libutil-tests: Add tests for makeFSSourceAccessor

Should be pretty self-explanatory. We didn't really have unit tests for the filesystem source accessor. Now we do and this will be immensely useful for implementing a unix-only smarter accessor that doesn't suffer from TOCTOU on symlinks.
2025-12-23 01:11:07 +01:00 · 2025-12-17 04:42:31 +03:00 · 2025-12-17 04:42:31 +03:00 · 017fae3f14
commit 017fae3f14
parent 8cf8a9151a
6 changed files with 169 additions and 21 deletions
--- a/src/libutil/include/nix/util/file-descriptor.hh
+++ b/src/libutil/include/nix/util/file-descriptor.hh
@ -2,7 +2,6 @@
 ///@file

 #include "nix/util/canon-path.hh"
-#include "nix/util/types.hh"
 #include "nix/util/error.hh"

 #ifdef _WIN32
@ -236,18 +235,6 @@ std::wstring handleToFileName(Descriptor handle);
 #ifndef _WIN32
 namespace unix {

-struct SymlinkNotAllowed : public Error
-{
-    CanonPath path;
-
-    SymlinkNotAllowed(CanonPath path)
-        /* Can't provide better error message, since the parent directory is only known to the caller. */
-        : Error("relative path '%s' points to a symlink, which is not allowed", path.rel())
-        , path(std::move(path))
-    {
-    }
-};
-
 /**
 * Safe(r) function to open \param path file relative to \param dirFd, while
 * disallowing escaping from a directory and resolving any symlinks in the
--- a/src/libutil/include/nix/util/source-accessor.hh
+++ b/src/libutil/include/nix/util/source-accessor.hh
@ -222,6 +222,24 @@ ref<SourceAccessor> makeEmptySourceAccessor();
 */
 MakeError(RestrictedPathError, Error);

+struct SymlinkNotAllowed : public Error
+{
+    CanonPath path;
+
+    SymlinkNotAllowed(CanonPath path)
+        : Error("relative path '%s' points to a symlink, which is not allowed", path.rel())
+        , path(std::move(path))
+    {
+    }
+
+    template<typename... Args>
+    SymlinkNotAllowed(CanonPath path, const std::string & fs, Args &&... args)
+        : Error(fs, std::forward<Args>(args)...)
+        , path(std::move(path))
+    {
+    }
+};
+
 /**
 * Return an accessor for the root filesystem.
 */
@ -233,7 +251,7 @@ ref<SourceAccessor> getFSSourceAccessor();
 * elements, and that absolute symlinks are resolved relative to
 * `root`.
 */
-ref<SourceAccessor> makeFSSourceAccessor(std::filesystem::path root);
+ref<SourceAccessor> makeFSSourceAccessor(std::filesystem::path root, bool trackLastModified = false);

 /**
 * Construct an accessor that presents a "union" view of a vector of
--- a/src/libutil/posix-source-accessor.cc
+++ b/src/libutil/posix-source-accessor.cc
@ -208,7 +208,7 @@ void PosixSourceAccessor::assertNoSymlinks(CanonPath path)
    while (!path.isRoot()) {
        auto st = cachedLstat(path);
        if (st && S_ISLNK(st->st_mode))
-            throw Error("path '%s' is a symlink", showPath(path));
+            throw SymlinkNotAllowed(path, "path '%s' is a symlink", showPath(path));
        path.pop();
    }
 }
@ -219,8 +219,8 @@ ref<SourceAccessor> getFSSourceAccessor()
    return rootFS;
 }

-ref<SourceAccessor> makeFSSourceAccessor(std::filesystem::path root)
+ref<SourceAccessor> makeFSSourceAccessor(std::filesystem::path root, bool trackLastModified)
 {
-    return make_ref<PosixSourceAccessor>(std::move(root));
+    return make_ref<PosixSourceAccessor>(std::move(root), trackLastModified);
 }
 } // namespace nix
--- a/src/libutil/unix/file-descriptor.cc
+++ b/src/libutil/unix/file-descriptor.cc
@ -3,6 +3,7 @@
 #include "nix/util/signals.hh"
 #include "nix/util/finally.hh"
 #include "nix/util/serialise.hh"
+#include "nix/util/source-accessor.hh"

 #include <fcntl.h>
 #include <unistd.h>
@ -301,10 +302,10 @@ openFileEnsureBeneathNoSymlinksIterative(Descriptor dirFd, const CanonPath & pat
            if (errno == ENOTDIR) /* Path component might be a symlink. */ {
                struct ::stat st;
                if (::fstatat(getParentFd(), component.c_str(), &st, AT_SYMLINK_NOFOLLOW) == 0 && S_ISLNK(st.st_mode))
-                    throw unix::SymlinkNotAllowed(path2);
+                    throw SymlinkNotAllowed(path2);
                errno = ENOTDIR; /* Restore the errno. */
            } else if (errno == ELOOP) {
-                throw unix::SymlinkNotAllowed(path2);
+                throw SymlinkNotAllowed(path2);
            }

            return INVALID_DESCRIPTOR;
@ -315,7 +316,7 @@ openFileEnsureBeneathNoSymlinksIterative(Descriptor dirFd, const CanonPath & pat

    auto res = ::openat(getParentFd(), std::string(path.baseName().value()).c_str(), flags | O_NOFOLLOW, mode);
    if (res < 0 && errno == ELOOP)
-        throw unix::SymlinkNotAllowed(path);
+        throw SymlinkNotAllowed(path);
    return res;
 }

@ -328,7 +329,7 @@ Descriptor unix::openFileEnsureBeneathNoSymlinks(Descriptor dirFd, const CanonPa
        dirFd, path.rel_c_str(), flags, static_cast<uint64_t>(mode), RESOLVE_BENEATH | RESOLVE_NO_SYMLINKS);
    if (maybeFd) {
        if (*maybeFd < 0 && errno == ELOOP)
-            throw unix::SymlinkNotAllowed(path);
+            throw SymlinkNotAllowed(path);
        return *maybeFd;
    }
 #endif