about summary refs log tree commit diff
AgeCommit message (Collapse)AuthorFilesLines
2017-06-06 Always use the Darwin sandboxEelco Dolstra5-86/+99
Even with "build-use-sandbox = false", we now use sandboxing with a permissive profile that allows everything except the creation of setuid/setgid binaries.
2017-06-06 Merge pull request #1399 from Mic92/masterEelco Dolstra1-0/+26
Add .editorconfig
2017-06-05 Add .editorconfigJörg Thalheim1-0/+26
- Automatically adjust editor to nix coding style -> less nitpiks/styling issues in pull requests -> profit(!) see also nixpkgs' editorconfig: https://github.com/NixOS/nixpkgs/blob/master/.editorconfig
2017-06-01 Fix coverage jobEelco Dolstra1-1/+1
2017-06-01 RPM, Deb: Add dependency on libseccompEelco Dolstra2-3/+5
2017-05-31 Remove listxattr assertionEelco Dolstra1-2/+0
It appears that sometimes, listxattr() returns a different value for the query case (i.e. when the buffer size is 0).
2017-05-31 OS X sandbox: Improve builtin sandbox profileEelco Dolstra5-59/+77
Also, add rules to allow fixed-output derivations to access the network. These rules are sufficient to build stdenvDarwin without any __sandboxProfile magic.
2017-05-31 resolve-system-dependencies: Misc fixesEelco Dolstra1-22/+20
This fixes Could not find any mach64 blobs in file ‘/usr/lib/libSystem.B.dylib’, continuing...
2017-05-31 resolve-system-dependencies: SimplifyEelco Dolstra1-10/+1
2017-05-31 OS X sandbox: Don't use a deterministic $TMPDIREelco Dolstra1-3/+0
This doesn't work because the OS X sandbox cannot bind-mount path to a different location.
2017-05-31 OS X sandbox: Store .sb file in $TMPDIR rather than the Nix storeEelco Dolstra1-4/+1
The filename used was not unique and owned by the build user, so builds could fail with error: while setting up the build environment: cannot unlink ‘/nix/store/99i210ihnsjacajaw8r33fmgjvzpg6nr-bison-3.0.4.drv.sb’: Permission denied
2017-05-30 resolve-system-dependencies: Fix another segfaultEelco Dolstra1-0/+5
runResolver() was barfing on directories like /System/Library/Frameworks/Security.framework/Versions/Current/PlugIns. It should probably do something sophisticated for frameworks, but let's ignore them for now.
2017-05-30 Darwin sandbox: Use sandbox-defaults.sbEelco Dolstra5-16/+19
Issue #759. Also, remove nix.conf from the sandbox since I don't really see a legitimate reason for builders to access the Nix configuration.
2017-05-30 Darwin sandbox: Disallow creating setuid/setgid binariesEelco Dolstra1-0/+4
Suggested by Daiderd Jordan.
2017-05-30 resolve-system-dependencies: Several fixesEelco Dolstra1-53/+65
This fixes error: getting attributes of path ‘Versions/Current/CoreFoundation’: No such file or directory when /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation is a symlink. Also fixes a segfault when encounting a file that is not a MACH binary (such as /dev/null, which is included in __impureHostDeps in Nixpkgs). Possibly fixes #786.
2017-05-30 Only pass --with-sandbox-shell on LinuxEelco Dolstra1-0/+1
2017-05-30 Fix seccomp build failure on clangEelco Dolstra1-3/+3
Fixes src/libstore/build.cc:2321:45: error: non-constant-expression cannot be narrowed from type 'int' to 'scmp_datum_t' (aka 'unsigned long') in initializer list [-Wc++11-narrowing]
2017-05-30 Shut up some clang warningsEelco Dolstra1-7/+7
2017-05-30 Add a seccomp rule to disallow setxattr()Eelco Dolstra1-1/+9
2017-05-30 canonicalisePathMetaData(): Remove extended attributes / ACLsEelco Dolstra1-0/+22
EAs/ACLs are not part of the NAR canonicalisation. Worse, setting an ACL allows a builder to create writable files in the Nix store. So get rid of them. Closes #185.
