diff options
author | Ludovic Courtès <ludo@gnu.org> | 2016-03-20 22:40:31 +0100 |
---|---|---|
committer | Ludovic Courtès <ludo@gnu.org> | 2016-03-20 22:45:35 +0100 |
commit | 35b5ca7869396b8d37539b9279147c100eee12f1 (patch) | |
tree | 92ba732e7f85918091ad6a76e7959dd79b580e01 | |
parent | e71ef7adaece7e132a5059139122b45083ea1b39 (diff) | |
download | guix-35b5ca7869396b8d37539b9279147c100eee12f1.tar.gz |
derivations: Add #:disallowed-references.
* guix/derivations.scm (derivation): Add #:disallowed-references. [user+system-env-vars]: Honor it. (build-expression->derivation): Likewise. * tests/derivations.scm ("derivation #:disallowed-references, ok") ("derivation #:disallowed-references, not ok"): New tests. * doc/guix.texi (Derivations): Adjust accordingly.
-rw-r--r-- | doc/guix.texi | 13 | ||||
-rw-r--r-- | guix/derivations.scm | 16 | ||||
-rw-r--r-- | tests/derivations.scm | 19 |
3 files changed, 40 insertions, 8 deletions
diff --git a/doc/guix.texi b/doc/guix.texi index 868948adfc..075839eadf 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -3075,7 +3075,8 @@ a derivation is the @code{derivation} procedure: @var{args} [#:outputs '("out")] [#:hash #f] [#:hash-algo #f] @ [#:recursive? #f] [#:inputs '()] [#:env-vars '()] @ [#:system (%current-system)] [#:references-graphs #f] @ - [#:allowed-references #f] [#:leaked-env-vars #f] [#:local-build? #f] @ + [#:allowed-references #f] [#:disallowed-references #f] @ + [#:leaked-env-vars #f] [#:local-build? #f] @ [#:substitutable? #t] Build a derivation with the given arguments, and return the resulting @code{<derivation>} object. @@ -3093,7 +3094,9 @@ path is exported in the build environment in the corresponding file, in a simple text format. When @var{allowed-references} is true, it must be a list of store items -or outputs that the derivation's output may refer to. +or outputs that the derivation's output may refer to. Likewise, +@var{disallowed-references}, if true, must be a list of things the +outputs may @emph{not} refer to. When @var{leaked-env-vars} is true, it must be a list of strings denoting environment variables that are allowed to ``leak'' from the @@ -3150,6 +3153,7 @@ is now deprecated in favor of the much nicer @code{gexp->derivation}. [#:outputs '("out")] [#:hash #f] [#:hash-algo #f] @ [#:recursive? #f] [#:env-vars '()] [#:modules '()] @ [#:references-graphs #f] [#:allowed-references #f] @ + [#:disallowed-references #f] @ [#:local-build? #f] [#:substitutable? #t] [#:guile-for-build #f] Return a derivation that executes Scheme expression @var{exp} as a builder for derivation @var{name}. @var{inputs} must be a list of @@ -3173,8 +3177,9 @@ terminates by passing the result of @var{exp} to @code{exit}; thus, when @code{%guile-for-build} fluid is used instead. See the @code{derivation} procedure for the meaning of -@var{references-graphs}, @var{allowed-references}, @var{local-build?}, -and @var{substitutable?}. +@var{references-graphs}, @var{allowed-references}, +@var{disallowed-references}, @var{local-build?}, and +@var{substitutable?}. @end deffn @noindent diff --git a/guix/derivations.scm b/guix/derivations.scm index 1164774009..f24e3c6f92 100644 --- a/guix/derivations.scm +++ b/guix/derivations.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2012, 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org> +;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org> ;;; ;;; This file is part of GNU Guix. ;;; @@ -695,7 +695,8 @@ HASH-ALGO, of the derivation NAME. RECURSIVE? has the same meaning as for (system (%current-system)) (env-vars '()) (inputs '()) (outputs '("out")) hash hash-algo recursive? - references-graphs allowed-references + references-graphs + allowed-references disallowed-references leaked-env-vars local-build? (substitutable? #t)) "Build a derivation with the given arguments, and return the resulting @@ -710,7 +711,8 @@ pairs. In that case, the reference graph of each store path is exported in the build environment in the corresponding file, in a simple text format. When ALLOWED-REFERENCES is true, it must be a list of store items or outputs -that the derivation's output may refer to. +that the derivation's outputs may refer to. Likewise, DISALLOWED-REFERENCES, +if true, must be a list of things the outputs may not refer to. When LEAKED-ENV-VARS is true, it must be a list of strings denoting environment variables that are allowed to \"leak\" from the daemon's @@ -768,6 +770,10 @@ output should not be used." `(("allowedReferences" . ,(string-join allowed-references))) '()) + ,@(if disallowed-references + `(("disallowedReferences" + . ,(string-join disallowed-references))) + '()) ,@(if leaked-env-vars `(("impureEnvVars" . ,(string-join leaked-env-vars))) @@ -1112,6 +1118,7 @@ they can refer to each other." guile-for-build references-graphs allowed-references + disallowed-references local-build? (substitutable? #t)) "Return a derivation that executes Scheme expression EXP as a builder for derivation NAME. INPUTS must be a list of (NAME DRV-PATH SUB-DRV) @@ -1132,7 +1139,7 @@ EXP is built using GUILE-FOR-BUILD (a derivation). When GUILE-FOR-BUILD is omitted or is #f, the value of the `%guile-for-build' fluid is used instead. See the `derivation' procedure for the meaning of REFERENCES-GRAPHS, -ALLOWED-REFERENCES, LOCAL-BUILD?, and SUBSTITUTABLE?." +ALLOWED-REFERENCES, DISALLOWED-REFERENCES, LOCAL-BUILD?, and SUBSTITUTABLE?." (define guile-drv (or guile-for-build (%guile-for-build))) @@ -1258,6 +1265,7 @@ ALLOWED-REFERENCES, LOCAL-BUILD?, and SUBSTITUTABLE?." #:outputs outputs #:references-graphs references-graphs #:allowed-references allowed-references + #:disallowed-references disallowed-references #:local-build? local-build? #:substitutable? substitutable?))) diff --git a/tests/derivations.scm b/tests/derivations.scm index 3c35218040..4d3b82fe1a 100644 --- a/tests/derivations.scm +++ b/tests/derivations.scm @@ -504,6 +504,25 @@ (build-derivations %store (list drv)) #f))) +(test-assert "derivation #:disallowed-references, ok" + (let ((drv (derivation %store "disallowed" %bash + '("-c" "echo hello > $out") + #:inputs `((,%bash)) + #:disallowed-references '("out")))) + (build-derivations %store (list drv)))) + +(test-assert "derivation #:disallowed-references, not ok" + (let* ((txt (add-text-to-store %store "foo" "Hello, world.")) + (drv (derivation %store "disdisallowed" %bash + `("-c" ,(string-append "echo " txt "> $out")) + #:inputs `((,%bash) (,txt)) + #:disallowed-references (list txt)))) + (guard (c ((nix-protocol-error? c) + ;; There's no specific error message to check for. + #t)) + (build-derivations %store (list drv)) + #f))) + ;; Here we should get the value of $NIX_STATE_DIR that the daemon sees, which ;; is a unique value for each test process; this value is the same as the one ;; we see in the process executing this file since it is set by 'test-env'. |