "
+        "and network access to the URI prefixes listed in 'allowed-uris'."};
+
+    Setting<bool> pureEval{this, false, "pure-eval",
+        "Whether to restrict file system and network access to files specified by cryptographic hash."};
+
+    Setting<bool> enableImportFromDerivation{this, true, "allow-import-from-derivation",
+        "Whether the evaluator allows importing the result of a derivation."};
+
+    Setting<Strings> allowedUris{this, {}, "allowed-uris",
+        "Prefixes of URIs that builtin functions such as fetchurl and fetchGit are allowed to fetch."};
+};
+
+extern EvalSettings evalSettings;
+
 }
--- a/src/libexpr/primops.cc
+++ b/src/libexpr/primops.cc
@ -73,7 +73,7 @@ void EvalState::realiseContext(const PathSet & context)

    if (drvs.empty()) return;

-    if (!settings.enableImportFromDerivation)
+    if (!evalSettings.enableImportFromDerivation)
        throw EvalError(format("attempted to realize '%1%' during evaluation but 'allow-import-from-derivation' is false") % *(drvs.begin()));

    /* For performance, prefetch all substitute info. */
@ -464,7 +464,7 @@ static void prim_tryEval(EvalState & state, const Pos & pos, Value * * args, Val
 static void prim_getEnv(EvalState & state, const Pos & pos, Value * * args, Value & v)
 {
    string name = state.forceStringNoCtx(*args[0], pos);
-    mkString(v, settings.restrictEval || settings.pureEval ? "" : getEnv(name));
+    mkString(v, evalSettings.restrictEval || evalSettings.pureEval ? "" : getEnv(name));
 }


@ -1031,7 +1031,7 @@ static void prim_toFile(EvalState & state, const Pos & pos, Value * * args, Valu
 static void addPath(EvalState & state, const Pos & pos, const string & name, const Path & path_,
    Value * filterFun, bool recursive, const Hash & expectedHash, Value & v)
 {
-    const auto path = settings.pureEval && expectedHash ?
+    const auto path = evalSettings.pureEval && expectedHash ?
        path_ :
        state.checkSourcePath(path_);
    PathFilter filter = filterFun ? ([&](const Path & path) {
@ -2056,7 +2056,7 @@ void fetch(EvalState & state, const Pos & pos, Value * * args, Value & v,

    state.checkURI(url);

-    if (settings.pureEval && !expectedHash)
+    if (evalSettings.pureEval && !expectedHash)
        throw Error("in pure evaluation mode, '%s' requires a 'sha256' argument", who);

    Path res = getDownloader()->downloadCached(state.store, url, unpack, name, expectedHash);
@ -2124,12 +2124,12 @@ void EvalState::createBaseEnv()
        addConstant(name, v);
    };

-    if (!settings.pureEval) {
+    if (!evalSettings.pureEval) {
        mkInt(v, time(0));
        addConstant("__currentTime", v);
    }

-    if (!settings.pureEval) {
+    if (!evalSettings.pureEval) {
        mkString(v, settings.thisSystem);
        addConstant("__currentSystem", v);
    }
@ -2154,7 +2154,7 @@ void EvalState::createBaseEnv()
    mkApp(v, *vScopedImport, *v2);
    forceValue(v);
    addConstant("import", v);
-    if (settings.enableNativeCode) {
+    if (evalSettings.enableNativeCode) {
        addPrimOp("__importNative", 2, prim_importNative);
        addPrimOp("__exec", 1, prim_exec);
    }
@ -2181,7 +2181,7 @@ void EvalState::createBaseEnv()

    // Paths
    addPrimOp("__toPath", 1, prim_toPath);
-    if (settings.pureEval)
+    if (evalSettings.pureEval)
        addPurityError("__storePath");
    else
        addPrimOp("__storePath", 1, prim_storePath);
--- a/src/libexpr/primops/fetchGit.cc
+++ b/src/libexpr/primops/fetchGit.cc
@ -28,7 +28,7 @@ GitInfo exportGit(ref<Store> store, const std::string & uri,
    std::experimental::optional<std::string> ref, std::string rev,
    const std::string & name)
 {
-    if (settings.pureEval && rev == "")
+    if (evalSettings.pureEval && rev == "")
        throw Error("in pure evaluation mode, 'fetchGit' requires a Git revision");

    if (!ref && rev == "" && hasPrefix(uri, "/") && pathExists(uri + "/.git")) {
--- a/src/libexpr/primops/fetchMercurial.cc
+++ b/src/libexpr/primops/fetchMercurial.cc
@ -27,7 +27,7 @@ std::regex commitHashRegex("^[0-9a-fA-F]{40}$");
 HgInfo exportMercurial(ref<Store> store, const std::string & uri,
    std::string rev, const std::string & name)
 {
-    if (settings.pureEval && rev == "")
+    if (evalSettings.pureEval && rev == "")
        throw Error("in pure evaluation mode, 'fetchMercurial' requires a Mercurial revision");

    if (rev == "" && hasPrefix(uri, "/") && pathExists(uri + "/.hg")) {
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@ -193,9 +193,6 @@ public:
    Setting<bool> showTrace{this, false, "show-trace",
        "Whether to show a stack trace on evaluation errors."};

-    Setting<bool> enableNativeCode{this, false, "allow-unsafe-native-code-during-evaluation",
-        "Whether builtin functions that allow executing native code should be enabled."};
-
    Setting<SandboxMode> sandboxMode{this, smDisabled, "sandbox",
        "Whether to enable sandboxed builds. Can be \"true\", \"false\" or \"relaxed\".",
        {"build-use-chroot", "build-use-sandbox"}};
@ -208,13 +205,6 @@ public:
        "Additional paths to make available inside the build sandbox.",
        {"build-extra-chroot-dirs", "build-extra-sandbox-paths"}};

-    Setting<bool> restrictEval{this, false, "restrict-eval",
-        "Whether to restrict file system access to paths in $NIX_PATH, "
-        "and network access to the URI prefixes listed in 'allowed-uris'."};
-
-    Setting<bool> pureEval{this, false, "pure-eval",
-        "Whether to restrict file system and network access to files specified by cryptographic hash."};
-
    Setting<size_t> buildRepeat{this, 0, "repeat",
        "The number of times to repeat a build in order to verify determinism.",
        {"build-repeat"}};
@ -319,9 +309,6 @@ public:
    /* Path to the SSL CA file used */
    Path caFile;

-    Setting<bool> enableImportFromDerivation{this, true, "allow-import-from-derivation",
-        "Whether the evaluator allows importing the result of a derivation."};
-
 #if __linux__
    Setting<bool> filterSyscalls{this, true, "filter-syscalls",
            "Whether to prevent certain dangerous system calls, such as "
@ -343,9 +330,6 @@ public:
    Setting<uint64_t> maxFree{this, std::numeric_limits<uint64_t>::max(), "max-free",
        "Stop deleting garbage when free disk space is above the specified amount."};

-    Setting<Strings> allowedUris{this, {}, "allowed-uris",
-        "Prefixes of URIs that builtin functions such as fetchurl and fetchGit are allowed to fetch."};
-
    Setting<Paths> pluginFiles{this, {}, "plugin-files",
        "Plugins to dynamically load at nix initialization time."};
 };
--- a/src/nix/upgrade-nix.cc
+++ b/src/nix/upgrade-nix.cc
@ -46,7 +46,7 @@ struct CmdUpgradeNix : StoreCommand

    void run(ref<Store> store) override
    {
-        settings.pureEval = true;
+        evalSettings.pureEval = true;

        if (profileDir == "")
            profileDir = getProfileDir(store);