In restricted eval mode, allow access to the closure of store paths
E.g. this makes nix eval --restrict-eval -I /nix/store/foo '(builtins.readFile "/nix/store/foo/symlink/bla")' (where /nix/store/foo/symlink is a symlink to another path in the closure of /nix/store/foo) succeed. This fixes a regression in Hydra compared to Nix 1.x (where there were no restrictions at all on access to the Nix store).
This commit is contained in:
parent
a1adcdf087
commit
a91c4ca01f
1 changed files with 11 additions and 1 deletions
|
@ -317,9 +317,19 @@ EvalState::EvalState(const Strings & _searchPath, ref<Store> store)
|
||||||
|
|
||||||
if (settings.restrictEval || settings.pureEval) {
|
if (settings.restrictEval || settings.pureEval) {
|
||||||
allowedPaths = PathSet();
|
allowedPaths = PathSet();
|
||||||
|
|
||||||
for (auto & i : searchPath) {
|
for (auto & i : searchPath) {
|
||||||
auto r = resolveSearchPathElem(i);
|
auto r = resolveSearchPathElem(i);
|
||||||
if (!r.first) continue;
|
if (!r.first) continue;
|
||||||
|
|
||||||
|
auto path = r.second;
|
||||||
|
|
||||||
|
if (store->isInStore(r.second)) {
|
||||||
|
PathSet closure;
|
||||||
|
store->computeFSClosure(store->toStorePath(r.second), closure);
|
||||||
|
for (auto & path : closure)
|
||||||
|
allowedPaths->insert(path);
|
||||||
|
} else
|
||||||
allowedPaths->insert(r.second);
|
allowedPaths->insert(r.second);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue