Add referrer checks for access status

src/libexpr/primops.cc

@@ -1460,6 +1460,8 @@ static void derivationStrictInternal(EvalState & state, const std::string & drvN
  state.forceAttrs(*outputs->value, noPos,
  "while evaluating the `__permissions.outputs` "
  "attribute passed to builtins.derivationStrict");
+ auto outputMap = state.store->queryPartialDerivationOutputMap(drvPath);
+ std::map<StorePath, LocalGranularAccessStore::AccessStatus> accessMap;
  for (auto & output : *outputs->value->attrs) {
  if (!drv.outputs.contains(state.symbols[output.name]))
  state.debugThrowLastTrace(EvalError({
@@ -1468,8 +1470,13 @@ static void derivationStrictInternal(EvalState & state, const std::string & drvN
  }));
  LocalGranularAccessStore::AccessStatus status;
  readAccessStatus(state, output, &status, fmt("__permissions.outputs.%s", state.symbols[output.name]), "builtins.derivationStrict");
- require<LocalGranularAccessStore>(*state.store).setAccessStatus(StoreObjectDerivationOutput {drvPath, std::string(state.symbols[{output.name}])}, status, true);
+ auto outputName = std::string(state.symbols[{output.name}]);
+ if (auto path = outputMap.at(outputName))
+ accessMap[*path] = status;
+ else
+ require<LocalGranularAccessStore>(*state.store).setAccessStatus(StoreObjectDerivationOutput {drvPath, outputName}, status, true);
  }
+ require<LocalGranularAccessStore>(*state.store).setAccessStatus(accessMap);
  }
  auto log = attr->value->attrs->find(state.sLog);
  if (log != attr->value->attrs->end()) {

src/libstore/build/local-derivation-goal.cc

@@ -3023,7 +3023,8 @@ void LocalDerivationGoal::deleteTmpDir(bool force)
  if (experimentalFeatureSettings.isEnabled(Xp::ACLs))
  if (auto store = dynamic_cast<LocalGranularAccessStore*>(&worker.store))
  if (store->effectiveUser) {
- chown(tmpDir.c_str(), store->effectiveUser->uid, info.st_gid);
+ if (chown(tmpDir.c_str(), store->effectiveUser->uid, info.st_gid) == -1)
+ throw SysError("cannot change ownership %s", tmpDir.c_str());
  chowned = true;
  }
  if (!chowned)

src/libstore/granular-access-store.hh

@@ -57,6 +57,17 @@ struct GranularAccessStore : public virtual Store
  virtual void setAccessStatus(const StoreObject & storeObject, const AccessStatus & status, const bool & ensureAccessCheck) = 0;
  virtual AccessStatus getAccessStatus(const StoreObject & storeObject) = 0;
 
+ virtual void setAccessStatus(const std::map<StorePath, AccessStatus> pathMap)
+ {
+ StorePathSet pathSet;
+ for (auto [path, _] : pathMap)
+ pathSet.insert(path);
+ auto paths = topoSortPaths(pathSet);
+ for (auto path : paths) {
+ setAccessStatus(path, pathMap.at(path), true);
+ }
+ }
+
  virtual std::set<AccessControlGroup> getSubjectGroupsUncached(AccessControlSubject subject) = 0;
 
  std::set<AccessControlGroup> getSubjectGroups(AccessControlSubject subject)

src/libstore/local-store.cc

@@ -858,11 +858,11 @@ StorePathSet LocalStore::queryAllValidPaths()
 }
 
 
-void LocalStore::queryReferrers(State & state, const StorePath & path, StorePathSet & referrers)
+void LocalStore::queryReferrers(State & state, const StorePath & path, StorePathSet & referrers, bool accessCheck)
 {
  auto useQueryReferrers(state.stmts->QueryReferrers.use()(printStorePath(path)));
 
- if (!canAccess(path)) throw AccessDenied("Access Denied");
+ if (accessCheck && !canAccess(path)) throw AccessDenied("Access Denied");
 
  while (useQueryReferrers.next())
  referrers.insert(parseStorePath(useQueryReferrers.getStr(0)));
@@ -1086,7 +1086,7 @@ void LocalStore::setCurrentAccessStatus(const Path & path, const LocalStore::Acc
 
  auto info = promise.get_future().get();
 
- if (info){
+ if (info) {
  for (auto reference : info->references) {
  if (reference == storePath) continue;
  auto otherStatus = getCurrentAccessStatus(printStorePath(reference));
@@ -1103,6 +1103,28 @@ void LocalStore::setCurrentAccessStatus(const Path & path, const LocalStore::Acc
  }
  }
  }
+
+ StorePathSet referrers;
+ retrySQLite<void>([&]() {
+ auto state(_state.lock());
+ queryReferrers(*state, storePath, referrers, false);
+ });
+
+ for (auto referrer : referrers) {
+ if (referrer == storePath) continue;
+ auto otherStatus = getAccessStatus(referrer);
+ if (!status.isProtected) continue;
+ if (!otherStatus.isProtected)
+ throw AccessDenied("can not make %s protected because it is referenced by a non-protected path %s", path, printStorePath(referrer));
+ std::vector<AccessControlEntity> difference;
+ std::set_difference(otherStatus.entities.begin(), otherStatus.entities.end(), status.entities.begin(), status.entities.end(),std::inserter(difference, difference.begin()));
+
+ if (! difference.empty()) {
+ std::string entities;
+ for (auto entity : difference) entities += ACL::printTag(entity) + ", ";
+ throw AccessDenied("can not deny %s access to %s because it is referenced by a path %s to which they do not have access", entities.substr(0, entities.size()-2), path, printStorePath(referrer));
+ }
+ }
  }
  }
 

src/libstore/local-store.hh

@@ -371,7 +371,7 @@ private:
 
  // Internal versions that are not wrapped in retry_sqlite.
  bool isValidPath_(State & state, const StorePath & path);
- void queryReferrers(State & state, const StorePath & path, StorePathSet & referrers);
+ void queryReferrers(State & state, const StorePath & path, StorePathSet & referrers, bool accessCheck = true);
 
  /**
  * Add signatures to a ValidPathInfo or Realisation using the secret keys

tests/nixos/acls.nix

@@ -13,6 +13,7 @@ let
  permissions = {
  protected = true;
  users = ["root"];
+ groups = ["root"];
  };
  };
  buildCommand = "echo Example > $out; cat $exampleSource >> $out";
@@ -34,6 +35,7 @@ let
  permissions = {
  protected = true;
  users = ["root"];
+ groups = ["root"];
  };
  };
  buildCommand = "echo Example > $out; cat $exampleSource >> $out";