Add option allowed-uris

This allows network access in restricted eval mode.
author: Eelco Dolstra <edolstra@gmail.com> 2017-10-30 12:39:59 +0100
committer: Eelco Dolstra <edolstra@gmail.com> 2017-10-30 12:41:49 +0100
commit: 812e027e1d5a4f83394069edd67bdf8404ffa2bb (patch)
tree: fe11aee398ea3ddfa0a8117c566e2ed1c6435883 /src/libstore
parent: f1c555cef870654cdaf232b5d08fdbba0bf06add (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index 538273b54..a4aa842d7 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -225,7 +225,7 @@ public:
 
     Setting<bool> restrictEval{this, false, "restrict-eval",
         "Whether to restrict file system access to paths in $NIX_PATH, "
-        "and to disallow fetching files from the network."};
+        "and network access to the URI prefixes listed in 'allowed-uris'."};
 
     Setting<size_t> buildRepeat{this, 0, "repeat",
         "The number of times to repeat a build in order to verify determinism.",
@@ -353,6 +353,8 @@ public:
     Setting<uint64_t> maxFree{this, std::numeric_limits<uint64_t>::max(), "max-free",
         "Stop deleting garbage when free disk space is above the specified amount."};
 
+    Setting<Strings> allowedUris{this, {}, "allowed-uris",
+        "Prefixes of URIs that builtin functions such as fetchurl and fetchGit are allowed to fetch."};
 };
author	Eelco Dolstra <edolstra@gmail.com>	2017-10-30 12:39:59 +0100
committer	Eelco Dolstra <edolstra@gmail.com>	2017-10-30 12:41:49 +0100
commit	812e027e1d5a4f83394069edd67bdf8404ffa2bb (patch)
tree	fe11aee398ea3ddfa0a8117c566e2ed1c6435883 /src/libstore
parent	f1c555cef870654cdaf232b5d08fdbba0bf06add (diff)