author | Vladimír Čunát <vcunat@gmail.com> | 2016-04-25 11:00:26 +0200 |
---|---|---|
committer | Vladimír Čunát <vcunat@gmail.com> | 2016-04-25 11:04:08 +0200 |
commit | 7cf8daa2bbf7e9ac1b57305a22547271dca28a6e (patch) | |
tree | f2a51bb86faa1b589ccd2ae59d4d2b57fb1574c4 /nixos/modules | |
parent | 3db3355c835622123245515cdba65edb274e9e7b (diff) | |
nixos: rename chroot* to sandbox*
On Nix side this was done months ago: https://github.com/NixOS/nix/pull/682
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/rename.nix | 4 | ||||
-rw-r--r-- | nixos/modules/services/misc/nix-daemon.nix | 16 |
2 files changed, 12 insertions, 8 deletions
diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index 84eccfd51292..6b02446d53b4 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix @@ -68,6 +68,10 @@ with lib; # proxy (mkRenamedOptionModule [ "nix" "proxy" ] [ "networking" "proxy" "default" ]) + # sandboxing + (mkRenamedOptionModule [ "nix" "useChroot" ] [ "nix" "useSandbox" ]) + (mkRenamedOptionModule [ "nix" "chrootDirs" ] [ "nix" "sandboxPaths" ]) + # KDE (mkRenamedOptionModule [ "kde" "extraPackages" ] [ "environment" "systemPackages" ]) (mkRenamedOptionModule [ "environment" "kdePackages" ] [ "environment" "systemPackages" ]) diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix index 10ac6f93cfdb..c84c67ff2872 100644 --- a/nixos/modules/services/misc/nix-daemon.nix +++ b/nixos/modules/services/misc/nix-daemon.nix @@ -24,8 +24,8 @@ let nixConf = let - # If we're using a chroot for builds, then provide /bin/sh in - # the chroot as a bind-mount to bash. This means we also need to + # If we're using sandbox for builds, then provide /bin/sh in + # the sandbox as a bind-mount to bash. This means we also need to # include the entire closure of bash. sh = pkgs.stdenv.shell; binshDeps = pkgs.writeReferencesToFile sh; @@ -39,8 +39,8 @@ let build-users-group = nixbld build-max-jobs = ${toString (cfg.maxJobs)} build-cores = ${toString (cfg.buildCores)} - build-use-chroot = ${if (builtins.isBool cfg.useChroot) then (if cfg.useChroot then "true" else "false") else cfg.useChroot} - build-chroot-dirs = ${toString cfg.chrootDirs} /bin/sh=${sh} $(echo $extraPaths) + build-use-sandbox = ${if (builtins.isBool cfg.useSandbox) then (if cfg.useSandbox then "true" else "false") else cfg.useSandbox} + build-sandbox-paths = ${toString cfg.sandboxPaths} /bin/sh=${sh} $(echo $extraPaths) binary-caches = ${toString cfg.binaryCaches} trusted-binary-caches = ${toString cfg.trustedBinaryCaches} binary-cache-public-keys = ${toString cfg.binaryCachePublicKeys} 
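Review bot: The generated nix.conf in the `@@ -39,8 +39,8 @@` hunk now emits only `build-use-sandbox` and `build-sandbox-paths`, so a daemon that predates the Nix-side rename (NixOS/nix#682) would presumably not recognise either key and would run builds unsandboxed without any error. Nothing visible in this hunk ties the new key names to the Nix version that actually reads the file. If an older Nix can still be selected, consider emitting the old keys alongside the new ones for a transition period, or asserting on the package version. At minimum a comment above the two lines would help, e.g. `# requires a Nix with the sandbox rename (NixOS/nix#682); older versions only know build-use-chroot`. The nix.conf template starts and ends outside the hunk.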
@@ -98,25 +98,25 @@ in ''; }; - useChroot = mkOption { + useSandbox = mkOption { type = types.either types.bool (types.enum ["relaxed"]); default = false; description = " - If set, Nix will perform builds in a chroot-environment that it + If set, Nix will perform builds in a sandboxed environment that it will set up automatically for each build. This prevents impurities in builds by disallowing access to dependencies outside of the Nix store. "; }; - chrootDirs = mkOption { + sandboxPaths = mkOption { type = types.listOf types.str; default = []; example = [ "/dev" "/proc" ]; description = '' Directories from the host filesystem to be included - in the chroot. + in the sandbox. ''; }; |
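Review bot: The `useSandbox` description still documents only the boolean case, although the type also accepts `"relaxed"`; since that value weakens isolation it should be spelled out. As far as I know Nix treats `relaxed` as sandboxing everything except fixed-output derivations and derivations that opt out, so a sentence such as `If set to "relaxed", fixed-output derivations and derivations that opt out are built without the sandbox.` would do, once confirmed against the Nix manual. The `sandboxPaths` description could likewise state that each listed host path becomes visible to every build, which matters for the `/dev` and `/proc` example.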