From 15d2d3c34e454fb7795998a3a2d73010dfbdec38 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra <eelco.dolstra@logicblox.com>
Date: Mon, 23 Feb 2015 14:41:53 +0100
Subject: Add restricted evaluation mode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If ‘--option restrict-eval true’ is given, the evaluator will throw an
exception if an attempt is made to access any file outside of the Nix
search path. This is primarily intended for Hydra, where we don't want
people doing ‘builtins.readFile ~/.ssh/id_dsa’ or stuff like that.
---
 src/libexpr/parser.y | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'src/libexpr/parser.y')

diff --git a/src/libexpr/parser.y b/src/libexpr/parser.y
index d70d29be8ba7..664d6692f51e 100644
--- a/src/libexpr/parser.y
+++ b/src/libexpr/parser.y
@@ -614,7 +614,8 @@ void EvalState::addToSearchPath(const string & s, bool warn)
     path = absPath(path);
     if (pathExists(path)) {
         debug(format("adding path ‘%1%’ to the search path") % path);
-        searchPath.push_back(std::pair<string, Path>(prefix, path));
+        /* Resolve symlinks in the path to support restricted mode. */
+        searchPath.push_back(std::pair<string, Path>(prefix, canonPath(path, true)));
     } else if (warn)
         printMsg(lvlError, format("warning: Nix search path entry ‘%1%’ does not exist, ignoring") % path);
 }
-- 
cgit 1.4.1