Fix import-from-derivation in restricted eval mode

This relaxes restricted mode to allow access to anything in the
store. In the future, it would be better to allow access to only paths
that have been constructed in the current evaluation (so a hard-coded
/nix/store/blabla in a Nix expression would still be
rejected). However, note that reading /nix/store itself is still
rejected, so you can't use this so get access to things you don't know
about.
This commit is contained in:
Eelco Dolstra 2015-05-22 12:18:23 +02:00
parent 7a411e01cf
commit 920f5fd4dd

View file

@ -292,10 +292,17 @@ Path EvalState::checkSourcePath(const Path & path_)
if (path == i.second || isInDir(path, i.second)) if (path == i.second || isInDir(path, i.second))
return path; return path;
/* To support import-from-derivation, allow access to anything in
the store. FIXME: only allow access to paths that have been
constructed by this evaluation. */
if (isInStore(path)) return path;
#if 0
/* Hack to support the chroot dependencies of corepkgs (see /* Hack to support the chroot dependencies of corepkgs (see
corepkgs/config.nix.in). */ corepkgs/config.nix.in). */
if (path == settings.nixPrefix && isStorePath(settings.nixPrefix)) if (path == settings.nixPrefix && isStorePath(settings.nixPrefix))
return path; return path;
#endif
throw RestrictedPathError(format("access to path %1% is forbidden in restricted mode") % path_); throw RestrictedPathError(format("access to path %1% is forbidden in restricted mode") % path_);
} }