Merge pull request #189 from LnL7/nixpkgs-restricted-mode
eval-checker: use explicit 'nixpkgs' argument for release.nix expressions
commit
da43bc05b7
3 changed files with 53 additions and 2 deletions
|
@ -675,7 +675,7 @@ mod tests {
|
|||
}
|
||||
|
||||
#[test]
|
||||
fn instantiation() {
|
||||
fn instantiation_success() {
|
||||
let ret: Result<File, File> = nix().safely(
|
||||
Operation::Instantiate,
|
||||
passing_eval_path().as_path(),
|
||||
|
@ -693,4 +693,23 @@ mod tests {
|
|||
],
|
||||
);
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn instantiation_nixpkgs_restricted_mode() {
|
||||
let ret: Result<File, File> = nix().safely(
|
||||
Operation::Instantiate,
|
||||
individual_eval_path().as_path(),
|
||||
vec![String::from("-A"), String::from("nixpkgs-restricted-mode")],
|
||||
true,
|
||||
);
|
||||
|
||||
assert_run(
|
||||
ret,
|
||||
Expect::Fail,
|
||||
vec![
|
||||
"access to path '/fake'",
|
||||
"is forbidden in restricted mode",
|
||||
],
|
||||
);
|
||||
}
|
||||
}
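Review bot: The two strings expected by `instantiation_nixpkgs_restricted_mode` are the same text the fixture prints itself through `builtins.trace` when `builtins.fetchGit` is not available, so on such a Nix version the test passes without the evaluator having denied anything. As written it proves that the default `nixpkgs` argument is evaluated, not that restricted mode blocks access outside the checkout. A comment above `assert_run` would make that limit explicit, for example `// On Nix without builtins.fetchGit the fixture fakes this message; only the real builtin exercises restricted mode.` The bare `true` passed as the last argument to `safely` would also read better with a short comment naming what it switches on. The `mod tests` block begins outside this hunk.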
|
||||
|
|
|
@ -348,6 +348,9 @@ impl<E: stats::SysEvents + 'static> worker::SimpleWorker for MassRebuildWorker<E
|
|||
"nixos-options",
|
||||
nix::Operation::Instantiate,
|
||||
vec![
|
||||
String::from("--arg"),
|
||||
String::from("nixpkgs"),
|
||||
String::from("./."),
|
||||
String::from("./nixos/release.nix"),
|
||||
String::from("-A"),
|
||||
String::from("options"),
|
||||
|
@ -359,6 +362,9 @@ impl<E: stats::SysEvents + 'static> worker::SimpleWorker for MassRebuildWorker<E
|
|||
"nixos-manual",
|
||||
nix::Operation::Instantiate,
|
||||
vec![
|
||||
String::from("--arg"),
|
||||
String::from("nixpkgs"),
|
||||
String::from("./."),
|
||||
String::from("./nixos/release.nix"),
|
||||
String::from("-A"),
|
||||
String::from("manual"),
|
||||
|
@ -370,6 +376,9 @@ impl<E: stats::SysEvents + 'static> worker::SimpleWorker for MassRebuildWorker<E
|
|||
"nixpkgs-manual",
|
||||
nix::Operation::Instantiate,
|
||||
vec![
|
||||
String::from("--arg"),
|
||||
String::from("nixpkgs"),
|
||||
String::from("./."),
|
||||
String::from("./pkgs/top-level/release.nix"),
|
||||
String::from("-A"),
|
||||
String::from("manual"),
|
||||
|
@ -381,6 +390,9 @@ impl<E: stats::SysEvents + 'static> worker::SimpleWorker for MassRebuildWorker<E
|
|||
"nixpkgs-tarball",
|
||||
nix::Operation::Instantiate,
|
||||
vec![
|
||||
String::from("--arg"),
|
||||
String::from("nixpkgs"),
|
||||
String::from("./."),
|
||||
String::from("./pkgs/top-level/release.nix"),
|
||||
String::from("-A"),
|
||||
String::from("tarball"),
|
||||
|
@ -392,6 +404,9 @@ impl<E: stats::SysEvents + 'static> worker::SimpleWorker for MassRebuildWorker<E
|
|||
"nixpkgs-unstable-jobset",
|
||||
nix::Operation::Instantiate,
|
||||
vec![
|
||||
String::from("--arg"),
|
||||
String::from("nixpkgs"),
|
||||
String::from("./."),
|
||||
String::from("./pkgs/top-level/release.nix"),
|
||||
String::from("-A"),
|
||||
String::from("unstable"),
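Review bot: The `--arg nixpkgs ./.` triple is now written out five times, once per check (nixos-options, nixos-manual, nixpkgs-manual, nixpkgs-tarball, nixpkgs-unstable-jobset), so a check added later can omit it and fall back to the expression's default `nixpkgs`, which, judging by the commit title and the test fixture, is presumably what restricted mode rejects. Building the shared prefix in one place, for instance a small private helper returning `vec![String::from("--arg"), String::from("nixpkgs"), String::from("./.")]` that each check extends with its file and attribute, would keep the checks in step. Since `./.` is resolved against the evaluator's working directory, a one-line comment stating that this must be the checkout under evaluation would help the next reader. The enclosing method and each `vec![` start and end outside the visible hunks.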
|
||||
|
|
|
@ -1,6 +1,14 @@
|
|||
let
|
||||
fetchGit = builtins.fetchGit or (path: assert builtins.trace ''
|
||||
error: access to path '/fake' is forbidden in restricted mode
|
||||
'' false; path);
|
||||
|
||||
nix = import <nix/config.nix>;
|
||||
in rec {
|
||||
in
|
||||
|
||||
{ nixpkgs ? fetchGit /fake }:
|
||||
|
||||
rec {
|
||||
success = derivation {
|
||||
name = "success";
|
||||
system = builtins.currentSystem;
|
||||
|
@ -28,6 +36,15 @@ in rec {
|
|||
"echo this ones cool" ];
|
||||
};
|
||||
|
||||
nixpkgs-restricted-mode = derivation {
|
||||
name = "nixpkgs-restricted-mode-fetchgit";
|
||||
system = builtins.currentSystem;
|
||||
builder = nix.shell;
|
||||
args = [
|
||||
"-c"
|
||||
"echo hi; echo ${toString nixpkgs} > $out" ];
|
||||
};
|
||||
|
||||
fails-instantiation = assert builtins.trace ''
|
||||
You just can't frooble the frozz on this particular system.
|
||||
'' false; {};
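Review bot: In `nixpkgs-restricted-mode` the builder command interpolates `${toString nixpkgs}` into the `-c` string without shell quoting, and `$out` is unquoted too, so a checkout path containing spaces or shell metacharacters would be re-parsed by the shell if this derivation were ever built. The Rust test on this page only instantiates it, so this is a robustness point for the fixture rather than a live problem. Passing the value through the environment, `nixpkgsPath = toString nixpkgs;` together with `"echo hi; echo \"$nixpkgsPath\" > \"$out\""`, avoids the re-parsing.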
|
||||
|
|