Age | Commit message | Author | Files | Lines | |
---|---|---|---|---|---|
2017-06-06 | Always use the Darwin sandbox | Eelco Dolstra | 5 | -86/+99 | |
Even with "build-use-sandbox = false", we now use sandboxing with a permissive profile that allows everything except the creation of setuid/setgid binaries. | |||||
2017-06-06 | Merge pull request #1399 from Mic92/master | Eelco Dolstra | 1 | -0/+26 | |
Add .editorconfig | |||||
2017-06-05 | Add .editorconfig | Jörg Thalheim | 1 | -0/+26 | |
- Automatically adjust editor to nix coding style -> less nitpicks/styling issues in pull requests -> profit(!) see also nixpkgs' editorconfig: https://github.com/NixOS/nixpkgs/blob/master/.editorconfig | |||||
2017-06-01 | Fix coverage job | Eelco Dolstra | 1 | -1/+1 | |
2017-06-01 | RPM, Deb: Add dependency on libseccomp | Eelco Dolstra | 2 | -3/+5 | |
2017-05-31 | Remove listxattr assertion | Eelco Dolstra | 1 | -2/+0 | |
It appears that sometimes, listxattr() returns a different value for the query case (i.e. when the buffer size is 0). | |||||
2017-05-31 | OS X sandbox: Improve builtin sandbox profile | Eelco Dolstra | 5 | -59/+77 | |
Also, add rules to allow fixed-output derivations to access the network. These rules are sufficient to build stdenvDarwin without any __sandboxProfile magic. | |||||
2017-05-31 | resolve-system-dependencies: Misc fixes | Eelco Dolstra | 1 | -22/+20 | |
This fixes Could not find any mach64 blobs in file ‘/usr/lib/libSystem.B.dylib’, continuing... | |||||
2017-05-31 | resolve-system-dependencies: Simplify | Eelco Dolstra | 1 | -10/+1 | |
2017-05-31 | OS X sandbox: Don't use a deterministic $TMPDIR | Eelco Dolstra | 1 | -3/+0 | |
This doesn't work because the OS X sandbox cannot bind-mount path to a different location. | |||||
2017-05-31 | OS X sandbox: Store .sb file in $TMPDIR rather than the Nix store | Eelco Dolstra | 1 | -4/+1 | |
The filename used was not unique and owned by the build user, so builds could fail with error: while setting up the build environment: cannot unlink ‘/nix/store/99i210ihnsjacajaw8r33fmgjvzpg6nr-bison-3.0.4.drv.sb’: Permission denied | |||||
2017-05-30 | resolve-system-dependencies: Fix another segfault | Eelco Dolstra | 1 | -0/+5 | |
runResolver() was barfing on directories like /System/Library/Frameworks/Security.framework/Versions/Current/PlugIns. It should probably do something sophisticated for frameworks, but let's ignore them for now. | |||||
2017-05-30 | Darwin sandbox: Use sandbox-defaults.sb | Eelco Dolstra | 5 | -16/+19 | |
Issue #759. Also, remove nix.conf from the sandbox since I don't really see a legitimate reason for builders to access the Nix configuration. | |||||
2017-05-30 | Darwin sandbox: Disallow creating setuid/setgid binaries | Eelco Dolstra | 1 | -0/+4 | |
Suggested by Daiderd Jordan. | |||||
2017-05-30 | resolve-system-dependencies: Several fixes | Eelco Dolstra | 1 | -53/+65 | |
This fixes error: getting attributes of path ‘Versions/Current/CoreFoundation’: No such file or directory when /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation is a symlink. Also fixes a segfault when encountering a file that is not a MACH binary (such as /dev/null, which is included in __impureHostDeps in Nixpkgs). Possibly fixes #786. | |||||
2017-05-30 | Only pass --with-sandbox-shell on Linux | Eelco Dolstra | 1 | -0/+1 | |
2017-05-30 | Fix seccomp build failure on clang | Eelco Dolstra | 1 | -3/+3 | |
Fixes src/libstore/build.cc:2321:45: error: non-constant-expression cannot be narrowed from type 'int' to 'scmp_datum_t' (aka 'unsigned long') in initializer list [-Wc++11-narrowing] | |||||
2017-05-30 | Shut up some clang warnings | Eelco Dolstra | 1 | -7/+7 | |
2017-05-30 | Add a seccomp rule to disallow setxattr() | Eelco Dolstra | 1 | -1/+9 | |
2017-05-30 | canonicalisePathMetaData(): Remove extended attributes / ACLs | Eelco Dolstra | 1 | -0/+22 | |
EAs/ACLs are not part of the NAR canonicalisation. Worse, setting an ACL allows a builder to create writable files in the Nix store. So get rid of them. Closes #185. | |||||
2017-05-30 | Require seccomp only in multi-user setups | Eelco Dolstra | 1 | -1/+5 | |
