authorregnat <rg@regnat.ovh>2021-06-23 17:27:18 +0200
committerregnat <rg@regnat.ovh>2021-06-24 14:53:10 +0200
commit7746cb13dc4e644c9792b3e3666cd49635d694e0 (patch)
treef4e5e4f07d66933c8f5e4f717e8eecae61e056e7 /src/libstore/build/local-derivation-goal.hh
parent0a535dd5ac93576f7152d786464e330ae3d46b50 (diff)
Make CA derivations compatible with recursive Nix
Add an access-control list to the realisations in recursive-nix (similar to the already existing one for store paths), so that we can build content-addressed derivations in the restricted store. Fix #4353
Diffstat (limited to 'src/libstore/build/local-derivation-goal.hh')
-rw-r--r--src/libstore/build/local-derivation-goal.hh8
1 files changed, 8 insertions, 0 deletions
diff --git a/src/libstore/build/local-derivation-goal.hh b/src/libstore/build/local-derivation-goal.hh
index d30be2351..088a57209 100644
--- a/src/libstore/build/local-derivation-goal.hh
+++ b/src/libstore/build/local-derivation-goal.hh
@@ -108,6 +108,9 @@ struct LocalDerivationGoal : public DerivationGoal
/* Paths that were added via recursive Nix calls. */
StorePathSet addedPaths;
+ /* Realisations that were added via recursive Nix calls. */
+ std::set<DrvOutput> addedDrvOutputs;
+
/* Recursive Nix calls are only allowed to build or realize paths
in the original input closure or added via a recursive Nix call
(so e.g. you can't do 'nix-store -r /nix/store/<bla>' where
@@ -116,6 +119,11 @@ struct LocalDerivationGoal : public DerivationGoal
{
return inputPaths.count(path) || addedPaths.count(path);
}
+ bool isAllowed(const DrvOutput & id)
+ {
+ return addedDrvOutputs.count(id);
+ }
+
bool isAllowed(const DerivedPath & req);
friend struct RestrictedStore;
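Review bot: The new `isAllowed(const DrvOutput & id)` overload is an access-control decision for the restricted store but has no comment stating its policy, and that policy is narrower than the path overload just above it: it consults only `addedDrvOutputs`, with no counterpart to `inputPaths`. If realisations of content-addressed outputs in the original input closure are meant to be visible to recursive Nix calls, they will be denied here; if the denial is intended, say so with something like `/* A realisation is visible to recursive Nix only if it was added through a recursive Nix call during this build. */`. The code that fills `addedDrvOutputs` is not in this file, so it is worth confirming that it inserts an entry only once the realisation has actually been registered, since this set is the sole gate. The struct body begins and ends outside the hunk.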