authorEelco Dolstra <eelco.dolstra@logicblox.com>2015-05-22T10·18+0200
committerEelco Dolstra <eelco.dolstra@logicblox.com>2015-05-22T10·18+0200
commit920f5fd4dda16374a6c25ae91c5f17ed749c067c (patch)
treeb355bb275b0c45f4bcdc69c23790a485dd349a2f
parent7a411e01cfa71604b7b831103e206f338b2fc675 (diff)
Fix import-from-derivation in restricted eval mode
This relaxes restricted mode to allow access to anything in the
store. In the future, it would be better to allow access to only paths
that have been constructed in the current evaluation (so a hard-coded
/nix/store/blabla in a Nix expression would still be
rejected). However, note that reading /nix/store itself is still
rejected, so you can't use this to get access to things you don't know
about.
-rw-r--r--src/libexpr/eval.cc7
1 files changed, 7 insertions, 0 deletions
diff --git a/src/libexpr/eval.cc b/src/libexpr/eval.cc
index 301f991b7ab9..88cf9f45342c 100644
--- a/src/libexpr/eval.cc
+++ b/src/libexpr/eval.cc
@@ -292,10 +292,17 @@ Path EvalState::checkSourcePath(const Path & path_)
         if (path == i.second || isInDir(path, i.second))
             return path;
 
+    /* To support import-from-derivation, allow access to anything in
+       the store. FIXME: only allow access to paths that have been
+       constructed by this evaluation. */
+    if (isInStore(path)) return path;
+
+#if 0
     /* Hack to support the chroot dependencies of corepkgs (see
        corepkgs/config.nix.in). */
     if (path == settings.nixPrefix && isStorePath(settings.nixPrefix))
         return path;
+#endif
 
     throw RestrictedPathError(format("access to path ‘%1%’ is forbidden in restricted mode") % path_);
 }
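Review bot: The added `if (isInStore(path)) return path;` decides access on what looks like a prefix test of `path`, and nothing in the hunk shows `path` being symlink-resolved first. If it is not, a symlink inside a store path whose target lies outside the store would be accepted in restricted mode. Consider checking the resolved location, e.g. `Path resolved = canonPath(path, true);` followed by `if (isInStore(resolved)) return resolved;`. The `#if 0` around the corepkgs hack would also benefit from a one-line comment saying why it is disabled rather than deleted. The start of checkSourcePath, where `path` is derived from `path_`, is outside the hunk, so the resolution step may already exist there.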