maurice/snix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

clarifying comment

Browse source
This commit is contained in:
Jude Taylor 2015-10-21 14:39:16 -07:00
parent 76f3ba42fd
commit 992cda1b11
1 changed files with 5 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

6
src/libstore/build.cc
View file

@ -2488,7 +2488,11 @@ void DerivationGoal::runChild()
sandboxProfile += ")\n";
/* Our ancestry. N.B: this uses literal on folders, instead of subpath. Without that,
you open up the entire filesystem because you end up with (subpath "/") */
you open up the entire filesystem because you end up with (subpath "/")
Note: file-read-metadata* is not sufficiently permissive for GHC. file-read* is but may
be a security hazard.
TODO: figure out a more appropriate directive.
*/
sandboxProfile += "(allow file-read*\n";
for (auto & i : ancestry) {
sandboxProfile += (format("\t(literal \"%1%\")\n") % i.c_str()).str();