authorShea Levy <shea@shealevy.com>2015-11-25 13:01:34 -0500
committerShea Levy <shea@shealevy.com>2015-11-25 13:01:34 -0500
commit8ea29441cf654a693cad012cb2dbfc04eac0a2b7 (patch)
tree387f3884b66ef3f96c47f822fe589b97048a5a07
parent13eca6f79a0ddb09f6764273eaae0df4c2e67efc (diff)
parentc9f77f2b487de1b627ee367ef17e25332bdf34a1 (diff)
Merge remote-tracking branch 'origin/single-underscore' into staging
Use zero underscores for sandboxProfile
-rw-r--r--pkgs/applications/editors/vim/default.nix2
-rw-r--r--pkgs/applications/version-management/git-and-tools/git/default.nix2
-rw-r--r--pkgs/development/interpreters/perl/5.20/default.nix2
-rw-r--r--pkgs/os-specific/darwin/apple-sdk/default.nix7
-rw-r--r--pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix64
-rw-r--r--pkgs/os-specific/darwin/apple-source-releases/CF/default.nix4
-rw-r--r--pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix2
-rw-r--r--pkgs/os-specific/darwin/apple-source-releases/configd/default.nix2
-rw-r--r--pkgs/os-specific/darwin/apple-source-releases/default.nix6
-rw-r--r--pkgs/os-specific/darwin/cf-private/setup-hook.sh2
-rw-r--r--pkgs/stdenv/generic/default.nix28
-rw-r--r--pkgs/stdenv/pure-darwin/default.nix8
-rw-r--r--pkgs/top-level/all-packages.nix2
-rw-r--r--pkgs/top-level/python-packages.nix2
14 files changed, 39 insertions, 94 deletions
diff --git a/pkgs/applications/editors/vim/default.nix b/pkgs/applications/editors/vim/default.nix
index 08e0e05590f3..363413a698e8 100644
--- a/pkgs/applications/editors/vim/default.nix
+++ b/pkgs/applications/editors/vim/default.nix
@@ -43,7 +43,7 @@ stdenv.mkDerivation rec {
     ];
   };
 
-  __sandboxProfile = stdenv.lib.sandbox.allowFileRead "/dev/ptmx";
+  sandboxProfile = stdenv.lib.sandbox.allowFileRead "/dev/ptmx";
 
   # To fix the trouble in vim73, that it cannot cross-build with this patch
   # to bypass a configure script check that cannot be done cross-building.
diff --git a/pkgs/applications/version-management/git-and-tools/git/default.nix b/pkgs/applications/version-management/git-and-tools/git/default.nix
index 57ebb7397bc6..d060acef53ed 100644
--- a/pkgs/applications/version-management/git-and-tools/git/default.nix
+++ b/pkgs/applications/version-management/git-and-tools/git/default.nix
@@ -37,7 +37,7 @@ stdenv.mkDerivation {
   NIX_LDFLAGS = stdenv.lib.optionalString (!stdenv.isDarwin) "-lgcc_s";
 
   # without this, git fails when trying to check for /etc/gitconfig existence
-  __propagatedSandboxProfile = stdenv.lib.sandbox.allowDirectoryList "/etc";
+  propagatedSandboxProfile = stdenv.lib.sandbox.allowDirectoryList "/etc";
 
   makeFlags = "prefix=\${out} sysconfdir=/etc/ PERL_PATH=${perl}/bin/perl SHELL_PATH=${stdenv.shell} "
       + (if pythonSupport then "PYTHON_PATH=${python}/bin/python" else "NO_PYTHON=1")
diff --git a/pkgs/development/interpreters/perl/5.20/default.nix b/pkgs/development/interpreters/perl/5.20/default.nix
index 6a9bf7697c8b..05d64e9c511e 100644
--- a/pkgs/development/interpreters/perl/5.20/default.nix
+++ b/pkgs/development/interpreters/perl/5.20/default.nix
@@ -50,7 +50,7 @@ stdenv.mkDerivation rec {
       --replace "/bin/pwd" "$pwd"
   '';
 
-  __sandboxProfile = stdenv.lib.sandbox.allow "ipc-sysv-sem";
+  sandboxProfile = stdenv.lib.sandbox.allow "ipc-sysv-sem";
 
   # Build a thread-safe Perl with a dynamic libperls.o.  We need the
   # "installstyle" option to ensure that modules are put under
diff --git a/pkgs/os-specific/darwin/apple-sdk/default.nix b/pkgs/os-specific/darwin/apple-sdk/default.nix
index b31e5d043ef2..847738158dab 100644
--- a/pkgs/os-specific/darwin/apple-sdk/default.nix
+++ b/pkgs/os-specific/darwin/apple-sdk/default.nix
@@ -1,7 +1,6 @@
 { stdenv, fetchurl, xar, gzip, cpio, pkgs }:
 
 let
-  generateFrameworkProfile = pkgs.callPackage ./generate-framework-profile.nix {};
   # sadly needs to be exported because security_tool needs it
   sdk = stdenv.mkDerivation rec {
     version = "10.9";
@@ -97,11 +96,11 @@ let
     propagatedBuildInputs = deps;
 
     # allows building the symlink tree
-    __sandboxProfile = ''
+    sandboxProfile = ''
       (allow file-read* (subpath "/System/Library/Frameworks/${name}.framework"))
     '';
 
-    __propagatedSandboxProfile = stdenv.lib.sandbox.importProfile (generateFrameworkProfile name);
+    __propagatedImpureHostDeps = stdenv.lib.optional (name != "Kernel") "/System/Library/Frameworks/${name}.framework/${name}";
 
     meta = with stdenv.lib; {
       description = "Apple SDK framework ${name}";
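Review bot: The `name != "Kernel"` exception on the new `__propagatedImpureHostDeps` line is unexplained, and it replaces a generic check: the deleted generate-framework-profile.nix tested `[ ! -f "${path}/${frameworkName}" ]` and produced an empty profile for any framework without a top-level binary. If another framework in the set lacks that file, this line would declare a host path that does not exist; how the builder treats that is not visible in this diff. I would add a comment above the line, for example `# Kernel.framework has no binary to expose (headers only) -- confirm`, and state that the listed path is made available to every build that depends on the framework. The enclosing framework derivation starts outside the hunk.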
@@ -182,5 +181,5 @@ in rec {
 
   frameworks = bareFrameworks // overrides bareFrameworks;
 
-  inherit sdk generateFrameworkProfile;
+  inherit sdk;
 }
diff --git a/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix b/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix
deleted file mode 100644
index eb6228db14dd..000000000000
--- a/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix
+++ /dev/null
@@ -1,64 +0,0 @@
-{ runCommand }:
-
-# In a normal programming language, one might store a hashmap
-# { library name -> runtime dependencies }.
-# associative arrays were only recently added to bash, and even then, bash arrays cannot
-# be multidimensional. instead, the filesystem is the hash table!
-# once every dependency in the tree has been visited, a comprehensive list of libraries
-# will exist inside ./build. then `find ./build -type f` will give you the
-# dependency tree you need!
-
-frameworkName:
-
-let path = "/System/Library/Frameworks/${frameworkName}.framework";
-
-in runCommand "${frameworkName}-profile.sb" {
-  # __noChroot lite
-  __sandboxProfile = ''
-    (allow file* (subpath "/"))
-  '';
-
-  # inconsistencies may exist between self and hydra
-  allowSubstitutes = false;
-} ''
-  if [ ! -f "${path}/${frameworkName}" ]; then
-    touch $out
-    exit
-  fi
-  base=./build
-  find_deps () {
-    if [ -f "$base/$1" ]; then
-      return
-    fi
-    dependencies=$(otool -l -arch x86_64 $1 \
-      | grep 'LC_\w*_DYLIB' -A 2 \
-      | grep name \
-      | sed 's/^ *//' \
-      | cut -d' ' -f2)
-    mkdir -p $base/"$(dirname "$1")"
-    touch $base/"$1"
-    for dep in $dependencies; do
-      find_deps "$dep"
-    done
-  }
-  find_deps "${path}/${frameworkName}" "$out"
-  set -o noglob
-  profile="(allow file-read*"
-  for file in $(find $base -type f); do
-    filename=''${file/$base/}
-    case $filename in
-      /usr/lib/system*) ;;
-      /usr/lib/libSystem.dylib) ;;
-      /usr/lib/libSystem.B.dylib) ;;
-      /usr/lib/libobjc.A.dylib) ;;
-      /usr/lib/libobjc.dylib) ;;
-      /usr/lib/libauto.dylib) ;;
-      /usr/lib/libc++abi.dylib) ;;
-      /usr/lib/libDiagnosticMessagesClient.dylib) ;;
-      *) profile+=" (literal \"$filename\")" ;;
-    esac
-  done
-  profile+=" (literal \"${path}/${frameworkName}\")"
-  profile+=" (literal \"${path}/Versions/Current\")"
-  echo "$profile)" > $out
-''
diff --git a/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix b/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix
index 0eac8fcae398..3993a360156a 100644
--- a/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix
+++ b/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, appleDerivation, icu, dyld, libdispatch, launchd, libclosure, generateFrameworkProfile }:
+{ stdenv, appleDerivation, icu, dyld, libdispatch, launchd, libclosure }:
 
 # this project uses blocks, a clang-only extension
 assert stdenv.cc.isClang;
@@ -8,7 +8,7 @@ appleDerivation {
 
   patches = [ ./add-cf-initialize.patch ./add-cfmachport.patch ./cf-bridging.patch ];
 
-  __propagatedSandboxProfile = stdenv.lib.sandbox.importProfile (generateFrameworkProfile "CoreFoundation");
+  __propagatedImpureHostDeps = [ "/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation" ];
 
   preBuild = ''
     substituteInPlace Makefile \
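Review bot: The host path declared in `__propagatedImpureHostDeps` is `/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation`, while the same commit changes cf-private/setup-hook.sh to link against `.../CoreFoundation.framework/Versions/A/CoreFoundation`. The removed profile generator allowed both the top-level entry and `Versions/Current`; whether the sandbox now resolves the top-level entry (presumably a symlink) to the versioned file is not visible here. If it does not, builds that run `linkWithRealCF` would need the versioned path listed too, e.g. adding `"/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation"` to the list. A short comment saying which form the builder expects would settle it.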
diff --git a/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix b/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix
index d465fa71ff02..a0261875c102 100644
--- a/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix
+++ b/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix
@@ -81,7 +81,7 @@ in appleDerivation {
   ];
 
   # ps uses this syscall to get process info
-  __propagatedSandboxProfile = stdenv.lib.sandbox.allow "mach-priv-task-port";
+  propagatedSandboxProfile = stdenv.lib.sandbox.allow "mach-priv-task-port";
 
   meta = {
     platforms = stdenv.lib.platforms.darwin;
diff --git a/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix b/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix
index c730a409609f..1fbacfb92845 100644
--- a/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix
+++ b/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix
@@ -7,7 +7,7 @@ appleDerivation {
 
   propagatedBuildInputs = [ Security ];
 
-  __propagatedSandboxProfile = ''
+  propagatedSandboxProfile = ''
     (allow mach-lookup (global-name "com.apple.SystemConfiguration.configd"))
   '';
 
diff --git a/pkgs/os-specific/darwin/apple-source-releases/default.nix b/pkgs/os-specific/darwin/apple-source-releases/default.nix
index 6b7858d374a0..f1b72b4123ff 100644
--- a/pkgs/os-specific/darwin/apple-source-releases/default.nix
+++ b/pkgs/os-specific/darwin/apple-source-releases/default.nix
@@ -54,11 +54,9 @@ let
     inherit (adv_cmds) ps locale;
     architecture    = applePackage "architecture"      "265"         "05wz8wmxlqssfp29x203fwfb8pgbdjj1mpz12v508658166yzqj8" {};
     bootstrap_cmds  = applePackage "bootstrap_cmds"    "86"          "0xr0296jm1r3q7kbam98h85g23qlfi763z54ahj563n636kyk2wb" {};
-    bsdmake         = applePackage "bsdmake"           "24" "11a9kkhz5bfgi1i8kpdkis78lhc6b5vxmhd598fcdgra1jw4iac2" {};
+    bsdmake         = applePackage "bsdmake"           "24"          "11a9kkhz5bfgi1i8kpdkis78lhc6b5vxmhd598fcdgra1jw4iac2" {};
     CarbonHeaders   = applePackage "CarbonHeaders"     "9A581"       "1hc0yijlpwq39x5bic6nnywqp2m1wj1f11j33m2q7p505h1h740c" {};
-    CF              = applePackage "CF"                "855.17"      "1sadmxi9fsvsmdyxvg2133sdzvkzwil5fvyyidxsyk1iyfzqsvln" {
-      inherit (pkgs.darwin.apple_sdk) generateFrameworkProfile;
-    };
+    CF              = applePackage "CF"                "855.17"      "1sadmxi9fsvsmdyxvg2133sdzvkzwil5fvyyidxsyk1iyfzqsvln" {};
     CommonCrypto    = applePackage "CommonCrypto"      "60049"       "1azin6w7cnzl0iv8kd2qzgwcp6a45zy64y5z1i6jysjcl6xmlw2h" {};
     configd         = applePackage "configd"           "453.19"      "1gxakahk8gallf16xmhxhprdxkh3prrmzxnmxfvj0slr0939mmr2" {};
     copyfile        = applePackage "copyfile"          "103.92.1"    "15i2hw5aqx0fklvmq6avin5s00adacvzqc740vviwc2y742vrdcd" {};
diff --git a/pkgs/os-specific/darwin/cf-private/setup-hook.sh b/pkgs/os-specific/darwin/cf-private/setup-hook.sh
index a83a1323bf83..7594c07977b9 100644
--- a/pkgs/os-specific/darwin/cf-private/setup-hook.sh
+++ b/pkgs/os-specific/darwin/cf-private/setup-hook.sh
@@ -6,7 +6,7 @@ linkWithRealCF() {
   # gross! many symbols (such as _OBJC_CLASS_$_NSArray) are defined in system CF, but not
   # in the opensource release
   # if the package needs private headers, we assume they also want to link with system CF
-  NIX_LDFLAGS+=" /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation"
+  NIX_LDFLAGS+=" /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation"
 }
 
 preConfigureHooks+=(prependSearchPath linkWithRealCF)
diff --git a/pkgs/stdenv/generic/default.nix b/pkgs/stdenv/generic/default.nix
index 196c8618c918..dbb3e25a1472 100644
--- a/pkgs/stdenv/generic/default.nix
+++ b/pkgs/stdenv/generic/default.nix
@@ -12,8 +12,8 @@ let lib = import ../../../lib; in lib.makeOverridable (
 , extraBuildInputs ? []
 , __stdenvImpureHostDeps ? []
 , __extraImpureHostDeps ? []
-, __stdenvSandboxProfile ? ""
-, __extraSandboxProfile ? ""
+, stdenvSandboxProfile ? ""
+, extraSandboxProfile ? ""
 }:
 
 let
@@ -102,8 +102,8 @@ let
     , outputs ? [ "out" ]
     , __impureHostDeps ? []
     , __propagatedImpureHostDeps ? []
-    , __sandboxProfile ? ""
-    , __propagatedSandboxProfile ? ""
+    , sandboxProfile ? ""
+    , propagatedSandboxProfile ? ""
     , ... } @ attrs:
     let
       pos' =
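Review bot: After this rename, a caller that still passes `__sandboxProfile` or `__propagatedSandboxProfile` is accepted through `... @ attrs` but no longer bound to these parameters, and further down the Darwin attribute set assigns `__sandboxProfile` itself, so the old value appears to be dropped without any message. That fails toward a stricter sandbox, but the resulting build error will not point at the cause. Consider rejecting the old spelling explicitly, for example `assert !(attrs ? __sandboxProfile || attrs ? __propagatedSandboxProfile);`, or documenting the rename next to the parameter list. The function body continues outside the hunk.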
@@ -154,12 +154,16 @@ let
         (removeAttrs attrs
           ["meta" "passthru" "crossAttrs" "pos"
            "__impureHostDeps" "__propagatedImpureHostDeps"
-           "__sandboxProfile" "__propagatedSandboxProfile"])
+           "sandboxProfile" "propagatedSandboxProfile"])
         // (let
           computedSandboxProfile =
             lib.concatMap (input: input.__propagatedSandboxProfile or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs);
           computedPropagatedSandboxProfile =
             lib.concatMap (input: input.__propagatedSandboxProfile or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs);
+          computedImpureHostDeps =
+            lib.unique (lib.concatMap (input: input.__propagatedImpureHostDeps or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs));
+          computedPropagatedImpureHostDeps =
+            lib.unique (lib.concatMap (input: input.__propagatedImpureHostDeps or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs));
         in
         {
           builder = attrs.realBuilder or shell;
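Review bot: The new bindings `computedImpureHostDeps` and `computedPropagatedImpureHostDeps` carry no comment, although what they collect matters for sandbox review: as I read it, every path an input lists in `__propagatedImpureHostDeps` ends up exposed to the build that depends on it. I would add a comment above them such as `# host paths outside the store that our inputs ask to expose in this build's sandbox; keep entries minimal`. Nothing in the visible lines checks the shape of the entries, so the comment should also say what is expected (an absolute path to a single file rather than a directory).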
@@ -179,10 +183,17 @@ let
         } // ifDarwin {
           # TODO: remove lib.unique once nix has a list canonicalization primitive
           __sandboxProfile =
-          let profiles = [ __extraSandboxProfile ] ++ computedSandboxProfile ++ computedPropagatedSandboxProfile ++ [ __propagatedSandboxProfile __sandboxProfile ];
+          let profiles = [ extraSandboxProfile ] ++ computedSandboxProfile ++ computedPropagatedSandboxProfile ++ [ propagatedSandboxProfile sandboxProfile ];
               final = lib.concatStringsSep "\n" (lib.filter (x: x != "") (lib.unique profiles));
           in final;
-          __propagatedSandboxProfile = lib.unique (computedPropagatedSandboxProfile ++ [ __propagatedSandboxProfile ]);
+          __propagatedSandboxProfile = lib.unique (computedPropagatedSandboxProfile ++ [ propagatedSandboxProfile ]);
+          __impureHostDeps = computedImpureHostDeps ++ computedPropagatedImpureHostDeps ++ __propagatedImpureHostDeps ++ __impureHostDeps ++ __extraImpureHostDeps ++ [
+            "/dev/zero"
+            "/dev/random"
+            "/dev/urandom"
+            "/bin/sh"
+          ];
+          __propagatedImpureHostDeps = computedPropagatedImpureHostDeps ++ __propagatedImpureHostDeps;
         } // (if outputs' != [ "out" ] then {
           outputs = outputs';
         } else { })))) (
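Review bot: `__impureHostDeps` and `__propagatedImpureHostDeps` are concatenated without deduplication, unlike `__sandboxProfile` and `__propagatedSandboxProfile` just above, which go through `lib.unique`. The same path can arrive via `computedImpureHostDeps`, `computedPropagatedImpureHostDeps` and the derivation's own lists, so wrapping both results in `lib.unique (...)` would keep them stable and consistent with the TODO above. The four fixed entries (`/dev/zero`, `/dev/random`, `/dev/urandom`, `/bin/sh`) also deserve a comment explaining why every Darwin build receives them, since `/bin/sh` is a host binary whose contents Nix does not control. The attribute set continues outside the hunk.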
@@ -219,7 +230,8 @@ let
       inherit preHook initialPath shell defaultNativeBuildInputs;
     }
     // ifDarwin {
-      __sandboxProfile = __stdenvSandboxProfile;
+      __sandboxProfile = stdenvSandboxProfile;
+      __impureHostDeps = __stdenvImpureHostDeps;
     })
 
     // rec {
diff --git a/pkgs/stdenv/pure-darwin/default.nix b/pkgs/stdenv/pure-darwin/default.nix
index 1770d48278d9..bc3b433e9226 100644
--- a/pkgs/stdenv/pure-darwin/default.nix
+++ b/pkgs/stdenv/pure-darwin/default.nix
@@ -93,8 +93,8 @@ in rec {
         };
 
         # The stdenvs themselves don't use mkDerivation, so I need to specify this here
-        __stdenvSandboxProfile = binShClosure + libSystemProfile;
-        __extraSandboxProfile  = binShClosure + libSystemProfile;
+        stdenvSandboxProfile = binShClosure + libSystemProfile;
+        extraSandboxProfile  = binShClosure + libSystemProfile;
 
         extraAttrs = { inherit platform; };
         overrides  = pkgs: (overrides pkgs) // { fetchurl = thisStdenv.fetchurlBoot; };
@@ -269,8 +269,8 @@ in rec {
       export PATH_LOCALE=${pkgs.darwin.locale}/share/locale
     '';
 
-    __stdenvSandboxProfile = binShClosure + libSystemProfile;
-    __extraSandboxProfile  = binShClosure + libSystemProfile;
+    stdenvSandboxProfile = binShClosure + libSystemProfile;
+    extraSandboxProfile  = binShClosure + libSystemProfile;
 
     initialPath = import ../common-path.nix { inherit pkgs; };
     shell       = "${pkgs.bash}/bin/bash";
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 56034929434b..71535d831678 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -5494,7 +5494,7 @@ let
 
   cmake-2_8 = callPackage ../development/tools/build-managers/cmake/2.8.nix {
     wantPS = stdenv.isDarwin;
-    ps     = if stdenv.isDarwin then darwin.adv_cmds else null;
+    inherit (darwin) ps;
   };
 
   cmake = callPackage ../development/tools/build-managers/cmake {
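Review bot: `inherit (darwin) ps;` drops the platform guard the removed line had, so `ps` is now `darwin.ps` on every platform instead of `null` outside Darwin. That is harmless if cmake/2.8.nix only touches `ps` when `wantPS` is true, which is not visible in this diff; any `ps != null` test there would now succeed on non-Darwin systems. If the guard is still wanted, `ps = if stdenv.isDarwin then darwin.ps else null;` keeps the old behaviour with the new attribute.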
diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix
index b0c5277274d3..9d0b04fb7404 100644
--- a/pkgs/top-level/python-packages.nix
+++ b/pkgs/top-level/python-packages.nix
@@ -9232,7 +9232,7 @@ let
     meta = {
       description = "A module for monitoring memory usage of a python program";
       homepage = http://pypi.python.org/pypi/memory_profiler;
-      license = licenses.bsd;
+      license = licenses.bsd3;
     };
   };