maurice/snix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Move evaluator-specific settings out of libstore

Browse source
This commit is contained in:
Eelco Dolstra 2018-03-27 19:02:22 +02:00
parent c1d445ecec
commit 1672bcd230
No known key found for this signature in database
GPG key ID: 8170B4726D7198DE
7 changed files with 42 additions and 31 deletions
Download patch file Download diff file Expand all files Collapse all files

13
src/libexpr/eval.cc
View file

@ -310,14 +310,14 @@ EvalState::EvalState(const Strings & _searchPath, ref<Store> store)
static_assert(sizeof(Env) == 16, "environment must be 16 bytes"); static_assert(sizeof(Env) == 16, "environment must be 16 bytes");
/* Initialise the Nix expression search path. */ /* Initialise the Nix expression search path. */
if (!settings.pureEval) { if (!evalSettings.pureEval) {
Strings paths = parseNixPath(getEnv("NIX_PATH", "")); Strings paths = parseNixPath(getEnv("NIX_PATH", ""));
for (auto & i : _searchPath) addToSearchPath(i); for (auto & i : _searchPath) addToSearchPath(i);
for (auto & i : paths) addToSearchPath(i); for (auto & i : paths) addToSearchPath(i);
} }
addToSearchPath("nix=" + canonPath(settings.nixDataDir + "/nix/corepkgs", true)); addToSearchPath("nix=" + canonPath(settings.nixDataDir + "/nix/corepkgs", true));
if (settings.restrictEval || settings.pureEval) { if (evalSettings.restrictEval || evalSettings.pureEval) {
allowedPaths = PathSet(); allowedPaths = PathSet();
for (auto & i : searchPath) { for (auto & i : searchPath) {
@ -387,13 +387,13 @@ Path EvalState::checkSourcePath(const Path & path_)
void EvalState::checkURI(const std::string & uri) void EvalState::checkURI(const std::string & uri)
{ {
if (!settings.restrictEval) return; if (!evalSettings.restrictEval) return;
/* 'uri' should be equal to a prefix, or in a subdirectory of a /* 'uri' should be equal to a prefix, or in a subdirectory of a
prefix. Thus, the prefix https://github.co does not permit prefix. Thus, the prefix https://github.co does not permit
access to https://github.com. Note: this allows 'http://' and access to https://github.com. Note: this allows 'http://' and
'https://' as prefixes for any http/https URI. */ 'https://' as prefixes for any http/https URI. */
for (auto & prefix : settings.allowedUris.get()) for (auto & prefix : evalSettings.allowedUris.get())
if (uri == prefix || if (uri == prefix ||
(uri.size() > prefix.size() (uri.size() > prefix.size()
&& prefix.size() > 0 && prefix.size() > 0
@ -1898,4 +1898,9 @@ std::ostream & operator << (std::ostream & str, const ExternalValueBase & v) {
} }
EvalSettings evalSettings;
static GlobalConfig::Register r1(&evalSettings);
} }

22
src/libexpr/eval.hh
View file

@ -5,6 +5,7 @@
#include "nixexpr.hh" #include "nixexpr.hh"
#include "symbol-table.hh" #include "symbol-table.hh"
#include "hash.hh" #include "hash.hh"
#include "config.hh"
#include <map> #include <map>
#include <unordered_map> #include <unordered_map>
@ -320,4 +321,25 @@ struct InvalidPathError : EvalError
#endif #endif
}; };
struct EvalSettings : Config
{
Setting<bool> enableNativeCode{this, false, "allow-unsafe-native-code-during-evaluation",
"Whether builtin functions that allow executing native code should be enabled."};
Setting<bool> restrictEval{this, false, "restrict-eval",
"Whether to restrict file system access to paths in $NIX_PATH, "
"and network access to the URI prefixes listed in 'allowed-uris'."};
Setting<bool> pureEval{this, false, "pure-eval",
"Whether to restrict file system and network access to files specified by cryptographic hash."};
Setting<bool> enableImportFromDerivation{this, true, "allow-import-from-derivation",
"Whether the evaluator allows importing the result of a derivation."};
Setting<Strings> allowedUris{this, {}, "allowed-uris",
"Prefixes of URIs that builtin functions such as fetchurl and fetchGit are allowed to fetch."};
};
extern EvalSettings evalSettings;
} }

