From 35b5ca7869396b8d37539b9279147c100eee12f1 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Sun, 20 Mar 2016 22:40:31 +0100 Subject: derivations: Add #:disallowed-references. * guix/derivations.scm (derivation): Add #:disallowed-references. [user+system-env-vars]: Honor it. (build-expression->derivation): Likewise. * tests/derivations.scm ("derivation #:disallowed-references, ok") ("derivation #:disallowed-references, not ok"): New tests. * doc/guix.texi (Derivations): Adjust accordingly. --- doc/guix.texi | 13 +++++++++---- guix/derivations.scm | 16 ++++++++++++---- tests/derivations.scm | 19 +++++++++++++++++++ 3 files changed, 40 insertions(+), 8 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 868948adfc..075839eadf 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -3075,7 +3075,8 @@ a derivation is the @code{derivation} procedure: @var{args} [#:outputs '("out")] [#:hash #f] [#:hash-algo #f] @ [#:recursive? #f] [#:inputs '()] [#:env-vars '()] @ [#:system (%current-system)] [#:references-graphs #f] @ - [#:allowed-references #f] [#:leaked-env-vars #f] [#:local-build? #f] @ + [#:allowed-references #f] [#:disallowed-references #f] @ + [#:leaked-env-vars #f] [#:local-build? #f] @ [#:substitutable? #t] Build a derivation with the given arguments, and return the resulting @code{} object. @@ -3093,7 +3094,9 @@ path is exported in the build environment in the corresponding file, in a simple text format. When @var{allowed-references} is true, it must be a list of store items -or outputs that the derivation's output may refer to. +or outputs that the derivation's output may refer to. Likewise, +@var{disallowed-references}, if true, must be a list of things the +outputs may @emph{not} refer to. When @var{leaked-env-vars} is true, it must be a list of strings denoting environment variables that are allowed to ``leak'' from the @@ -3150,6 +3153,7 @@ is now deprecated in favor of the much nicer @code{gexp->derivation}. [#:outputs '("out")] [#:hash #f] [#:hash-algo #f] @ [#:recursive? #f] [#:env-vars '()] [#:modules '()] @ [#:references-graphs #f] [#:allowed-references #f] @ + [#:disallowed-references #f] @ [#:local-build? #f] [#:substitutable? #t] [#:guile-for-build #f] Return a derivation that executes Scheme expression @var{exp} as a builder for derivation @var{name}. @var{inputs} must be a list of @@ -3173,8 +3177,9 @@ terminates by passing the result of @var{exp} to @code{exit}; thus, when @code{%guile-for-build} fluid is used instead. See the @code{derivation} procedure for the meaning of -@var{references-graphs}, @var{allowed-references}, @var{local-build?}, -and @var{substitutable?}. +@var{references-graphs}, @var{allowed-references}, +@var{disallowed-references}, @var{local-build?}, and +@var{substitutable?}. @end deffn @noindent diff --git a/guix/derivations.scm b/guix/derivations.scm index 1164774009..f24e3c6f92 100644 --- a/guix/derivations.scm +++ b/guix/derivations.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2012, 2013, 2014, 2015 Ludovic Courtès +;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès ;;; ;;; This file is part of GNU Guix. ;;; @@ -695,7 +695,8 @@ (define* (derivation store name builder args (system (%current-system)) (env-vars '()) (inputs '()) (outputs '("out")) hash hash-algo recursive? - references-graphs allowed-references + references-graphs + allowed-references disallowed-references leaked-env-vars local-build? (substitutable? #t)) "Build a derivation with the given arguments, and return the resulting @@ -710,7 +711,8 @@ (define* (derivation store name builder args the build environment in the corresponding file, in a simple text format. When ALLOWED-REFERENCES is true, it must be a list of store items or outputs -that the derivation's output may refer to. +that the derivation's outputs may refer to. Likewise, DISALLOWED-REFERENCES, +if true, must be a list of things the outputs may not refer to. When LEAKED-ENV-VARS is true, it must be a list of strings denoting environment variables that are allowed to \"leak\" from the daemon's @@ -768,6 +770,10 @@ (define (user+system-env-vars) `(("allowedReferences" . ,(string-join allowed-references))) '()) + ,@(if disallowed-references + `(("disallowedReferences" + . ,(string-join disallowed-references))) + '()) ,@(if leaked-env-vars `(("impureEnvVars" . ,(string-join leaked-env-vars))) @@ -1112,6 +1118,7 @@ (define* (build-expression->derivation store name exp ;deprecated guile-for-build references-graphs allowed-references + disallowed-references local-build? (substitutable? #t)) "Return a derivation that executes Scheme expression EXP as a builder for derivation NAME. INPUTS must be a list of (NAME DRV-PATH SUB-DRV) @@ -1132,7 +1139,7 @@ (define* (build-expression->derivation store name exp ;deprecated omitted or is #f, the value of the `%guile-for-build' fluid is used instead. See the `derivation' procedure for the meaning of REFERENCES-GRAPHS, -ALLOWED-REFERENCES, LOCAL-BUILD?, and SUBSTITUTABLE?." +ALLOWED-REFERENCES, DISALLOWED-REFERENCES, LOCAL-BUILD?, and SUBSTITUTABLE?." (define guile-drv (or guile-for-build (%guile-for-build))) @@ -1258,6 +1265,7 @@ (define %build-inputs #:outputs outputs #:references-graphs references-graphs #:allowed-references allowed-references + #:disallowed-references disallowed-references #:local-build? local-build? #:substitutable? substitutable?))) diff --git a/tests/derivations.scm b/tests/derivations.scm index 3c35218040..4d3b82fe1a 100644 --- a/tests/derivations.scm +++ b/tests/derivations.scm @@ -504,6 +504,25 @@ (define (deps path . deps) (build-derivations %store (list drv)) #f))) +(test-assert "derivation #:disallowed-references, ok" + (let ((drv (derivation %store "disallowed" %bash + '("-c" "echo hello > $out") + #:inputs `((,%bash)) + #:disallowed-references '("out")))) + (build-derivations %store (list drv)))) + +(test-assert "derivation #:disallowed-references, not ok" + (let* ((txt (add-text-to-store %store "foo" "Hello, world.")) + (drv (derivation %store "disdisallowed" %bash + `("-c" ,(string-append "echo " txt "> $out")) + #:inputs `((,%bash) (,txt)) + #:disallowed-references (list txt)))) + (guard (c ((nix-protocol-error? c) + ;; There's no specific error message to check for. + #t)) + (build-derivations %store (list drv)) + #f))) + ;; Here we should get the value of $NIX_STATE_DIR that the daemon sees, which ;; is a unique value for each test process; this value is the same as the one ;; we see in the process executing this file since it is set by 'test-env'. -- cgit v1.2.3