2017-05-30 Require seccomp only in multi-user setupsEelco Dolstra1-1/+5
2017-05-29 Add test for setuid seccomp filterEelco Dolstra2-0/+113
2017-05-29 Fix seccomp initialisation on i686-linuxEelco Dolstra1-1/+2
2017-05-29 Add a seccomp filter to prevent creating setuid/setgid binariesEelco Dolstra5-1/+54
This prevents builders from setting the S_ISUID or S_ISGID bits, preventing users from using a nixbld* user to create a setuid/setgid binary to interfere with subsequent builds under the same nixbld* uid. This is based on aszlig's seccomp code (47f587700d646f5b03a42f2fa57c28875a31efbe). Reported by Linus Heckemann.
2017-05-29 Fix nix-copy-closure testEelco Dolstra1-0/+1
Fixes client# error: size mismatch importing path ‘/nix/store/ywf5fihjlxwijm6ygh6s0a353b5yvq4d-libidn2-0.16’; expected 0, got 120264 This is mostly an artifact of the NixOS VM test environment, where the Nix database doesn't contain hashes/sizes. http://hydra.nixos.org/build/53537471
2017-05-29 Fix build failure on Debian/UbuntuEelco Dolstra3-2/+2
http://hydra.nixos.org/build/53537463
2017-05-29 Fix typoEelco Dolstra1-1/+1
2017-05-29 Merge pull request #1393 from pyrtsa/patch-1Eelco Dolstra1-1/+1
Fix variable name typo in derivations doc
2017-05-29 Merge pull request #1394 from pyrtsa/patch-2Eelco Dolstra1-1/+1
Remove stray `>` in builtins doc
2017-05-28 Remove stray `>` in builtins docPyry Jahkola1-1/+1
2017-05-28 Fix variable name typo in derivations docPyry Jahkola1-1/+1
2017-05-24 Fix #1314Eelco Dolstra1-1/+2
Also, make nix-shell respect --option. (Previously it only passed it along to nix-instantiate and nix-build.)
2017-05-24 Merge branch 'topic/cores-master' of https://github.com/neilmayhew/nixEelco Dolstra1-0/+1
2017-05-24 Merge pull request #1376 from Mic92/patch-1Eelco Dolstra1-1/+1
nix-profile.sh: remove sbin from PATH
2017-05-24 Fix #1380Eelco Dolstra1-1/+1
It lacked a backslash. Use a raw string and single quotes around PS1 to simplify this.
2017-05-24 Merge branch 'prompt-terminator' of https://github.com/lheckemann/nixEelco Dolstra1-1/+1
2017-05-24 Merge pull request #1382 from FRidh/patch-1Eelco Dolstra1-0/+18
Document fetchTarball can take a sha256
2017-05-24 Merge branch 'nar-accessor-tree' of https://github.com/bennofs/nixEelco Dolstra4-34/+123
2017-05-17 Document that builtins.match takes a POSIX extended REEelco Dolstra2-4/+13
2017-05-17 builtins.match: Improve error message for bad regular expressionEelco Dolstra1-16/+23
Issue #1331.
2017-05-16 Improve progress indicatorEelco Dolstra26-168/+339
2017-05-15 nar-accessor.cc: remove unused member NarIndexer::currentNameBenno Fünfstück1-2/+1
2017-05-15 nar-accessor: non-recursive NarMember::findBenno Fünfstück1-21/+21
This avoids a possible stack overflow if directories are very deeply nested.
2017-05-15 Simplify fixed-output checkEelco Dolstra1-6/+2
2017-05-15 Disallow outputHash being null or an empty stringEelco Dolstra1-4/+5
Fixes #1384.
2017-05-15 Add --with-sandbox-shell configure flagEelco Dolstra7-12/+38
And add a 116 KiB ash shell from busybox to the release build. This helps to make sandbox builds work out of the box on non-NixOS systems and with diverted stores.
2017-05-15 Linux sandbox: Don't barf on invalid pathsEelco Dolstra1-0/+1
This is useful when we're using a diverted store (e.g. "--store local?root=/tmp/nix") in conjunction with a statically-linked sh from the host store (e.g. "sandbox-paths =/bin/sh=/nix/store/.../bin/busybox").
2017-05-15 Make fmt() non-recursiveEelco Dolstra2-12/+7
2017-05-15 nar-archive.cc: add tests for the nar indexBenno Fünfstück3-1/+48
2017-05-15 Merge pull request #1387 from bennofs/nix-ls-slashEelco Dolstra1-0/+4
nix ls: support '/' for the root directory