clarifying comment
parent
76f3ba42fd
commit
992cda1b11
1 changed files with 5 additions and 1 deletions
|
@ -2488,7 +2488,11 @@ void DerivationGoal::runChild()
|
||||||
sandboxProfile += ")\n";
|
sandboxProfile += ")\n";
|
||||||
|
|
||||||
/* Our ancestry. N.B: this uses literal on folders, instead of subpath. Without that,
|
/* Our ancestry. N.B: this uses literal on folders, instead of subpath. Without that,
|
||||||
you open up the entire filesystem because you end up with (subpath "/") */
|
you open up the entire filesystem because you end up with (subpath "/")
|
||||||
|
Note: file-read-metadata* is not sufficiently permissive for GHC. file-read* is but may
|
||||||
|
be a security hazard.
|
||||||
|
TODO: figure out a more appropriate directive.
|
||||||
|
*/
|
||||||
sandboxProfile += "(allow file-read*\n";
|
sandboxProfile += "(allow file-read*\n";
|
||||||
for (auto & i : ancestry) {
|
for (auto & i : ancestry) {
|
||||||
sandboxProfile += (format("\t(literal \"%1%\")\n") % i.c_str()).str();
|
sandboxProfile += (format("\t(literal \"%1%\")\n") % i.c_str()).str();
|
||||||
|
|
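Review bot: The added note in the ancestry comment says `file-read*` "may be a security hazard" but never states what the exposure is, so whoever picks up the TODO has no criterion for choosing a narrower directive. From the visible lines, the rule grants `file-read*` on a `literal` match for every ancestry directory, which presumably covers reading the directory itself (listing its entries) and not only its metadata; the comment should say so, for example `file-read* on a literal directory also permits listing it, so the build can see the names of sibling entries (confirm), whereas file-read-metadata would not`. The loop under the comment also places `i` inside a quoted profile string without escaping, so it is worth confirming that ancestry paths can never contain `"` or `\`. The body of runChild() starts and ends outside this hunk.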