From 5a61aefe4f61bf54926557b05be386ba23b7aa43 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Tue, 14 Apr 2015 15:16:00 +0200
Subject: [PATCH] Use Nix's restricted evaluation mode
---
 src/c/hydra-eval-jobs.cc | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/c/hydra-eval-jobs.cc b/src/c/hydra-eval-jobs.cc
index 6b5a12bb..0eacecd0 100644
--- a/src/c/hydra-eval-jobs.cc
+++ b/src/c/hydra-eval-jobs.cc
@@ -242,6 +242,10 @@ int main(int argc, char * * argv)
 return true;
 });
+ /* Prevent access to paths outside of the Nix search path and
+ to the environment. */
+ settings.set("restrict-eval", "true");
+
 if (releaseExpr == "") throw UsageError("no expression specified");
 if (gcRootsDir == "") printMsg(lvlError, "warning: `--gc-roots-dir' not specified");
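Review bot: The position of `settings.set("restrict-eval", "true");` is security-relevant, but the added comment does not say so. It sits directly after what looks like the end of the command-line parsing callback (`});`), so a value given on the command line would presumably be overwritten here, and it has to take effect before the evaluator is created further down. I would extend the comment to `/* Prevent access to paths outside of the Nix search path and to the environment. Keep this after argument parsing and before the evaluator is created, so callers cannot switch it off. */`. The comment could also note that the search path entries then define what job expressions may read, so they should come from trusted configuration only. main() starts and ends outside this hunk, so the ordering relative to evaluator setup needs to be confirmed there.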