ryan77627/guix
1
0
Fork 0
mirror of https://git.in.rschanz.org/ryan77627/guix.git synced 2024-11-07 07:26:13 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

derivations: Add #:disallowed-references.

Browse source 
* guix/derivations.scm (derivation): Add #:disallowed-references.
[user+system-env-vars]: Honor it.
(build-expression->derivation): Likewise.
* tests/derivations.scm ("derivation #:disallowed-references, ok")
("derivation #:disallowed-references, not ok"): New tests.
* doc/guix.texi (Derivations): Adjust accordingly.
This commit is contained in:
Ludovic Courtès 2016-03-20 22:40:31 +01:00
parent e71ef7adae
commit 35b5ca7869
3 changed files with 40 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
doc/guix.texi
View file

@ -3075,7 +3075,8 @@ a derivation is the @code{derivation} procedure:
@var{args} [#:outputs '("out")] [#:hash #f] [#:hash-algo #f] @ @var{args} [#:outputs '("out")] [#:hash #f] [#:hash-algo #f] @
[#:recursive? #f] [#:inputs '()] [#:env-vars '()] @ [#:recursive? #f] [#:inputs '()] [#:env-vars '()] @
[#:system (%current-system)] [#:references-graphs #f] @ [#:system (%current-system)] [#:references-graphs #f] @
[#:allowed-references #f] [#:leaked-env-vars #f] [#:local-build? #f] @ [#:allowed-references #f] [#:disallowed-references #f] @
[#:leaked-env-vars #f] [#:local-build? #f] @
[#:substitutable? #t] [#:substitutable? #t]
Build a derivation with the given arguments, and return the resulting Build a derivation with the given arguments, and return the resulting
@code{<derivation>} object. @code{<derivation>} object.
@ -3093,7 +3094,9 @@ path is exported in the build environment in the corresponding file, in
a simple text format. a simple text format.
When @var{allowed-references} is true, it must be a list of store items When @var{allowed-references} is true, it must be a list of store items
or outputs that the derivation's output may refer to. or outputs that the derivation's output may refer to. Likewise,
@var{disallowed-references}, if true, must be a list of things the
outputs may @emph{not} refer to.
When @var{leaked-env-vars} is true, it must be a list of strings When @var{leaked-env-vars} is true, it must be a list of strings
denoting environment variables that are allowed to ``leak'' from the denoting environment variables that are allowed to ``leak'' from the
@ -3150,6 +3153,7 @@ is now deprecated in favor of the much nicer @code{gexp->derivation}.
[#:outputs '("out")] [#:hash #f] [#:hash-algo #f] @ [#:outputs '("out")] [#:hash #f] [#:hash-algo #f] @
[#:recursive? #f] [#:env-vars '()] [#:modules '()] @ [#:recursive? #f] [#:env-vars '()] [#:modules '()] @
[#:references-graphs #f] [#:allowed-references #f] @ [#:references-graphs #f] [#:allowed-references #f] @
[#:disallowed-references #f] @
[#:local-build? #f] [#:substitutable? #t] [#:guile-for-build #f] [#:local-build? #f] [#:substitutable? #t] [#:guile-for-build #f]
Return a derivation that executes Scheme expression @var{exp} as a Return a derivation that executes Scheme expression @var{exp} as a
builder for derivation @var{name}. @var{inputs} must be a list of builder for derivation @var{name}. @var{inputs} must be a list of
@ -3173,8 +3177,9 @@ terminates by passing the result of @var{exp} to @code{exit}; thus, when
@code{%guile-for-build} fluid is used instead. @code{%guile-for-build} fluid is used instead.
See the @code{derivation} procedure for the meaning of See the @code{derivation} procedure for the meaning of
@var{references-graphs}, @var{allowed-references}, @var{local-build?}, @var{references-graphs}, @var{allowed-references},
and @var{substitutable?}. @var{disallowed-references}, @var{local-build?}, and
@var{substitutable?}.
@end deffn @end deffn
@noindent @noindent

