pre-build-hook: Provide it with a JSON serialization of the BasicDerivation

The hook gets the path of the derivation as an argument, but the
derivation typically doesn't exist when called as a remote build.

Author: edolstra

src/libstore/include/nix/store/globals.hh

@@ -1081,10 +1081,24 @@ public:
           captured by the derivation model itself and are too variable between
           different versions of the same system to be hard-coded into nix.
 
-          The hook is passed the derivation path and, if sandboxes are
-          enabled, the sandbox directory. It can then modify the sandbox and
-          send a series of commands to modify various settings to stdout. The
-          currently recognized commands are:
+          The hook receives the derivation to be built as JSON in the file
+          pointed to by the environment variable `NIX_DERIVATION_V4`. See
+          [@docroot@/protocols/json/derivation/index.md](@docroot@/protocols/json/derivation/index.md)
+          for the format. For example, to read the `requiredSystemFeatures`
+          attribute:
+
+          ```sh
+          jq -r '.env.requiredSystemFeatures' < "$NIX_DERIVATION_V4"
+          ```
+
+          > **Deprecated**
+          > Using the derivation store path passed as `argv[1]` to inspect the
+          > derivation is deprecated and not recommended. This path may not
+          > exist when Nix is invoked as a remote builder.
+
+          If sandboxes are enabled, the hook also receives the sandbox
+          directory as `argv[2]`. It can send a series of commands to modify
+          various settings to stdout. The currently recognized commands are:
 
             - `extra-sandbox-paths`\
               Pass a list of files and directories to be included in the

src/libstore/unix/build/derivation-builder.cc

@@ -22,6 +22,7 @@
 #include "nix/util/terminal.hh"
 #include "nix/store/provenance.hh"
 
+#include <nlohmann/json.hpp>
 #include <queue>
 
 #include <sys/un.h>
@@ -932,8 +933,27 @@ PathsInChroot DerivationBuilderImpl::getPathsInSandbox()
 
         enum BuildHookState { stBegin, stExtraChrootDirs };
 
+        nlohmann::json drvJson = drv;
+
+        auto [tmpFd, drvJsonPath] = createTempFile("nix-drv-json");
+        writeFile(drvJsonPath, drvJson.dump());
+        AutoDelete drvJsonFile(drvJsonPath, false);
+
+        auto hookEnv = getEnv();
+        static_assert(expectedJsonVersionDerivation == 4);
+        hookEnv["NIX_DERIVATION_V4"] = drvJsonPath;
+
+        auto [hookStatus, lines] = runProgram(
+            RunOptions{
+                .program = settings.preBuildHook,
+                .lookupPath = false,
+                .args = getPreBuildHookArgs(),
+                .environment = std::move(hookEnv),
+            });
+        if (!statusOk(hookStatus))
+            throw ExecError(hookStatus, "pre-build hook '%1%' %2%", settings.preBuildHook, statusToString(hookStatus));
+
         auto state = stBegin;
-        auto lines = runProgram(settings.preBuildHook, false, getPreBuildHookArgs());
         auto lastPos = std::string::size_type{0};
         for (auto nlPos = lines.find('\n'); nlPos != std::string::npos; nlPos = lines.find('\n', lastPos)) {
             auto line = lines.substr(lastPos, nlPos - lastPos);

tests/functional/linux-sandbox.sh

@@ -102,3 +102,24 @@ nix-sandbox-build symlink-derivation.nix -A test_sandbox_paths \
 expectStderr 1 nix-sandbox-build --option extra-sandbox-paths '/does-not-exist' \
     -E 'with import '"${config_nix}"'; mkDerivation { name = "trivial"; buildCommand = "echo > $out"; }' |
     grepQuiet "path '/does-not-exist' is configured as part of the \`sandbox-paths\` option, but is inaccessible"
+
+# Test pre-build-hook.
+DEST="$TEST_ROOT/hook-output"
+HOOK="$TEST_ROOT/pre-build-hook"
+
+echo foo > "$TEST_ROOT"/fnord
+
+cat > "$HOOK" <<EOF
+#! $SHELL -e
+jq -r .env.name < "\$NIX_DERIVATION_V4" > "$DEST"
+echo "hello from hook!" >&2
+echo "extra-sandbox-paths"
+echo "/foo/bar=$TEST_ROOT/fnord"
+EOF
+chmod +x "$HOOK"
+
+outPath=$(nix-build --no-out-link --sandbox-paths /nix/store --pre-build-hook "$HOOK" symlink-derivation.nix -A test_sandbox_paths_2)
+
+[[ $(cat "$TEST_ROOT/store0/nix/store/$(basename "$outPath")/xyzzy") = foo ]]
+
+[[ "$(cat "$DEST")" == "test-sandbox-paths-2" ]]

tests/functional/symlink-derivation.nix

@@ -56,4 +56,12 @@ in
       touch $out
     '';
   };
+
+  test_sandbox_paths_2 = mkDerivation {
+    name = "test-sandbox-paths-2";
+    buildCommand = ''
+      mkdir $out
+      cat /foo/bar > $out/xyzzy
+    '';
+  };
 }