~ruther/guix-local

35b5ca7869396b8d37539b9279147c100eee12f1 — Ludovic Courtès 10 years ago e71ef7a
derivations: Add #:disallowed-references.

* guix/derivations.scm (derivation): Add #:disallowed-references.
[user+system-env-vars]: Honor it.
(build-expression->derivation): Likewise.
* tests/derivations.scm ("derivation #:disallowed-references, ok")
("derivation #:disallowed-references, not ok"): New tests.
* doc/guix.texi (Derivations): Adjust accordingly.
3 files changed, 40 insertions(+), 8 deletions(-)

M doc/guix.texi
M guix/derivations.scm
M tests/derivations.scm
M doc/guix.texi => doc/guix.texi +9 -4
@@ 3075,7 3075,8 @@ a derivation is the @code{derivation} procedure:
  @var{args} [#:outputs '("out")] [#:hash #f] [#:hash-algo #f] @
  [#:recursive? #f] [#:inputs '()] [#:env-vars '()] @
  [#:system (%current-system)] [#:references-graphs #f] @
  [#:allowed-references #f] [#:leaked-env-vars #f] [#:local-build? #f] @
  [#:allowed-references #f] [#:disallowed-references #f] @
  [#:leaked-env-vars #f] [#:local-build? #f] @
  [#:substitutable? #t]
Build a derivation with the given arguments, and return the resulting
@code{<derivation>} object.


@@ 3093,7 3094,9 @@ path is exported in the build environment in the corresponding file, in
a simple text format.

When @var{allowed-references} is true, it must be a list of store items
or outputs that the derivation's output may refer to.
or outputs that the derivation's output may refer to.  Likewise,
@var{disallowed-references}, if true, must be a list of things the
outputs may @emph{not} refer to.

When @var{leaked-env-vars} is true, it must be a list of strings
denoting environment variables that are allowed to ``leak'' from the
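
Review bot: "a list of things" in the added sentence is less precise than the sentence before it, which says "store items or outputs". Say the same here, and state that output names are accepted, since the new test passes '("out"); a reader using this option to keep a build-time input out of the result needs to know exactly what may be listed.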


@@ 3150,6 3153,7 @@ is now deprecated in favor of the much nicer @code{gexp->derivation}.
       [#:outputs '("out")] [#:hash #f] [#:hash-algo #f] @
       [#:recursive? #f] [#:env-vars '()] [#:modules '()] @
       [#:references-graphs #f] [#:allowed-references #f] @
       [#:disallowed-references #f] @
       [#:local-build? #f] [#:substitutable? #t] [#:guile-for-build #f]
Return a derivation that executes Scheme expression @var{exp} as a
builder for derivation @var{name}.  @var{inputs} must be a list of


@@ 3173,8 3177,9 @@ terminates by passing the result of @var{exp} to @code{exit}; thus, when
@code{%guile-for-build} fluid is used instead.

See the @code{derivation} procedure for the meaning of
@var{references-graphs}, @var{allowed-references}, @var{local-build?},
and @var{substitutable?}.
@var{references-graphs}, @var{allowed-references},
@var{disallowed-references}, @var{local-build?}, and
@var{substitutable?}.
@end deffn

@noindent

M guix/derivations.scm => guix/derivations.scm +12 -4
@@ 1,5 1,5 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2012, 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;


@@ 695,7 695,8 @@ HASH-ALGO, of the derivation NAME.  RECURSIVE? has the same meaning as for
                     (system (%current-system)) (env-vars '())
                     (inputs '()) (outputs '("out"))
                     hash hash-algo recursive?
                     references-graphs allowed-references
                     references-graphs
                     allowed-references disallowed-references
                     leaked-env-vars local-build?
                     (substitutable? #t))
  "Build a derivation with the given arguments, and return the resulting


@@ 710,7 711,8 @@ pairs.  In that case, the reference graph of each store path is exported in
the build environment in the corresponding file, in a simple text format.

When ALLOWED-REFERENCES is true, it must be a list of store items or outputs
that the derivation's output may refer to.
that the derivation's outputs may refer to.  Likewise, DISALLOWED-REFERENCES,
if true, must be a list of things the outputs may not refer to.

When LEAKED-ENV-VARS is true, it must be a list of strings denoting
environment variables that are allowed to \"leak\" from the daemon's
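
Review bot: the docstring now reads "the derivation's outputs" (plural) in the ALLOWED-REFERENCES sentence, but the matching sentence in the doc/guix.texi hunk still reads "the derivation's output may refer to". Apply the same wording fix in the manual so the two descriptions stay in sync.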


@@ 768,6 770,10 @@ output should not be used."
                            `(("allowedReferences"
                               . ,(string-join allowed-references)))
                            '())
                      ,@(if disallowed-references
                            `(("disallowedReferences"
                               . ,(string-join disallowed-references)))
                            '())
                      ,@(if leaked-env-vars
                            `(("impureEnvVars"
                               . ,(string-join leaked-env-vars)))
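
Review bot: the `(if disallowed-references ...)` test is true for the empty list, because '() is not #f in Scheme, so #:disallowed-references '() adds a "disallowedReferences" variable with an empty value and produces a different derivation than #f even though nothing is forbidden. For "allowedReferences" an empty list is meaningful (no references permitted); here it is not, so either test for a non-empty list or document that '() and #f differ. The elements also go to string-join unchecked, so a non-string entry fails there rather than with a message naming the keyword.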


@@ 1112,6 1118,7 @@ they can refer to each other."
                                       guile-for-build
                                       references-graphs
                                       allowed-references
                                       disallowed-references
                                       local-build? (substitutable? #t))
  "Return a derivation that executes Scheme expression EXP as a builder
for derivation NAME.  INPUTS must be a list of (NAME DRV-PATH SUB-DRV)


@@ 1132,7 1139,7 @@ EXP is built using GUILE-FOR-BUILD (a derivation).  When GUILE-FOR-BUILD is
omitted or is #f, the value of the `%guile-for-build' fluid is used instead.

See the `derivation' procedure for the meaning of REFERENCES-GRAPHS,
ALLOWED-REFERENCES, LOCAL-BUILD?, and SUBSTITUTABLE?."
ALLOWED-REFERENCES, DISALLOWED-REFERENCES, LOCAL-BUILD?, and SUBSTITUTABLE?."
  (define guile-drv
    (or guile-for-build (%guile-for-build)))



@@ 1258,6 1265,7 @@ ALLOWED-REFERENCES, LOCAL-BUILD?, and SUBSTITUTABLE?."
                #:outputs outputs
                #:references-graphs references-graphs
                #:allowed-references allowed-references
                #:disallowed-references disallowed-references
                #:local-build? local-build?
                #:substitutable? substitutable?)))


M tests/derivations.scm => tests/derivations.scm +19 -0
@@ 504,6 504,25 @@
      (build-derivations %store (list drv))
      #f)))

(test-assert "derivation #:disallowed-references, ok"
  (let ((drv (derivation %store "disallowed" %bash
                         '("-c" "echo hello > $out")
                         #:inputs `((,%bash))
                         #:disallowed-references '("out"))))
    (build-derivations %store (list drv))))

(test-assert "derivation #:disallowed-references, not ok"
  (let* ((txt (add-text-to-store %store "foo" "Hello, world."))
         (drv (derivation %store "disdisallowed" %bash
                          `("-c" ,(string-append "echo " txt "> $out"))
                          #:inputs `((,%bash) (,txt))
                          #:disallowed-references (list txt))))
    (guard (c ((nix-protocol-error? c)
               ;; There's no specific error message to check for.
               #t))
      (build-derivations %store (list drv))
      #f)))

;; Here we should get the value of $NIX_STATE_DIR that the daemon sees, which
;; is a unique value for each test process; this value is the same as the one
;; we see in the process executing this file since it is set by 'test-env'.
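
Review bot: in the "not ok" test the guard returns #t for any nix-protocol-error, so the test passes whenever the build fails for any reason, not only when the disallowed reference is detected. Since there is no specific message to match, add a control case that builds the same derivation without #:disallowed-references and expects success, so the failure can be attributed to the new check. The derivation name "disdisallowed" also looks like a typo for "disallowed". The "ok" test only lists the output name "out"; a case that disallows a store item which is an input but is not written to $out would exercise the more common use.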