about summary refs log tree commit diff
path: root/src/libstore
AgeCommit message (Collapse)AuthorFilesLines
2015-03-04 Don't use vfork() before clone()Eelco Dolstra1-1/+3
I'm seeing hangs in Glibc's setxid_mark_thread() again. This is probably because the use of an intermediate process to make clone() safe from a multi-threaded program (see 524f89f1399724e596f61faba2c6861b1bb7b9c5) is defeated by the use of vfork(), since the intermediate process will have a copy of Glibc's threading data structures due to the vfork(). So use a regular fork() again.
2015-03-03 Merge branch 'allow-system-library' of git://github.com/copumpkin/nixShea Levy1-1/+1
Make the default impure prefix include all of /System/Library
2015-03-02 Make the default impure prefix (not actual allowed impurities!) include all ↵Dan Peebles1-1/+1
of /System/Library, since we also want PrivateFrameworks from there and (briefly) TextEncodings, and who knows what else. Yay infectious impurities?
2015-03-02 Allow local networking in the darwin sandbox to appease testsDan Peebles1-0/+3
2015-02-23 More graceful fallback for chroots on Linux < 2.13Eelco Dolstra1-6/+5
2015-02-23 Use chroots for all derivationsEelco Dolstra3-17/+35
If ‘build-use-chroot’ is set to ‘true’, fixed-output derivations are now also chrooted. However, unlike normal derivations, they don't get a private network namespace, so they can still access the network. Also, the use of the ‘__noChroot’ derivation attribute is no longer allowed. Setting ‘build-use-chroot’ to ‘relaxed’ gives the old behaviour.
2015-02-17 Use $<attr>Path instead of $<attr> for passAsFileEelco Dolstra1-1/+1
2015-02-17 Allow passing attributes via files instead of environment variablesEelco Dolstra1-4/+16
Closes #473.
2015-02-16 Use pivot_root in addition to chroot when possibleHarald van Dijk1-7/+28
chroot only changes the process root directory, not the mount namespace root directory, and it is well-known that any process with chroot capability can break out of a chroot "jail". By using pivot_root as well, and unmounting the original mount namespace root directory, breaking out becomes impossible. Non-root processes typically have no ability to use chroot() anyway, but they can gain that capability through the use of clone() or unshare(). For security reasons, these syscalls are limited in functionality when used inside a normal chroot environment. Using pivot_root() this way does allow those syscalls to be put to their full use.
2015-02-04 Require linux 3.13 or later for chrootShea Levy1-1/+6
Fixes #453
2015-01-18 Make inputs writeable in the sandbox (builds still can’t actually write ↵Daniel Peebles1-2/+7
due to user permissions)
2015-01-13 Allow using /bin and /usr/bin as impure prefixes on non-darwin by defaultShea Levy1-1/+1
These directories are generally world-readable anyway, and give us the two most common linux impurities (env and sh)
2015-01-13 SysError -> ErrorEelco Dolstra1-1/+1
2015-01-13 Don't resolve symlinks while checking __impureHostDepsEelco Dolstra1-2/+5
Since these come from untrusted users, we shouldn't do any I/O on them before we've checked that they're in an allowed prefix.
2015-01-12 Add basic Apple sandbox supportDaniel Peebles1-17/+169
2015-01-08 Doh^2Eelco Dolstra1-1/+1
2015-01-08 DohEelco Dolstra1-3/+3
2015-01-08 Set /nix/store permission to 1737Eelco Dolstra2-19/+6
I.e., not readable to the nixbld group. This improves purity a bit for non-chroot builds, because it prevents a builder from enumerating store paths (i.e. it can only access paths it knows about).
2015-01-06 Fix building on DarwinEelco Dolstra1-1/+4
Fixes #433.
2014-12-29 LocalStore initialization: Don't die if build-users-group doesn't existShea Levy1-11/+12
See NixOS/nixpkgs@9245516
2014-12-23 Revive running builds in a PID namespaceEelco Dolstra1-30/+59
2014-12-14 PedantryEelco Dolstra1-1/+1
2014-12-14 Merge branch 'cygwin-master' of https://github.com/ternaris/nixEelco Dolstra2-0/+2
2014-12-13 Better error messageEelco Dolstra1-1/+1
2014-12-12 Silence some warnings on GCC 4.9Eelco Dolstra2-3/+5
2014-12-12 Shut up a Valgrind warningEelco Dolstra1-1/+1
2014-12-12 Fix some memory leaksEelco Dolstra1-29/+9
2014-12-12 Ensure we're writing to stderr in the builderEelco Dolstra3-6/+6
http://hydra.nixos.org/build/17862041
2014-12-12 Remove chatty messageEelco Dolstra1-2/+0
This broke building with "-vv", because the builder is not allowed to write to stderr at this point.
2014-12-12 DohEelco Dolstra1-1/+1
2014-12-10 Don't do vfork in conjunction with setuidEelco Dolstra1-0/+2
2014-12-10 Rename functionEelco Dolstra1-4/+4
2014-12-10 Don't wait for PID -1Eelco Dolstra1-1/+2
The pid field can be -1 if forking the substituter process failed.
2014-12-09 Explicitly include required C headersMarko Durkovic2-0/+2
2014-11-24 Build derivations in a more predictable orderEelco Dolstra1-7/+41
Derivations are now built in order of derivation name, so a package named "aardvark" is built before "baboon". Fixes #399.
2014-11-24 Don't create unnecessary substitution goals for derivationsEelco Dolstra1-0/+5
2014-11-19 Disable vacuuming the DB after garbage collectionEelco Dolstra1-1/+1
Especially in WAL mode on a highly loaded machine, this is not a good idea because it results in a WAL file of approximately the same size ad the database, which apparently cannot be deleted while anybody is accessing it.
2014-11-19 Clean up temp roots in a more C++ wayEelco Dolstra3-26/+13
2014-11-17 Fix messageEelco Dolstra1-1/+1
2014-11-14 Don't use ADDR_LIMIT_3GBEelco Dolstra1-1/+1
This gives 32-bit builds on x86_64-linux more memory.
2014-11-12 Make ~DerivationGoal more reliableEelco Dolstra1-7/+3
2014-11-04 nix-store --gc: Don't warn about missing manifests directoryEelco Dolstra1-1/+2
2014-10-31 Improve error message if the daemon worker fails to startEelco Dolstra1-2/+1
2014-10-29 Remove comments claiming we use a private PID namespaceEelco Dolstra1-8/+1
This is no longer the case since 524f89f1399724e596f61faba2c6861b1bb7b9c5.
2014-10-14 Improved error message when encountering unsupported file typesEelco Dolstra1-3/+3
Fixes #269.
2014-10-03 Remove some duplicate codeEelco Dolstra1-6/+2
2014-09-18 Update spec fileEelco Dolstra1-1/+1
http://hydra.nixos.org/build/14344391
2014-09-18 Install some pkgconfig filesEelco Dolstra2-0/+11
2014-09-17 On Linux, disable address space randomizationEelco Dolstra1-5/+9
2014-09-17 Settings: Add bool get()Eelco Dolstra3-2/+12