diff options
author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2015-05-22T10·18+0200 |
---|---|---|
committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2015-05-22T10·18+0200 |
commit | 920f5fd4dda16374a6c25ae91c5f17ed749c067c (patch) | |
tree | b355bb275b0c45f4bcdc69c23790a485dd349a2f | |
parent | 7a411e01cfa71604b7b831103e206f338b2fc675 (diff) |
Fix import-from-derivation in restricted eval mode
This relaxes restricted mode to allow access to anything in the store. In the future, it would be better to allow access to only paths that have been constructed in the current evaluation (so a hard-coded /nix/store/blabla in a Nix expression would still be rejected). However, note that reading /nix/store itself is still rejected, so you can't use this so get access to things you don't know about.
-rw-r--r-- | src/libexpr/eval.cc | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/src/libexpr/eval.cc b/src/libexpr/eval.cc index 301f991b7ab9..88cf9f45342c 100644 --- a/src/libexpr/eval.cc +++ b/src/libexpr/eval.cc @@ -292,10 +292,17 @@ Path EvalState::checkSourcePath(const Path & path_) if (path == i.second || isInDir(path, i.second)) return path; + /* To support import-from-derivation, allow access to anything in + the store. FIXME: only allow access to paths that have been + constructed by this evaluation. */ + if (isInStore(path)) return path; + +#if 0 /* Hack to support the chroot dependencies of corepkgs (see corepkgs/config.nix.in). */ if (path == settings.nixPrefix && isStorePath(settings.nixPrefix)) return path; +#endif throw RestrictedPathError(format("access to path ‘%1%’ is forbidden in restricted mode") % path_); } |