Fix import-from-derivation in restricted eval mode
This relaxes restricted mode to allow access to anything in the store. In the future, it would be better to allow access to only paths that have been constructed in the current evaluation (so a hard-coded /nix/store/blabla in a Nix expression would still be rejected). However, note that reading /nix/store itself is still rejected, so you can't use this so get access to things you don't know about.
This commit is contained in:
parent
7a411e01cf
commit
920f5fd4dd
|
@ -292,10 +292,17 @@ Path EvalState::checkSourcePath(const Path & path_)
|
||||||
if (path == i.second || isInDir(path, i.second))
|
if (path == i.second || isInDir(path, i.second))
|
||||||
return path;
|
return path;
|
||||||
|
|
||||||
|
/* To support import-from-derivation, allow access to anything in
|
||||||
|
the store. FIXME: only allow access to paths that have been
|
||||||
|
constructed by this evaluation. */
|
||||||
|
if (isInStore(path)) return path;
|
||||||
|
|
||||||
|
#if 0
|
||||||
/* Hack to support the chroot dependencies of corepkgs (see
|
/* Hack to support the chroot dependencies of corepkgs (see
|
||||||
corepkgs/config.nix.in). */
|
corepkgs/config.nix.in). */
|
||||||
if (path == settings.nixPrefix && isStorePath(settings.nixPrefix))
|
if (path == settings.nixPrefix && isStorePath(settings.nixPrefix))
|
||||||
return path;
|
return path;
|
||||||
|
#endif
|
||||||
|
|
||||||
throw RestrictedPathError(format("access to path ‘%1%’ is forbidden in restricted mode") % path_);
|
throw RestrictedPathError(format("access to path ‘%1%’ is forbidden in restricted mode") % path_);
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue