diff options
author | Luca Bruno <lethalman88@gmail.com> | 2015-12-11 18:31:00 +0100 |
---|---|---|
committer | Luca Bruno <lethalman88@gmail.com> | 2015-12-11 18:31:00 +0100 |
commit | 5b0352a6a43fdd924a53cde4b81c15b755fa0a27 (patch) | |
tree | cf0fcc2be2f6d08c970f0322a63ff0a31d5d5dee /pkgs/stdenv | |
parent | 2f0fe05543ce594eacf0310966914d6e19a42f88 (diff) | |
parent | 146784f835a6cadc65812c5adf76533c18e5be61 (diff) | |
download | nixlib-5b0352a6a43fdd924a53cde4b81c15b755fa0a27.tar nixlib-5b0352a6a43fdd924a53cde4b81c15b755fa0a27.tar.gz nixlib-5b0352a6a43fdd924a53cde4b81c15b755fa0a27.tar.bz2 nixlib-5b0352a6a43fdd924a53cde4b81c15b755fa0a27.tar.lz nixlib-5b0352a6a43fdd924a53cde4b81c15b755fa0a27.tar.xz nixlib-5b0352a6a43fdd924a53cde4b81c15b755fa0a27.tar.zst nixlib-5b0352a6a43fdd924a53cde4b81c15b755fa0a27.zip |
Merge branch 'master' into closure-size
Diffstat (limited to 'pkgs/stdenv')
-rw-r--r-- | pkgs/stdenv/generic/default.nix | 24 | ||||
-rw-r--r-- | pkgs/stdenv/pure-darwin/default.nix | 56 | ||||
-rw-r--r-- | pkgs/stdenv/pure-darwin/standard-sandbox.sb | 72 |
3 files changed, 123 insertions, 29 deletions
diff --git a/pkgs/stdenv/generic/default.nix b/pkgs/stdenv/generic/default.nix index 0341cf483b73..de5a9404b65c 100644 --- a/pkgs/stdenv/generic/default.nix +++ b/pkgs/stdenv/generic/default.nix @@ -12,6 +12,8 @@ let lib = import ../../../lib; in lib.makeOverridable ( , extraBuildInputs ? [] , __stdenvImpureHostDeps ? [] , __extraImpureHostDeps ? [] +, stdenvSandboxProfile ? "" +, extraSandboxProfile ? "" }: let @@ -101,6 +103,8 @@ let , outputs ? [ "out" ] , __impureHostDeps ? [] , __propagatedImpureHostDeps ? [] + , sandboxProfile ? "" + , propagatedSandboxProfile ? "" , ... } @ attrs: let pos' = @@ -123,10 +127,11 @@ let throw ("Package ‘${attrs.name or "«name-missing»"}’ in ${pos''} ${errormsg}, refusing to evaluate." + (lib.strings.optionalString (reason != "blacklisted") '' - For `nixos-rebuild` you can set + a) For `nixos-rebuild` you can set { nixpkgs.config.allow${up reason} = true; } in configuration.nix to override this. - For `nix-env` you can add + + b) For `nix-env`, `nix-build` or any other Nix command you can add { allow${up reason} = true; } to ~/.nixpkgs/config.nix. '')); @@ -166,9 +171,13 @@ let lib.addPassthru (derivation ( (removeAttrs attrs ["meta" "passthru" "crossAttrs" "pos" - "__impureHostDeps" "__propagatedImpureHostDeps"]) + "__impureHostDeps" "__propagatedImpureHostDeps" + "sandboxProfile" "propagatedSandboxProfile"]) // (let - # TODO: remove lib.unique once nix has a list canonicalization primitive + computedSandboxProfile = + lib.concatMap (input: input.__propagatedSandboxProfile or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs); + computedPropagatedSandboxProfile = + lib.concatMap (input: input.__propagatedSandboxProfile or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs); computedImpureHostDeps = lib.unique (lib.concatMap (input: input.__propagatedImpureHostDeps or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs)); computedPropagatedImpureHostDeps = @@ -190,6 +199,12 @@ let propagatedNativeBuildInputs = propagatedNativeBuildInputs ++ (if crossConfig == null then propagatedBuildInputs else []); } // ifDarwin { + # TODO: remove lib.unique once nix has a list canonicalization primitive + __sandboxProfile = + let profiles = [ extraSandboxProfile ] ++ computedSandboxProfile ++ computedPropagatedSandboxProfile ++ [ propagatedSandboxProfile sandboxProfile ]; + final = lib.concatStringsSep "\n" (lib.filter (x: x != "") (lib.unique profiles)); + in final; + __propagatedSandboxProfile = lib.unique (computedPropagatedSandboxProfile ++ [ propagatedSandboxProfile ]); __impureHostDeps = computedImpureHostDeps ++ computedPropagatedImpureHostDeps ++ __propagatedImpureHostDeps ++ __impureHostDeps ++ __extraImpureHostDeps ++ [ "/dev/zero" "/dev/random" @@ -233,6 +248,7 @@ let inherit preHook initialPath shell defaultNativeBuildInputs; } // ifDarwin { + __sandboxProfile = stdenvSandboxProfile; __impureHostDeps = __stdenvImpureHostDeps; }) diff --git a/pkgs/stdenv/pure-darwin/default.nix b/pkgs/stdenv/pure-darwin/default.nix index d13dc98cd742..bc3b433e9226 100644 --- a/pkgs/stdenv/pure-darwin/default.nix +++ b/pkgs/stdenv/pure-darwin/default.nix @@ -5,18 +5,9 @@ }: let - # libSystem and its transitive dependencies. Get used to this; it's a recurring theme in darwin land - libSystemClosure = [ - "/usr/lib/libSystem.dylib" - "/usr/lib/libSystem.B.dylib" - "/usr/lib/libobjc.A.dylib" - "/usr/lib/libobjc.dylib" - "/usr/lib/libauto.dylib" - "/usr/lib/libc++abi.dylib" - "/usr/lib/libc++.1.dylib" - "/usr/lib/libDiagnosticMessagesClient.dylib" - "/usr/lib/system" - ]; + libSystemProfile = '' + (import "${./standard-sandbox.sb}") + ''; fetch = { file, sha256, executable ? true }: import <nix/fetchurl.nix> { url = "http://tarballs.nixos.org/stdenv-darwin/x86_64/4f07c88d467216d9692fefc951deb5cd3c4cc722/${file}"; @@ -46,7 +37,9 @@ in rec { ''; # The one dependency of /bin/sh :( - binShClosure = [ "/usr/lib/libncurses.5.4.dylib" ]; + binShClosure = '' + (allow file-read* (literal "/usr/lib/libncurses.5.4.dylib")) + ''; bootstrapTools = derivation rec { inherit system tarball; @@ -57,7 +50,7 @@ in rec { inherit (bootstrapFiles) mkdir bzip2 cpio; - __impureHostDeps = binShClosure ++ libSystemClosure; + __sandboxProfile = binShClosure + libSystemProfile; }; stageFun = step: last: {shell ? "${bootstrapTools}/bin/sh", @@ -100,8 +93,8 @@ in rec { }; # The stdenvs themselves don't use mkDerivation, so I need to specify this here - __stdenvImpureHostDeps = binShClosure ++ libSystemClosure; - __extraImpureHostDeps = binShClosure ++ libSystemClosure; + stdenvSandboxProfile = binShClosure + libSystemProfile; + extraSandboxProfile = binShClosure + libSystemProfile; extraAttrs = { inherit platform; }; overrides = pkgs: (overrides pkgs) // { fetchurl = thisStdenv.fetchurlBoot; }; @@ -178,10 +171,14 @@ in rec { }; stage2 = with stage1; stageFun 2 stage1 { + extraPreHook = '' + export PATH_LOCALE=${pkgs.darwin.locale}/share/locale + ''; + allowedRequisites = [ bootstrapTools ] ++ (with pkgs; [ xz libcxx libcxxabi icu ]) ++ - (with pkgs.darwin; [ dyld Libsystem CF ]); + (with pkgs.darwin; [ dyld Libsystem CF locale ]); overrides = persistent1; }; @@ -196,7 +193,7 @@ in rec { darwin = orig.darwin // { inherit (darwin) - dyld Libsystem xnu configd libdispatch libclosure launchd libiconv; + dyld Libsystem xnu configd libdispatch libclosure launchd libiconv locale; }; }; @@ -209,10 +206,14 @@ in rec { # patches our shebangs back to point at bootstrapTools. This makes sure bash comes first. extraInitialPath = [ pkgs.bash ]; + extraPreHook = '' + export PATH_LOCALE=${pkgs.darwin.locale}/share/locale + ''; + allowedRequisites = [ bootstrapTools ] ++ (with pkgs; [ icu bash libcxx libcxxabi ]) ++ - (with pkgs.darwin; [ dyld Libsystem ]); + (with pkgs.darwin; [ dyld Libsystem locale ]); overrides = persistent2; }; @@ -230,13 +231,16 @@ in rec { }; darwin = orig.darwin // { - inherit (darwin) dyld Libsystem libiconv; + inherit (darwin) dyld Libsystem libiconv locale; }; }; stage4 = with stage3; stageFun 4 stage3 { shell = "${pkgs.bash}/bin/bash"; extraInitialPath = [ pkgs.bash ]; + extraPreHook = '' + export PATH_LOCALE=${pkgs.darwin.locale}/share/locale + ''; overrides = persistent3; }; @@ -251,7 +255,7 @@ in rec { }; darwin = orig.darwin // { - inherit (darwin) dyld Libsystem cctools CF libiconv; + inherit (darwin) dyld Libsystem cctools libiconv; }; }; @@ -261,10 +265,12 @@ in rec { name = "stdenv-darwin"; - preHook = commonPreHook; + preHook = commonPreHook + '' + export PATH_LOCALE=${pkgs.darwin.locale}/share/locale + ''; - __stdenvImpureHostDeps = binShClosure ++ libSystemClosure; - __extraImpureHostDeps = binShClosure ++ libSystemClosure; + stdenvSandboxProfile = binShClosure + libSystemProfile; + extraSandboxProfile = binShClosure + libSystemProfile; initialPath = import ../common-path.nix { inherit pkgs; }; shell = "${pkgs.bash}/bin/bash"; @@ -292,7 +298,7 @@ in rec { coreutils ed diffutils gnutar gzip ncurses gnused bash gawk gnugrep llvmPackages.clang-unwrapped patch pcre binutils-raw binutils gettext ]) ++ (with pkgs.darwin; [ - dyld Libsystem CF cctools libiconv + dyld Libsystem CF cctools libiconv locale ]); overrides = orig: persistent4 orig // { diff --git a/pkgs/stdenv/pure-darwin/standard-sandbox.sb b/pkgs/stdenv/pure-darwin/standard-sandbox.sb new file mode 100644 index 000000000000..b87be89f35f2 --- /dev/null +++ b/pkgs/stdenv/pure-darwin/standard-sandbox.sb @@ -0,0 +1,72 @@ +(define TMPDIR (param "_GLOBAL_TMP_DIR")) + +; obvious +(allow process-fork) + +; allow reading system information like #CPUs, etc. +(allow sysctl-read) + +; IPC +(allow ipc-posix*) + +; Unix sockets +(allow system-socket) + +; all runtime dependencies of libSystem.dylib +(allow file-read* + (literal "/usr/lib/libSystem.dylib") + (literal "/usr/lib/libSystem.B.dylib") + (literal "/usr/lib/libobjc.A.dylib") + (literal "/usr/lib/libobjc.dylib") + (literal "/usr/lib/libauto.dylib") + (literal "/usr/lib/libc++abi.dylib") + (literal "/usr/lib/libc++.1.dylib") + (literal "/usr/lib/libDiagnosticMessagesClient.dylib") + (subpath "/usr/lib/system")) + +; tmp +(allow file* process-exec (literal "/tmp") (subpath TMPDIR)) + +; clang likes to read the system version +(allow file-read* (literal "/System/Library/CoreServices/SystemVersion.plist")) + +; used for bootstrap builders +(allow process-exec* (literal "/bin/sh")) + +; without this line clang cannot write to /dev/null, breaking some configure tests +(allow file-read-metadata (literal "/dev")) + +; standard devices +(allow file* + (literal "/dev/null") + (literal "/dev/random") + (literal "/dev/stdin") + (literal "/dev/stdout") + (literal "/dev/tty") + (literal "/dev/urandom") + (literal "/dev/zero") + (subpath "/dev/fd")) + +; does nothing, but reduces build noise +(allow file* (literal "/dev/dtracehelper")) + +; ICU data and zoneinfo data are hardcoded +; both are in libicucore and zoneinfo is in libsystem_c as well +(allow file-read* (subpath "/usr/share/icu") (subpath "/usr/share/zoneinfo")) + +; no idea what this is +(allow file-read-data (literal "/dev/autofs_nowait")) + +; lots of autoconf projects want to list this directory +(allow file-read-metadata (literal "/var") (literal "/private/var/tmp")) + +; send signals +(allow signal (target same-sandbox)) + +; allow getpwuid (for git and other packages) +(allow mach-lookup + (global-name "com.apple.system.notification_center") + (global-name "com.apple.system.opendirectoryd.libinfo")) + +; allow networking on localhost +(allow network* (local ip) (remote unix-socket)) |