From 3f4ecf32291779d9f75493a5e75cdbea2bc51adb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ludovic=20Court=C3=A8s?=
Date: Sun, 20 Mar 2016 22:44:03 +0100
Subject: [PATCH] gexp: Add #:disallowed-references.

* guix/gexp.scm (gexp->derivation): Add #:disallowed-references and honor it.
* tests/gexp.scm ("gexp->derivation #:disallowed-references, allowed") ("gexp->derivation #:disallowed-references"): New tests.
* doc/guix.texi (G-Expressions): Adjust accordingly.
---
 doc/guix.texi | 3 +++
 guix/gexp.scm | 10 +++++++++-
 tests/gexp.scm | 24 ++++++++++++++++++++++++
 3 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 075839eadf..913545f1a7 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -3670,6 +3670,7 @@ information about monads.)
 [#:recursive? #f] [#:env-vars '()] [#:modules '()] @
 [#:module-path @var{%load-path}] @
 [#:references-graphs #f] [#:allowed-references #f] @
+ [#:disallowed-references #f] @
 [#:leaked-env-vars #f] @
 [#:script-name (string-append @var{name} "-builder")] @
 [#:local-build? #f] [#:substitutable? #t] [#:guile-for-build #f]
@@ -3707,6 +3708,8 @@ text format.
 @var{allowed-references} must be either @code{#f} or a list of output names and packages. In the latter case, the list denotes store items that the result is allowed to refer to. Any reference to another store item will lead to a build error.
+Similarly for @var{disallowed-references}, which can list items that must not be
+referenced by the outputs.
 The other arguments are as for @code{derivation} (@pxref{Derivations}).
 @end deffn
diff --git a/guix/gexp.scm b/guix/gexp.scm
index 87bc316f97..7cbc79c31c 100644
--- a/guix/gexp.scm
+++ b/guix/gexp.scm
@@ -463,7 +463,7 @@ (define* (gexp->derivation name exp
 (guile-for-build (%guile-for-build))
 (graft? (%graft?))
 references-graphs
- allowed-references
+ allowed-references disallowed-references
 leaked-env-vars
 local-build? (substitutable? #t)
 (script-name (string-append name "-builder")))
@@ -497,6 +497,8 @@ (define* (gexp->derivation name exp
 ALLOWED-REFERENCES must be either #f or a list of output names and packages. In the latter case, the list denotes store items that the result is allowed to refer to. Any reference to another store item will lead to a build error.
+Similarly for DISALLOWED-REFERENCES, which can list items that must not be
+referenced by the outputs.
 The other arguments are as for 'derivation'."
 (define %modules modules)
@@ -557,6 +559,11 @@ (define (graphs-file-names graphs)
 #:system system
 #:target target)
 (return #f)))
+ (disallowed (if disallowed-references
+ (lower-references disallowed-references
+ #:system system
+ #:target target)
+ (return #f)))
 (guile (if guile-for-build
 (return guile-for-build)
 (default-guile-derivation system))))
@@ -585,6 +592,7 @@ (define (graphs-file-names graphs)
 #:hash hash #:hash-algo hash-algo #:recursive? recursive?
 #:references-graphs (and=> graphs graphs-file-names)
 #:allowed-references allowed
+ #:disallowed-references disallowed
 #:leaked-env-vars leaked-env-vars
 #:local-build? local-build?
 #:substitutable? substitutable?))))
diff --git a/tests/gexp.scm b/tests/gexp.scm
index d343dc3329..75b907abee 100644
--- a/tests/gexp.scm
+++ b/tests/gexp.scm
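Review bot: The added docstring sentence "Similarly for DISALLOWED-REFERENCES, which can list items that must not be referenced by the outputs." leaves the accepted forms and the #f default unstated, even though the lowering hunk below (`(disallowed (if disallowed-references (lower-references disallowed-references ...) (return #f)))`) routes the value through the same `lower-references` call as ALLOWED-REFERENCES and so accepts the same forms. Suggest spelling the contract out in parallel with the sentence above it: `Similarly, DISALLOWED-REFERENCES must be either #f or a list of output names and packages denoting store items that the outputs must not refer to; any such reference leads to a build error.` Nothing in these hunks rejects an item that appears in both lists, so that case is presumably left to the daemon; if so, a short remark to that effect in the docstring would save a caller from expecting a client-side error. The same wording gap is in the doc/guix.texi hunk above, which copies this sentence.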
@@ -600,6 +600,30 @@ (define (match-input thing)
 (build-derivations %store (list drv))
 #f)))
+(test-assertm "gexp->derivation #:disallowed-references, allowed"
+ (mlet %store-monad ((drv (gexp->derivation "disallowed-refs"
+ #~(begin
+ (mkdir #$output)
+ (chdir #$output)
+ (symlink #$output "self")
+ (symlink #$%bootstrap-guile
+ "guile"))
+ #:disallowed-references '())))
+ (built-derivations (list drv))))
+
+
+(test-assert "gexp->derivation #:disallowed-references"
+ (let ((drv (run-with-store %store
+ (gexp->derivation "disallowed-refs"
+ #~(begin
+ (mkdir #$output)
+ (chdir #$output)
+ (symlink #$%bootstrap-guile "guile"))
+ #:disallowed-references (list %bootstrap-guile)))))
+ (guard (c ((nix-protocol-error? c) #t))
+ (build-derivations %store (list drv))
+ #f)))
+
 (define shebang
 (string-append "#!" (derivation->output-path (%guile-for-build))
 "/bin/guile --no-auto-compile"))
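Review bot: The negative test's handler `(guard (c ((nix-protocol-error? c) #t)) ...)` treats any daemon-side protocol error as success, so a build that fails for an unrelated reason (the bootstrap Guile being unavailable, a sandbox problem) would also pass and the disallowed-reference check itself would go unexercised. If the condition carries the daemon's message, as `nix-protocol-error-message` from (guix store) does, the handler could require that message to name the rejected item, e.g. `(guard (c ((and (nix-protocol-error? c) (string-contains (nix-protocol-error-message c) "<daemon wording for a disallowed reference>")) #t)) ...)`, with the substring confirmed against what the daemon actually reports. The preceding #:allowed-references test, whose tail `(build-derivations %store (list drv)) #f)))` is visible as context above the added lines, has the same shape and would benefit from the same tightening.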