clarifying comment

2015-10-21 14:39:16 -07:00 · 2015-10-21 14:39:16 -07:00 · 992cda1b11
parent 76f3ba42fd
commit 992cda1b11
1 changed files with 5 additions and 1 deletions
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@ -2488,7 +2488,11 @@ void DerivationGoal::runChild()
            sandboxProfile += ")\n";

            /* Our ancestry. N.B: this uses literal on folders, instead of subpath. Without that,
-               you open up the entire filesystem because you end up with (subpath "/") */
+               you open up the entire filesystem because you end up with (subpath "/")
+               Note: file-read-metadata* is not sufficiently permissive for GHC. file-read* is but may
+               be a security hazard.
+               TODO: figure out a more appropriate directive.
+             */
            sandboxProfile += "(allow file-read*\n";
            for (auto & i : ancestry) {
                sandboxProfile += (format("\t(literal \"%1%\")\n") % i.c_str()).str();