about summary refs log tree commit diff
path: root/src
AgeCommit message (Collapse)AuthorFilesLines
2017-06-19 macOS: Ugly hack to make the tests succeedEelco Dolstra1-3/+2
Sandboxes cannot be nested, so if Nix's build runs inside a sandbox, it cannot use a sandbox itself. I don't see a clean way to detect whether we're in a sandbox, so use a test-specific hack. https://github.com/NixOS/nix/issues/1413
2017-06-19 macOS: Remove flagsEelco Dolstra1-0/+10
In particular, UF_IMMUTABLE (uchg) needs to be cleared to allow the path to be garbage-collected or optimised. See https://github.com/NixOS/nixpkgs/issues/25819. + the file from being garbage-collected.
2017-06-14 Remove redundant debug lineEelco Dolstra1-2/+0
2017-06-14 canonicalisePathMetaData(): Ignore security.selinux attributeEelco Dolstra1-2/+6
Untested, hopefully fixes #1406.
2017-06-12 Suppress spurious "killing process N: Operation not permitted" on macOSEelco Dolstra1-2/+9
2017-06-12 On macOS, don't use /var/folders for TMPDIREelco Dolstra1-0/+8
This broke "nix-store --serve".
2017-06-12 Provide a builtin default for $NIX_SSL_CERT_FILEEelco Dolstra2-4/+13
This is mostly to ensure that when Nix is started on macOS via a launchd service or sshd (for a remote build), it gets a certificate bundle.
2017-06-12 Don't run pre-build-hook if we don't have a derivationEelco Dolstra1-1/+1
This fixes a build failure on OS X when using Hydra or Nix 1.12's build-remote (since they don't copy the derivation to the build machine).
2017-06-07 Don't show flags from config settings in "nix --help"Eelco Dolstra9-54/+140
2017-06-07 nix: Add --help-config flagEelco Dolstra3-2/+30
2017-06-07 nix: Make all options available as flagsEelco Dolstra4-0/+40
Thus, instead of ‘--option <name> <value>’, you can write ‘--<name> <value>’. So --option http-connections 100 becomes --http-connections 100 Apart from brevity, the difference is that it's not an error to set a non-existent option via --option, but unrecognized arguments are fatal. Boolean options have special treatment: they're mapped to the argument-less flags ‘--<name>’ and ‘--no-<name>’. E.g. --option auto-optimise-store false becomes --no-auto-optimise-store
2017-06-06 Disable the build user mechanism on all platforms except Linux and OS XEelco Dolstra1-0/+6
2017-06-06 Always use the Darwin sandboxEelco Dolstra4-83/+98
Even with "build-use-sandbox = false", we now use sandboxing with a permissive profile that allows everything except the creation of setuid/setgid binaries.
2017-05-31 Remove listxattr assertionEelco Dolstra1-2/+0
It appears that sometimes, listxattr() returns a different value for the query case (i.e. when the buffer size is 0).
2017-05-31 OS X sandbox: Improve builtin sandbox profileEelco Dolstra4-59/+76
Also, add rules to allow fixed-output derivations to access the network. These rules are sufficient to build stdenvDarwin without any __sandboxProfile magic.
2017-05-31 resolve-system-dependencies: Misc fixesEelco Dolstra1-22/+20
This fixes Could not find any mach64 blobs in file ‘/usr/lib/libSystem.B.dylib’, continuing...
2017-05-31 resolve-system-dependencies: SimplifyEelco Dolstra1-10/+1
2017-05-31 OS X sandbox: Don't use a deterministic $TMPDIREelco Dolstra1-3/+0
This doesn't work because the OS X sandbox cannot bind-mount path to a different location.
2017-05-31 OS X sandbox: Store .sb file in $TMPDIR rather than the Nix storeEelco Dolstra1-4/+1
The filename used was not unique and owned by the build user, so builds could fail with error: while setting up the build environment: cannot unlink ‘/nix/store/99i210ihnsjacajaw8r33fmgjvzpg6nr-bison-3.0.4.drv.sb’: Permission denied
2017-05-30 resolve-system-dependencies: Fix another segfaultEelco Dolstra1-0/+5
runResolver() was barfing on directories like /System/Library/Frameworks/Security.framework/Versions/Current/PlugIns. It should probably do something sophisticated for frameworks, but let's ignore them for now.
2017-05-30 Darwin sandbox: Use sandbox-defaults.sbEelco Dolstra4-14/+17
Issue #759. Also, remove nix.conf from the sandbox since I don't really see a legitimate reason for builders to access the Nix configuration.
2017-05-30 Darwin sandbox: Disallow creating setuid/setgid binariesEelco Dolstra1-0/+4
Suggested by Daiderd Jordan.
2017-05-30 resolve-system-dependencies: Several fixesEelco Dolstra1-53/+65
This fixes error: getting attributes of path ‘Versions/Current/CoreFoundation’: No such file or directory when /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation is a symlink. Also fixes a segfault when encounting a file that is not a MACH binary (such as /dev/null, which is included in __impureHostDeps in Nixpkgs). Possibly fixes #786.
