mirror of
https://github.com/NixOS/nix
synced 2024-10-18 00:16:11 -04:00
pathExists: Return false on "/nix/store" in pure mode
AllowListInputAccessor has the invariant that if a path is accessible, its parent directories are also considered accessible (though reading them only yields the allowed subdirectories). As a result `builtins.pathExists "/nix/store"` returns true. However this wasn't the behaviour of previous path access control, where `builtins.pathExists "/nix/store"` returns false even if a subdirectory of the store is accessible. Fixes #9672.
This commit is contained in:
parent
d2a07a96ba
commit
4065f16888
|
@ -1561,6 +1561,17 @@ static void prim_pathExists(EvalState & state, const PosIdx pos, Value * * args,
|
||||||
mustBeDir ? SymlinkResolution::Full : SymlinkResolution::Ancestors;
|
mustBeDir ? SymlinkResolution::Full : SymlinkResolution::Ancestors;
|
||||||
auto path = realisePath(state, pos, arg, symlinkResolution);
|
auto path = realisePath(state, pos, arg, symlinkResolution);
|
||||||
|
|
||||||
|
/* Backward compatibility hack to retain Nix 2.18 behaviour:
|
||||||
|
in pure mode, make `pathExists "/nix/store"` return
|
||||||
|
false. */
|
||||||
|
if ((evalSettings.restrictEval || evalSettings.pureEval)
|
||||||
|
&& path.accessor == state.rootFS
|
||||||
|
&& isDirOrInDir(state.store->storeDir, path.path.abs()))
|
||||||
|
{
|
||||||
|
v.mkBool(false);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
auto st = path.maybeLstat();
|
auto st = path.maybeLstat();
|
||||||
auto exists = st && (!mustBeDir || st->type == SourceAccessor::tDirectory);
|
auto exists = st && (!mustBeDir || st->type == SourceAccessor::tDirectory);
|
||||||
v.mkBool(exists);
|
v.mkBool(exists);
|
||||||
|
|
|
@ -34,6 +34,7 @@ cat > "$flake2Dir/flake.nix" <<EOF
|
||||||
|
|
||||||
outputs = { self, flake1 }: rec {
|
outputs = { self, flake1 }: rec {
|
||||||
packages.$system.bar = flake1.packages.$system.foo;
|
packages.$system.bar = flake1.packages.$system.foo;
|
||||||
|
foo = builtins.pathExists (self + "/..");
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
EOF
|
EOF
|
||||||
|
@ -251,6 +252,9 @@ nix build -o "$TEST_ROOT/result" "$flake2Dir#bar" --commit-lock-file
|
||||||
[[ -e "$flake2Dir/flake.lock" ]]
|
[[ -e "$flake2Dir/flake.lock" ]]
|
||||||
[[ -z $(git -C "$flake2Dir" diff main || echo failed) ]]
|
[[ -z $(git -C "$flake2Dir" diff main || echo failed) ]]
|
||||||
|
|
||||||
|
# Test that pathExist on the parent of a flake returns false.
|
||||||
|
[[ $(nix eval "$flake2Dir#foo") = false ]]
|
||||||
|
|
||||||
# Rerunning the build should not change the lockfile.
|
# Rerunning the build should not change the lockfile.
|
||||||
nix build -o "$TEST_ROOT/result" "$flake2Dir#bar"
|
nix build -o "$TEST_ROOT/result" "$flake2Dir#bar"
|
||||||
[[ -z $(git -C "$flake2Dir" diff main || echo failed) ]]
|
[[ -z $(git -C "$flake2Dir" diff main || echo failed) ]]
|
||||||
|
|
Loading…
Reference in a new issue