feat(3p/nix): add --trace-file-access to nix-instantiate

This builds on edef's work with depot-scan by adding a dedicated
flag to the command. We piggyback on upstream's restricted-mode
implementation, the checkSourcePath function.

Change-Id: I52bb613549f40dbca1e8caa036635910c1a3d6d0
Reviewed-on: https://cl.tvl.fyi/c/depot/+/1654
Tested-by: BuildkiteCI
Reviewed-by: glittershark <grfn@gws.fyi>

third_party/nix/src/libexpr/eval.cc

@@ -379,6 +379,7 @@ EvalState::EvalState(const Strings& _searchPath, const ref<Store>& store)
 EvalState::~EvalState() = default;
 
 Path EvalState::checkSourcePath(const Path& path_) {
+  TraceFileAccess(path_);
   if (!allowedPaths) {
     return path_;
   }
@@ -1819,6 +1820,20 @@ void EvalState::printStats() {
   }
 }
 
+void EvalState::TraceFileAccess(const Path& realPath) {
+  if (file_access_trace_fn.has_value()) {
+    if (last_traced_file != realPath) {
+      (*file_access_trace_fn)(realPath);
+      // Basic deduplication.
+      last_traced_file = std::string(realPath);
+    }
+  }
+}
+
+void EvalState::EnableFileAccessTracing(std::function<void(const Path&)> fn) {
+  file_access_trace_fn = fn;
+}
+
 size_t valueSize(const Value& v) {
   traceable_flat_hash_set<const Bindings*> seenBindings;
   traceable_flat_hash_set<const Env*> seenEnvs;

third_party/nix/src/libexpr/eval.hh

@@ -284,6 +284,10 @@ class EvalState : public gc {
 
   void realiseContext(const PathSet& context);
 
+  /* File access tracing. */
+  void TraceFileAccess(const Path& path);
+  void EnableFileAccessTracing(std::function<void(const Path&)> fn);
+
  private:
   unsigned long nrEnvs = 0;
   unsigned long nrValuesInEnvs = 0;
@@ -299,6 +303,10 @@ class EvalState : public gc {
 
   bool countCalls;
 
+  std::optional<std::function<void(const Path&)>> file_access_trace_fn =
+      std::nullopt;
+  Path last_traced_file = "";
+
   typedef std::map<Symbol, size_t> PrimOpCalls;
   PrimOpCalls primOpCalls;