Restore isAllowed check in ChrootLinuxDerivationBuilder

xokdvium · Ericson2314 · commit 496e43ec7264 · 2025-11-10T13:43:02.000-05:00
This early return was lost in d4ef822. By doing some https://en.wikipedia.org/wiki/Non-virtual_interface_pattern, we can ensure that we don't make this mistake again --- implementations are no longer responsible for implementing the caching/memoization mechanism.
diff --git a/src/libstore/include/nix/store/restricted-store.hh b/src/libstore/include/nix/store/restricted-store.hh
@@ -52,7 +52,21 @@ struct RestrictionContext
      * Add 'path' to the set of paths that may be referenced by the
      * outputs, and make it appear in the sandbox.
      */
-    virtual void addDependency(const StorePath & path) = 0;
+    void addDependency(const StorePath & path)
+    {
+        if (isAllowed(path))
+            return;
+        addDependencyImpl(path);
+    }
+
+protected:
+
+    /**
+     * This is the underlying implementation to be defined. The caller
+     * will ensure that this is only called on newly added dependencies,
+     * and that idempotent calls are a no-op.
+     */
+    virtual void addDependencyImpl(const StorePath & path) = 0;
 };
 
 /**
diff --git a/src/libstore/unix/build/derivation-builder.cc b/src/libstore/unix/build/derivation-builder.cc
@@ -334,7 +334,7 @@ class DerivationBuilderImpl : public DerivationBuilder, public DerivationBuilder
 
 protected:
 
-    void addDependency(const StorePath & path) override;
+    void addDependencyImpl(const StorePath & path) override;
 
     /**
      * Make a file owned by the builder.
@@ -1203,11 +1203,8 @@ void DerivationBuilderImpl::stopDaemon()
     daemonSocket.close();
 }
 
-void DerivationBuilderImpl::addDependency(const StorePath & path)
+void DerivationBuilderImpl::addDependencyImpl(const StorePath & path)
 {
-    if (isAllowed(path))
-        return;
-
     addedPaths.insert(path);
 }
 
diff --git a/src/libstore/unix/build/linux-derivation-builder.cc b/src/libstore/unix/build/linux-derivation-builder.cc
@@ -709,8 +709,11 @@ struct ChrootLinuxDerivationBuilder : ChrootDerivationBuilder, LinuxDerivationBu
         DerivationBuilderImpl::killSandbox(getStats);
     }
 
-    void addDependency(const StorePath & path) override
+    void addDependencyImpl(const StorePath & path) override
     {
+        if (isAllowed(path))
+            return;
+
         auto [source, target] = ChrootDerivationBuilder::addDependencyPrep(path);
 
         /* Bind-mount the path into the sandbox. This requires

Original file line number	Diff line number	Diff line change
`@@ -334,7 +334,7 @@ class DerivationBuilderImpl : public DerivationBuilder, public DerivationBuilder`
`334`	`334`
`335`	`335`	`protected:`
`336`	`336`
`337`		`- void addDependency(const StorePath & path) override;`
	`337`	`+ void addDependencyImpl(const StorePath & path) override;`
`338`	`338`
`339`	`339`	`/**`
`340`	`340`	`* Make a file owned by the builder.`
`@@ -1203,11 +1203,8 @@ void DerivationBuilderImpl::stopDaemon()`
`1203`	`1203`	`daemonSocket.close();`
`1204`	`1204`	`}`
`1205`	`1205`
`1206`		`-void DerivationBuilderImpl::addDependency(const StorePath & path)`
	`1206`	`+void DerivationBuilderImpl::addDependencyImpl(const StorePath & path)`
`1207`	`1207`	`{`
`1208`		`- if (isAllowed(path))`
`1209`		`- return;`
`1210`		`-`
`1211`	`1208`	`addedPaths.insert(path);`
`1212`	`1209`	`}`
`1213`	`1210`
Original file line number	Diff line number	Diff line change
`@@ -709,8 +709,11 @@ struct ChrootLinuxDerivationBuilder : ChrootDerivationBuilder, LinuxDerivationBu`
`709`	`709`	`DerivationBuilderImpl::killSandbox(getStats);`
`710`	`710`	`}`
`711`	`711`
`712`		`- void addDependency(const StorePath & path) override`
	`712`	`+ void addDependencyImpl(const StorePath & path) override`
`713`	`713`	`{`
	`714`	`+ if (isAllowed(path))`
	`715`	`+ return;`
	`716`	`+`
`714`	`717`	`auto [source, target] = ChrootDerivationBuilder::addDependencyPrep(path);`
`715`	`718`
`716`	`719`	`/* Bind-mount the path into the sandbox. This requires`