diff --git a/tests/local.mk b/tests/local.mk
index 66b87e86b..471821b27 100644
--- a/tests/local.mk
+++ b/tests/local.mk
@@ -11,7 +11,7 @@ nix_tests = \
 timeout.sh secure-drv-outputs.sh nix-channel.sh \
 multiple-outputs.sh import-derivation.sh fetchurl.sh optimise-store.sh \
 binary-cache.sh nix-profile.sh repair.sh dump-db.sh case-hack.sh \
- check-reqs.sh pass-as-file.sh tarball.sh
+ check-reqs.sh pass-as-file.sh tarball.sh restricted.sh
 # parallel.sh
 
 install-tests += $(foreach x, $(nix_tests), tests/$(x))
diff --git a/tests/restricted.sh b/tests/restricted.sh
new file mode 100644
index 000000000..19096a9f8
--- /dev/null
+++ b/tests/restricted.sh
@@ -0,0 +1,18 @@
+source common.sh
+
+clearStore
+
+nix-instantiate --option restrict-eval true --eval -E '1 + 2'
+(! nix-instantiate --option restrict-eval true ./simple.nix)
+nix-instantiate --option restrict-eval true ./simple.nix -I src=.
+nix-instantiate --option restrict-eval true ./simple.nix -I src1=simple.nix -I src2=config.nix -I src3=./simple.builder.sh
+
+(! nix-instantiate --option restrict-eval true --eval -E 'builtins.readFile ./simple.nix')
+nix-instantiate --option restrict-eval true --eval -E 'builtins.readFile ./simple.nix' -I src=..
+
+(! nix-instantiate --option restrict-eval true --eval -E 'builtins.readDir ../src/boost')
+nix-instantiate --option restrict-eval true --eval -E 'builtins.readDir ../src/boost' -I src=../src
+
+(! nix-instantiate --option restrict-eval true --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./.; } ]; in ')
+nix-instantiate --option restrict-eval true --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./.; } ]; in ' -I src=.
+
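Review bot: Every negative case in tests/restricted.sh is written as `(! nix-instantiate …)`, which succeeds on any non-zero exit, so a parse error, a crash or a missing `../src/boost` is indistinguishable from restrict-eval actually denying the access. Because this test guards a security control, each denial should also assert the reason, for example by capturing stderr and checking it with `grep -q '<restricted-mode error text>'` (placeholder; take the wording from the evaluator). As shown, the two `__nixPath` expressions end at `in ` with nothing after it, which would not parse with or without `-I src=.`; confirm the expression body was not lost. The readFile allow case grants `-I src=..` where `-I src=.` already covers `./simple.nix`, and no case checks a path that leaves an allowed directory through `..` or a symlink.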