2017-05-29 | Add test for setuid seccomp filter | Eelco Dolstra | 2 | -0/+113 | |
2017-05-29 | Fix seccomp initialisation on i686-linux | Eelco Dolstra | 1 | -1/+2 | |
2017-05-29 | Add a seccomp filter to prevent creating setuid/setgid binaries | Eelco Dolstra | 5 | -1/+54 | |
This prevents builders from setting the S_ISUID or S_ISGID bits, preventing users from using a nixbld* user to create a setuid/setgid binary to interfere with subsequent builds under the same nixbld* uid. This is based on aszlig's seccomp code (47f587700d646f5b03a42f2fa57c28875a31efbe). Reported by Linus Heckemann. | |||||
2017-05-29 | Fix nix-copy-closure test | Eelco Dolstra | 1 | -0/+1 | |
Fixes client# error: size mismatch importing path ‘/nix/store/ywf5fihjlxwijm6ygh6s0a353b5yvq4d-libidn2-0.16’; expected 0, got 120264 This is mostly an artifact of the NixOS VM test environment, where the Nix database doesn't contain hashes/sizes. http://hydra.nixos.org/build/53537471 | |||||
2017-05-29 | Fix build failure on Debian/Ubuntu | Eelco Dolstra | 3 | -2/+2 | |
http://hydra.nixos.org/build/53537463 | |||||
2017-05-29 | Fix typo | Eelco Dolstra | 1 | -1/+1 | |
2017-05-29 | Merge pull request #1393 from pyrtsa/patch-1 | Eelco Dolstra | 1 | -1/+1 | |
Fix variable name typo in derivations doc | |||||
2017-05-29 | Merge pull request #1394 from pyrtsa/patch-2 | Eelco Dolstra | 1 | -1/+1 | |
Remove stray `>` in builtins doc | |||||
2017-05-28 | Remove stray `>` in builtins doc | Pyry Jahkola | 1 | -1/+1 | |
2017-05-28 | Fix variable name typo in derivations doc | Pyry Jahkola | 1 | -1/+1 | |
2017-05-24 | Fix #1314 | Eelco Dolstra | 1 | -1/+2 | |
Also, make nix-shell respect --option. (Previously it only passed it along to nix-instantiate and nix-build.) | |||||
2017-05-24 | Merge branch 'topic/cores-master' of https://github.com/neilmayhew/nix | Eelco Dolstra | 1 | -0/+1 | |
2017-05-24 | Merge pull request #1376 from Mic92/patch-1 | Eelco Dolstra | 1 | -1/+1 | |
nix-profile.sh: remove sbin from PATH | |||||
2017-05-24 | Fix #1380 | Eelco Dolstra | 1 | -1/+1 | |
It lacked a backslash. Use a raw string and single quotes around PS1 to simplify this. | |||||
2017-05-24 | Merge branch 'prompt-terminator' of https://github.com/lheckemann/nix | Eelco Dolstra | 1 | -1/+1 | |
2017-05-24 | Merge pull request #1382 from FRidh/patch-1 | Eelco Dolstra | 1 | -0/+18 | |
Document fetchTarball can take a sha256 | |||||
2017-05-24 | Merge branch 'nar-accessor-tree' of https://github.com/bennofs/nix | Eelco Dolstra | 4 | -34/+123 | |
2017-05-17 | Document that builtins.match takes a POSIX extended RE | Eelco Dolstra | 2 | -4/+13 | |
2017-05-17 | builtins.match: Improve error message for bad regular expression | Eelco Dolstra | 1 | -16/+23 | |
Issue #1331. | |||||
2017-05-16 | Improve progress indicator | Eelco Dolstra | 26 | -168/+339 | |
2017-05-15 | nar-accessor.cc: remove unused member NarIndexer::currentName | Benno Fünfstück | 1 | -2/+1 | |
2017-05-15 | nar-accessor: non-recursive NarMember::find | Benno Fünfstück | 1 | -21/+21 | |
This avoids a possible stack overflow if directories are very deeply nested. | |||||
2017-05-15 | Simplify fixed-output check | Eelco Dolstra | 1 | -6/+2 | |
2017-05-15 | Disallow outputHash being null or an empty string | Eelco Dolstra | 1 | -4/+5 | |
Fixes #1384. | |||||
2017-05-15 | Add --with-sandbox-shell configure flag | Eelco Dolstra | 7 | -12/+38 | |
And add a 116 KiB ash shell from busybox to the release build. This helps to make sandbox builds work out of the box on non-NixOS systems and with diverted stores. | |||||
2017-05-15 | Linux sandbox: Don't barf on invalid paths | Eelco Dolstra | 1 | -0/+1 | |
This is useful when we're using a diverted store (e.g. "--store local?root=/tmp/nix") in conjunction with a statically-linked sh from the host store (e.g. "sandbox-paths =/bin/sh=/nix/store/.../bin/busybox"). | |||||
2017-05-15 | Make fmt() non-recursive | Eelco Dolstra | 2 | -12/+7 | |
2017-05-15 | nar-archive.cc: add tests for the nar index | Benno Fünfstück | 3 | -1/+48 | |
2017-05-15 | Merge pull request #1387 from bennofs/nix-ls-slash | Eelco Dolstra | 1 | -0/+4 | |
nix ls: support '/' for the root directory |