In restricted eval mode, allow access to the closure of store paths

E.g. this makes

  nix eval --restrict-eval -I /nix/store/foo '(builtins.readFile "/nix/store/foo/symlink/bla")'

(where /nix/store/foo/symlink is a symlink to another path in the
closure of /nix/store/foo) succeed.

This fixes a regression in Hydra compared to Nix 1.x (where there were
no restrictions at all on access to the Nix store).
This commit is contained in:
Eelco Dolstra 2018-05-09 15:45:05 +02:00
parent a1adcdf087
commit a91c4ca01f
No known key found for this signature in database
GPG key ID: 8170B4726D7198DE

View file

@ -317,9 +317,19 @@ EvalState::EvalState(const Strings & _searchPath, ref<Store> store)
if (settings.restrictEval || settings.pureEval) { if (settings.restrictEval || settings.pureEval) {
allowedPaths = PathSet(); allowedPaths = PathSet();
for (auto & i : searchPath) { for (auto & i : searchPath) {
auto r = resolveSearchPathElem(i); auto r = resolveSearchPathElem(i);
if (!r.first) continue; if (!r.first) continue;
auto path = r.second;
if (store->isInStore(r.second)) {
PathSet closure;
store->computeFSClosure(store->toStorePath(r.second), closure);
for (auto & path : closure)
allowedPaths->insert(path);
} else
allowedPaths->insert(r.second); allowedPaths->insert(r.second);
} }
} }