Can't build home-manager: /nixos/modules/installer/tools/nixos-option' is forbidden in restricted mode

[ratsclub]

Issue description

When building a HM configuration through flakes with the command nix build .#homeConfigurations.home.activationPackage I'm getting the following error:

error: access to path '/nix/store/mn2xjw5xb0v7n2bnhl8w4nbxpqv82zsg-p5d2qhw8hw4ishxpwznx2lm48jgwqb3d-source/nixos/modules/installer/tools/nixos-option' is forbidden in restricted mode

I was using the commit 63af2d3 and rolling back to e92f5bb fixed it.

Meta

Technical details

 - system: `"x86_64-linux"`
 - host os: `Linux 5.10.43, NixOS, 21.11.20210613.fa0326c (Porcupine)`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.4pre20210601_5985b8b`
 - channels(root): `"nixos-21.11pre295280.fa0326ce523"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

[berbiche]

cc @bb010g

[fufexan]

I have the same issue. I've tested multiple combinations of nixpkgs-unstable and home-manager and have come to the conclusion that the latest commit is at fault. Specifically this line:

nixosOption =
  callPackage "${pkgs.path}/nixos/modules/installer/tools/nixos-option" { };

I don't know anything about it, but it may help you guys pinpoint the problem. Cheers.

[berbiche]

The fix is simple:

callPackage (pkgs.path + "/nixos/modules/installer/tools/nixos-option") { }.

How to test:

$ nix shell --argstr system "$(nix eval --impure --raw --expr builtins.currentSystem)" --expr '
{ system }:
let
  a = builtins.getFlake "github:nixos/nixpkgs/6aa2bb6a818d12d4cf296f736263011611cf2610";
  pkgs = import a { inherit system; };
in
pkgs.callPackage (pkgs.path + "/nixos/modules/installer/tools/nixos-option") {}
'

$ man nixos-option
Works!!

If the callPackage in the expression above is changed to callPackage "${pkgs.path}/....." evaluation will fail :)

[berbiche]

To comment on the fix, I think callPackage is not allowed to import strings in pure evaluation or whatever restricted mode flakes are using.