
Comparing changes

base repository: NixOS/nix
base: a1adcdf08785
...
head repository: NixOS/nix
compare: a91c4ca01f72
  • 1 commit
  • 1 file changed
  • 1 contributor

Commits on May 9, 2018

  1. In restricted eval mode, allow access to the closure of store paths

    E.g. this makes
    
      nix eval --restrict-eval -I /nix/store/foo '(builtins.readFile "/nix/store/foo/symlink/bla")'
    
    (where /nix/store/foo/symlink is a symlink to another path in the
    closure of /nix/store/foo) succeed.
    
    This fixes a regression in Hydra compared to Nix 1.x (where there were
    no restrictions at all on access to the Nix store).
    edolstra committed May 9, 2018

    Verified

    This commit was signed with the committer’s verified signature.
Showing with 11 additions and 1 deletion.
  1. +11 −1 src/libexpr/eval.cc
12 changes: 11 additions & 1 deletion src/libexpr/eval.cc
@@ -317,10 +317,20 @@ EvalState::EvalState(const Strings & _searchPath, ref<Store> store)

if (settings.restrictEval || settings.pureEval) {
allowedPaths = PathSet();

for (auto & i : searchPath) {
auto r = resolveSearchPathElem(i);
if (!r.first) continue;
allowedPaths->insert(r.second);

auto path = r.second;

if (store->isInStore(r.second)) {
PathSet closure;
store->computeFSClosure(store->toStorePath(r.second), closure);
for (auto & path : closure)
allowedPaths->insert(path);
} else
allowedPaths->insert(r.second);
}
}
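
Review bot: The local `auto path = r.second;` added just above the `store->isInStore(r.second)` check is never used, and the loop `for (auto & path : closure)` then declares a second `path` that shadows it. Either drop the outer declaration or use it in place of the repeated `r.second` in the `isInStore`, `toStorePath` and `else` lines, and rename the loop variable so the two cannot be confused. Because this branch widens what restricted and pure evaluation may read from one search-path entry to every path in that entry's closure, a short comment above the `if` stating that, with the symlink case from the commit message as the reason, would help the next reader of this allow-list.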