maurice/snix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add restricted evaluation mode

Browse source 
If ‘--option restrict-eval true’ is given, the evaluator will throw an
exception if an attempt is made to access any file outside of the Nix
search path. This is primarily intended for Hydra, where we don't want
people doing ‘builtins.readFile ~/.ssh/id_dsa’ or stuff like that.
This commit is contained in:
Eelco Dolstra 2015-02-23 14:41:53 +01:00
parent 47bdc52c1b
commit 15d2d3c34e
6 changed files with 65 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

3
src/libexpr/parser.y
View file

@ -614,7 +614,8 @@ void EvalState::addToSearchPath(const string & s, bool warn)
path = absPath(path);
if (pathExists(path)) {
debug(format("adding path %1% to the search path") % path);
searchPath.push_back(std::pair<string, Path>(prefix, path));
/* Resolve symlinks in the path to support restricted mode. */
searchPath.push_back(std::pair<string, Path>(prefix, canonPath(path, true)));
} else if (warn)
printMsg(lvlError, format("warning: Nix search path entry %1% does not exist, ignoring") % path);
}