path: root/src/libstore/local.mk
Age | Commit message | Author | Files | Lines
2017-10-17 | Shift Darwin sandbox to separate installed files | Dan Peebles | 1 | -4/+6
This makes it slightly more manageable to see at a glance what in a build's sandbox profile is unique to the build and what is standard. Also a first step to factoring more of our Darwin logic into scheme functions that will allow us a bit more flexibility. And of course less of that nasty codegen in C++! 😀
2017-06-06 | Always use the Darwin sandbox | Eelco Dolstra | 1 | -2/+4
Even with "build-use-sandbox = false", we now use sandboxing with a permissive profile that allows everything except the creation of setuid/setgid binaries.
2017-05-31 | OS X sandbox: Improve builtin sandbox profile | Eelco Dolstra | 1 | -6/+6
Also, add rules to allow fixed-output derivations to access the network. These rules are sufficient to build stdenvDarwin without any __sandboxProfile magic.
2017-05-30 | Darwin sandbox: Use sandbox-defaults.sb | Eelco Dolstra | 1 | -5/+9
Issue #759. Also, remove nix.conf from the sandbox since I don't really see a legitimate reason for builders to access the Nix configuration.
2017-05-29 | Add a seccomp filter to prevent creating setuid/setgid binaries | Eelco Dolstra | 1 | -0/+4
This prevents builders from setting the S_ISUID or S_ISGID bits, preventing users from using a nixbld* user to create a setuid/setgid binary to interfere with subsequent builds under the same nixbld* uid. This is based on aszlig's seccomp code (47f587700d646f5b03a42f2fa57c28875a31efbe). Reported by Linus Heckemann.
2017-05-15 | Add --with-sandbox-shell configure flag | Eelco Dolstra | 1 | -1/+1
And add a 116 KiB ash shell from busybox to the release build. This helps to make sandbox builds work out of the box on non-NixOS systems and with diverted stores.
2017-04-20 | Detect lsof | Eelco Dolstra | 1 | -1/+2
Also, don't use lsof on Linux since it's not needed. Fixes #1328.
2016-12-19 | Revert "Merge branch 'seccomp' of https://github.com/aszlig/nix" | Eelco Dolstra | 1 | -4/+0
This reverts commit 9f3f2e21edb17dbcd674539dff96efb6cceca10c, reversing changes made to 47f587700d646f5b03a42f2fa57c28875a31efbe.
2016-11-16 | Add build dependency for libseccomp | aszlig | 1 | -0/+4
We're going to use libseccomp instead of creating the raw BPF program, because we have different syscall numbers on different architectures. Although our initial seccomp rules will be quite small it really doesn't make sense to generate the raw BPF program because we need to duplicate it and/or make branches on every single architecture we want to support.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-05-04 | Make the aws-cpp-sdk dependency optional | Eelco Dolstra | 1 | -1/+5
2016-04-29 | Eliminate the substituter mechanism | Eelco Dolstra | 1 | -1/+1
Substitution is now simply a Store -> Store copy operation, most typically from BinaryCacheStore to LocalStore.
2016-04-21 | Move S3BinaryCacheStore from Hydra | Eelco Dolstra | 1 | -1/+1
This allows running arbitrary Nix commands against an S3 binary cache. To do: make this a compile time option to prevent a dependency on aws-sdk-cpp.
2016-02-16 | Add C++ functions for .narinfo processing / signing | Eelco Dolstra | 1 | -1/+1
This is currently only used by the Hydra queue runner rework, but like eff5021eaa6dc69f65ea1a8abe8f3ab11ef5eb0a it presumably will be useful for the C++ rewrite of nix-push and download-from-binary-cache. (@shlevy)
2015-11-24 | Merge pull request #704 from ysangkok/freebsd-support | Eelco Dolstra | 1 | -1/+1
FreeBSD support with knowledge about Linux emulation
2015-11-21 | Revert "remove sandbox-defaults.sb" | Shea Levy | 1 | -0/+1
As discussed in NixOS/nixpkgs#11001, we still need some of the old sandbox mechanism. This reverts commit d760c2638c9e1f4b8cd9b4ec90d68bf0c76a800b.
2015-11-14 | remove sandbox-defaults.sb | Jude Taylor | 1 | -1/+0
2015-10-21 | Add resolve-system-dependencies.pl | Jude Taylor | 1 | -1/+1
2015-10-21 | remove sandbox defaults into a new file | Jude Taylor | 1 | -0/+1
2015-10-06 | Use pkg-config-provided LDFLAGS for libsqlite3 and libcurl. | Manuel Jacob | 1 | -1/+1
Previously, pkg-config was already queried for libsqlite3's and libcurl's link flags. However they were not used, but hardcoded instead. This commit replaces the hardcoded LDFLAGS by the ones provided by pkg-config in a similar pattern as already used for libsodium.
2015-07-20 | Make <nix/fetchurl.nix> a builtin builder | Eelco Dolstra | 1 | -1/+1
This ensures that 1) the derivation doesn't change when Nix changes; 2) the derivation closure doesn't contain Nix and its dependencies; 3) we don't have to rely on ugly chroot hacks.
2015-04-16 | Fix using restricted mode with chroots | Eelco Dolstra | 1 | -0/+1
2015-03-24 | Improve setting the default chroot dirs | Eelco Dolstra | 1 | -1/+1
2014-09-18 | Update spec file | Eelco Dolstra | 1 | -1/+1
http://hydra.nixos.org/build/14344391
2014-09-18 | Install some pkgconfig files | Eelco Dolstra | 1 | -0/+2
2014-08-04 | Add option ‘build-extra-chroot-dirs’ | Eelco Dolstra | 1 | -1/+2
This is useful for extending (rather than overriding) the default set of chroot paths.
2014-05-26 | Use std::unordered_set | Eelco Dolstra | 1 | -2/+1
2014-04-03 | Fix compile errors on Illumos | Danny Wilson | 1 | -0/+4
2014-02-01 | Fix "make dist" | Eelco Dolstra | 1 | -1/+3
2014-02-01 | Update Makefile variable names | Eelco Dolstra | 1 | -1/+1
2014-01-30 | Rename Makefile -> local.mk | Eelco Dolstra | 1 | -0/+26