forked from lix-project/lix
In restricted eval mode, allow access to the closure of store paths
E.g. this makes nix eval --restrict-eval -I /nix/store/foo '(builtins.readFile "/nix/store/foo/symlink/bla")' (where /nix/store/foo/symlink is a symlink to another path in the closure of /nix/store/foo) succeed. This fixes a regression in Hydra compared to Nix 1.x (where there were no restrictions at all on access to the Nix store).
This commit is contained in:
parent
a1adcdf087
commit
a91c4ca01f
|
@ -317,10 +317,20 @@ EvalState::EvalState(const Strings & _searchPath, ref<Store> store)
|
|||
|
||||
if (settings.restrictEval || settings.pureEval) {
|
||||
allowedPaths = PathSet();
|
||||
|
||||
for (auto & i : searchPath) {
|
||||
auto r = resolveSearchPathElem(i);
|
||||
if (!r.first) continue;
|
||||
allowedPaths->insert(r.second);
|
||||
|
||||
auto path = r.second;
|
||||
|
||||
if (store->isInStore(r.second)) {
|
||||
PathSet closure;
|
||||
store->computeFSClosure(store->toStorePath(r.second), closure);
|
||||
for (auto & path : closure)
|
||||
allowedPaths->insert(path);
|
||||
} else
|
||||
allowedPaths->insert(r.second);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue