Ludovic Courtès <ludovic.cour...@inria.fr> writes:
> Roel Janssen <r...@gnu.org> skribis:
>
>> Ludovic Courtès <ludovic.cour...@inria.fr> writes:
>
> [...]
>
>>>> diff --git a/nix/nix-daemon/nix-daemon.cc b/nix/nix-daemon/nix-daemon.cc
>>>> index deb7003d7..65770ba95 100644
>>>> --- a/nix/nix-daemon/nix-daemon.cc
>>>> +++ b/nix/nix-daemon/nix-daemon.cc
>>>> @@ -529,6 +529,11 @@ static void performOp(bool trusted, unsigned int
>>>> clientVersion,
>>>> }
>>>>
>>>> case wopCollectGarbage: {
>>>> + if (settings.isRemoteConnection) {
>>>> + throw Error("Garbage collection is disabled for remote
>>>> hosts.");
>>>> + break;
>>>> + }
>>>> GCOptions options;
>>>> options.action = (GCOptions::GCAction) readInt(from);
>>>> options.pathsToDelete = readStorePaths<PathSet>(from);
>>>
>>> I was wondering if we would like to allow some of the ‘GCAction’ values,
>>> but maybe it’s better to disallow them altogether like this code does.
>>
>> Could we please start with a “disable any GC” and start allowing cases
>> on a case-by-case basis?
>
> Sure, that’s what I was suggesting. :-)
>
>>> Last thing: could you add a couple of tests? tests/guix-daemon.sh
>>> already has tests for ‘--listen’, so you could take inspiration from
>>> those.
>>
>> I included a test, but I don't know how I can properly run this test.
>> Could you elaborate on how I can test the test(s)?
>
> Run:
>
> make check TESTS=tests/guix-daemon.sh
>
> See
> <https://www.gnu.org/software/guix/manual/html_node/Running-the-Test-Suite.html>.
That is really nice. Thanks for pointing to the manual.
>> From b29d3a90e1487ebda5ac5b6bc146f8c95218eab6 Mon Sep 17 00:00:00 2001
>> From: Roel Janssen <r...@gnu.org>
>> Date: Thu, 19 Apr 2018 14:01:49 +0200
>> Subject: [PATCH] guix-daemon: Disable garbage collection for remote hosts.
>>
>> * nix/nix-daemon/nix-daemon.cc (performOp): Display appropriate error
>> message;
>> (acceptConnection): Set isRemoteConnection when connection is over TCP.
>
> Rather:
>
> * nix/nix-daemon/nix-daemon.cc (isRemoteConnection): New variable.
> (performOp): For wopCollectGarbage, throw an error when
> isRemoteConnection is set.
> (acceptConnection): Set isRemoteConnection when connection is not AF_UNIX.
>
>> +output=`GUIX_DAEMON_SOCKET="$socket" guix gc`
>> +if [[ "$output" != *"GUIX_DAEMON_SOCKET=$socket" ]];
>> +then
>> + exit 1
>> +fi
>
> Perhaps simply check the exit code of ‘guix gc’ and fail if it succeeds?
Right.
> Like:
>
> if guix gc; then false; else true; fi
>
> Also please try to avoid Bash-specific constructs like [[ this ]].
Right.
> Could you send an updated patch?
The attached patch should be fine.
Kind regards,
Roel Janssen
>From fcbe7ebb3d205cf7310700e62b78b9aafd94f76f Mon Sep 17 00:00:00 2001
From: Roel Janssen <r...@gnu.org>
Date: Thu, 19 Apr 2018 17:11:30 +0200
Subject: [PATCH] guix-daemon: Disable garbage collection for remote
connections.
* nix/nix-daemon/nix-daemon.cc (isRemoteConnection): New variable.
(performOp): For wopCollectGarbage, throw an error when isRemoteConnection
is set.
(acceptConnection): Set isRemoteConnection when connection is not AF_UNIX.
* tests/guix-daemon.sh: Add a test for the new behavior.
---
nix/nix-daemon/nix-daemon.cc | 10 +++++++++-
tests/guix-daemon.sh | 14 ++++++++++++++
2 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/nix/nix-daemon/nix-daemon.cc b/nix/nix-daemon/nix-daemon.cc
index deb7003d7..782e4acfc 100644
--- a/nix/nix-daemon/nix-daemon.cc
+++ b/nix/nix-daemon/nix-daemon.cc
@@ -54,7 +54,9 @@ static FdSink to(STDOUT_FILENO);
bool canSendStderr;
-
+/* This variable is used to keep track of whether a connection
+ comes from a host other than the host running guix-daemon. */
+static bool isRemoteConnection;
/* This function is called anytime we want to write something to
stderr. If we're in a state where the protocol allows it (i.e.,
@@ -529,6 +531,11 @@ static void performOp(bool trusted, unsigned int clientVersion,
}
case wopCollectGarbage: {
+ if (isRemoteConnection) {
+ throw Error("Garbage collection is disabled for remote hosts.");
+ break;
+ }
+
GCOptions options;
options.action = (GCOptions::GCAction) readInt(from);
options.pathsToDelete = readStorePaths<PathSet>(from);
@@ -934,6 +941,7 @@ static void acceptConnection(int fdSocket)
connection. Setting these to -1 means: do not change. */
settings.clientUid = clientUid;
settings.clientGid = clientGid;
+ isRemoteConnection = (remoteAddr.ss_family != AF_UNIX);
/* Handle the connection. */
from.fd = remote;
diff --git a/tests/guix-daemon.sh b/tests/guix-daemon.sh
index 6f91eb58b..9ae6e0b77 100644
--- a/tests/guix-daemon.sh
+++ b/tests/guix-daemon.sh
@@ -194,6 +194,20 @@ do
kill "$daemon_pid"
done
+# Make sure garbage collection from a TCP connection does not work.
+
+tcp_socket="127.0.0.1:9999"
+guix-daemon --listen="$tcp_socket" &
+daemon_pid=$!
+
+GUIX_DAEMON_SOCKET="guix://$tcp_socket"
+export GUIX_DAEMON_SOCKET
+
+if guix gc; then false; else true; fi
+
+unset GUIX_DAEMON_SOCKET
+kill "$daemon_pid"
+
# Log compression.
guix-daemon --listen="$socket" --disable-chroot --debug --log-compression=gzip &
--
2.17.0
