feat(3p/nix): add --trace-file-access to nix-instantiate r/1603

This builds on edef's work with depot-scan by adding a dedicated
flag to the command. We piggyback on upstream's restricted-mode
implementation, the checkSourcePath function.

Change-Id: I52bb613549f40dbca1e8caa036635910c1a3d6d0
Reviewed-on: https://cl.tvl.fyi/c/depot/+/1654
Tested-by: BuildkiteCI
Reviewed-by: glittershark <grfn@gws.fyi>

1 files changed, 15 insertions, 0 deletions

diff --git a/third_party/nix/src/libexpr/eval.cc b/third_party/nix/src/libexpr/eval.cc
index 5f272b62b8..f068b6ba6a 100644
--- a/third_party/nix/src/libexpr/eval.cc
+++ b/third_party/nix/src/libexpr/eval.cc
@@ -379,6 +379,7 @@ EvalState::EvalState(const Strings& _searchPath, const ref<Store>& store)
 EvalState::~EvalState() = default;
 
 Path EvalState::checkSourcePath(const Path& path_) {
+  TraceFileAccess(path_);
   if (!allowedPaths) {
     return path_;
   }
@@ -1819,6 +1820,20 @@ void EvalState::printStats() {
   }
 }
 
+void EvalState::TraceFileAccess(const Path& realPath) {
+  if (file_access_trace_fn.has_value()) {
+    if (last_traced_file != realPath) {
+      (*file_access_trace_fn)(realPath);
+      // Basic deduplication.
+      last_traced_file = std::string(realPath);
+    }
+  }
+}
+
+void EvalState::EnableFileAccessTracing(std::function<void(const Path&)> fn) {
+  file_access_trace_fn = fn;
+}
+
 size_t valueSize(const Value& v) {
   traceable_flat_hash_set<const Bindings*> seenBindings;
   traceable_flat_hash_set<const Env*> seenEnvs;