-rw-r--r-- | misc/docker/Dockerfile | 4 | ||||
-rw-r--r-- | misc/docker/README.md | 8 | ||||
-rw-r--r-- | src/libexpr/eval.cc | 12 |
3 files changed, 21 insertions, 3 deletions
diff --git a/misc/docker/Dockerfile b/misc/docker/Dockerfile index 2f8e3dd7a679..0f69d02df25f 100644 --- a/misc/docker/Dockerfile +++ b/misc/docker/Dockerfile @@ -4,8 +4,8 @@ FROM alpine RUN apk add --update openssl # Download Nix and install it into the system. -RUN wget https://nixos.org/releases/nix/nix-2.0/nix-2.0-x86_64-linux.tar.bz2 \ - && echo "6312837aee33306cdbb351b75ba1638b89d21b30f0caf0346f9a742425f197ee nix-2.0-x86_64-linux.tar.bz2" | sha256sum -c \ +RUN wget https://nixos.org/releases/nix/nix-2.0.2/nix-2.0.2-x86_64-linux.tar.bz2 \ + && echo "d0c2492d7d8f824e3b1ace15a1a58f64a0a8faacc59936ebedfe18905d982d7c nix-2.0.2-x86_64-linux.tar.bz2" | sha256sum -c \ && tar xjf nix-*-x86_64-linux.tar.bz2 \ && addgroup -g 30000 -S nixbld \ && for i in $(seq 1 30); do adduser -S -D -h /var/empty -g "Nix build user $i" -u $((30000 + i)) -G nixbld nixbld$i ; done \ diff --git a/misc/docker/README.md b/misc/docker/README.md new file mode 100644 index 000000000000..491be7408964 --- /dev/null +++ b/misc/docker/README.md @@ -0,0 +1,8 @@ +To update https://hub.docker.com/r/nixos/nix/ + + $ docker build . -t nixos/nix:2.0 + $ docker tag nixos/nix:2.0 nixos/nix:latest + $ docker push nixos/nix:latest + $ docker push nixos/nix:2.0 + +Write access: @domenkozar diff --git a/src/libexpr/eval.cc b/src/libexpr/eval.cc index a2cce162b90c..353097f89713 100644 --- a/src/libexpr/eval.cc +++ b/src/libexpr/eval.cc @@ -317,10 +317,20 @@ EvalState::EvalState(const Strings & _searchPath, ref<Store> store) if (settings.restrictEval || settings.pureEval) { allowedPaths = PathSet(); + for (auto & i : searchPath) { auto r = resolveSearchPathElem(i); if (!r.first) continue; - allowedPaths->insert(r.second); + + auto path = r.second; + + if (store->isInStore(r.second)) { + PathSet closure; + store->computeFSClosure(store->toStorePath(r.second), closure); + for (auto & path : closure) + allowedPaths->insert(path); + } else + allowedPaths->insert(r.second); } } |
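Review bot: The new `store->computeFSClosure(store->toStorePath(r.second), closure)` call in the `isInStore` branch of src/libexpr/eval.cc has no error handling, so a search-path entry that sits under the store directory but is not a valid store path would presumably make the `EvalState` constructor throw, where the old code simply allowed the entry; this assumes `isInStore` is only a path-prefix test, which the hunk does not show. Catching `InvalidPath` and falling back to `allowedPaths->insert(r.second)` keeps the previous behaviour for that case without widening the allowlist. The added `auto path = r.second;` is never read and is shadowed by the loop variable `path`, so it can be dropped. If `toStorePath` reduces the entry to its top-level store path, as the name suggests, the whole store path and its closure become readable under `restrictEval`/`pureEval` rather than only the resolved entry, and a one-line comment stating that this is deliberate would help the next reader of this allowlist. The constructor body starts and ends outside the hunk.

```cpp
if (store->isInStore(r.second)) {
    try {
        // … unchanged: computeFSClosure() call and the loop inserting the closure …
    } catch (InvalidPath &) {
        // Not a valid store path: allow only the resolved entry itself.
        allowedPaths->insert(r.second);
    }
} else
    // … unchanged: allowedPaths->insert(r.second) …
```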