Add granular access control for nix store #9287

Draft
wants to merge 61 commits into
base: master
Commits
20e574e
Add a library for ACL manipulation
balsoft Nov 1, 2023
337a127
Add a granular store interface
balsoft Nov 1, 2023
5024921
Implement granular access store
balsoft Nov 1, 2023
552e4e5
Add CLI commands to manipulate ACLs
balsoft Nov 1, 2023
61a3cea
Add __permissions to builtins.derivation and builtins.path
balsoft Nov 1, 2023
0be3e5d
Add an integration test for ACL functionality
balsoft Nov 1, 2023
bd56e3e
Add tests/acls.sh
ylecornec Nov 14, 2023
db3a522
acls grant/revoke: Error if group or user does not exists
ylecornec Nov 15, 2023
aba3181
Acls test: permission of dependency.
ylecornec Nov 16, 2023
8dbea38
revokeBuildUserAccess: only revoke permissions added by grantBuildUse…
ylecornec Nov 21, 2023
14e474c
Acls: add test that revokes the permission of a runtime dependency.
ylecornec Nov 22, 2023
afd828b
Acls: Refactor integration tests
ylecornec Nov 23, 2023
5d97559
Acls: disable non integration tests for now
ylecornec Nov 23, 2023
65fe86f
Add json() to AccessStatus
balsoft Nov 30, 2023
db20d22
Add protectByDefault setting
balsoft Nov 30, 2023
1102fdd
Add runtime closure invariant
balsoft Nov 30, 2023
6293167
Run acls.sh test properly
balsoft Nov 30, 2023
9d6c011
Acls: Add tests where a public output depend on a private one
ylecornec Dec 5, 2023
1ed4965
Acls: explicitely access future or current permissions
ylecornec Dec 5, 2023
f9e2c4b
Acls: remove some permission adding code which may not be needed anymore
ylecornec Dec 5, 2023
0c625b0
Acls: Also add future permission to paths of StoreObjectDerivationOutput
ylecornec Dec 5, 2023
7ea4b05
Acls: Add ShouldSync path status
ylecornec Dec 5, 2023
a3d3b71
Acls: tests non trusted user with private file
ylecornec Dec 6, 2023
5f8eef5
Acls: canAccess function, remove default value for use_future parameter
ylecornec Dec 6, 2023
2c00ec5
Merge remote-tracking branch 'origin/master' into acls
balsoft Dec 5, 2023
228d8af
Merge branch 'ylecornec/dep_perms' into acls
balsoft Dec 7, 2023
fccba28
ACL tests
balsoft Dec 8, 2023
7653b07
Add the ability to cache user's groups
balsoft Dec 8, 2023
3994ce1
Prevent segfault
balsoft Dec 13, 2023
3a4914d
Fix darwin build
balsoft Dec 13, 2023
cd72876
Merge remote-tracking branch 'origin/master' into acls
balsoft Dec 13, 2023
eff385d
Fix perl/default.nix
ylecornec Dec 14, 2023
4b66941
Acls: builtins.path set accessStatus
ylecornec Dec 14, 2023
985fe93
Acls: remove PathStatus::ShouldSync
ylecornec Dec 14, 2023
0b92adf
Acls: AccessStatus setter/getter
ylecornec Dec 14, 2023
834219a
Acls tests: Assertions on failing tests output
ylecornec Dec 14, 2023
f9d3f55
Temporarily deactivate ensureAccess
ylecornec Dec 14, 2023
96cb115
Acls: remove canAccess `use_future` argument
ylecornec Dec 14, 2023
2820eb4
Acls: permission check when importing a folder with builtins.path
ylecornec Dec 15, 2023
c1912d8
Acls: Test importing a private folder
ylecornec Dec 15, 2023
9c75782
Don't account for trusted users in ensureAccess
balsoft Dec 18, 2023
8ee4043
Make the 'should be synced' message debug-only
balsoft Dec 18, 2023
af84767
Fix perl bindings build
balsoft Dec 18, 2023
f967eb6
Reactivate runtime closure check
ylecornec Dec 18, 2023
d167252
Acls test: fix for runtime closure checks
ylecornec Dec 18, 2023
53c8eb5
Merge remote-tracking branch 'tweag/acls' into ylecornec/remove_curre…
ylecornec Dec 18, 2023
8841d0d
Acls: reactivate ensureAccess and move the call to setAccessStatus
ylecornec Dec 21, 2023
9f63760
Acls: Fix tests after activating `ensureAccess`
ylecornec Dec 19, 2023
045f1e8
Acls: add tests using flakes
ylecornec Dec 21, 2023
e90e479
Acls: merge {add/remove}AllowedEntities current and future
ylecornec Dec 21, 2023
df135f2
Acls documentation: fix markdown files paths.
ylecornec Dec 21, 2023
d14704c
ACLs: calculate mask correctly
balsoft Jan 12, 2024
51419e5
Merge branch 'ylecornec/remove_current_future' into selective-acl
balsoft Jan 16, 2024
5ef3f14
Ensure access in daemon.cc regardless of current status
balsoft Feb 2, 2024
7a49064
Assign the build directory to the effective user, if present
balsoft Feb 7, 2024
c5f8a40
Fix getUserName behavior
balsoft Feb 7, 2024
5333b25
Add referrer checks for access status
balsoft Feb 10, 2024
9ca2e82
Protect paths if setAccessStatus fail while registering
balsoft Feb 15, 2024
a8ff15f
Automatically deny access for referree derivations
balsoft Mar 14, 2024
946f4f7
Pass through access status from daemon
balsoft Mar 14, 2024
5d5bbbc
chmod if chown fails
balsoft Mar 14, 2024
Acls test: fix for runtime closure checks
ylecornec committed Dec 18, 2023
commit d1672525b62129c2f2d9589656cfd92367ce32d2
22 changes: 13 additions & 9 deletions tests/nixos/acls.nix
Expand Up @@ -427,7 +427,7 @@ let
users = ["test"];
};
};
buildCommand = "echo $privateSource > $out && echo Example >> $out";
buildCommand = "cat $privateSource > $out && echo Example >> $out";
allowSubstitutes = false;
__permissions = {
outputs.out = { protected = true; users = ["test" "test2"]; };
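Review bot: In buildCommand, replacing `echo $privateSource` with `cat $privateSource` means the output now carries the contents of the private source instead of its store path, while outputs.out grants access to both test and test2 and the block closing just above lists users = ["test"] only. If the intent is to drop the path reference so that the private source is no longer part of the output's runtime closure, say so in a comment next to buildCommand; as written, a later reader cannot tell whether handing the source's contents to test2 is deliberate. Quoting the variable (cat "$privateSource") would also be the more defensive form.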
Expand Down Expand Up @@ -506,13 +506,18 @@ let

assert_in_last_line("Could not access file (/tmp/test_secret) permissions may be missing", add_permissions_output)

inputPath1 = machine.succeed(f"""
sudo -u test2 head -n 1 {userPrivatePath}
""")

machine.fail(f"""
sudo -u test2 cat {inputPath1}
""")
testUserPrivateDrv = machine.succeed("""
sudo nix-instantiate ${test-user-private}
""").strip()
testUserPrivateInput=machine.succeed(f"nix-store -q --references {testUserPrivateDrv} | grep test_secret").strip()

assert_in_last_line(
"test_secret: Permission denied",
machine.fail(f"""
sudo -u test2 cat {testUserPrivateInput} 2>&1
""")
)

'';
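Review bot: The `grep test_secret` in the testUserPrivateInput assignment can return more than one reference, and the stripped result is then interpolated unquoted into `sudo -u test2 cat {testUserPrivateInput}`; with two matches the command spans two lines and the last-line assertion can pass or fail for the wrong path. Assert that exactly one line comes back before using it, and quote the path in the cat call. The expected string "test_secret: Permission denied" also ties the test to cat's error wording, so a short comment stating that the denial itself is what is being checked would help. The assignment is also missing the spaces around `=` that testUserPrivateDrv above it uses.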

Expand Down Expand Up @@ -655,7 +660,6 @@ in
testDependOnPrivate
testTestUserPrivate
testImportFolder
# [TODO] uncomment once access to the runtime closure is unforced
# testRuntimeDepNoPermScript
testRuntimeDepNoPermScript
];
}
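Review bot: Enabling testRuntimeDepNoPermScript at the end of this list removes the TODO without recording what unblocked it. The TODO was waiting on access to the runtime closure being enforced (the comment says "unforced"), and the commit list shows f967eb6 "Reactivate runtime closure check" landing just before this change, so name that commit in the commit message. If the check is switched off again, as ensureAccess was in f9d3f55, the reason this test starts failing will then be easy to trace.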