2017-05-30 Fix seccomp build failure on clangEelco Dolstra1-3/+3
Fixes src/libstore/build.cc:2321:45: error: non-constant-expression cannot be narrowed from type 'int' to 'scmp_datum_t' (aka 'unsigned long') in initializer list [-Wc++11-narrowing]
2017-05-30 Shut up some clang warningsEelco Dolstra1-7/+7
2017-05-30 Add a seccomp rule to disallow setxattr()Eelco Dolstra1-1/+9
2017-05-30 canonicalisePathMetaData(): Remove extended attributes / ACLsEelco Dolstra1-0/+22
EAs/ACLs are not part of the NAR canonicalisation. Worse, setting an ACL allows a builder to create writable files in the Nix store. So get rid of them. Closes #185.
2017-05-30 Require seccomp only in multi-user setupsEelco Dolstra1-1/+5
2017-05-29 Fix seccomp initialisation on i686-linuxEelco Dolstra1-1/+2
2017-05-29 Add a seccomp filter to prevent creating setuid/setgid binariesEelco Dolstra2-0/+43
This prevents builders from setting the S_ISUID or S_ISGID bits, preventing users from using a nixbld* user to create a setuid/setgid binary to interfere with subsequent builds under the same nixbld* uid. This is based on aszlig's seccomp code (47f587700d646f5b03a42f2fa57c28875a31efbe). Reported by Linus Heckemann.
2017-05-29 Fix nix-copy-closure testEelco Dolstra1-0/+1
Fixes client# error: size mismatch importing path ‘/nix/store/ywf5fihjlxwijm6ygh6s0a353b5yvq4d-libidn2-0.16’; expected 0, got 120264 This is mostly an artifact of the NixOS VM test environment, where the Nix database doesn't contain hashes/sizes. http://hydra.nixos.org/build/53537471
2017-05-29 Fix build failure on Debian/UbuntuEelco Dolstra3-2/+2
http://hydra.nixos.org/build/53537463
2017-05-29 Fix typoEelco Dolstra1-1/+1
2017-05-24 Fix #1314Eelco Dolstra1-1/+2
Also, make nix-shell respect --option. (Previously it only passed it along to nix-instantiate and nix-build.)
2017-05-24 Merge branch 'topic/cores-master' of https://github.com/neilmayhew/nixEelco Dolstra1-0/+1
2017-05-24 Fix #1380Eelco Dolstra1-1/+1
It lacked a backslash. Use a raw string and single quotes around PS1 to simplify this.
2017-05-24 Merge branch 'prompt-terminator' of https://github.com/lheckemann/nixEelco Dolstra1-1/+1
2017-05-24 Merge branch 'nar-accessor-tree' of https://github.com/bennofs/nixEelco Dolstra1-33/+75
2017-05-17 builtins.match: Improve error message for bad regular expressionEelco Dolstra1-16/+23
Issue #1331.
2017-05-16 Improve progress indicatorEelco Dolstra26-168/+339
2017-05-15 nar-accessor.cc: remove unused member NarIndexer::currentNameBenno Fünfstück1-2/+1
2017-05-15 nar-accessor: non-recursive NarMember::findBenno Fünfstück1-21/+21
This avoids a possible stack overflow if directories are very deeply nested.
2017-05-15 Simplify fixed-output checkEelco Dolstra1-6/+2
2017-05-15 Disallow outputHash being null or an empty stringEelco Dolstra1-4/+5
Fixes #1384.
2017-05-15 Add --with-sandbox-shell configure flagEelco Dolstra2-3/+3
And add a 116 KiB ash shell from busybox to the release build. This helps to make sandbox builds work out of the box on non-NixOS systems and with diverted stores.
2017-05-15 Linux sandbox: Don't barf on invalid pathsEelco Dolstra1-0/+1
This is useful when we're using a diverted store (e.g. "--store local?root=/tmp/nix") in conjunction with a statically-linked sh from the host store (e.g. "sandbox-paths =/bin/sh=/nix/store/.../bin/busybox").
2017-05-15 Make fmt() non-recursiveEelco Dolstra2-12/+7
2017-05-15 nix ls: support '/' for the root directoryBenno Fünfstück1-0/+4
2017-05-15 nar-accessor: use tree, fixes readDirectory missing childrenBenno Fünfstück1-33/+76
Previously, if a directory `foo` existed and a file `foo-` (where `-` is any character that is sorted before `/`), then `readDirectory` would return an empty list. To fix this, we now use a tree where we can just access the children of the node, and do not need to rely on sorting behavior to list the contents of a directory.
2017-05-11 Add an option for extending the user agent headerEelco Dolstra2-1/+6
This is useful e.g. for distinguishing traffic to a binary cache (e.g. certain machines can use a different tag in the user agent).