Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
This prevents builders from setting the S_ISUID or S_ISGID bits,
preventing users from using a nixbld* user to create a setuid/setgid
binary to interfere with subsequent builds under the same nixbld* uid.
This is based on aszlig's seccomp code
(47f587700d646f5b03a42f2fa57c28875a31efbe).
Reported by Linus Heckemann.
|
|
And add a 116 KiB ash shell from busybox to the release build. This
helps to make sandbox builds work out of the box on non-NixOS systems
and with diverted stores.
|
|
Using linenoise avoids a license compatibility issue (#1356), is a lot
smaller and doesn't pull in ncurses.
|
|
http://hydra.nixos.org/build/52420073
|
|
http://hydra.nixos.org/build/52401151
|
|
|
|
|
|
|
|
Somehow this came back after d1da6967b8891763ce04d668027cf300c9bbf0b2.
|
|
|
|
|
|
|
|
Build logs on cache.nixos.org are compressed using Brotli (since this
allows them to be decompressed automatically by Chrome and Firefox),
so it's handy if "nix log" can decompress them.
|
|
|
|
|
|
http://hydra.nixos.org/build/49130529
|
|
|
|
|
|
|
|
Disabled hardened build because it makes the linker fail with messages like
relocation R_X86_64_PC32 against undefined symbol `BZ2_bzWriteOpen' can not be used when making a shared object; recompile with -fPIC
See https://fedoraproject.org/wiki/Changes/Harden_All_Packages.
|
|
|
|
Fixes #341
|
|
|
|
This reverts commit 9f3f2e21edb17dbcd674539dff96efb6cceca10c, reversing
changes made to 47f587700d646f5b03a42f2fa57c28875a31efbe.
|
|
|
|
|
|
Right now it only tests whether seccomp correctly forges the return
value of chown, but the long-term goal is to test the full sandboxing
functionality at some point in the future.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
|
|
We're going to use libseccomp instead of creating the raw BPF program,
because we have different syscall numbers on different architectures.
Although our initial seccomp rules will be quite small it really doesn't
make sense to generate the raw BPF program because we need to duplicate
it and/or make branches on every single architecture we want to suuport.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
|
|
The SSHStore PR adds this functionality to the daemon, but we have to
handle the case where the Nix daemon is 1.11.
Also, don't require signatures for trusted users. This restores 1.11
behaviour.
Fixes https://github.com/NixOS/hydra/issues/398.
|
|
These don't support regex_replace either.
|
|
These don't support regex_replace.
http://hydra.nixos.org/build/39363999
http://hydra.nixos.org/build/39363981
|
|
This variable has no reason to exist, given $NIX_STATE_DIR.
|
|
http://hydra.nixos.org/build/36462209
|
|
|
|
http://hydra.nixos.org/build/36462150
|
|
Apparently opinion is divided on whether [[noreturn]] is allowed on a
lambda: http://stackoverflow.com/questions/26888805/how-to-declare-a-lambdas-operator-as-noreturn
http://hydra.nixos.org/build/36462100
|
|
|
|
add Ubuntu 16.03 .deb builds
|
|
|
|
This allows running arbitrary Nix commands against an S3 binary cache.
To do: make this a compile time option to prevent a dependency on
aws-sdk-cpp.
|
|
More spring cleaning.
|
|
The issues have been resolved upstream in the main nixpkgs channel now
|
|
|
|
|
|
|
|
|
|
|
|
This was observed in the deb_debian7x86_64 build:
http://hydra.nixos.org/build/29973215
Calling c_str() on a temporary should be fine because the temporary
shouldn't be destroyed until after the execl() call, but who knows...
|
|
Otherwise nix-env fails to start if it is not installed
|