Add tests for restricted eval mode

tests/local.mk

@@ -11,7 +11,7 @@ nix_tests = \
   timeout.sh secure-drv-outputs.sh nix-channel.sh \
   multiple-outputs.sh import-derivation.sh fetchurl.sh optimise-store.sh \
   binary-cache.sh nix-profile.sh repair.sh dump-db.sh case-hack.sh \
-  check-reqs.sh pass-as-file.sh tarball.sh
+  check-reqs.sh pass-as-file.sh tarball.sh restricted.sh
   # parallel.sh
 
 install-tests += $(foreach x, $(nix_tests), tests/$(x))

tests/restricted.sh

@@ -0,0 +1,18 @@
+source common.sh
+
+clearStore
+
+nix-instantiate --option restrict-eval true --eval -E '1 + 2'
+(! nix-instantiate --option restrict-eval true ./simple.nix)
+nix-instantiate --option restrict-eval true ./simple.nix -I src=.
+nix-instantiate --option restrict-eval true ./simple.nix -I src1=simple.nix -I src2=config.nix -I src3=./simple.builder.sh
+
+(! nix-instantiate --option restrict-eval true --eval -E 'builtins.readFile ./simple.nix')
+nix-instantiate --option restrict-eval true --eval -E 'builtins.readFile ./simple.nix' -I src=..
+
+(! nix-instantiate --option restrict-eval true --eval -E 'builtins.readDir ../src/boost')
+nix-instantiate --option restrict-eval true --eval -E 'builtins.readDir ../src/boost' -I src=../src
+
+(! nix-instantiate --option restrict-eval true --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./.; } ]; in <foo>')
+nix-instantiate --option restrict-eval true --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./.; } ]; in <foo>' -I src=.
+