base repository: NixOS/ofborg
base: 7d368c2baff1
head repository: NixOS/ofborg
compare: da43bc05b753
  • 3 commits
  • 3 files changed
  • 2 contributors

Commits on Nov 21, 2018

  1. eval-checker: use explicit 'nixpkgs' argument for release.nix express…

    …ions
    
    Using builtins.fetchGit is not allowed in restricted mode, but it's
    desirable for eg. the tarball build. So we avoid it for the evaluation
    checks.
    
    See NixOS/nixpkgs#43042
    LnL7 committed Nov 21, 2018

    Verified

    This commit was signed with the committer’s verified signature. The key has expired.
    rnhmjoj Michele Guerini Rocco
    a30df46 View commit details
  2. Verified

    This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
    b8975bc View commit details

Commits on Nov 22, 2018

  1. Merge pull request #189 from LnL7/nixpkgs-restricted-mode

     eval-checker: use explicit 'nixpkgs' argument for release.nix expressions
    grahamc authored Nov 22, 2018
    da43bc0 View commit details
Showing with 53 additions and 2 deletions.
  1. +20 −1 ofborg/src/nix.rs
  2. +15 −0 ofborg/src/tasks/massrebuilder.rs
  3. +18 −1 ofborg/test-srcs/eval-mixed-failure/default.nix
21 changes: 20 additions & 1 deletion ofborg/src/nix.rs
@@ -675,7 +675,7 @@ mod tests {
}

#[test]
fn instantiation() {
fn instantiation_success() {
let ret: Result<File, File> = nix().safely(
Operation::Instantiate,
passing_eval_path().as_path(),
@@ -693,4 +693,23 @@ mod tests {
],
);
}

#[test]
fn instantiation_nixpkgs_restricted_mode() {
let ret: Result<File, File> = nix().safely(
Operation::Instantiate,
individual_eval_path().as_path(),
vec![String::from("-A"), String::from("nixpkgs-restricted-mode")],
true,
);

assert_run(
ret,
Expect::Fail,
vec![
"access to path '/fake'",
"is forbidden in restricted mode",
],
);
}
}
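Review bot: The new test `instantiation_nixpkgs_restricted_mode` carries no comment linking its expected failure to the fixture, so a reader cannot tell from the test alone why instantiating `nixpkgs-restricted-mode` must fail. I would add above the `safely` call something like `// fixture defaults nixpkgs to fetchGit /fake; instantiation must be refused with the restricted-mode error`. The trailing bare `true` would also benefit from a short inline comment naming what it switches on, since its meaning is not visible at the call site. Whether `safely` itself turns restricted evaluation on is outside these hunks, so the test documents that assumption only if it is written down here.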
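--- a/ofborg/src/tasks/massrebuilder.rs
+++ b/ofborg/src/tasks/massrebuilder.rs
@@ -348,6 +348,9 @@ impl<E: stats::SysEvents + 'static> worker::SimpleWorker for MassRebuildWorker<E
 "nixos-options",
 nix::Operation::Instantiate,
 vec![
+String::from("--arg"),
+String::from("nixpkgs"),
+String::from("./."),
 String::from("./nixos/release.nix"),
 String::from("-A"),
 String::from("options"),
@@ -359,6 +362,9 @@ impl<E: stats::SysEvents + 'static> worker::SimpleWorker for MassRebuildWorker<E
 "nixos-manual",
 nix::Operation::Instantiate,
 vec![
+String::from("--arg"),
+String::from("nixpkgs"),
+String::from("./."),
 String::from("./nixos/release.nix"),
 String::from("-A"),
 String::from("manual"),
@@ -370,6 +376,9 @@ impl<E: stats::SysEvents + 'static> worker::SimpleWorker for MassRebuildWorker<E
 "nixpkgs-manual",
 nix::Operation::Instantiate,
 vec![
+String::from("--arg"),
+String::from("nixpkgs"),
+String::from("./."),
 String::from("./pkgs/top-level/release.nix"),
 String::from("-A"),
 String::from("manual"),
@@ -381,6 +390,9 @@ impl<E: stats::SysEvents + 'static> worker::SimpleWorker for MassRebuildWorker<E
 "nixpkgs-tarball",
 nix::Operation::Instantiate,
 vec![
+String::from("--arg"),
+String::from("nixpkgs"),
+String::from("./."),
 String::from("./pkgs/top-level/release.nix"),
 String::from("-A"),
 String::from("tarball"),
@@ -392,6 +404,9 @@ impl<E: stats::SysEvents + 'static> worker::SimpleWorker for MassRebuildWorker<E
 "nixpkgs-unstable-jobset",
 nix::Operation::Instantiate,
 vec![
+String::from("--arg"),
+String::from("nixpkgs"),
+String::from("./."),
 String::from("./pkgs/top-level/release.nix"),
 String::from("-A"),
 String::from("unstable"),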
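Review bot: The `--arg nixpkgs ./.` triple is pasted into all five argument vectors (nixos-options, nixos-manual, nixpkgs-manual, nixpkgs-tarball, nixpkgs-unstable-jobset) with no comment saying why it has to be there. Going by the commit message it keeps release.nix away from `builtins.fetchGit`, which restricted evaluation refuses, so a later edit that drops it from one vector would break that check silently. I would add `// explicit nixpkgs: release.nix otherwise uses builtins.fetchGit, which restricted mode forbids` above the first occurrence and, as a follow-up, build the three strings in one small helper that every vector reuses. The enclosing function starts and ends outside these hunks, and `./.` presumably resolves against the checkout being evaluated, which is not visible here.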
19 changes: 18 additions & 1 deletion ofborg/test-srcs/eval-mixed-failure/default.nix
@@ -1,6 +1,14 @@
let
fetchGit = builtins.fetchGit or (path: assert builtins.trace ''
error: access to path '/fake' is forbidden in restricted mode
'' false; path);

nix = import <nix/config.nix>;
in rec {
in

{ nixpkgs ? fetchGit /fake }:

rec {
success = derivation {
name = "success";
system = builtins.currentSystem;
@@ -28,6 +36,15 @@ in rec {
"echo this ones cool" ];
};

nixpkgs-restricted-mode = derivation {
name = "nixpkgs-restricted-mode-fetchgit";
system = builtins.currentSystem;
builder = nix.shell;
args = [
"-c"
"echo hi; echo ${toString nixpkgs} > $out" ];
};

fails-instantiation = assert builtins.trace ''
You just can't frooble the frozz on this particular system.
'' false; {};
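Review bot: The `fetchGit` fallback in the `let` block at the top of the file prints, via `builtins.trace`, the same "access to path '/fake' ... is forbidden in restricted mode" text that the Rust test asserts on, so on a Nix without `builtins.fetchGit` the test passes without any restricted-mode check having run. That is a reasonable compatibility shim, but it is undocumented and makes the test look stronger than it is on those versions. I would add a comment above the binding such as `# Nix without builtins.fetchGit: emit the restricted-mode error text by hand; this branch does not exercise restricted mode`. If the supported Nix versions all provide `builtins.fetchGit`, dropping the fallback would make the test fail loudly instead of passing on a synthetic message.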