From a91c4ca01f720711d80a6f7d16ead70ce8f5f741 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 9 May 2018 15:45:05 +0200 Subject: [PATCH] In restricted eval mode, allow access to the closure of store paths E.g. this makes nix eval --restrict-eval -I /nix/store/foo '(builtins.readFile "/nix/store/foo/symlink/bla")' (where /nix/store/foo/symlink is a symlink to another path in the closure of /nix/store/foo) succeed. This fixes a regression in Hydra compared to Nix 1.x (where there were no restrictions at all on access to the Nix store). --- src/libexpr/eval.cc | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/src/libexpr/eval.cc b/src/libexpr/eval.cc index a2cce162b..353097f89 100644 --- a/src/libexpr/eval.cc +++ b/src/libexpr/eval.cc @@ -317,10 +317,20 @@ EvalState::EvalState(const Strings & _searchPath, ref store) if (settings.restrictEval || settings.pureEval) { allowedPaths = PathSet(); + for (auto & i : searchPath) { auto r = resolveSearchPathElem(i); if (!r.first) continue; - allowedPaths->insert(r.second); + + auto path = r.second; + + if (store->isInStore(r.second)) { + PathSet closure; + store->computeFSClosure(store->toStorePath(r.second), closure); + for (auto & path : closure) + allowedPaths->insert(path); + } else + allowedPaths->insert(r.second); } }