16
src/libexpr/primops.cc
View file

@ -73,7 +73,7 @@ void EvalState::realiseContext(const PathSet & context)
if (drvs.empty()) return; if (drvs.empty()) return;
if (!settings.enableImportFromDerivation) if (!evalSettings.enableImportFromDerivation)
throw EvalError(format("attempted to realize '%1%' during evaluation but 'allow-import-from-derivation' is false") % *(drvs.begin())); throw EvalError(format("attempted to realize '%1%' during evaluation but 'allow-import-from-derivation' is false") % *(drvs.begin()));
/* For performance, prefetch all substitute info. */ /* For performance, prefetch all substitute info. */
@ -464,7 +464,7 @@ static void prim_tryEval(EvalState & state, const Pos & pos, Value * * args, Val
static void prim_getEnv(EvalState & state, const Pos & pos, Value * * args, Value & v) static void prim_getEnv(EvalState & state, const Pos & pos, Value * * args, Value & v)
{ {
string name = state.forceStringNoCtx(*args[0], pos); string name = state.forceStringNoCtx(*args[0], pos);
mkString(v, settings.restrictEval || settings.pureEval ? "" : getEnv(name)); mkString(v, evalSettings.restrictEval || evalSettings.pureEval ? "" : getEnv(name));
} }
@ -1031,7 +1031,7 @@ static void prim_toFile(EvalState & state, const Pos & pos, Value * * args, Valu
static void addPath(EvalState & state, const Pos & pos, const string & name, const Path & path_, static void addPath(EvalState & state, const Pos & pos, const string & name, const Path & path_,
Value * filterFun, bool recursive, const Hash & expectedHash, Value & v) Value * filterFun, bool recursive, const Hash & expectedHash, Value & v)
{ {
const auto path = settings.pureEval && expectedHash ? const auto path = evalSettings.pureEval && expectedHash ?
path_ : path_ :
state.checkSourcePath(path_); state.checkSourcePath(path_);
PathFilter filter = filterFun ? ([&](const Path & path) { PathFilter filter = filterFun ? ([&](const Path & path) {
@ -2056,7 +2056,7 @@ void fetch(EvalState & state, const Pos & pos, Value * * args, Value & v,
state.checkURI(url); state.checkURI(url);
if (settings.pureEval && !expectedHash) if (evalSettings.pureEval && !expectedHash)
throw Error("in pure evaluation mode, '%s' requires a 'sha256' argument", who); throw Error("in pure evaluation mode, '%s' requires a 'sha256' argument", who);
Path res = getDownloader()->downloadCached(state.store, url, unpack, name, expectedHash); Path res = getDownloader()->downloadCached(state.store, url, unpack, name, expectedHash);
@ -2124,12 +2124,12 @@ void EvalState::createBaseEnv()
addConstant(name, v); addConstant(name, v);
}; };
if (!settings.pureEval) { if (!evalSettings.pureEval) {
mkInt(v, time(0)); mkInt(v, time(0));
addConstant("__currentTime", v); addConstant("__currentTime", v);
} }
if (!settings.pureEval) { if (!evalSettings.pureEval) {
mkString(v, settings.thisSystem); mkString(v, settings.thisSystem);
addConstant("__currentSystem", v); addConstant("__currentSystem", v);
} }
@ -2154,7 +2154,7 @@ void EvalState::createBaseEnv()
mkApp(v, *vScopedImport, *v2); mkApp(v, *vScopedImport, *v2);
forceValue(v); forceValue(v);
addConstant("import", v); addConstant("import", v);
if (settings.enableNativeCode) { if (evalSettings.enableNativeCode) {
addPrimOp("__importNative", 2, prim_importNative); addPrimOp("__importNative", 2, prim_importNative);
addPrimOp("__exec", 1, prim_exec); addPrimOp("__exec", 1, prim_exec);
} }
@ -2181,7 +2181,7 @@ void EvalState::createBaseEnv()
// Paths // Paths
addPrimOp("__toPath", 1, prim_toPath); addPrimOp("__toPath", 1, prim_toPath);
if (settings.pureEval) if (evalSettings.pureEval)
addPurityError("__storePath"); addPurityError("__storePath");
else else
addPrimOp("__storePath", 1, prim_storePath); addPrimOp("__storePath", 1, prim_storePath);

2
src/libexpr/primops/fetchGit.cc
View file

@ -28,7 +28,7 @@ GitInfo exportGit(ref<Store> store, const std::string & uri,
std::experimental::optional<std::string> ref, std::string rev, std::experimental::optional<std::string> ref, std::string rev,
const std::string & name) const std::string & name)
{ {
if (settings.pureEval && rev == "") if (evalSettings.pureEval && rev == "")
throw Error("in pure evaluation mode, 'fetchGit' requires a Git revision"); throw Error("in pure evaluation mode, 'fetchGit' requires a Git revision");
if (!ref && rev == "" && hasPrefix(uri, "/") && pathExists(uri + "/.git")) { if (!ref && rev == "" && hasPrefix(uri, "/") && pathExists(uri + "/.git")) {

