Fix import-from-derivation in restricted eval mode

This relaxes restricted mode to allow access to anything in the store. In the future, it would be better to allow access to only paths that have been constructed in the current evaluation (so a hard-coded /nix/store/blabla in a Nix expression would still be rejected). However, note that reading /nix/store itself is still rejected, so you can't use this so get access to things you don't know about.
2015-05-22 12:18:23 +02:00 · 2015-05-22 12:18:23 +02:00 · 920f5fd4dd
parent 7a411e01cf
commit 920f5fd4dd
1 changed files with 7 additions and 0 deletions
--- a/src/libexpr/eval.cc
+++ b/src/libexpr/eval.cc
@ -292,10 +292,17 @@ Path EvalState::checkSourcePath(const Path & path_)
        if (path == i.second || isInDir(path, i.second))
            return path;

+    /* To support import-from-derivation, allow access to anything in
+       the store. FIXME: only allow access to paths that have been
+       constructed by this evaluation. */
+    if (isInStore(path)) return path;
+
+#if 0
    /* Hack to support the chroot dependencies of corepkgs (see
       corepkgs/config.nix.in). */
    if (path == settings.nixPrefix && isStorePath(settings.nixPrefix))
        return path;
+#endif

    throw RestrictedPathError(format("access to path ‘%1%’ is forbidden in restricted mode") % path_);
 }