Move restricted/pure-eval access control out of the evaluator and into the accessor#9497
Merged
roberth merged 10 commits intoNixOS:masterfrom Dec 8, 2023
Merged
Move restricted/pure-eval access control out of the evaluator and into the accessor#9497roberth merged 10 commits intoNixOS:masterfrom
roberth merged 10 commits intoNixOS:masterfrom
Conversation
github-actions
bot
added
the
with-tests
github-actions
bot
added
the
fetching
Member
|
Didn't read all the code while it is still draft, but the concept is quite nice! |
9 tasks
roberth
suggested changes
Nov 30, 2023
Member
roberth
left a comment
roberth
left a comment
There was a problem hiding this comment.
Symlinks strike again.
Otherwise looks like the right direction.
Member
There was a problem hiding this comment.
We have a regression with symlinks. Needs a test case.
Currently:
ls -l tunnel.d/
total 4
lrwxrwxrwx 1 user user 2 Nov 30 23:46 tunnel -> ..
$ ./result/bin/nix-instantiate --restrict-eval --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./tunnel.d; } ]; in builtins.readFile <foo/tunnel/aliens-truth>' -I tunnel.d
"They're among us.\n"
Member
Author
There was a problem hiding this comment.
I've added some tests and PosixSourceAccessor now aggressively checks against symlinks.
All path components must not be symlinks now (so the user needs to call `resolveSymlinks()` when needed).
Since we're doing a lot of them in assertNoSymlinks().
Co-authored-by: Robert Hensing <[email protected]>
roberth
approved these changes
Dec 8, 2023
Member
|
This caused a regression: #9901 |
gador
added a commit
to gador/bento
that referenced
this pull request
Oct 26, 2024
on newer nix versions (> 2.18) the "path:" settings will lead to evaluation errors when the flake uses symbolic links. a typical error message would be: `error: access to absolute path '/lib' is forbidden in pure evaluation mode (use '--impure' to override)` when `/lib` actually is `./lib`. When "path:" is replaced by just using the flake's path no evaluation error is shown. As per the man page of `nix flake` the "path" attribute reffers to the local path of the flake. This can just be removed (AFAIK) by referencing to the path as a positional argument. Possible related issues: NixOS/nix#11030 original PR introducing the error message NixOS/nix#9497 Signed-off-by: Florian Brandes <[email protected]>
huang12zheng
pushed a commit
to huang12zheng/nixos-config
that referenced
this pull request
Dec 5, 2024
Because it broke colmena, zhaofengli/colmena#190 Ref: - NixOS/nix#9497 - NixOS/nix#9901 - NixOS/nix#9985
huang12zheng
pushed a commit
to huang12zheng/nixos-config
that referenced
this pull request
Feb 25, 2025
Because it broke colmena, zhaofengli/colmena#190 Ref: - NixOS/nix#9497 - NixOS/nix#9901 - NixOS/nix#9985
ftrojahn
pushed a commit
to ftrojahn/dpol-bento
that referenced
this pull request
Mar 19, 2025
on newer nix versions (> 2.18) the "path:" settings will lead to evaluation errors when the flake uses symbolic links. a typical error message would be: `error: access to absolute path '/lib' is forbidden in pure evaluation mode (use '--impure' to override)` when `/lib` actually is `./lib`. When "path:" is replaced by just using the flake's path no evaluation error is shown. As per the man page of `nix flake` the "path" attribute reffers to the local path of the flake. This can just be removed (AFAIK) by referencing to the path as a positional argument. Possible related issues: NixOS/nix#11030 original PR introducing the error message NixOS/nix#9497 Signed-off-by: Florian Brandes <[email protected]> (cherry picked from commit 59d0795)
ftrojahn
pushed a commit
to ftrojahn/dpol-bento
that referenced
this pull request
Jan 24, 2026
on newer nix versions (> 2.18) the "path:" settings will lead to evaluation errors when the flake uses symbolic links. a typical error message would be: `error: access to absolute path '/lib' is forbidden in pure evaluation mode (use '--impure' to override)` when `/lib` actually is `./lib`. When "path:" is replaced by just using the flake's path no evaluation error is shown. As per the man page of `nix flake` the "path" attribute reffers to the local path of the flake. This can just be removed (AFAIK) by referencing to the path as a positional argument. Possible related issues: NixOS/nix#11030 original PR introducing the error message NixOS/nix#9497 Signed-off-by: Florian Brandes <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation
Extracted from lazy-trees.
Context
Priorities
Add 👍 to pull requests you find important.