Move RestrictedStore into its own file+header

Perhaps more significantly, it no longer knows about `LocalDerivationGoal`, and without any effort it also compiles on Windows just fine. (`local-derivation-goal.{cc,hh}` is currently skipped on Windows.)
2025-12-12 20:11:03 +01:00 · 2025-03-14 02:17:24 -04:00 · 2025-03-14 02:17:24 -04:00 · 5026d5af95
commit 5026d5af95
parent 2cfd031511
4 changed files with 368 additions and 281 deletions
--- a/src/libstore/restricted-store.hh
+++ b/src/libstore/restricted-store.hh
@ -0,0 +1,60 @@
+#pragma once
+///@file
+
+#include "local-store.hh"
+
+namespace nix {
+
+/**
+ * A restricted store has a pointer to one of these, which manages the
+ * restrictions that are in place.
+ *
+ * This is a separate data type so the whitelists can be mutated before
+ * the restricted store is created: put differently, someones we don't
+ * know whether we will in fact create a restricted store, but we need
+ * to prepare the whitelists just in case.
+ *
+ * It is possible there are other ways to solve this problem. This was
+ * just the easiest place to begin, when this was extracted from
+ * `LocalDerivationGoal`.
+ */
+struct RestrictionContext
+{
+    /**
+     * Paths that are already allowed to begin with
+     */
+    virtual const StorePathSet & originalPaths() = 0;
+
+    /**
+     * Paths that were added via recursive Nix calls.
+     */
+    StorePathSet addedPaths;
+
+    /**
+     * Realisations that were added via recursive Nix calls.
+     */
+    std::set<DrvOutput> addedDrvOutputs;
+
+    /**
+     * Recursive Nix calls are only allowed to build or realize paths
+     * in the original input closure or added via a recursive Nix call
+     * (so e.g. you can't do 'nix-store -r /nix/store/<bla>' where
+     * /nix/store/<bla> is some arbitrary path in a binary cache).
+     */
+    virtual bool isAllowed(const StorePath &) = 0;
+    virtual bool isAllowed(const DrvOutput & id) = 0;
+    bool isAllowed(const DerivedPath & id);
+
+    /**
+     * Add 'path' to the set of paths that may be referenced by the
+     * outputs, and make it appear in the sandbox.
+     */
+    virtual void addDependency(const StorePath & path) = 0;
+};
+
+/**
+ * Create a shared pointer to a restricted store.
+ */
+ref<Store> makeRestrictedStore(const Store::Params & params, ref<LocalStore> next, RestrictionContext & context);
+
+}