16
guix/derivations.scm
View file

@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU ;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2012, 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
;;; ;;;
;;; This file is part of GNU Guix. ;;; This file is part of GNU Guix.
;;; ;;;
@ -695,7 +695,8 @@ (define* (derivation store name builder args
(system (%current-system)) (env-vars '()) (system (%current-system)) (env-vars '())
(inputs '()) (outputs '("out")) (inputs '()) (outputs '("out"))
hash hash-algo recursive? hash hash-algo recursive?
references-graphs allowed-references references-graphs
allowed-references disallowed-references
leaked-env-vars local-build? leaked-env-vars local-build?
(substitutable? #t)) (substitutable? #t))
"Build a derivation with the given arguments, and return the resulting "Build a derivation with the given arguments, and return the resulting
@ -710,7 +711,8 @@ (define* (derivation store name builder args
the build environment in the corresponding file, in a simple text format. the build environment in the corresponding file, in a simple text format.
When ALLOWED-REFERENCES is true, it must be a list of store items or outputs When ALLOWED-REFERENCES is true, it must be a list of store items or outputs
that the derivation's output may refer to. that the derivation's outputs may refer to. Likewise, DISALLOWED-REFERENCES,
if true, must be a list of things the outputs may not refer to.
When LEAKED-ENV-VARS is true, it must be a list of strings denoting When LEAKED-ENV-VARS is true, it must be a list of strings denoting
environment variables that are allowed to \"leak\" from the daemon's environment variables that are allowed to \"leak\" from the daemon's
@ -768,6 +770,10 @@ (define (user+system-env-vars)
`(("allowedReferences" `(("allowedReferences"
. ,(string-join allowed-references))) . ,(string-join allowed-references)))
'()) '())
,@(if disallowed-references
`(("disallowedReferences"
. ,(string-join disallowed-references)))
'())
,@(if leaked-env-vars ,@(if leaked-env-vars
`(("impureEnvVars" `(("impureEnvVars"
. ,(string-join leaked-env-vars))) . ,(string-join leaked-env-vars)))
@ -1112,6 +1118,7 @@ (define* (build-expression->derivation store name exp ;deprecated
guile-for-build guile-for-build
references-graphs references-graphs
allowed-references allowed-references
disallowed-references
local-build? (substitutable? #t)) local-build? (substitutable? #t))
"Return a derivation that executes Scheme expression EXP as a builder "Return a derivation that executes Scheme expression EXP as a builder
for derivation NAME. INPUTS must be a list of (NAME DRV-PATH SUB-DRV) for derivation NAME. INPUTS must be a list of (NAME DRV-PATH SUB-DRV)
@ -1132,7 +1139,7 @@ (define* (build-expression->derivation store name exp ;deprecated
omitted or is #f, the value of the `%guile-for-build' fluid is used instead. omitted or is #f, the value of the `%guile-for-build' fluid is used instead.
See the `derivation' procedure for the meaning of REFERENCES-GRAPHS, See the `derivation' procedure for the meaning of REFERENCES-GRAPHS,
ALLOWED-REFERENCES, LOCAL-BUILD?, and SUBSTITUTABLE?." ALLOWED-REFERENCES, DISALLOWED-REFERENCES, LOCAL-BUILD?, and SUBSTITUTABLE?."
(define guile-drv (define guile-drv
(or guile-for-build (%guile-for-build))) (or guile-for-build (%guile-for-build)))
@ -1258,6 +1265,7 @@ (define %build-inputs
#:outputs outputs #:outputs outputs
#:references-graphs references-graphs #:references-graphs references-graphs
#:allowed-references allowed-references #:allowed-references allowed-references
#:disallowed-references disallowed-references
#:local-build? local-build? #:local-build? local-build?
#:substitutable? substitutable?))) #:substitutable? substitutable?)))

19
tests/derivations.scm
View file

@ -504,6 +504,25 @@ (define (deps path . deps)
(build-derivations %store (list drv)) (build-derivations %store (list drv))
#f))) #f)))
(test-assert "derivation #:disallowed-references, ok"
(let ((drv (derivation %store "disallowed" %bash
'("-c" "echo hello > $out")
#:inputs `((,%bash))
#:disallowed-references '("out"))))
(build-derivations %store (list drv))))
(test-assert "derivation #:disallowed-references, not ok"
(let* ((txt (add-text-to-store %store "foo" "Hello, world."))
(drv (derivation %store "disdisallowed" %bash
`("-c" ,(string-append "echo " txt "> $out"))
#:inputs `((,%bash) (,txt))
#:disallowed-references (list txt))))
(guard (c ((nix-protocol-error? c)
;; There's no specific error message to check for.
#t))
(build-derivations %store (list drv))
#f)))
;; Here we should get the value of $NIX_STATE_DIR that the daemon sees, which ;; Here we should get the value of $NIX_STATE_DIR that the daemon sees, which
;; is a unique value for each test process; this value is the same as the one ;; is a unique value for each test process; this value is the same as the one
;; we see in the process executing this file since it is set by 'test-env'. ;; we see in the process executing this file since it is set by 'test-env'.