Merge pull request #189 from LnL7/nixpkgs-restricted-mode
eval-checker: use explicit 'nixpkgs' argument for release.nix expressions
commit
da43bc05b7
|
@ -675,7 +675,7 @@ mod tests {
|
||||||
}
|
}
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
fn instantiation() {
|
fn instantiation_success() {
|
||||||
let ret: Result<File, File> = nix().safely(
|
let ret: Result<File, File> = nix().safely(
|
||||||
Operation::Instantiate,
|
Operation::Instantiate,
|
||||||
passing_eval_path().as_path(),
|
passing_eval_path().as_path(),
|
||||||
|
@ -693,4 +693,23 @@ mod tests {
|
||||||
],
|
],
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn instantiation_nixpkgs_restricted_mode() {
|
||||||
|
let ret: Result<File, File> = nix().safely(
|
||||||
|
Operation::Instantiate,
|
||||||
|
individual_eval_path().as_path(),
|
||||||
|
vec![String::from("-A"), String::from("nixpkgs-restricted-mode")],
|
||||||
|
true,
|
||||||
|
);
|
||||||
|
|
||||||
|
assert_run(
|
||||||
|
ret,
|
||||||
|
Expect::Fail,
|
||||||
|
vec![
|
||||||
|
"access to path '/fake'",
|
||||||
|
"is forbidden in restricted mode",
|
||||||
|
],
|
||||||
|
);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
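Review bot: `instantiation_nixpkgs_restricted_mode` carries no comment saying that `Expect::Fail` is the wanted outcome, so it can be misread as a test of a broken expression rather than a check that evaluation refuses a path outside the checkout. A line above the `#[test]` such as `// No --arg nixpkgs is passed, so the fixture falls back to fetchGit /fake, which restricted evaluation must reject.` would record the intent. The bare `true` passed as the last argument to `safely` would also read better with a short trailing comment naming the parameter; its meaning is not visible in this section.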
@ -348,6 +348,9 @@ impl<E: stats::SysEvents + 'static> worker::SimpleWorker for MassRebuildWorker<E
|
||||||
"nixos-options",
|
"nixos-options",
|
||||||
nix::Operation::Instantiate,
|
nix::Operation::Instantiate,
|
||||||
vec![
|
vec![
|
||||||
|
String::from("--arg"),
|
||||||
|
String::from("nixpkgs"),
|
||||||
|
String::from("./."),
|
||||||
String::from("./nixos/release.nix"),
|
String::from("./nixos/release.nix"),
|
||||||
String::from("-A"),
|
String::from("-A"),
|
||||||
String::from("options"),
|
String::from("options"),
|
||||||
|
@ -359,6 +362,9 @@ impl<E: stats::SysEvents + 'static> worker::SimpleWorker for MassRebuildWorker<E
|
||||||
"nixos-manual",
|
"nixos-manual",
|
||||||
nix::Operation::Instantiate,
|
nix::Operation::Instantiate,
|
||||||
vec![
|
vec![
|
||||||
|
String::from("--arg"),
|
||||||
|
String::from("nixpkgs"),
|
||||||
|
String::from("./."),
|
||||||
String::from("./nixos/release.nix"),
|
String::from("./nixos/release.nix"),
|
||||||
String::from("-A"),
|
String::from("-A"),
|
||||||
String::from("manual"),
|
String::from("manual"),
|
||||||
|
@ -370,6 +376,9 @@ impl<E: stats::SysEvents + 'static> worker::SimpleWorker for MassRebuildWorker<E
|
||||||
"nixpkgs-manual",
|
"nixpkgs-manual",
|
||||||
nix::Operation::Instantiate,
|
nix::Operation::Instantiate,
|
||||||
vec![
|
vec![
|
||||||
|
String::from("--arg"),
|
||||||
|
String::from("nixpkgs"),
|
||||||
|
String::from("./."),
|
||||||
String::from("./pkgs/top-level/release.nix"),
|
String::from("./pkgs/top-level/release.nix"),
|
||||||
String::from("-A"),
|
String::from("-A"),
|
||||||
String::from("manual"),
|
String::from("manual"),
|
||||||
|
@ -381,6 +390,9 @@ impl<E: stats::SysEvents + 'static> worker::SimpleWorker for MassRebuildWorker<E
|
||||||
"nixpkgs-tarball",
|
"nixpkgs-tarball",
|
||||||
nix::Operation::Instantiate,
|
nix::Operation::Instantiate,
|
||||||
vec![
|
vec![
|
||||||
|
String::from("--arg"),
|
||||||
|
String::from("nixpkgs"),
|
||||||
|
String::from("./."),
|
||||||
String::from("./pkgs/top-level/release.nix"),
|
String::from("./pkgs/top-level/release.nix"),
|
||||||
String::from("-A"),
|
String::from("-A"),
|
||||||
String::from("tarball"),
|
String::from("tarball"),
|
||||||
|
@ -392,6 +404,9 @@ impl<E: stats::SysEvents + 'static> worker::SimpleWorker for MassRebuildWorker<E
|
||||||
"nixpkgs-unstable-jobset",
|
"nixpkgs-unstable-jobset",
|
||||||
nix::Operation::Instantiate,
|
nix::Operation::Instantiate,
|
||||||
vec![
|
vec![
|
||||||
|
String::from("--arg"),
|
||||||
|
String::from("nixpkgs"),
|
||||||
|
String::from("./."),
|
||||||
String::from("./pkgs/top-level/release.nix"),
|
String::from("./pkgs/top-level/release.nix"),
|
||||||
String::from("-A"),
|
String::from("-A"),
|
||||||
String::from("unstable"),
|
String::from("unstable"),
|
||||||
|
|
|
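Review bot: The triple `String::from("--arg"), String::from("nixpkgs"), String::from("./.")` is pasted into all five argument lists in this file (nixos-options, nixos-manual, nixpkgs-manual, nixpkgs-tarball, nixpkgs-unstable-jobset) with no comment on why it is there. A comment at the first use, e.g. `// Pass the checkout explicitly: the release.nix default for nixpkgs is apparently rejected under restricted evaluation.`, would keep a later cleanup from dropping it, and a small private helper returning the three strings would remove the repetition. `./.` resolves against the directory nix-instantiate runs in, which these hunks do not show, so it is worth confirming that this is always the checkout being evaluated. The enclosing function starts and ends outside the hunks.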
@ -1,6 +1,14 @@
|
||||||
let
|
let
|
||||||
|
fetchGit = builtins.fetchGit or (path: assert builtins.trace ''
|
||||||
|
error: access to path '/fake' is forbidden in restricted mode
|
||||||
|
'' false; path);
|
||||||
|
|
||||||
nix = import <nix/config.nix>;
|
nix = import <nix/config.nix>;
|
||||||
in rec {
|
in
|
||||||
|
|
||||||
|
{ nixpkgs ? fetchGit /fake }:
|
||||||
|
|
||||||
|
rec {
|
||||||
success = derivation {
|
success = derivation {
|
||||||
name = "success";
|
name = "success";
|
||||||
system = builtins.currentSystem;
|
system = builtins.currentSystem;
|
||||||
|
@ -28,6 +36,15 @@ in rec {
|
||||||
"echo this ones cool" ];
|
"echo this ones cool" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
nixpkgs-restricted-mode = derivation {
|
||||||
|
name = "nixpkgs-restricted-mode-fetchgit";
|
||||||
|
system = builtins.currentSystem;
|
||||||
|
builder = nix.shell;
|
||||||
|
args = [
|
||||||
|
"-c"
|
||||||
|
"echo hi; echo ${toString nixpkgs} > $out" ];
|
||||||
|
};
|
||||||
|
|
||||||
fails-instantiation = assert builtins.trace ''
|
fails-instantiation = assert builtins.trace ''
|
||||||
You just can't frooble the frozz on this particular system.
|
You just can't frooble the frozz on this particular system.
|
||||||
'' false; {};
|
'' false; {};
|
||||||
|
|
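Review bot: The `fetchGit` fallback added at the top of the `let` block prints, through `builtins.trace`, the same text the new Rust test matches (`access to path '/fake'` and `is forbidden in restricted mode`), so on a Nix without `builtins.fetchGit` the test presumably passes without restricted evaluation ever being exercised. If the fallback has to stay for older Nix, its trace text should differ from the real evaluator error, or the test should be skipped there, so that a pass always means the evaluator itself refused the path. A comment above `{ nixpkgs ? fetchGit /fake }:` saying that `/fake` is deliberately outside the allowed paths and that the default mirrors the release.nix pattern would help the next reader.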