I'm seeing hangs in Glibc's setxid_mark_thread() again. This is
probably because the use of an intermediate process to make clone()
safe from a multi-threaded program (see
524f89f1399724e596f61faba2c6861b1bb7b9c5) is defeated by the use of
vfork(), since the intermediate process will have a copy of Glibc's
threading data structures due to the vfork(). So use a regular fork()
again.
Make the default impure prefix include all of /System/Library
of /System/Library, since we also want PrivateFrameworks from there and (briefly) TextEncodings, and who knows what else. Yay infectious impurities?
If ‘build-use-chroot’ is set to ‘true’, fixed-output derivations are
now also chrooted. However, unlike normal derivations, they don't get
a private network namespace, so they can still access the
network. Also, the use of the ‘__noChroot’ derivation attribute is
no longer allowed.
Setting ‘build-use-chroot’ to ‘relaxed’ gives the old behaviour.
Closes #473.
chroot only changes the process root directory, not the mount namespace root
directory, and it is well-known that any process with chroot capability can
break out of a chroot "jail". By using pivot_root as well, and unmounting the
original mount namespace root directory, breaking out becomes impossible.
Non-root processes typically have no ability to use chroot() anyway, but they
can gain that capability through the use of clone() or unshare(). For security
reasons, these syscalls are limited in functionality when used inside a normal
chroot environment. Using pivot_root() this way does allow those syscalls to be
put to their full use.
Fixes #453
due to user permissions)
These directories are generally world-readable anyway, and give us the two
most common Linux impurities (env and sh).
Since these come from untrusted users, we shouldn't do any I/O on them
before we've checked that they're in an allowed prefix.
I.e., not readable to the nixbld group. This improves purity a bit for
non-chroot builds, because it prevents a builder from enumerating
store paths (i.e. it can only access paths it knows about).
Fixes #433.
http://hydra.nixos.org/build/17862041
This broke building with "-vv", because the builder is not allowed to
write to stderr at this point.
Derivations are now built in order of derivation name, so a package
named "aardvark" is built before "baboon".
Fixes #399.
This gives 32-bit builds on x86_64-linux more memory.
This is no longer the case since
524f89f1399724e596f61faba2c6861b1bb7b9c5.
For the "stdenv accidentally referring to bootstrap-tools", it seems
easier to specify the path that we don't want to depend on, e.g.
disallowedRequisites = [ bootstrapTools ];
It turns out that using clone() to start a child process is unsafe in
a multithreaded program. It can cause the initialisation of a build
child process to hang in setgroups(), as seen several times in the
build farm:
The reason is that Glibc thinks that the other threads of the parent
exist in the child, so in setxid_mark_thread() it tries to get a futex
that has been acquired by another thread just before the clone(). With
fork(), Glibc runs pthread_atfork() handlers that take care of this
(in particular, __reclaim_stacks()). But clone() doesn't do that.
Fortunately, we can use fork()+unshare() instead of clone() to set up
private namespaces.
See also https://www.mail-archive.com/lxc-devel@lists.linuxcontainers.org/msg03434.html.
The Nixpkgs stdenv prints some custom escape sequences to denote
nesting and stuff like that. Most terminals (e.g. xterm, konsole)
ignore them, but some do not (e.g. xfce4-terminal). So for the benefit
of the latter, filter them out.
This is useful for extending (rather than overriding) the default set
of chroot paths.
This ensures that daemon clients see error messages from the chroot
setup.
Fixes NixOS/nixpkgs#3410.