summary refs log tree commit diff
diff options
context:
space:
mode:
authorLudovic Courtès <ludo@gnu.org>2016-03-20 22:40:31 +0100
committerLudovic Courtès <ludo@gnu.org>2016-03-20 22:45:35 +0100
commit35b5ca7869396b8d37539b9279147c100eee12f1 (patch)
tree92ba732e7f85918091ad6a76e7959dd79b580e01
parente71ef7adaece7e132a5059139122b45083ea1b39 (diff)
downloadguix-35b5ca7869396b8d37539b9279147c100eee12f1.tar.gz
derivations: Add #:disallowed-references.
* guix/derivations.scm (derivation): Add #:disallowed-references.
[user+system-env-vars]: Honor it.
(build-expression->derivation): Likewise.
* tests/derivations.scm ("derivation #:disallowed-references, ok")
("derivation #:disallowed-references, not ok"): New tests.
* doc/guix.texi (Derivations): Adjust accordingly.
-rw-r--r--doc/guix.texi13
-rw-r--r--guix/derivations.scm16
-rw-r--r--tests/derivations.scm19
3 files changed, 40 insertions, 8 deletions
diff --git a/doc/guix.texi b/doc/guix.texi
index 868948adfc..075839eadf 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -3075,7 +3075,8 @@ a derivation is the @code{derivation} procedure:
   @var{args} [#:outputs '("out")] [#:hash #f] [#:hash-algo #f] @
   [#:recursive? #f] [#:inputs '()] [#:env-vars '()] @
   [#:system (%current-system)] [#:references-graphs #f] @
-  [#:allowed-references #f] [#:leaked-env-vars #f] [#:local-build? #f] @
+  [#:allowed-references #f] [#:disallowed-references #f] @
+  [#:leaked-env-vars #f] [#:local-build? #f] @
   [#:substitutable? #t]
 Build a derivation with the given arguments, and return the resulting
 @code{<derivation>} object.
@@ -3093,7 +3094,9 @@ path is exported in the build environment in the corresponding file, in
 a simple text format.
 
 When @var{allowed-references} is true, it must be a list of store items
-or outputs that the derivation's output may refer to.
+or outputs that the derivation's output may refer to.  Likewise,
+@var{disallowed-references}, if true, must be a list of things the
+outputs may @emph{not} refer to.
 
 When @var{leaked-env-vars} is true, it must be a list of strings
 denoting environment variables that are allowed to ``leak'' from the
@@ -3150,6 +3153,7 @@ is now deprecated in favor of the much nicer @code{gexp->derivation}.
        [#:outputs '("out")] [#:hash #f] [#:hash-algo #f] @
        [#:recursive? #f] [#:env-vars '()] [#:modules '()] @
        [#:references-graphs #f] [#:allowed-references #f] @
+       [#:disallowed-references #f] @
        [#:local-build? #f] [#:substitutable? #t] [#:guile-for-build #f]
 Return a derivation that executes Scheme expression @var{exp} as a
 builder for derivation @var{name}.  @var{inputs} must be a list of
@@ -3173,8 +3177,9 @@ terminates by passing the result of @var{exp} to @code{exit}; thus, when
 @code{%guile-for-build} fluid is used instead.
 
 See the @code{derivation} procedure for the meaning of
-@var{references-graphs}, @var{allowed-references}, @var{local-build?},
-and @var{substitutable?}.
+@var{references-graphs}, @var{allowed-references},
+@var{disallowed-references}, @var{local-build?}, and
+@var{substitutable?}.
 @end deffn
 
 @noindent
diff --git a/guix/derivations.scm b/guix/derivations.scm
index 1164774009..f24e3c6f92 100644
--- a/guix/derivations.scm
+++ b/guix/derivations.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -695,7 +695,8 @@ HASH-ALGO, of the derivation NAME.  RECURSIVE? has the same meaning as for
                      (system (%current-system)) (env-vars '())
                      (inputs '()) (outputs '("out"))
                      hash hash-algo recursive?
-                     references-graphs allowed-references
+                     references-graphs
+                     allowed-references disallowed-references
                      leaked-env-vars local-build?
                      (substitutable? #t))
   "Build a derivation with the given arguments, and return the resulting
@@ -710,7 +711,8 @@ pairs.  In that case, the reference graph of each store path is exported in
 the build environment in the corresponding file, in a simple text format.
 
