mirror of
https://github.com/NixOS/nix.git
synced 2024-11-25 16:23:02 +00:00
Add disallowedReferences / disallowedRequisites
For the "stdenv accidentally referring to bootstrap-tools" case, it seems easier to specify the path that we don't want to depend on, e.g. disallowedRequisites = [ bootstrapTools ];
parent
9eddf6f0b6
commit
b72e93bca8
@ -2318,33 +2318,36 @@ void DerivationGoal::registerOutputs()
|
|||||||
debug(format("referenced input: ‘%1%’") % *i);
|
debug(format("referenced input: ‘%1%’") % *i);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* If the derivation specifies an `allowedReferences'
|
/* Enforce `allowedReferences' and friends. */
|
||||||
attribute (containing a list of paths that the output may
|
auto checkRefs = [&](const string & attrName, bool allowed, bool recursive) {
|
||||||
refer to), check that all references are in that list. !!!
|
if (drv.env.find(attrName) == drv.env.end()) return;
|
||||||
allowedReferences should really be per-output. */
|
|
||||||
if (drv.env.find("allowedReferences") != drv.env.end()) {
|
|
||||||
PathSet allowed = parseReferenceSpecifiers(drv, get(drv.env, "allowedReferences"));
|
|
||||||
foreach (PathSet::iterator, i, references)
|
|
||||||
if (allowed.find(*i) == allowed.end())
|
|
||||||
throw BuildError(format("output (‘%1%’) is not allowed to refer to path ‘%2%’") % actualPath % *i);
|
|
||||||
}
|
|
||||||
|
|
||||||
/* If the derivation specifies an `allowedRequisites'
|
PathSet spec = parseReferenceSpecifiers(drv, get(drv.env, attrName));
|
||||||
attribute (containing a list of paths that the output may
|
|
||||||
refer to), check that all requisites are in that list. !!!
|
PathSet used;
|
||||||
allowedRequisites should really be per-output. */
|
if (recursive) {
|
||||||
if (drv.env.find("allowedRequisites") != drv.env.end()) {
|
/* Our requisites are the union of the closures of our references. */
|
||||||
PathSet allowed = parseReferenceSpecifiers(drv, get(drv.env, "allowedRequisites"));
|
for (auto & i : references)
|
||||||
PathSet requisites;
|
/* Don't call computeFSClosure on ourselves. */
|
||||||
/* Our requisites are the union of the closures of our references. */
|
if (actualPath != i)
|
||||||
foreach (PathSet::iterator, i, references)
|
computeFSClosure(worker.store, i, used);
|
||||||
/* Don't call computeFSClosure on ourselves. */
|
} else
|
||||||
if (actualPath != *i)
|
used = references;
|
||||||
computeFSClosure(worker.store, *i, requisites);
|
|
||||||
foreach (PathSet::iterator, i, requisites)
|
for (auto & i : used)
|
||||||
if (allowed.find(*i) == allowed.end())
|
if (allowed) {
|
||||||
throw BuildError(format("output (‘%1%’) is not allowed to refer to requisite path ‘%2%’") % actualPath % *i);
|
if (spec.find(i) == spec.end())
|
||||||
}
|
throw BuildError(format("output (‘%1%’) is not allowed to refer to path ‘%2%’") % actualPath % i);
|
||||||
|
} else {
|
||||||
|
if (spec.find(i) != spec.end())
|
||||||
|
throw BuildError(format("output (‘%1%’) is not allowed to refer to path ‘%2%’") % actualPath % i);
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
checkRefs("allowedReferences", true, false);
|
||||||
|
checkRefs("allowedRequisites", true, true);
|
||||||
|
checkRefs("disallowedReferences", false, false);
|
||||||
|
checkRefs("disallowedRequisites", false, true);
|
||||||
|
|
||||||
worker.store.optimisePath(path); // FIXME: combine with scanForReferences()
|
worker.store.optimisePath(path); // FIXME: combine with scanForReferences()
|
||||||
|
|
||||||
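Review bot: Both `throw BuildError` lines in `checkRefs` use the same text, so a violation of `allowedRequisites` or `disallowedRequisites` is reported as "not allowed to refer to path" even when the path is only in the closure of a reference, and the message never says which of the four attributes was violated. The removed requisites branch said "requisite path", which told whoever debugs a closure-policy failure whether to look for a direct reference or a transitive one. Passing the attribute name through would restore that, e.g. `throw BuildError(format("output (‘%1%’) violates ‘%3%’: it is not allowed to refer to path ‘%2%’") % actualPath % i % attrName);`, and the two branches can then collapse into `if ((spec.find(i) != spec.end()) != allowed) throw …`. The new one-line comment also drops the old caveat that these attributes should really be per-output, although that limitation appears unchanged. registerOutputs starts and ends outside the hunk.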
|
@ -55,4 +55,16 @@ rec {
|
|||||||
inherit dep;
|
inherit dep;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
test9 = makeTest 9 {
|
||||||
|
builder = builtins.toFile "builder.sh" "mkdir $out; ln -s $dep $out/link";
|
||||||
|
inherit dep;
|
||||||
|
disallowedReferences = [dep];
|
||||||
|
};
|
||||||
|
|
||||||
|
test10 = makeTest 10 {
|
||||||
|
builder = builtins.toFile "builder.sh" "mkdir $out; echo $test5; ln -s $dep $out/link";
|
||||||
|
inherit dep test5;
|
||||||
|
disallowedReferences = [test5];
|
||||||
|
};
|
||||||
|
|
||||||
}
|
}
|
||||||
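Review bot: `test10` has no comment explaining why it is expected to pass: its builder only runs `echo $test5`, which puts the path in the build log but not in `$out`, so `test5` is a build input without being a reference of the output. A one-line comment above `test10`, such as `# test5 is only used at build time, so it must not count as a reference`, would make that intent clear to the next reader.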
|
@ -32,3 +32,9 @@ nix-build -o $RESULT check-refs.nix -A test7
|
|||||||
|
|
||||||
# test8 should fail (toFile depending on derivation output).
|
# test8 should fail (toFile depending on derivation output).
|
||||||
(! nix-build -o $RESULT check-refs.nix -A test8)
|
(! nix-build -o $RESULT check-refs.nix -A test8)
|
||||||
|
|
||||||
|
# test9 should fail (disallowed reference).
|
||||||
|
(! nix-build -o $RESULT check-refs.nix -A test9)
|
||||||
|
|
||||||
|
# test10 should succeed (no disallowed references).
|
||||||
|
nix-build -o $RESULT check-refs.nix -A test10
|
||||||
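Review bot: `(! nix-build … -A test9)` passes on any build failure, not only on the disallowed-reference check, so an evaluation error in check-refs.nix or a broken builder would still make this test green. Since the test guards a policy check, it is worth asserting the reason as well, for example `nix-build -o $RESULT check-refs.nix -A test9 2>&1 | grep -q 'is not allowed to refer to path'`, assuming the BuildError text reaches nix-build's output. The same applies to the new `test6` line in check-reqs.sh.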
|
@ -40,4 +40,18 @@ rec {
|
|||||||
test3 = makeTest 3 [ dep1 deps ];
|
test3 = makeTest 3 [ dep1 deps ];
|
||||||
test4 = makeTest 4 [ deps ];
|
test4 = makeTest 4 [ deps ];
|
||||||
test5 = makeTest 5 [];
|
test5 = makeTest 5 [];
|
||||||
|
|
||||||
|
test6 = mkDerivation {
|
||||||
|
name = "check-reqs";
|
||||||
|
inherit deps;
|
||||||
|
builder = builtins.toFile "builder.sh" "mkdir $out; ln -s $deps $out/depdir1";
|
||||||
|
disallowedRequisites = [dep1];
|
||||||
|
};
|
||||||
|
|
||||||
|
test7 = mkDerivation {
|
||||||
|
name = "check-reqs";
|
||||||
|
inherit deps;
|
||||||
|
builder = builtins.toFile "builder.sh" "mkdir $out; ln -s $deps $out/depdir1";
|
||||||
|
disallowedRequisites = [test1];
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
@ -2,11 +2,12 @@ source common.sh
|
|||||||
|
|
||||||
RESULT=$TEST_ROOT/result
|
RESULT=$TEST_ROOT/result
|
||||||
|
|
||||||
# test1 should succeed.
|
|
||||||
nix-build -o $RESULT check-reqs.nix -A test1
|
nix-build -o $RESULT check-reqs.nix -A test1
|
||||||
|
|
||||||
# test{2,3,4,5} should fail.
|
|
||||||
(! nix-build -o $RESULT check-reqs.nix -A test2)
|
(! nix-build -o $RESULT check-reqs.nix -A test2)
|
||||||
(! nix-build -o $RESULT check-reqs.nix -A test3)
|
(! nix-build -o $RESULT check-reqs.nix -A test3)
|
||||||
(! nix-build -o $RESULT check-reqs.nix -A test4)
|
(! nix-build -o $RESULT check-reqs.nix -A test4)
|
||||||
(! nix-build -o $RESULT check-reqs.nix -A test5)
|
(! nix-build -o $RESULT check-reqs.nix -A test5)
|
||||||
|
(! nix-build -o $RESULT check-reqs.nix -A test6)
|
||||||
|
|
||||||
|
nix-build -o $RESULT check-reqs.nix -A test7
|
||||||
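Review bot: The new `test6` and `test7` lines carry no expected-outcome comment, and the existing `# test1 should succeed.` and `# test{2,3,4,5} should fail.` comments appear to be removed in this section, unlike check-refs.sh where test9 and test10 are both annotated. I would keep the old comments and add `# test6 should fail (dep1 is a disallowed requisite).` and `# test7 should succeed (test1 is not among the requisites).` above the respective lines. The reasons given in those comments are inferred from check-reqs.nix as shown on this page.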
|