-
-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
restrict-eval does not allow access to git flake inputs #7098
Comments
Do you have allowed-uris set? |
No, but either I shouldn't need it (because they're locked declared flake inputs) or it should fail in the same way with |
Pure evaluation should cover all the uses for restrict-eval, and restrict-eval currently breaks accessing Git inputs on Flakes. [1]: NixOS/nix#7098
Pure evaluation should cover all the uses for restrict-eval, and restrict-eval currently breaks accessing Git inputs on Flakes[1]. [1]: NixOS/nix#7098
Since I got bitten by NixOS/hydra#1257 as well, I decided to investigate. First of all a bit of context: flake inputs are fetched using https://github.com/NixOS/nix/blob/2.12.0/src/libexpr/flake/call-flake.nix#L15, i.e. pure Nix code. That means that there's no difference between a Now, why are e.g.
As you can see, the cc @edolstra @thufschmitt for opinions. |
I'm not familiar at all with
Indeed. Which is something of an issue since we can change their host to anything. We probably want to fix that |
Pure evaluation should cover all the uses for restrict-eval, and restrict-eval currently breaks accessing Git inputs on Flakes[1]. [1]: NixOS/nix#7098
Pure evaluation should cover all the uses for restrict-eval, and restrict-eval currently breaks accessing Git inputs on Flakes[1]. [1]: NixOS/nix#7098
Pure evaluation should cover all the uses for restrict-eval, and restrict-eval currently breaks accessing Git inputs on Flakes[1]. [1]: NixOS/nix#7098
Pure evaluation should cover all the uses for restrict-eval, and restrict-eval currently breaks accessing Git inputs on Flakes[1]. [1]: NixOS/nix#7098
The behaviour has changed. It is at least consistent now:
But this issue should probably be closed given #8295. |
After upgrading to 23.11 am getting error:
for inputs like |
Looked at nix source, apparently each prefix in allowed-uris should end with
|
The trailing slash requirements makes it really difficult to use restricted eval with multiple flakes and their inputs. The nix manual sounds like one should be able to simply specify all allowed schemes, i.e. Since I'm the only user of my hydra instance and I've only worked with flakes so far, I'm using this patch until there's a better solution: diff --git a/src/hydra-eval-jobs/hydra-eval-jobs.cc b/src/hydra-eval-jobs/hydra-eval-jobs.cc
index 2794cc62..bd6416e9 100644
--- a/src/hydra-eval-jobs/hydra-eval-jobs.cc
+++ b/src/hydra-eval-jobs/hydra-eval-jobs.cc
@@ -327,7 +327,7 @@ int main(int argc, char * * argv)
/* Prevent access to paths outside of the Nix search path and
to the environment. */
- evalSettings.restrictEval = true;
+ evalSettings.restrictEval = config->getBoolOption("evaluator_restrict_eval", true);
/* When building a flake, use pure evaluation (no access to
'getEnv', 'currentSystem' etc. */ And inside hydra.conf:
In my NixOS configuration: services.hydra = {
// ...
package = pkgs.hydra.overrideAttrs (old: {
patches = (if old ? patches then old.patches else []) ++ [
./hydra.patch // With the above content
];
});
extraConfig = ''
evaluator_restrict_eval = false
'';
}; Hope this helps someone :) |
I think that this isn't the case anymore, so the original issue is probably resolved: |
Yeah I don't know of any trailing slash restriction; I think as of 2.19 (not |
Well, it really seems to be fixed on all tags newer than |
Describe the bug
(might be a dup of #7090, not sure)
Steps To Reproduce
nix build --restrict-eval github:lheckemann-dump/fetcher-issues-a/39ad58c862ba4b2a53dbe659a03df4c9a64a464f#test1
Expected behavior
Building just fine. I'm particularly surprised because the
test3
andtest4
inputs (github:
instead of git) are allowed.Actual behaviour
nix-env --version
outputnix-env (Nix) 2.12.0pre20220913_2a1c63c
(lazy-trees branch)Also tested on
nix-env (Nix) 2.8.1
.flake.nix for reference: https://github.com/lheckemann-dump/fetcher-issues-a/blob/39ad58c862ba4b2a53dbe659a03df4c9a64a464f/flake.nix
The text was updated successfully, but these errors were encountered: