-rw-r--r-- | src/libexpr/eval-settings.cc | 8 | ||||
-rw-r--r-- | src/libexpr/eval-settings.hh | 14 | ||||
-rw-r--r-- | src/libexpr/eval.cc | 2 | ||||
-rw-r--r-- | src/libexpr/primops.cc | 12 |
4 files changed, 23 insertions, 13 deletions
diff --git a/src/libexpr/eval-settings.cc b/src/libexpr/eval-settings.cc
index 105fd3e9d..0bdf1b9a5 100644
--- a/src/libexpr/eval-settings.cc
+++ b/src/libexpr/eval-settings.cc
@@ -63,11 +63,9 @@ Strings EvalSettings::getDefaultNixPath()
 }
 };
 
- if (!evalSettings.restrictEval && !evalSettings.pureEval) {
- add(getNixDefExpr() + "/channels");
- add(rootChannelsDir() + "/nixpkgs", "nixpkgs");
- add(rootChannelsDir());
- }
+ add(getNixDefExpr() + "/channels");
+ add(rootChannelsDir() + "/nixpkgs", "nixpkgs");
+ add(rootChannelsDir());
 
 return res;
 }
diff --git a/src/libexpr/eval-settings.hh b/src/libexpr/eval-settings.hh
index cd73d195f..4673c509b 100644
--- a/src/libexpr/eval-settings.hh
+++ b/src/libexpr/eval-settings.hh
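Review bot: Removing the guard drops the `restrictEval` half of the condition along with the `pureEval` half, so in restricted (non-pure) evaluation the `getNixDefExpr()` channels directory and `rootChannelsDir()` are now always part of the default search path. The eval.cc hunk in this same commit shows `EvalState` seeding `allowedPaths` from `searchPath.elements` whenever `restrictEval || pureEval` holds, so these directories presumably become readable under restricted evaluation by default unless the caller overrides the search path; the updated `pure-eval` documentation states that pure mode ignores the search path, but nothing in this diff says the same for restricted mode. If that widening is intended, it deserves a comment on these three `add` calls and a matching sentence in the `restrict-eval` documentation; otherwise keep `if (!evalSettings.restrictEval) { … }` around them. `getDefaultNixPath` begins outside the hunk (the `add` lambda it uses is defined above).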
@@ -75,8 +75,17 @@ struct EvalSettings : Config R"( Pure evaluation mode ensures that the result of Nix expressions is fully determined by explicitly declared inputs, and not influenced by external state: - - Restrict file system and network access to files specified by cryptographic hash - - Disable [`builtins.currentSystem`](@docroot@/language/builtin-constants.md#builtins-currentSystem) and [`builtins.currentTime`](@docroot@/language/builtin-constants.md#builtins-currentTime) + - File system and network access is restricted to accesses to immutable data only: + - Path literals relative to the home directory like `~/lix` are rejected at parse time. + - Access to absolute paths that did not result from Nix language evaluation is rejected when such paths are given as parameters to builtins like, for example, [`builtins.readFile`](@docroot@/language/builtins.md#builtins-readFile). + + Access is nonetheless allowed to (absolute) paths in the Nix store that are returned by builtins like [`builtins.filterSource`](@docroot@/language/builtins.md#builtins-filterSource), [`builtins.fetchTarball`](@docroot@/language/builtins.md#builtins-fetchTarball) and similar. + - Impure fetches such as not specifying a commit ID for `builtins.fetchGit` or not specifying a hash for `builtins.fetchTarball` are rejected. + - In flakes, access to relative paths outside of the root of the flake's source tree (often, a git repository) is rejected. + - The evaluator ignores `NIX_PATH`, `-I` and the `nix-path` setting. Thus, [`builtins.nixPath`](@docroot@/language/builtin-constants.md#builtins-nixPath) is an empty list. + - The builtins [`builtins.currentSystem`](@docroot@/language/builtin-constants.md#builtins-currentSystem) and [`builtins.currentTime`](@docroot@/language/builtin-constants.md#builtins-currentTime) are absent from `builtins`. + - [`builtins.getEnv`](@docroot@/language/builtin-constants.md#builtins-currentSystem) always returns empty string for any variable. 
+ - [`builtins.storePath`](@docroot@/language/builtins.md#builtins-storePath) throws an error (Lix may change this, tracking issue: <https://git.lix.systems/lix-project/lix/issues/402>) )" }; @@ -98,6 +107,7 @@ struct EvalSettings : Config allowed to access `https://github.com/NixOS/patchelf.git`. )"}; + Setting<bool> traceFunctionCalls{this, false, "trace-function-calls", R"( If set to `true`, the Nix evaluator will trace every function call. diff --git a/src/libexpr/eval.cc b/src/libexpr/eval.cc index 25d98b23b..4b3593f09 100644 --- a/src/libexpr/eval.cc +++ b/src/libexpr/eval.cc @@ -418,7 +418,7 @@ EvalState::EvalState( } if (evalSettings.restrictEval || evalSettings.pureEval) { - allowedPaths = PathSet(); + allowedPaths = std::optional(PathSet()); for (auto & i : searchPath.elements) { auto r = resolveSearchPathPath(i.path); diff --git a/src/libexpr/primops.cc b/src/libexpr/primops.cc index 4b7e61dfe..20851da70 100644 --- a/src/libexpr/primops.cc +++ b/src/libexpr/primops.cc @@ -923,14 +923,15 @@ static RegisterPrimOp primop_getEnv({ .args = {"s"}, .doc = R"( `getEnv` returns the value of the environment variable *s*, or an - empty string if the variable doesn’t exist. This function should be + empty string if the variable doesn't exist. This function should be used with care, as it can introduce all sorts of nasty environment dependencies in your Nix expression. - `getEnv` is used in Nix Packages to locate the file - `~/.nixpkgs/config.nix`, which contains user-local settings for Nix - Packages. (That is, it does a `getEnv "HOME"` to locate the user’s - home directory.) + `getEnv` is used in nixpkgs for evil impurities such as locating the file + `~/.config/nixpkgs/config.nix` which contains user-local settings for nixpkgs. + (That is, it does a `getEnv "HOME"` to locate the user's home directory.) + + When in [pure evaluation mode](@docroot@/command-ref/conf-file.md#conf-pure-eval), this function always returns an empty string. )", .fun = prim_getEnv, }); 
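Review bot: The new `builtins.getEnv` bullet in the `pure-eval` documentation links to `@docroot@/language/builtin-constants.md#builtins-currentSystem`, so the link lands on the wrong entry; `getEnv` is a function, not a constant, and the other function links in this hunk (`builtins.readFile`, `builtins.filterSource`, `builtins.storePath`) use `@docroot@/language/builtins.md#builtins-<name>`, so the target should be `@docroot@/language/builtins.md#builtins-getEnv`. In the same bullet, "always returns empty string for any variable" reads better as "always returns an empty string for any variable". The `@@ -98,6 +107,7 @@` hunk below only adds a blank line and needs no change.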
@@ -1506,6 +1507,7 @@ static RegisterPrimOp primop_storePath({ in a new path (e.g. `/nix/store/ld01dnzc…-source-source`). Not available in [pure evaluation mode](@docroot@/command-ref/conf-file.md#conf-pure-eval). + Lix may change this, tracking issue: <https://git.lix.systems/lix-project/lix/issues/402> See also [`builtins.fetchClosure`](#builtins-fetchClosure). )", |