diff options
| author | Dan Peebles <pumpkin@me.com> | 2017-10-17T23·15-0400 |
|---|---|---|
| committer | Dan Peebles <pumpkin@me.com> | 2017-10-17T23·15-0400 |
| commit | 6e5165b77370c76bfa39d4b55e9f83673f3bd466 (patch) | |
| tree | 2647351258a0de9d3b120f61f6687a8b2142dfe0 /src | |
| parent | 1dd29d7aebae706f3e90a18bbfae727f2ed03c70 (diff) | |
Shift Darwin sandbox to separate installed files
This makes it slightly more manageable to see at a glance what in a build's sandbox profile is unique to the build and what is standard. Also a first step to factoring more of our Darwin logic into scheme functions that will allow us a bit more flexibility. And of course less of that nasty codegen in C++! 😀
Diffstat (limited to 'src')
| -rw-r--r-- | src/libstore/build.cc | 14 | ||||
| -rw-r--r-- | src/libstore/local.mk | 10 |
2 files changed, 11 insertions, 13 deletions
diff --git a/src/libstore/build.cc b/src/libstore/build.cc index 64cbc19bd96f..88c51654614a 100644 --- a/src/libstore/build.cc +++ b/src/libstore/build.cc @@ -2774,14 +2774,10 @@ void DerivationGoal::runChild() sandboxProfile += "(deny default (with no-log))\n"; } - sandboxProfile += - #include "sandbox-defaults.sb.gen.hh" - ; + sandboxProfile += "(import \"sandbox-defaults.sb\")"; if (fixedOutput) - sandboxProfile += - #include "sandbox-network.sb.gen.hh" - ; + sandboxProfile += "(import \"sandbox-network.sb\")"; /* Our rwx outputs */ sandboxProfile += "(allow file-read* file-write* process-exec\n"; @@ -2824,9 +2820,7 @@ void DerivationGoal::runChild() sandboxProfile += additionalSandboxProfile; } else - sandboxProfile += - #include "sandbox-minimal.sb.gen.hh" - ; + sandboxProfile += "(import \"sandbox-minimal.sb\")"; debug("Generated sandbox profile:"); debug(sandboxProfile); @@ -2848,6 +2842,8 @@ void DerivationGoal::runChild() args.push_back(sandboxFile); args.push_back("-D"); args.push_back("_GLOBAL_TMP_DIR=" + globalTmpDir); + args.push_back("-D"); + args.push_back("IMPORT_DIR=" + settings.nixDataDir + "/nix/sandbox/"); args.push_back(drv->builder); } #endif diff --git a/src/libstore/local.mk b/src/libstore/local.mk index 36b270f2e078..50c46ce6fe99 100644 --- a/src/libstore/local.mk +++ b/src/libstore/local.mk @@ -10,6 +10,10 @@ libstore_LIBS = libutil libformat libstore_LDFLAGS = $(SQLITE3_LIBS) -lbz2 $(LIBCURL_LIBS) $(SODIUM_LIBS) -pthread +libstore_FILES = sandbox-defaults.sb sandbox-minimal.sb sandbox-network.sb + +$(foreach file,$(libstore_FILES),$(eval $(call install-data-in,$(d)/$(file),$(datadir)/nix/sandbox))) + ifeq ($(ENABLE_S3), 1) libstore_LDFLAGS += -laws-cpp-sdk-s3 -laws-cpp-sdk-core endif @@ -36,9 +40,7 @@ libstore_CXXFLAGS = \ $(d)/local-store.cc: $(d)/schema.sql.gen.hh -sandbox-headers = $(d)/sandbox-defaults.sb.gen.hh $(d)/sandbox-network.sb.gen.hh $(d)/sandbox-minimal.sb.gen.hh - -$(d)/build.cc: $(sandbox-headers) +$(d)/build.cc: %.gen.hh: % @echo 'R"foo(' >> $@.tmp @@ -46,6 +48,6 @@ $(d)/build.cc: $(sandbox-headers) @echo ')foo"' >> $@.tmp @mv $@.tmp $@ -clean-files += $(d)/schema.sql.gen.hh $(sandbox-headers) +clean-files += $(d)/schema.sql.gen.hh $(eval $(call install-file-in, $(d)/nix-store.pc, $(prefix)/lib/pkgconfig, 0644)) |