Add runtime closure invariant

Author: balsoft

src/libstore/build/local-derivation-goal.cc

@@ -2763,7 +2763,7 @@ SingleDrvOutputs LocalDerivationGoal::registerOutputs()
            isn't statically known so that we can safely unlock the path before
            the next iteration */
         if (newInfo.ca)
-            localStore.registerValidPaths({{newInfo.path, newInfo}});
+            localStore.registerValidPaths({{newInfo.path, newInfo}}, false);
 
         infos.emplace(outputName, std::move(newInfo));
     }

src/libstore/local-store.cc

@@ -861,8 +861,6 @@ uint64_t LocalStore::addValidPath(State & state,
         throw Error("cannot add path '%s' to the Nix store because it claims to be content-addressed but isn't",
             printStorePath(info.path));
 
-    syncPathPermissions(info);
-
     state.stmts->RegisterValidPath.use()
         (printStorePath(info.path))
         (info.narHash.to_string(Base16, true))
@@ -1174,20 +1172,22 @@ void LocalStore::syncPathPermissions(const ValidPathInfo & info)
     }
 }
 
-void LocalStore::registerValidPath(const ValidPathInfo & info)
+void LocalStore::registerValidPath(const ValidPathInfo & info, bool syncPermissions)
 {
-    registerValidPaths({{info.path, info}});
+    registerValidPaths({{info.path, info}}, syncPermissions);
 }
 
 
-void LocalStore::registerValidPaths(const ValidPathInfos & infos)
+void LocalStore::registerValidPaths(const ValidPathInfos & infos, bool syncPermissions)
 {
     /* SQLite will fsync by default, but the new valid paths may not
        be fsync-ed.  So some may want to fsync them before registering
        the validity, at the expense of some speed of the path
        registering operation. */
     if (settings.syncBeforeRegistering) sync();
 
+    std::vector<StorePath> sortedPaths;
+
     retrySQLite<void>([&]() {
         auto state(_state.lock());
 
@@ -1222,7 +1222,7 @@ void LocalStore::registerValidPaths(const ValidPathInfos & infos)
            error if a cycle is detected and roll back the
            transaction.  Cycles can only occur when a derivation
            has multiple outputs. */
-        topoSort(paths,
+        sortedPaths = topoSort(paths,
             {[&](const StorePath & path) {
                 auto i = infos.find(path);
                 return i == infos.end() ? StorePathSet() : i->second.references;
@@ -1236,12 +1236,55 @@ void LocalStore::registerValidPaths(const ValidPathInfos & infos)
 
         txn.commit();
     });
+
+    std::reverse(sortedPaths.begin(), sortedPaths.end());
+
+    if (syncPermissions)
+        for (auto path : sortedPaths)
+            syncPathPermissions(infos.at(path));
 }
 
 void LocalStore::setCurrentAccessStatus(const Path & path, const LocalStore::AccessStatus & status)
 {
     experimentalFeatureSettings.require(Xp::ACLs);
 
+    if (isInStore(path)) {
+        StorePath storePath(baseNameOf(path));
+
+        // FIXME(acls): cache is broken when called from registerValidPaths
+
+        std::promise<ref<const ValidPathInfo>> promise;
+
+        queryPathInfoUncached(storePath,
+            {[&](std::future<std::shared_ptr<const ValidPathInfo>> result) {
+                try {
+                    promise.set_value(ref(result.get()));
+                } catch (...) {
+                    promise.set_exception(std::current_exception());
+                }
+            }});
+
+        auto info = promise.get_future().get();
+
+        for (auto reference : info->references) {
+            if (reference == storePath) continue;
+            auto otherStatus = getCurrentAccessStatus(printStorePath(reference));
+            if (!otherStatus.isProtected) continue;
+            if (!status.isProtected)
+                throw AccessDenied("can not make %s non-protected because it references a protected path %s", path, printStorePath(reference));
+            std::vector<AccessControlEntity> difference;
+            std::set_difference(status.entities.begin(), status.entities.end(), otherStatus.entities.begin(), otherStatus.entities.end(), difference.begin());
+
+            if (! difference.empty()) {
+                std::string entities;
+                for (auto entity : difference) entities += ACL::printTag(entity) + ", ";
+                throw AccessDenied("can not allow %s access to %s because it references path %s to which they do not have access", entities.substr(0, entities.size()-2), path, printStorePath(reference));
+            }
+        }
+    }
+
+    debug("setting access status %s on %s", status.json().dump(), path);
+
     using namespace ACL;
 
     // NOTE: On Darwin, the standard posix permissions are not part of the ACL API.

src/libstore/local-store.hh

@@ -257,9 +257,9 @@ public:
      * register the hash of the file system contents of the path.  The
      * hash must be a SHA-256 hash.
      */
-    void registerValidPath(const ValidPathInfo & info);
+    void registerValidPath(const ValidPathInfo & info, bool syncPermissions = true);
 
-    void registerValidPaths(const ValidPathInfos & infos);
+    void registerValidPaths(const ValidPathInfos & infos, bool syncPermissions = true);
 
     unsigned int getProtocol() override;
 

src/libutil/acl.cc

@@ -355,6 +355,19 @@ void Permissions::allowExecute(bool allow)
         erase(perms.begin(), perms.end());
 }
 
+std::string printTag(Tag tag)
+{
+    return std::visit(overloaded {
+        [&](User u){
+            return fmt("user with uid %d", u.uid);
+        },
+        [&](Group g){
+            return fmt("group with gid %d", g.gid);
+        },
+    }, tag);
+}
+
+
 AccessControlList::AccessControlList(std::filesystem::path p)
 {
     auto native = Native::AccessControlList(p);
@@ -384,6 +397,7 @@ void AccessControlList::set(std::filesystem::path p)
     native[Other {}] = current[Other {}];
     if (!empty())
         native[Mask {}] = {Permission::Read, Permission::Write, Permission::Execute};
+    if (current == native) return;
 #endif
     native.set(p);
 }

src/libutil/acl.hh

@@ -65,6 +65,8 @@ struct Group
  */
 typedef std::variant<User, Group> Tag;
 
+std::string printTag(Tag t);
+
 namespace Native {
 #ifdef __APPLE__
 

tests/repl.sh

@@ -52,7 +52,7 @@ testRepl () {
 # Simple test, try building a drv
 testRepl
 # Same thing (kind-of), but with a remote store.
-testRepl --store "$TEST_ROOT/store?real=$NIX_STORE_DIR"
+testRepl --store "$TEST_ROOT/repl-store?real=$NIX_STORE_DIR"
 
 testReplResponse () {
     local commands="$1"; shift