| author | Ross Burton <ross.burton@arm.com> | 2025-05-01 15:02:34 +0100 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2025-05-05 17:22:11 +0100 |
| commit | 24efa3786c612a6c63ae31e18f74965187bce21f (patch) | |
| tree | b91411ef795a0adfac8a31244e81c1421b5fc382 | |
| parent | e4c9b45a98e406dfa979cec34692c4dde047d367 (diff) | |
| download | poky-24efa3786c612a6c63ae31e18f74965187bce21f.tar.gz | |
classes/yocto-check-layer: add check for tasks that allow network access
Add a new test that checks that no tasks between do_fetch (exclusive)
and do_build (inclusive) are allowed to use the network, with rare
exceptions.
The only exception currently is build-appliance-image's do_image task,
as that currently uses pip to install the required Toaster dependencies.
Note that this will mean layers that have Go-based recipes will fail
unless they're using the gomod fetcher and have a complete list of
modules in the SRC_URI.
(From OE-Core rev: e95b3bd194e294412bc0419c9c74abfc2f37406f)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | meta/classes-global/yocto-check-layer.bbclass | 30 |
1 files changed, 30 insertions, 0 deletions
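--- a/meta/classes-global/yocto-check-layer.bbclass
+++ b/meta/classes-global/yocto-check-layer.bbclass
@@ -27,6 +27,36 @@ def check_insane_skip(d):
 d.setVar("QA_ERRORS_FOUND", "True")
 
 
+# Check that no tasks (with rare exceptions) between do_fetch and do_build
+# use the network.
+def check_network_flag(d):
+# BPN:task names that are allowed to reach the network, using fnmatch to compare.
+allowed = []
+# build-appliance-image uses pip at image time
+allowed += ["build-appliance-image:do_image"]
+
+def is_allowed(bpn, task):
+from fnmatch import fnmatch
+name = f"{bpn}:{task}"
+return any(fnmatch(name, pattern) for pattern in allowed)
+
+bpn = d.getVar("BPN")
+seen = set()
+stack = {"do_build"}
+while stack:
+task = stack.pop()
+if task == "do_fetch":
+continue
+
+seen.add(task)
+deps = d.getVarFlag(task, "deps") or []
+stack |= {d for d in deps if d not in seen}
+
+network = bb.utils.to_boolean(d.getVarFlag(task, "network"))
+if network and not is_allowed(bpn, task):
+bb.error(f"QA Issue: task {task} has network enabled")
+
 python () {
 check_insane_skip(d)
+check_network_flag(d)
 }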
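Review bot: check_network_flag reports a violation with bb.error only, whereas the context line from check_insane_skip just above it also runs `d.setVar("QA_ERRORS_FOUND", "True")`; if the layer check relies on that variable to fail the recipe (check_insane_skip's body starts outside the hunk, so this is inferred), a network-enabled task would be logged but not counted. The message also names only the task, so unless the logger already adds the recipe, something like `bb.error(f"QA Issue: {d.getVar('PN')}: task {task} has network enabled")` would make it actionable. The exemption is matched on `BPN:task` alone, so any recipe in any layer that shares the name build-appliance-image inherits it; a comment on `allowed` saying so would help whoever reviews future entries. In `{d for d in deps if d not in seen}` the loop variable shadows the datastore `d`, and renaming it to `dep` avoids that confusion.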
