Add referrer checks for access status

balsoft · balsoft · commit 5333b2590a01 · 2024-02-13T15:53:05.000+04:00
diff --git a/src/libexpr/primops.cc b/src/libexpr/primops.cc
@@ -1460,6 +1460,8 @@ static void derivationStrictInternal(EvalState & state, const std::string & drvN
                 state.forceAttrs(*outputs->value, noPos,
                                 "while evaluating the `__permissions.outputs` "
                                 "attribute passed to builtins.derivationStrict");
+                auto outputMap = state.store->queryPartialDerivationOutputMap(drvPath);
+                std::map<StorePath, LocalGranularAccessStore::AccessStatus> accessMap;
                 for (auto & output : *outputs->value->attrs) {
                     if (!drv.outputs.contains(state.symbols[output.name]))
                         state.debugThrowLastTrace(EvalError({
@@ -1468,8 +1470,13 @@ static void derivationStrictInternal(EvalState & state, const std::string & drvN
                         }));
                     LocalGranularAccessStore::AccessStatus status;
                     readAccessStatus(state, output, &status, fmt("__permissions.outputs.%s", state.symbols[output.name]), "builtins.derivationStrict");
-                    require<LocalGranularAccessStore>(*state.store).setAccessStatus(StoreObjectDerivationOutput {drvPath, std::string(state.symbols[{output.name}])}, status, true);
+                    auto outputName = std::string(state.symbols[{output.name}]);
+                    if (auto path = outputMap.at(outputName))
+                        accessMap[*path] = status;
+                    else
+                        require<LocalGranularAccessStore>(*state.store).setAccessStatus(StoreObjectDerivationOutput {drvPath, outputName}, status, true);
                 }
+                require<LocalGranularAccessStore>(*state.store).setAccessStatus(accessMap);
             }
             auto log = attr->value->attrs->find(state.sLog);
             if (log != attr->value->attrs->end()) {
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
@@ -3023,7 +3023,8 @@ void LocalDerivationGoal::deleteTmpDir(bool force)
             if (experimentalFeatureSettings.isEnabled(Xp::ACLs))
                 if (auto store = dynamic_cast<LocalGranularAccessStore*>(&worker.store))
                     if (store->effectiveUser) {
-                        chown(tmpDir.c_str(), store->effectiveUser->uid, info.st_gid);
+                        if (chown(tmpDir.c_str(), store->effectiveUser->uid, info.st_gid) == -1)
+                            throw SysError("cannot change ownership %s", tmpDir.c_str());
                         chowned = true;
                     }
             if (!chowned)
diff --git a/src/libstore/granular-access-store.hh b/src/libstore/granular-access-store.hh
@@ -57,6 +57,17 @@ struct GranularAccessStore : public virtual Store
     virtual void setAccessStatus(const StoreObject & storeObject, const AccessStatus & status, const bool & ensureAccessCheck) = 0;
     virtual AccessStatus getAccessStatus(const StoreObject & storeObject) = 0;
 
+    virtual void setAccessStatus(const std::map<StorePath, AccessStatus> pathMap)
+    {
+        StorePathSet pathSet;
+        for (auto [path, _] : pathMap)
+            pathSet.insert(path);
+        auto paths = topoSortPaths(pathSet);
+        for (auto path : paths) {
+            setAccessStatus(path, pathMap.at(path), true);
+        }
+    }
+
     virtual std::set<AccessControlGroup> getSubjectGroupsUncached(AccessControlSubject subject) = 0;
 
     std::set<AccessControlGroup> getSubjectGroups(AccessControlSubject subject)
diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc
@@ -858,11 +858,11 @@ StorePathSet LocalStore::queryAllValidPaths()
 }
 
 
-void LocalStore::queryReferrers(State & state, const StorePath & path, StorePathSet & referrers)
+void LocalStore::queryReferrers(State & state, const StorePath & path, StorePathSet & referrers, bool accessCheck)
 {
     auto useQueryReferrers(state.stmts->QueryReferrers.use()(printStorePath(path)));
 
-    if (!canAccess(path)) throw AccessDenied("Access Denied");
+    if (accessCheck && !canAccess(path)) throw AccessDenied("Access Denied");
 
     while (useQueryReferrers.next())
         referrers.insert(parseStorePath(useQueryReferrers.getStr(0)));
@@ -1086,7 +1086,7 @@ void LocalStore::setCurrentAccessStatus(const Path & path, const LocalStore::Acc
 
             auto info = promise.get_future().get();
 
-            if (info){
+            if (info) {
                 for (auto reference : info->references) {
                     if (reference == storePath) continue;
                     auto otherStatus = getCurrentAccessStatus(printStorePath(reference));
@@ -1103,6 +1103,28 @@ void LocalStore::setCurrentAccessStatus(const Path & path, const LocalStore::Acc
                     }
                 }
             }
+
+            StorePathSet referrers;
+            retrySQLite<void>([&]() {
+                auto state(_state.lock());
+                queryReferrers(*state, storePath, referrers, false);
+            });
+
+            for (auto referrer : referrers) {
+                if (referrer == storePath) continue;
+                auto otherStatus = getAccessStatus(referrer);
+                if (!status.isProtected) continue;
+                if (!otherStatus.isProtected)
+                    throw AccessDenied("can not make %s protected because it is referenced by a non-protected path %s", path, printStorePath(referrer));
+                std::vector<AccessControlEntity> difference;
+                std::set_difference(otherStatus.entities.begin(), otherStatus.entities.end(), status.entities.begin(), status.entities.end(),std::inserter(difference, difference.begin()));
+
+                if (! difference.empty()) {
+                    std::string entities;
+                    for (auto entity : difference) entities += ACL::printTag(entity) + ", ";
+                    throw AccessDenied("can not deny %s access to %s because it is referenced by a path %s to which they do not have access", entities.substr(0, entities.size()-2), path, printStorePath(referrer));
+                }
+            }
         }
     }
 
diff --git a/src/libstore/local-store.hh b/src/libstore/local-store.hh
@@ -371,7 +371,7 @@ private:
 
     // Internal versions that are not wrapped in retry_sqlite.
     bool isValidPath_(State & state, const StorePath & path);
-    void queryReferrers(State & state, const StorePath & path, StorePathSet & referrers);
+    void queryReferrers(State & state, const StorePath & path, StorePathSet & referrers, bool accessCheck = true);
 
     /**
      * Add signatures to a ValidPathInfo or Realisation using the secret keys
diff --git a/tests/nixos/acls.nix b/tests/nixos/acls.nix
@@ -13,6 +13,7 @@ let
         permissions = {
           protected = true;
           users = ["root"];
+          groups = ["root"];
         };
       };
       buildCommand = "echo Example > $out; cat $exampleSource >> $out";
@@ -34,6 +35,7 @@ let
         permissions = {
           protected = true;
           users = ["root"];
+          groups = ["root"];
         };
       };
       buildCommand = "echo Example > $out; cat $exampleSource >> $out";
