In restricted eval mode, allow access to the closure of store paths

E.g. this makes nix eval --restrict-eval -I /nix/store/foo '(builtins.readFile "/nix/store/foo/symlink/bla")' (where /nix/store/foo/symlink is a symlink to another path in the closure of /nix/store/foo) succeed. This fixes a regression in Hydra compared to Nix 1.x (where there were no restrictions at all on access to the Nix store).
author: Eelco Dolstra <edolstra@gmail.com> 2018-05-09T13·45+0200
committer: Eelco Dolstra <edolstra@gmail.com> 2018-05-09T13·45+0200
commit: a91c4ca01f720711d80a6f7d16ead70ce8f5f741 (patch)
tree: 8846f467aa1e4b1301de37b11b5c1e4cd3a13842 /src/libexpr/eval.cc
parent: a1adcdf0878501b512d7ab98d713167f035a330d (diff)
1 files changed, 11 insertions, 1 deletions
diff --git a/src/libexpr/eval.cc b/src/libexpr/eval.cc
index a2cce162b90c..353097f89713 100644
--- a/src/libexpr/eval.cc
+++ b/src/libexpr/eval.cc
@@ -317,10 +317,20 @@ EvalState::EvalState(const Strings & _searchPath, ref<Store> store)
 
     if (settings.restrictEval || settings.pureEval) {
         allowedPaths = PathSet();
+
         for (auto & i : searchPath) {
             auto r = resolveSearchPathElem(i);
             if (!r.first) continue;
-            allowedPaths->insert(r.second);
+
+            auto path = r.second;
+
+            if (store->isInStore(r.second)) {
+                PathSet closure;
+                store->computeFSClosure(store->toStorePath(r.second), closure);
+                for (auto & path : closure)
+                    allowedPaths->insert(path);
+            } else
+                allowedPaths->insert(r.second);
         }
     }
author	Eelco Dolstra <edolstra@gmail.com>	2018-05-09T13·45+0200
committer	Eelco Dolstra <edolstra@gmail.com>	2018-05-09T13·45+0200
commit	a91c4ca01f720711d80a6f7d16ead70ce8f5f741 (patch)
tree	8846f467aa1e4b1301de37b11b5c1e4cd3a13842 /src/libexpr/eval.cc
parent	a1adcdf0878501b512d7ab98d713167f035a330d (diff)