2
src/libexpr/primops/fetchMercurial.cc
View file

@ -27,7 +27,7 @@ std::regex commitHashRegex("^[0-9a-fA-F]{40}$");
HgInfo exportMercurial(ref<Store> store, const std::string & uri, HgInfo exportMercurial(ref<Store> store, const std::string & uri,
std::string rev, const std::string & name) std::string rev, const std::string & name)
{ {
if (settings.pureEval && rev == "") if (evalSettings.pureEval && rev == "")
throw Error("in pure evaluation mode, 'fetchMercurial' requires a Mercurial revision"); throw Error("in pure evaluation mode, 'fetchMercurial' requires a Mercurial revision");
if (rev == "" && hasPrefix(uri, "/") && pathExists(uri + "/.hg")) { if (rev == "" && hasPrefix(uri, "/") && pathExists(uri + "/.hg")) {

16
src/libstore/globals.hh
View file

@ -193,9 +193,6 @@ public:
Setting<bool> showTrace{this, false, "show-trace", Setting<bool> showTrace{this, false, "show-trace",
"Whether to show a stack trace on evaluation errors."}; "Whether to show a stack trace on evaluation errors."};
Setting<bool> enableNativeCode{this, false, "allow-unsafe-native-code-during-evaluation",
"Whether builtin functions that allow executing native code should be enabled."};
Setting<SandboxMode> sandboxMode{this, smDisabled, "sandbox", Setting<SandboxMode> sandboxMode{this, smDisabled, "sandbox",
"Whether to enable sandboxed builds. Can be \"true\", \"false\" or \"relaxed\".", "Whether to enable sandboxed builds. Can be \"true\", \"false\" or \"relaxed\".",
{"build-use-chroot", "build-use-sandbox"}}; {"build-use-chroot", "build-use-sandbox"}};
@ -208,13 +205,6 @@ public:
"Additional paths to make available inside the build sandbox.", "Additional paths to make available inside the build sandbox.",
{"build-extra-chroot-dirs", "build-extra-sandbox-paths"}}; {"build-extra-chroot-dirs", "build-extra-sandbox-paths"}};
Setting<bool> restrictEval{this, false, "restrict-eval",
"Whether to restrict file system access to paths in $NIX_PATH, "
"and network access to the URI prefixes listed in 'allowed-uris'."};
Setting<bool> pureEval{this, false, "pure-eval",
"Whether to restrict file system and network access to files specified by cryptographic hash."};
Setting<size_t> buildRepeat{this, 0, "repeat", Setting<size_t> buildRepeat{this, 0, "repeat",
"The number of times to repeat a build in order to verify determinism.", "The number of times to repeat a build in order to verify determinism.",
{"build-repeat"}}; {"build-repeat"}};
@ -319,9 +309,6 @@ public:
/* Path to the SSL CA file used */ /* Path to the SSL CA file used */
Path caFile; Path caFile;
Setting<bool> enableImportFromDerivation{this, true, "allow-import-from-derivation",
"Whether the evaluator allows importing the result of a derivation."};
#if __linux__ #if __linux__
Setting<bool> filterSyscalls{this, true, "filter-syscalls", Setting<bool> filterSyscalls{this, true, "filter-syscalls",
"Whether to prevent certain dangerous system calls, such as " "Whether to prevent certain dangerous system calls, such as "
@ -343,9 +330,6 @@ public:
Setting<uint64_t> maxFree{this, std::numeric_limits<uint64_t>::max(), "max-free", Setting<uint64_t> maxFree{this, std::numeric_limits<uint64_t>::max(), "max-free",
"Stop deleting garbage when free disk space is above the specified amount."}; "Stop deleting garbage when free disk space is above the specified amount."};
Setting<Strings> allowedUris{this, {}, "allowed-uris",
"Prefixes of URIs that builtin functions such as fetchurl and fetchGit are allowed to fetch."};
Setting<Paths> pluginFiles{this, {}, "plugin-files", Setting<Paths> pluginFiles{this, {}, "plugin-files",
"Plugins to dynamically load at nix initialization time."}; "Plugins to dynamically load at nix initialization time."};
}; };

2
src/nix/upgrade-nix.cc
View file

@ -46,7 +46,7 @@ struct CmdUpgradeNix : StoreCommand
void run(ref<Store> store) override void run(ref<Store> store) override
{ {
settings.pureEval = true; evalSettings.pureEval = true;
if (profileDir == "") if (profileDir == "")
profileDir = getProfileDir(store); profileDir = getProfileDir(store);