gexp: Add #:disallowed-references.

* guix/gexp.scm (gexp->derivation): Add #:disallowed-references and
honor it.
* tests/gexp.scm ("gexp->derivation #:disallowed-references, allowed")
("gexp->derivation #:disallowed-references"): New tests.
* doc/guix.texi (G-Expressions): Adjust accordingly.

diff --git a/doc/guix.texi b/doc/guix.texi
index 075839e..913545f 100644 (file)
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -3670,6 +3670,7 @@ information about monads.)
        [#:recursive? #f] [#:env-vars '()] [#:modules '()] @
        [#:module-path @var{%load-path}] @
        [#:references-graphs #f] [#:allowed-references #f] @
+       [#:disallowed-references #f] @
        [#:leaked-env-vars #f] @
        [#:script-name (string-append @var{name} "-builder")] @
        [#:local-build? #f] [#:substitutable? #t] [#:guile-for-build #f]
@@ -3707,6 +3708,8 @@ text format.
 @var{allowed-references} must be either @code{#f} or a list of output names and packages.
 In the latter case, the list denotes store items that the result is allowed to
 refer to.  Any reference to another store item will lead to a build error.
+Similarly for @var{disallowed-references}, which can list items that must not be
+referenced by the outputs.
 
 The other arguments are as for @code{derivation} (@pxref{Derivations}).
 @end deffn

diff --git a/guix/gexp.scm b/guix/gexp.scm
index 87bc316..7cbc79c 100644 (file)
--- a/guix/gexp.scm
+++ b/guix/gexp.scm
@@ -463,7 +463,7 @@ names and file names suitable for the #:allowed-references argument to
                            (guile-for-build (%guile-for-build))
                            (graft? (%graft?))
                            references-graphs
-                           allowed-references
+                           allowed-references disallowed-references
                            leaked-env-vars
                            local-build? (substitutable? #t)
                            (script-name (string-append name "-builder")))
@@ -497,6 +497,8 @@ text format.
 ALLOWED-REFERENCES must be either #f or a list of output names and packages.
 In the latter case, the list denotes store items that the result is allowed to
 refer to.  Any reference to another store item will lead to a build error.
+Similarly for DISALLOWED-REFERENCES, which can list items that must not be
+referenced by the outputs.
 
 The other arguments are as for 'derivation'."
   (define %modules modules)
@@ -557,6 +559,11 @@ The other arguments are as for 'derivation'."
                                                        #:system system
                                                        #:target target)
                                      (return #f)))
+                       (disallowed (if disallowed-references
+                                       (lower-references disallowed-references
+                                                         #:system system
+                                                         #:target target)
+                                       (return #f)))
                        (guile    (if guile-for-build
                                      (return guile-for-build)
                                      (default-guile-derivation system))))
@@ -585,6 +592,7 @@ The other arguments are as for 'derivation'."
                       #:hash hash #:hash-algo hash-algo #:recursive? recursive?
                       #:references-graphs (and=> graphs graphs-file-names)
                       #:allowed-references allowed
+                      #:disallowed-references disallowed
                       #:leaked-env-vars leaked-env-vars
                       #:local-build? local-build?
                       #:substitutable? substitutable?))))

diff --git a/tests/gexp.scm b/tests/gexp.scm
index d343dc3..75b907a 100644 (file)
--- a/tests/gexp.scm
+++ b/tests/gexp.scm
@@ -600,6 +600,30 @@
       (build-derivations %store (list drv))
       #f)))
 
+(test-assertm "gexp->derivation #:disallowed-references, allowed"
+  (mlet %store-monad ((drv (gexp->derivation "disallowed-refs"
+                                             #~(begin
+                                                 (mkdir #$output)
+                                                 (chdir #$output)
+                                                 (symlink #$output "self")
+                                                 (symlink #$%bootstrap-guile
+                                                          "guile"))
+                                             #:disallowed-references '())))
+    (built-derivations (list drv))))
+
+
+(test-assert "gexp->derivation #:disallowed-references"
+  (let ((drv (run-with-store %store
+               (gexp->derivation "disallowed-refs"
+                                 #~(begin
+                                     (mkdir #$output)
+                                     (chdir #$output)
+                                     (symlink #$%bootstrap-guile "guile"))
+                                 #:disallowed-references (list %bootstrap-guile)))))
+    (guard (c ((nix-protocol-error? c) #t))
+      (build-derivations %store (list drv))
+      #f)))
+
 (define shebang
   (string-append "#!" (derivation->output-path (%guile-for-build))
                  "/bin/guile --no-auto-compile"))