nixos/nix
1
1
Fork 0
mirror of https://github.com/NixOS/nix.git synced 2025-11-17 16:02:43 +01:00
Code Activity

Trustless remote building

Browse source 
Co-authored-by: Matthew Bauer <mjbauer95@gmail.com>
This commit is contained in:
John Ericson 2020-08-12 03:47:36 +00:00
parent 53f92c779a
commit cbc4344297
15 changed files with 181 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

19
src/nix-daemon/nix-daemon.cc
View file

@ -268,6 +268,7 @@ static int _main(int argc, char * * argv)
{
{
auto stdio = false;
std::optional<TrustedFlag> isTrustedOpt;
parseCmdLine(argc, argv, [&](Strings::iterator & arg, const Strings::iterator & end) {
if (*arg == "--daemon")
@ -278,14 +279,26 @@ static int _main(int argc, char * * argv)
printVersion("nix-daemon");
else if (*arg == "--stdio")
stdio = true;
else return false;
else if (*arg == "--trust") {
settings.requireExperimentalFeature("nix-testing");
isTrustedOpt = Trusted;
} else if (*arg == "--no-trust") {
settings.requireExperimentalFeature("nix-testing");
isTrustedOpt = NotTrusted;
} else return false;
return true;
});
initPlugins();
auto ensureNoTrustedFlag = [&]() {
if (isTrustedOpt)
throw Error("--trust and --no-trust flags are only for use with --stdio when this nix-daemon process is not proxying another");
};
if (stdio) {
if (getStoreType() == tDaemon) {
ensureNoTrustedFlag();
// Forward on this connection to the real daemon
auto socketPath = settings.nixDaemonSocketFile;
auto s = socket(PF_UNIX, SOCK_STREAM, 0);
@ -335,9 +348,11 @@ static int _main(int argc, char * * argv)
/* Auth hook is empty because in this mode we blindly trust the
standard streams. Limitting access to thoses is explicitly
not `nix-daemon`'s responsibility. */
processConnection(openUncachedStore(), from, to, Trusted, NotRecursive, [&](Store & _){});
auto isTrusted = isTrustedOpt.value_or(Trusted);
processConnection(openUncachedStore(), from, to, isTrusted, NotRecursive, [&](Store & _){});
}
} else {
ensureNoTrustedFlag();
daemonLoop(argv);
}