Add option to disable import-from-derivation completely, even if the drv is already realized

3 files changed, 7 insertions, 0 deletions

diff --git a/src/libexpr/primops.cc b/src/libexpr/primops.cc
index 5a570cefb..93097f3d1 100644
--- a/src/libexpr/primops.cc
+++ b/src/libexpr/primops.cc
@@ -59,6 +59,8 @@ void EvalState::realiseContext(const PathSet & context)
             drvs.insert(decoded.first + "!" + decoded.second);
     }
     if (!drvs.empty()) {
+        if (!settings.enableImportFromDerivation)
+            throw EvalError(format("attempted to realize ‘%1%’ during evaluation but 'allow-import-from-derivation' is false") % *(drvs.begin()));
         /* For performance, prefetch all substitute info. */
         PathSet willBuild, willSubstitute, unknown;
         unsigned long long downloadSize, narSize;
diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc
index fcd634729..df537a512 100644
--- a/src/libstore/globals.cc
+++ b/src/libstore/globals.cc
@@ -70,6 +70,7 @@ Settings::Settings()
     enableImportNative = false;
     netrcFile = fmt("%s/%s", nixConfDir, "netrc");
     caFile = getEnv("NIX_SSL_CERT_FILE", getEnv("SSL_CERT_FILE", "/etc/ssl/certs/ca-certificates.crt"));
+    enableImportFromDerivation = true;
 }
 
 
@@ -185,6 +186,7 @@ void Settings::update()
     _get(keepGoing, "keep-going");
     _get(keepFailed, "keep-failed");
     _get(netrcFile, "netrc-file");
+    _get(enableImportFromDerivation, "allow-import-from-derivation");
 }
 
 
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index 1e6b7c083..7a9a9f6c0 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -198,6 +198,9 @@ struct Settings {
     /* Path to the SSL CA file used */
     Path caFile;
 
+    /* Whether we allow import-from-derivation */
+    bool enableImportFromDerivation;
+
 private:
     SettingsMap settings, overrides;