Restrict the operations on drv outputs in recursive Nix

There's currently no way to properly filter them, so disallow them altogether instead.
author: regnat <rg@regnat.ovh> 2020-12-11 21:12:53 +0100
committer: regnat <rg@regnat.ovh> 2020-12-11 21:17:25 +0100
commit: e9b39f6004ec68f062230514534b08033cf133c7 (patch)
tree: 79ce77f1ff6dc6d88a24d1c863e1c6cd2b0b646b /src
parent: bab1cda0e6c30e25460b5a9c809589d3948f35df (diff)
1 files changed, 6 insertions, 10 deletions
diff --git a/src/libstore/build/derivation-goal.cc b/src/libstore/build/derivation-goal.cc
index 54b37553a..f494545fb 100644
--- a/src/libstore/build/derivation-goal.cc
+++ b/src/libstore/build/derivation-goal.cc
@@ -2093,18 +2093,14 @@ struct RestrictedStore : public LocalFSStore, public virtual RestrictedStoreConf
     }
 
     void registerDrvOutput(const Realisation & info) override
-    {
-        // XXX: Should we check for something here? Probably, but I'm not sure
-        // how
-        next->registerDrvOutput(info);
-    }
+    // XXX: This should probably be allowed as a no-op if the realisation
+    // corresponds to an allowed derivation
+    { throw Error("registerDrvOutput"); }
 
     std::optional<const Realisation> queryRealisation(const DrvOutput & id) override
-    {
-        // XXX: Should we check for something here? Probably, but I'm not sure
-        // how
-        return next->queryRealisation(id);
-    }
+    // XXX: This should probably be allowed if the realisation corresponds to
+    // an allowed derivation
+    { throw Error("queryRealisation"); }
 
     void buildPaths(const std::vector<StorePathWithOutputs> & paths, BuildMode buildMode) override
     {
author	regnat <rg@regnat.ovh>	2020-12-11 21:12:53 +0100
committer	regnat <rg@regnat.ovh>	2020-12-11 21:17:25 +0100
commit	e9b39f6004ec68f062230514534b08033cf133c7 (patch)
tree	79ce77f1ff6dc6d88a24d1c863e1c6cd2b0b646b /src
parent	bab1cda0e6c30e25460b5a9c809589d3948f35df (diff)