nixos/nix
1
1
Fork 0
mirror of https://github.com/NixOS/nix.git synced 2025-11-15 06:52:43 +01:00
Code Activity

In restricted eval mode, allow access to the closure of store paths

Browse source 
E.g. this makes

  nix eval --restrict-eval -I /nix/store/foo '(builtins.readFile "/nix/store/foo/symlink/bla")'

(where /nix/store/foo/symlink is a symlink to another path in the
closure of /nix/store/foo) succeed.

This fixes a regression in Hydra compared to Nix 1.x (where there were
no restrictions at all on access to the Nix store).

(cherry picked from commit a91c4ca01f)
This commit is contained in:
Eelco Dolstra 2018-05-09 15:45:05 +02:00
parent e96b498791
commit cf2a751a93
No known key found for this signature in database
GPG key ID: 8170B4726D7198DE
1 changed files with 11 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

10
src/libexpr/eval.cc
View file

@ -317,9 +317,19 @@ EvalState::EvalState(const Strings & _searchPath, ref<Store> store)
if (settings.restrictEval || settings.pureEval) {
allowedPaths = PathSet();
for (auto & i : searchPath) {
auto r = resolveSearchPathElem(i);
if (!r.first) continue;
auto path = r.second;
if (store->isInStore(r.second)) {
PathSet closure;
store->computeFSClosure(store->toStorePath(r.second), closure);
for (auto & path : closure)
allowedPaths->insert(path);
} else
allowedPaths->insert(r.second);
}
}