diff options
| author | Eelco Dolstra <edolstra@gmail.com> | 2018-11-07T16·08+0100 |
|---|---|---|
| committer | Eelco Dolstra <edolstra@gmail.com> | 2018-11-07T16·08+0100 |
| commit | 812e39313c2bcf8909b83e1e8bc548a85dcd626c (patch) | |
| tree | 74e4b7bffd4db2e6fd3063d8e05da5af7e643610 | |
| parent | 5a3f140856185ae0c6ee9270ad5d5fbc0505e3f2 (diff) | |
Enable sandboxing by default
Closes #179.
| -rw-r--r-- | doc/manual/release-notes/release-notes.xml | 1 | ||||
| -rw-r--r-- | doc/manual/release-notes/rl-2.3.xml | 19 | ||||
| -rw-r--r-- | src/libstore/globals.hh | 8 | ||||
| -rw-r--r-- | tests/common.sh.in | 15 | ||||
| -rw-r--r-- | tests/init.sh | 1 |
5 files changed, 34 insertions, 10 deletions
diff --git a/doc/manual/release-notes/release-notes.xml b/doc/manual/release-notes/release-notes.xml index e8ff586fa43f..2655d68e354b 100644 --- a/doc/manual/release-notes/release-notes.xml +++ b/doc/manual/release-notes/release-notes.xml @@ -12,6 +12,7 @@ </partintro> --> +<xi:include href="rl-2.3.xml" /> <xi:include href="rl-2.2.xml" /> <xi:include href="rl-2.1.xml" /> <xi:include href="rl-2.0.xml" /> diff --git a/doc/manual/release-notes/rl-2.3.xml b/doc/manual/release-notes/rl-2.3.xml new file mode 100644 index 000000000000..6b68fbfd7e7d --- /dev/null +++ b/doc/manual/release-notes/rl-2.3.xml @@ -0,0 +1,19 @@ +<section xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude" + version="5.0" + xml:id="ssec-relnotes-2.3"> + +<title>Release 2.3 (2019-??-??)</title> + +<para>This release has the following changes:</para> + +<itemizedlist> + + <listitem> + <para>Sandbox builds are now enabled by default on Linux.</para> + </listitem> + +</itemizedlist> + +</section> diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh index 6b3e204536f1..53efc6a90fb6 100644 --- a/src/libstore/globals.hh +++ b/src/libstore/globals.hh @@ -195,7 +195,13 @@ public: Setting<bool> showTrace{this, false, "show-trace", "Whether to show a stack trace on evaluation errors."}; - Setting<SandboxMode> sandboxMode{this, smDisabled, "sandbox", + Setting<SandboxMode> sandboxMode{this, + #if __linux__ + smEnabled + #else + smDisabled + #endif + , "sandbox", "Whether to enable sandboxed builds. Can be \"true\", \"false\" or \"relaxed\".", {"build-use-chroot", "build-use-sandbox"}}; diff --git a/tests/common.sh.in b/tests/common.sh.in index 2ee2f589dae4..6a523ca9d832 100644 --- a/tests/common.sh.in +++ b/tests/common.sh.in @@ -85,16 +85,13 @@ killDaemon() { trap "" EXIT } -canUseSandbox() { - if [[ $(uname) != Linux ]]; then return 1; fi - - if [ ! -L /proc/self/ns/user ]; then - echo "Kernel doesn't support user namespaces, skipping this test..." - return 1 - fi +if [[ $(uname) == Linux ]] && [[ -L /proc/self/ns/user ]] && unshare --user true; then + _canUseSandbox=1 +fi - if ! unshare --user true ; then - echo "Unprivileged user namespaces disabled by sysctl, skipping this test..." +canUseSandbox() { + if [[ ! $_canUseSandbox ]]; then + echo "Sandboxing not supported, skipping this test..." return 1 fi diff --git a/tests/init.sh b/tests/init.sh index e5353598bcc4..19a12c1e2d9e 100644 --- a/tests/init.sh +++ b/tests/init.sh @@ -16,6 +16,7 @@ mkdir "$NIX_CONF_DIR" cat > "$NIX_CONF_DIR"/nix.conf <<EOF build-users-group = keep-derivations = false +sandbox = false include nix.conf.extra EOF |