path: root/pkgs/by-name/ni/nix-required-mounts/closure.nix
# Use exportReferencesGraph to capture the possible dependencies of the
# drivers (e.g. libc linked through DT_RUNPATH) and ensure they are mounted
# in the sandbox as well. In practice, things seemed to have worked without
# this as well, but we go with the safe option until we understand why.

{
  lib,
  runCommand,
  python3Packages,
  allowedPatterns,
}:
let
  # Store directory with a trailing slash; shared by the name derivation
  # below and by the `storeDir` variable handed to the script.
  storePrefix = "${builtins.storeDir}/";

  # Produce the [ name path ] pair that exportReferencesGraph consumes for a
  # single entry of a pattern's `paths`, or an empty list when the entry is
  # not a path under the store. Entries outside the store therefore get no
  # reference graph from this derivation.
  # NOTE(review): how the script treats those non-store entries is not
  # visible here; confirm it does not widen the mounted set for them.
  referencesFor =
    path:
    let
      rendered = "${path}";
      # Both checks are kept: the prefix test guarantees removePrefix below
      # really strips something, so the export name never contains a "/".
      underStore = lib.isStorePath path && lib.hasPrefix storePrefix rendered;
    in
    if underStore then
      [
        # Has to start with a letter: https://github.com/NixOS/nix/blob/516e7ddc41f39ff939b5d5b5dc71e590f24890d4/src/libstore/build/local-derivation-goal.cc#L568
        "references-${lib.strings.removePrefix storePrefix rendered}"
        path
      ]
    else
      [ ];

  # Flattened name/path list over every pattern, in attribute-name order.
  graphInputs = builtins.concatMap (
    name: builtins.concatMap referencesFor allowedPatterns.${name}.paths
  ) (builtins.attrNames allowedPatterns);
in
# Builds "allowed-patterns.json" by running the closure script with the
# reference graphs of all store paths named in `allowedPatterns`.
# The result decides which extra paths become visible inside the build
# sandbox, so every path added to `allowedPatterns` also pulls in whatever
# its reference graph lists (presumably the full closure; confirm in the
# script).
runCommand "allowed-patterns.json"
  {
    nativeBuildInputs = [ python3Packages.python ];
    exportReferencesGraph = graphInputs;
    env.storeDir = storePrefix;
    # The un-expanded configuration, serialised as JSON and handed to the
    # builder through a file (passAsFile) instead of an environment variable.
    shallowConfig = builtins.toJSON allowedPatterns;
    passAsFile = [ "shallowConfig" ];
  }
  ''
    python ${./scripts/nix_required_mounts_closure.py}
  ''