-rw-r--r--Makefile.config.in2
-rw-r--r--doc/manual/release-notes/rl-1.8.xml2
-rw-r--r--mk/lib.mk4
-rw-r--r--release.nix2
-rwxr-xr-xscripts/resolve-system-dependencies.pl.in2
-rw-r--r--src/libexpr/local.mk5
-rw-r--r--src/libstore/build.cc5
-rw-r--r--src/libstore/local.mk3
-rw-r--r--src/libstore/sandbox-defaults.sb.in63
-rw-r--r--src/nix-daemon/nix-daemon.cc4
10 files changed, 84 insertions, 8 deletions
diff --git a/Makefile.config.in b/Makefile.config.in
index df18e9336d1f..f0de4da37855 100644
--- a/Makefile.config.in
+++ b/Makefile.config.in
@@ -4,10 +4,12 @@ CFLAGS = @CFLAGS@
 CXX = @CXX@
 CXXFLAGS = @CXXFLAGS@
 HAVE_SODIUM = @HAVE_SODIUM@
+LIBCURL_LIBS = @LIBCURL_LIBS@
 OPENSSL_LIBS = @OPENSSL_LIBS@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 SODIUM_LIBS = @SODIUM_LIBS@
+SQLITE3_LIBS = @SQLITE3_LIBS@
 bash = @bash@
 bindir = @bindir@
 bsddiff_compat_include = @bsddiff_compat_include@
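Review bot: `LIBCURL_LIBS = @LIBCURL_LIBS@` and `SQLITE3_LIBS = @SQLITE3_LIBS@` are only filled in if configure already exports both variables, and configure.ac is not among the ten files this commit touches. If either is missing there, the placeholder is left unexpanded or empty and `libstore_LDFLAGS = $(SQLITE3_LIBS) -lbz2 $(LIBCURL_LIBS)` in src/libstore/local.mk loses `-lsqlite3` or `-lcurl`, which shows up only as a link failure. It is worth confirming that both come from a configure check that aborts when the library is absent (for example `PKG_CHECK_MODULES`), so the failure happens at configure time.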
diff --git a/doc/manual/release-notes/rl-1.8.xml b/doc/manual/release-notes/rl-1.8.xml
index e551ee06055f..b7acc1773baa 100644
--- a/doc/manual/release-notes/rl-1.8.xml
+++ b/doc/manual/release-notes/rl-1.8.xml
@@ -60,7 +60,7 @@ $ nix-store -l $(which xterm)
   <listitem><para><command>nix-copy-closure</command> now uses
   <command>nix-store --serve</command> on the remote side to send or
   receive closures. This fixes a race condition between
-  <command>nix-copy-closureE</command> and the garbage
+  <command>nix-copy-closure</command> and the garbage
   collector.</para></listitem>
 
   <listitem><para>Derivations can specify the new special attribute
diff --git a/mk/lib.mk b/mk/lib.mk
index 4ad5c636c8d4..bb82801d3b4e 100644
--- a/mk/lib.mk
+++ b/mk/lib.mk
@@ -61,7 +61,9 @@ ifeq ($(BUILD_SHARED_LIBS), 1)
   endif
   ifneq ($(OS), Darwin)
    ifneq ($(OS), SunOS)
-    GLOBAL_LDFLAGS += -Wl,--no-copy-dt-needed-entries
+    ifneq ($(OS), FreeBSD)
+     GLOBAL_LDFLAGS += -Wl,--no-copy-dt-needed-entries
+    endif
    endif
   endif
   SET_RPATH_TO_LIBS ?= 1
diff --git a/release.nix b/release.nix
index 8935cfa19680..0ee75e9a8b76 100644
--- a/release.nix
+++ b/release.nix
@@ -97,7 +97,7 @@ let
 
         enableParallelBuilding = true;
 
-        __sandboxProfile = lib.sandbox.allowFileRead [
+        sandboxProfile = lib.sandbox.allowFileRead [
           "/etc" "/etc/nix/nix.conf" "/private/etc/nix/nix.conf"
         ];
 
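Review bot: The attribute is renamed to `sandboxProfile`, but the builder code visible in this same commit still reads `get(drv->env, "__sandboxProfile")` in src/libstore/build.cc. Unless the derivation wrapper used here translates `sandboxProfile` into `__sandboxProfile` (not visible in this diff), the extra read permission for `/etc/nix/nix.conf` would silently stop being applied on sandboxed builds. A short comment next to the attribute, e.g. `# mapped to __sandboxProfile by <wrapper>; read in DerivationGoal::startBuilder`, would keep the two names from drifting apart. The surrounding `let` expression starts and ends outside the hunk.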
diff --git a/scripts/resolve-system-dependencies.pl.in b/scripts/resolve-system-dependencies.pl.in
index 23416b75c023..a20f0dc020fe 100755
--- a/scripts/resolve-system-dependencies.pl.in
+++ b/scripts/resolve-system-dependencies.pl.in
@@ -113,7 +113,7 @@ if (defined $ARGV[0]) {
     my $depset = reduce { union($a, $b) } (map { resolve_tree($_, $depcache) } @files);
     print "extra-chroot-dirs\n";
     print join("\n", keys %$depset);
-    print "\n\n";
+    print "\n";
   }
   lock_store($DEPS, $cache);
 } else {
diff --git a/src/libexpr/local.mk b/src/libexpr/local.mk
index d1b1987fb037..5de9ccc6d011 100644
--- a/src/libexpr/local.mk
+++ b/src/libexpr/local.mk
@@ -10,7 +10,10 @@ libexpr_CXXFLAGS := -Wno-deprecated-register
 
 libexpr_LIBS = libutil libstore libformat
 
-libexpr_LDFLAGS = -ldl
+libexpr_LDFLAGS =
+ifneq ($(OS), FreeBSD)
+ libexpr_LDFLAGS += -ldl
+endif
 
 # The dependency on libgc must be propagated (i.e. meaning that
 # programs/libraries that use libexpr must explicitly pass -lgc),
diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index 9614bb1c3eb2..9b6f40f54217 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -1276,6 +1276,8 @@ static bool canBuildLocally(const BasicDerivation & drv)
         || (drv.platform == "i686-linux" && settings.thisSystem == "x86_64-linux")
         || (drv.platform == "armv6l-linux" && settings.thisSystem == "armv7l-linux")
 #endif
+        || (platform == "i686-linux" && settings.thisSystem == "x86_64-freebsd")
+        || (platform == "i686-linux" && settings.thisSystem == "i686-freebsd")
         ;
 }
 
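Review bot: The two added FreeBSD clauses compare an unqualified `platform`, while every other clause in this expression uses `drv.platform`; unless a `platform` variable is declared in the part of canBuildLocally outside this hunk, this will not compile, and if one exists it may not be the derivation's platform. I would write `|| (drv.platform == "i686-linux" && settings.thisSystem == "x86_64-freebsd")` and the same for `"i686-freebsd"`. The clauses also sit after the `#endif`, so they are compiled on every OS, and they assert that a FreeBSD host can run Linux binaries without checking that Linux ABI emulation is available; wrapping them in `#if __FreeBSD__` with a comment stating that assumption would make the intent explicit.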
@@ -1927,7 +1929,7 @@ void DerivationGoal::startBuilder()
 
 #if SANDBOX_ENABLED
         additionalSandboxProfile = get(drv->env, "__sandboxProfile");
-#else
+#endif
         string allowed = settings.get("allowed-impure-host-deps", string(DEFAULT_ALLOWED_IMPURE_PREFIXES));
         PathSet allowedPaths = tokenizeString<StringSet>(allowed);
 
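Review bot: Turning `#else` into `#endif` here, together with the `#endif` dropped in the next hunk, makes the `allowed-impure-host-deps` block run on every platform, including builds where `SANDBOX_ENABLED` is set, but nothing in the code says so. Since the block ends by adding host paths to `dirsInChroot`, a comment above `string allowed = ...` such as `/* Impure host deps are checked against allowed-impure-host-deps on all platforms, sandboxed or not. */` would record the intent. The prefix check itself lies between the two hunks and is not visible; it is worth confirming that it compares canonicalised paths, because it now decides what part of the host a build can see in more configurations than before. startBuilder continues outside both hunks.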
@@ -1953,7 +1955,6 @@ void DerivationGoal::startBuilder()
 
             dirsInChroot[i] = i;
         }
-#endif
 
 #if CHROOT_ENABLED
         /* Create a temporary directory in which we set up the chroot
diff --git a/src/libstore/local.mk b/src/libstore/local.mk
index bf5c256c949e..e78f47949ad3 100644
--- a/src/libstore/local.mk
+++ b/src/libstore/local.mk
@@ -8,7 +8,7 @@ libstore_SOURCES := $(wildcard $(d)/*.cc)
 
 libstore_LIBS = libutil libformat
 
-libstore_LDFLAGS = -lsqlite3 -lbz2 -lcurl
+libstore_LDFLAGS = $(SQLITE3_LIBS) -lbz2 $(LIBCURL_LIBS)
 
 ifeq ($(OS), SunOS)
 	libstore_LDFLAGS += -lsocket
@@ -33,3 +33,4 @@ $(d)/local-store.cc: $(d)/schema.sql.hh
 clean-files += $(d)/schema.sql.hh
 
 $(eval $(call install-file-in, $(d)/nix-store.pc, $(prefix)/lib/pkgconfig, 0644))
+$(eval $(call install-file-in, $(d)/sandbox-defaults.sb, $(datadir)/nix, 0644))
diff --git a/src/libstore/sandbox-defaults.sb.in b/src/libstore/sandbox-defaults.sb.in
new file mode 100644
index 000000000000..b5e80085fbe2
--- /dev/null
+++ b/src/libstore/sandbox-defaults.sb.in
@@ -0,0 +1,63 @@
+(allow file-read* file-write-data (literal "/dev/null"))
+(allow ipc-posix*)
+(allow mach-lookup (global-name "com.apple.SecurityServer"))
+
+(allow file-read*
+       (literal "/dev/dtracehelper")
+       (literal "/dev/tty")
+       (literal "/dev/autofs_nowait")
+       (literal "/System/Library/CoreServices/SystemVersion.plist")
+       (literal "/private/var/run/systemkeychaincheck.done")
+       (literal "/private/etc/protocols")
+       (literal "/private/var/tmp")
+       (literal "/private/var/db")
+       (subpath "/private/var/db/mds"))
+
+(allow file-read*
+       (subpath "/usr/share/icu")
+       (subpath "/usr/share/locale")
+       (subpath "/usr/share/zoneinfo"))
+
+(allow file-write*
+       (literal "/dev/tty")
+       (literal "/dev/dtracehelper")
+       (literal "/mds"))
+
+(allow file-ioctl (literal "/dev/dtracehelper"))
+
+(allow file-read-metadata
+       (literal "/var")
+       (literal "/tmp")
+       ; symlinks
+       (literal "@sysconfdir@")
+       (literal "@sysconfdir@/nix")
+       (literal "@sysconfdir@/nix/nix.conf")
+       (literal "/etc/resolv.conf")
+       (literal "/private/etc/resolv.conf"))
+
+(allow file-read*
+       (literal "/private@sysconfdir@/nix/nix.conf")
+       (literal "/private/var/run/resolv.conf"))
+
+; some builders use filehandles other than stdin/stdout
+(allow file*
+        (subpath "/dev/fd")
+        (literal "/dev/ptmx")
+        (regex #"^/dev/[pt]ty.*$"))
+
+; allow everything inside TMP
+(allow file* process-exec
+       (subpath (param "_GLOBAL_TMP_DIR"))
+       (subpath "/private/tmp"))
+
+(allow process-fork)
+(allow sysctl-read)
+(allow signal (target same-sandbox))
+
+; allow getpwuid (for git and other packages)
+(allow mach-lookup
+       (global-name "com.apple.system.notification_center")
+       (global-name "com.apple.system.opendirectoryd.libinfo"))
+
+; allow local networking
+(allow network* (local ip) (remote unix-socket))
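Review bot: The rule `(allow file* process-exec ... (subpath "/private/tmp"))` opens the host's shared temporary directory for reading, writing and executing, so a build can see and run files left there by other builds or users. If builders do not depend on it, I would reduce the rule to `(allow file* process-exec (subpath (param "_GLOBAL_TMP_DIR")))` and grant `/private/tmp` at most `file-read-metadata`. The last rule is commented as local networking, but `(remote unix-socket)` permits connecting to any Unix-domain socket on the host and `(local ip)` may match more than loopback, so the comment should state the intended scope; the unrestricted `(allow ipc-posix*)` deserves the same kind of justification. The file has no `(version 1)` or `(deny default)` of its own, so a header comment saying that the caller supplies them would prevent it from being loaded as a stand-alone profile by mistake.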
diff --git a/src/nix-daemon/nix-daemon.cc b/src/nix-daemon/nix-daemon.cc
index b4d1401d95cf..e97d1dab17b2 100644
--- a/src/nix-daemon/nix-daemon.cc
+++ b/src/nix-daemon/nix-daemon.cc
@@ -692,6 +692,10 @@ static PeerInfo getPeerInfo(int remote)
 
 #elif defined(LOCAL_PEERCRED)
 
+#if !defined(SOL_LOCAL)
+#define SOL_LOCAL 0
+#endif
+
     xucred cred;
     socklen_t credLen = sizeof(cred);
     if (getsockopt(remote, SOL_LOCAL, LOCAL_PEERCRED, &cred, &credLen) == -1)
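Review bot: The fallback `#define SOL_LOCAL 0` is an unexplained magic number defined in the middle of getPeerInfo, and it stays defined for the rest of the translation unit. I would move the three lines next to the includes with a comment such as `/* Older BSD headers lack SOL_LOCAL; LOCAL_PEERCRED is then queried at level 0. */`. Because the credentials returned here identify the connecting client to the daemon, the code after `getsockopt` (outside this hunk) should also reject a reply whose `cred.cr_version` is not `XUCRED_VERSION`, if it does not already.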