 When ALLOWED-REFERENCES is true, it must be a list of store items or outputs
-that the derivation's output may refer to.
+that the derivation's outputs may refer to.  Likewise, DISALLOWED-REFERENCES,
+if true, must be a list of things the outputs may not refer to.
 
 When LEAKED-ENV-VARS is true, it must be a list of strings denoting
 environment variables that are allowed to \"leak\" from the daemon's
@@ -768,6 +770,10 @@ output should not be used."
                             `(("allowedReferences"
                                . ,(string-join allowed-references)))
                             '())
+                      ,@(if disallowed-references
+                            `(("disallowedReferences"
+                               . ,(string-join disallowed-references)))
+                            '())
                       ,@(if leaked-env-vars
                             `(("impureEnvVars"
                                . ,(string-join leaked-env-vars)))
@@ -1112,6 +1118,7 @@ they can refer to each other."
                                        guile-for-build
                                        references-graphs
                                        allowed-references
+                                       disallowed-references
                                        local-build? (substitutable? #t))
   "Return a derivation that executes Scheme expression EXP as a builder
 for derivation NAME.  INPUTS must be a list of (NAME DRV-PATH SUB-DRV)
@@ -1132,7 +1139,7 @@ EXP is built using GUILE-FOR-BUILD (a derivation).  When GUILE-FOR-BUILD is
 omitted or is #f, the value of the `%guile-for-build' fluid is used instead.
 
 See the `derivation' procedure for the meaning of REFERENCES-GRAPHS,
-ALLOWED-REFERENCES, LOCAL-BUILD?, and SUBSTITUTABLE?."
+ALLOWED-REFERENCES, DISALLOWED-REFERENCES, LOCAL-BUILD?, and SUBSTITUTABLE?."
   (define guile-drv
     (or guile-for-build (%guile-for-build)))
 
@@ -1258,6 +1265,7 @@ ALLOWED-REFERENCES, LOCAL-BUILD?, and SUBSTITUTABLE?."
                 #:outputs outputs
                 #:references-graphs references-graphs
                 #:allowed-references allowed-references
+                #:disallowed-references disallowed-references
                 #:local-build? local-build?
                 #:substitutable? substitutable?)))
 
diff --git a/tests/derivations.scm b/tests/derivations.scm
index 3c35218040..4d3b82fe1a 100644
--- a/tests/derivations.scm
+++ b/tests/derivations.scm
@@ -504,6 +504,25 @@
       (build-derivations %store (list drv))
       #f)))
 
+(test-assert "derivation #:disallowed-references, ok"
+  (let ((drv (derivation %store "disallowed" %bash
+                         '("-c" "echo hello > $out")
+                         #:inputs `((,%bash))
+                         #:disallowed-references '("out"))))
+    (build-derivations %store (list drv))))
+
+(test-assert "derivation #:disallowed-references, not ok"
+  (let* ((txt (add-text-to-store %store "foo" "Hello, world."))
+         (drv (derivation %store "disdisallowed" %bash
+                          `("-c" ,(string-append "echo " txt "> $out"))
+                          #:inputs `((,%bash) (,txt))
+                          #:disallowed-references (list txt))))
+    (guard (c ((nix-protocol-error? c)
+               ;; There's no specific error message to check for.
+               #t))
+      (build-derivations %store (list drv))
+      #f)))
+
 ;; Here we should get the value of $NIX_STATE_DIR that the daemon sees, which
 ;; is a unique value for each test process; this value is the same as the one
 ;; we see in the process executing this file since it is set by 'test-env'.