Diffstat (limited to 'pkgs/stdenv')
-rw-r--r-- | pkgs/stdenv/generic/default.nix | 13 | ||||
-rw-r--r-- | pkgs/stdenv/pure-darwin/default.nix | 12 | ||||
-rw-r--r-- | pkgs/stdenv/pure-darwin/standard-sandbox.sb | 27 |
3 files changed, 34 insertions, 18 deletions
diff --git a/pkgs/stdenv/generic/default.nix b/pkgs/stdenv/generic/default.nix
index c2324c86eb5a..196c8618c918 100644
--- a/pkgs/stdenv/generic/default.nix
+++ b/pkgs/stdenv/generic/default.nix
@@ -156,11 +156,10 @@ let
 "__impureHostDeps" "__propagatedImpureHostDeps" "__sandboxProfile" "__propagatedSandboxProfile"]) // (let
- # TODO: remove lib.unique once nix has a list canonicalization primitive
 computedSandboxProfile =
- lib.concatStrings (lib.unique (builtins.map (input: input.__propagatedSandboxProfile or "") (extraBuildInputs ++ buildInputs ++ nativeBuildInputs)));
+ lib.concatMap (input: input.__propagatedSandboxProfile or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs);
 computedPropagatedSandboxProfile =
- lib.concatStrings (lib.unique (builtins.map (input: input.__propagatedSandboxProfile or "") (propagatedBuildInputs ++ propagatedNativeBuildInputs)));
+ lib.concatMap (input: input.__propagatedSandboxProfile or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs);
 in
 {
 builder = attrs.realBuilder or shell;
@@ -178,8 +177,12 @@ let
 propagatedNativeBuildInputs = propagatedNativeBuildInputs ++
 (if crossConfig == null then propagatedBuildInputs else []);
 } // ifDarwin {
- __sandboxProfile = computedSandboxProfile + computedPropagatedSandboxProfile + __propagatedSandboxProfile + __sandboxProfile + __extraSandboxProfile;
- __propagatedSandboxProfile = computedPropagatedSandboxProfile + __propagatedSandboxProfile;
+ # TODO: remove lib.unique once nix has a list canonicalization primitive
+ __sandboxProfile =
+ let profiles = [ __extraSandboxProfile ] ++ computedSandboxProfile ++ computedPropagatedSandboxProfile ++ [ __propagatedSandboxProfile __sandboxProfile ];
+ final = lib.concatStringsSep "\n" (lib.filter (x: x != "") (lib.unique profiles));
+ in final;
+ __propagatedSandboxProfile = lib.unique (computedPropagatedSandboxProfile ++ [ __propagatedSandboxProfile ]);
 } // (if outputs' != [ "out" ] then { outputs = outputs'; } else { })))) (
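Review bot: `input.__propagatedSandboxProfile or []` in the new computedSandboxProfile and computedPropagatedSandboxProfile bindings only covers an absent attribute; an input that still carries the old string form is handed to `lib.concatMap` as-is and evaluation fails with a bare "value is a string while a list was expected" rather than a message naming the input. The attrs passed to mkDerivation (`__sandboxProfile`, `__propagatedSandboxProfile`) are still treated as single strings in the second hunk, so the input side and the attr side of the same attribute name now have different types and nothing says so. A comment on the first binding would spare the next reader that surprise: `# on inputs, __propagatedSandboxProfile is a list of profile fragments; the attr of the same name given to mkDerivation is a single string`. The enclosing `let` starts and ends outside the hunk.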
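Review bot: `lib.unique profiles` keeps the first occurrence of each fragment, so a fragment that also arrives through a dependency is emitted at the dependency's position rather than where `__sandboxProfile`/`__propagatedSandboxProfile` place it; if the sandbox profile language resolves conflicting rules by order, deduplication can silently change which rule wins, and the TODO above this line should say so rather than only mention canonicalization. The propagated list on the last added line is also not filtered the way `final` is, so if `__propagatedSandboxProfile` defaults to the empty string every downstream derivation inherits a `""` entry. Suggested: `__propagatedSandboxProfile = lib.unique (lib.filter (x: x != "") (computedPropagatedSandboxProfile ++ [ __propagatedSandboxProfile ]));`. The ifDarwin attribute set and the surrounding expression continue outside the hunk.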
diff --git a/pkgs/stdenv/pure-darwin/default.nix b/pkgs/stdenv/pure-darwin/default.nix
index fb3559659e59..1770d48278d9 100644
--- a/pkgs/stdenv/pure-darwin/default.nix
+++ b/pkgs/stdenv/pure-darwin/default.nix
@@ -5,7 +5,9 @@
 }:
 let
- libSystemProfile = builtins.readFile ./standard-sandbox.sb;
+ libSystemProfile = ''
+ (import "${./standard-sandbox.sb}")
+ '';
 fetch = { file, sha256, executable ? true }: import <nix/fetchurl.nix> {
 url = "http://tarballs.nixos.org/stdenv-darwin/x86_64/4f07c88d467216d9692fefc951deb5cd3c4cc722/${file}";
@@ -253,7 +255,7 @@ in rec {
 };
 darwin = orig.darwin // {
- inherit (darwin) dyld Libsystem cctools CF libiconv;
+ inherit (darwin) dyld Libsystem cctools libiconv;
 };
 };
@@ -263,7 +265,9 @@ in rec {
 name = "stdenv-darwin";
- preHook = commonPreHook;
+ preHook = commonPreHook + ''
+ export PATH_LOCALE=${pkgs.darwin.locale}/share/locale
+ '';
 __stdenvSandboxProfile = binShClosure + libSystemProfile;
 __extraSandboxProfile = binShClosure + libSystemProfile;
@@ -294,7 +298,7 @@ in rec {
 coreutils ed diffutils gnutar gzip ncurses gnused bash gawk gnugrep llvmPackages.clang-unwrapped patch pcre binutils-raw binutils gettext
 ]) ++ (with pkgs.darwin; [
- dyld Libsystem CF cctools libiconv
+ dyld Libsystem CF cctools libiconv locale
 ]);
 overrides = orig: persistent4 orig // {
diff --git a/pkgs/stdenv/pure-darwin/standard-sandbox.sb b/pkgs/stdenv/pure-darwin/standard-sandbox.sb
index 670ab01f3477..37a9b736e53e 100644
--- a/pkgs/stdenv/pure-darwin/standard-sandbox.sb
+++ b/pkgs/stdenv/pure-darwin/standard-sandbox.sb
@@ -7,7 +7,7 @@
 (allow sysctl-read)
 ; IPC
-(allow ipc-posix-sem)
+(allow ipc-posix*)
 ; Unix sockets
 (allow system-socket)
@@ -33,6 +33,9 @@
 ; used for bootstrap builders
 (allow process-exec* (literal "/bin/sh"))
+; without this line clang cannot write to /dev/null, breaking some configure tests
+(allow file-read-metadata (literal "/dev"))
+
 ; standard devices
 (allow file* (literal "/dev/null")
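Review bot: `(allow ipc-posix*)` in the standard-sandbox.sb hunk at `@@ -7,7 +7,7 @@` widens the rule from POSIX semaphores to the whole ipc-posix family, POSIX shared memory included, and neither the rule nor the `; IPC` comment records which build needed the extra surface. If semaphores and shared memory are all that is required, name them instead of the wildcard: `(allow ipc-posix-sem ipc-posix-shm)`. Either way the reason belongs next to the rule, e.g. `; POSIX semaphores and shared memory, needed by <PACKAGE-THAT-NEEDED-IT>` with the placeholder filled in, so the next person widening the profile can tell what would break if it were narrowed again.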
@@ -51,15 +54,21 @@
 ; both are in libicucore and zoneinfo is in libsystem_c as well
 (allow file-read* (subpath "/usr/share/icu") (subpath "/usr/share/zoneinfo"))
+; no idea what this is
+(allow file-read-data (literal "/dev/autofs_nowait"))
+
 ; lots of autoconf projects want to list this directory
 (allow file-read-metadata (literal "/var") (literal "/private/var/tmp"))
+; send signals
+(allow signal (target same-sandbox))
+
+; allow getpwuid (for git and other packages)
+(allow mach-lookup
+ (global-name "com.apple.system.notification_center")
+ (global-name "com.apple.system.opendirectoryd.libinfo"))
+
 ; mute annoying failures
-(deny file-read-metadata (with no-log)
- (literal "/etc")
- (subpath "/usr/bin"))
-
-(deny process-exec* (with no-log)
- (literal "/usr/bin/arch")
- (literal "/usr/bin/hostinfo")
- (literal "/usr/bin/uname"))
+(deny (with no-log) file-read-metadata (literal "/etc") (subpath "/usr/bin"))
+
+(deny process-exec* (literal "/usr/bin/arch") (literal "/usr/bin/hostinfo") (literal "/usr/bin/uname"))
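Review bot: the rewritten `(deny process-exec* ...)` line at the end of the hunk drops the `(with no-log)` modifier that the removed rule carried, so denials of /usr/bin/arch, /usr/bin/hostinfo and /usr/bin/uname are now logged even though the rule still sits under `; mute annoying failures`; restore it as the removed rule had it, `(deny process-exec* (with no-log) (literal "/usr/bin/arch") (literal "/usr/bin/hostinfo") (literal "/usr/bin/uname"))`. The new `mach-lookup` allowance for `com.apple.system.opendirectoryd.libinfo` lets a build resolve users and groups from the host's directory services, so any output that embeds `getpwuid` results now depends on the machine doing the build; that impurity deserves a line next to `; allow getpwuid`, e.g. `; NOTE: answers come from the host user database, so builds that bake them in are not reproducible across hosts`. `; no idea what this is` above the `/dev/autofs_nowait` rule should be replaced with what the device actually does before the rule is kept (it appears to be the automounter's non-blocking trigger node, to be confirmed), since a rule nobody can explain is the first one to be widened by mistake later.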