Merge pull request NixOS#14534 from NixOS/backport-14531-to-2.32-maintenance

internal-nix-ci[bot] · web-flow · commit d7fc293353fc · 2025-11-10T20:47:31.000Z
[Backport 2.32-maintenance] Restore isAllowed check in ChrootLinuxDerivationBuilder
diff --git a/src/libstore/include/nix/store/restricted-store.hh b/src/libstore/include/nix/store/restricted-store.hh
@@ -52,7 +52,21 @@ struct RestrictionContext
      * Add 'path' to the set of paths that may be referenced by the
      * outputs, and make it appear in the sandbox.
      */
-    virtual void addDependency(const StorePath & path) = 0;
+    void addDependency(const StorePath & path)
+    {
+        if (isAllowed(path))
+            return;
+        addDependencyImpl(path);
+    }
+
+protected:
+
+    /**
+     * This is the underlying implementation to be defined. The caller
+     * will ensure that this is only called on newly added dependencies,
+     * and that idempotent calls are a no-op.
+     */
+    virtual void addDependencyImpl(const StorePath & path) = 0;
 };
 
 /**
diff --git a/src/libstore/unix/build/derivation-builder.cc b/src/libstore/unix/build/derivation-builder.cc
@@ -325,7 +325,7 @@ class DerivationBuilderImpl : public DerivationBuilder, public DerivationBuilder
 
 protected:
 
-    void addDependency(const StorePath & path) override;
+    void addDependencyImpl(const StorePath & path) override;
 
     /**
      * Make a file owned by the builder.
@@ -1181,11 +1181,8 @@ void DerivationBuilderImpl::stopDaemon()
     daemonSocket.close();
 }
 
-void DerivationBuilderImpl::addDependency(const StorePath & path)
+void DerivationBuilderImpl::addDependencyImpl(const StorePath & path)
 {
-    if (isAllowed(path))
-        return;
-
     addedPaths.insert(path);
 }
 
diff --git a/src/libstore/unix/build/linux-derivation-builder.cc b/src/libstore/unix/build/linux-derivation-builder.cc
@@ -703,8 +703,11 @@ struct ChrootLinuxDerivationBuilder : ChrootDerivationBuilder, LinuxDerivationBu
         DerivationBuilderImpl::killSandbox(getStats);
     }
 
-    void addDependency(const StorePath & path) override
+    void addDependencyImpl(const StorePath & path) override
     {
+        if (isAllowed(path))
+            return;
+
         auto [source, target] = ChrootDerivationBuilder::addDependencyPrep(path);
 
         /* Bind-mount the path into the sandbox. This requires

Original file line number	Diff line number	Diff line change
`@@ -325,7 +325,7 @@ class DerivationBuilderImpl : public DerivationBuilder, public DerivationBuilder`
`325`	`325`
`326`	`326`	`protected:`
`327`	`327`
`328`		`- void addDependency(const StorePath & path) override;`
	`328`	`+ void addDependencyImpl(const StorePath & path) override;`
`329`	`329`
`330`	`330`	`/**`
`331`	`331`	`* Make a file owned by the builder.`
`@@ -1181,11 +1181,8 @@ void DerivationBuilderImpl::stopDaemon()`
`1181`	`1181`	`daemonSocket.close();`
`1182`	`1182`	`}`
`1183`	`1183`
`1184`		`-void DerivationBuilderImpl::addDependency(const StorePath & path)`
	`1184`	`+void DerivationBuilderImpl::addDependencyImpl(const StorePath & path)`
`1185`	`1185`	`{`
`1186`		`- if (isAllowed(path))`
`1187`		`- return;`
`1188`		`-`
`1189`	`1186`	`addedPaths.insert(path);`
`1190`	`1187`	`}`
`1191`	`1188`
Original file line number	Diff line number	Diff line change
`@@ -703,8 +703,11 @@ struct ChrootLinuxDerivationBuilder : ChrootDerivationBuilder, LinuxDerivationBu`
`703`	`703`	`DerivationBuilderImpl::killSandbox(getStats);`
`704`	`704`	`}`
`705`	`705`
`706`		`- void addDependency(const StorePath & path) override`
	`706`	`+ void addDependencyImpl(const StorePath & path) override`
`707`	`707`	`{`
	`708`	`+ if (isAllowed(path))`
	`709`	`+ return;`
	`710`	`+`
`708`	`711`	`auto [source, target] = ChrootDerivationBuilder::addDependencyPrep(path);`
`709`	`712`
`710`	`713`	`/* Bind-mount the path into the sandbox. This requires`