
write-text: remove support for copy

This is a huge anti‐declarative footgun; `copy` files cannot
distinguish if a previous version is managed by nix-darwin, so they
can’t check the hash, so they’re prone to destroying data, and
copied files are not deleted when they’re removed from the system
configuration, which led to a security bug. Nothing else in‐tree
was using this functionality, so let’s make sure it doesn’t
cause any more bugs.
This commit is contained in:
Emily 2023-07-16 17:02:10 +01:00
parent b833d4a32d
commit 36a15e8c6c
2 changed files with 5 additions and 22 deletions


@ -45,14 +45,6 @@ in
''; '';
}; };
copy = mkOption {
type = types.bool;
default = false;
description = ''
Whether this file should be copied instead of symlinking.
'';
};
knownSha256Hashes = mkOption { knownSha256Hashes = mkOption {
internal = true; internal = true;
type = types.listOf types.str; type = types.listOf types.str;
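Review bot: Deleting the `copy` option outright means any configuration that still sets `environment.etc.<name>.copy = true` now fails evaluation with the generic "option does not exist" error, which gives the user no hint about the real consequence described in the commit message — the file they previously had copied is still sitting in /etc, unmanaged. Since this is a submodule option, `mkRemovedOptionModule` does not fit a per-entry path; a gentler route is to keep `copy` declared with `visible = false` and `internal = true` (as `knownSha256Hashes` already is) and have the module assert it is `false` with a message telling the user to delete the old copy from /etc by hand. The submodule's `options` block starts outside this hunk, so the assertion would need to go where the module's `config` is built.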


@ -10,7 +10,6 @@ let
}; };
etc = filter (f: f.enable) (attrValues config.environment.etc); etc = filter (f: f.enable) (attrValues config.environment.etc);
etcCopy = filter (f: f.copy) (attrValues config.environment.etc);
in in
@ -34,9 +33,10 @@ in
'' ''
mkdir -p $out/etc mkdir -p $out/etc
cd $out/etc cd $out/etc
${concatMapStringsSep "\n" (attr: "mkdir -p $(dirname '${attr.target}')") etc} ${concatMapStringsSep "\n" (attr: ''
${concatMapStringsSep "\n" (attr: "ln -s '${attr.source}' '${attr.target}'") etc} mkdir -p "$(dirname ${escapeShellArg attr.target})"
${concatMapStringsSep "\n" (attr: "touch '${attr.target}'.copy") etcCopy} ln -s ${escapeShellArgs [ attr.source attr.target ]}
'') etc}
''; '';
system.activationScripts.etcChecks.text = '' system.activationScripts.etcChecks.text = ''
@ -55,10 +55,6 @@ in
etcStaticFile=/etc/static/$subPath etcStaticFile=/etc/static/$subPath
etcFile=/etc/$subPath etcFile=/etc/$subPath
if [[ -e $configFile.copy ]]; then
continue
fi
# We need to check files that exist and aren't already links to # We need to check files that exist and aren't already links to
# $etcStaticFile for known hashes. # $etcStaticFile for known hashes.
if [[ if [[
@ -109,11 +105,6 @@ in
mkdir -p "$etcDir" mkdir -p "$etcDir"
fi fi
if [[ -e $etcStaticFile.copy ]]; then
cp "$etcStaticFile" "$etcFile"
continue
fi
if [[ -e $etcFile ]]; then if [[ -e $etcFile ]]; then
if [[ $(readlink -- "$etcFile") == "$etcStaticFile" ]]; then if [[ $(readlink -- "$etcFile") == "$etcStaticFile" ]]; then
continue continue
@ -130,7 +121,7 @@ in
# Delete stale links into /etc/static. # Delete stale links into /etc/static.
if [[ if [[
$(readlink "$etcFile") == "$etcStaticFile" $(readlink -- "$etcFile") == "$etcStaticFile"
&& ! -e $etcStaticFile && ! -e $etcStaticFile
]]; then ]]; then
rm "$etcFile" rm "$etcFile"
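Review bot: Regular files that an earlier generation placed in /etc via `copy = true` are left behind by this change: the branch removed at `if [[ -e $etcStaticFile.copy ]]` was the only code that knew about them, and the cleanup in the last hunk (`# Delete stale links into /etc/static.`) only removes entries whose `readlink -- "$etcFile"` resolves to $etcStaticFile, so a plain file is never touched. A user who drops a former copy entry from their configuration therefore keeps a stale, unmanaged file in /etc indefinitely, which is the same data-lifetime problem the description cites; an entry that stays in the configuration presumably now reaches the known-hash check in the `etcChecks` hunk as an unrecognised file, since the `continue` that skipped it was removed. Suggest a comment next to the stale-link cleanup, e.g. `# Only symlinks into /etc/static are reclaimed here; files that older generations copied into /etc (copy = true) are not tracked and must be removed manually.`, plus a matching migration note in the commit description. The activation script continues past the end of this hunk.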