path: root/pkgs/build-support/build-fhs-userenv
Commit message (Author, Age)
* buildFHSUserEnv: change to root directory after chroot (Linus Heckemann, 2018-04-28)
|     Fixes #38525
* buildFHSEnv: export TZDIR (Nikolay Amiantov, 2018-03-11)
|     This is needed since NixOS keeps tzdata in non-standard /etc/zoneinfo path.
* buildFHSEnv: fix compiler search paths (Nikolay Amiantov, 2018-03-10)
|     Fixes OpenWrt compilation.
* chrootenv: rewrite on top of GLib (Yegor Timoshenko, 2017-12-30)
|     Changes:
|
|     * doesn't handle root user separately
|     * doesn't chdir("/") which makes using it seamless
|     * only bind mounts, doesn't symlink (i.e. files)
|
|     Incidentally, fixes #33106.
|
|     It's about two times shorter than the previous version, and much easier
|     to read/follow through. It uses GLib quite heavily, along with RAII
|     (available in GCC/Clang).
* chrootenv: resolve potential race condition (Yegor Timoshenko, 2017-12-28)
|
* chrootenv: code review (Yegor Timoshenko, 2017-12-22)
|     * Wrap LEN macro in parentheses
|     * Drop env_filter in favor of stateful environ_blacklist_filter, use
|       execvp instead of execvpe, don't explicitly use environ
|     * Add argument error logging wherever it makes sense
|     * Drop strjoin in favor of asprintf
|     * char* -> const char* where appropriate
|     * Handle stat errors
|     * Print user messages with fputs, not errorf
|     * Abstract away is_str_in (previously bind_blacklisted)
|     * Cleanup temporary directory on error
|     * Some minor syntactic and naming changes
|
|     Thanks to Jörg Thalheim and Tuomas Tynkkynen for the code review!
* chrootenv: error on chrootenv-inside-chrootenv, resolves #32802 (Yegor Timoshenko, 2017-12-22)
|
* chrootenv: replace env whitelist with blacklist, closes #32878 (Yegor Timoshenko, 2017-12-22)
|
* chrootenv: bind-mount all dirs in /, symlink files, closes #32877 (Yegor Timoshenko, 2017-12-22)
|
* chrootenv: print sysctl command for Debian users, fixes #32876 (Yegor Timoshenko, 2017-12-22)
|
* chroot-user: better error message, if unshare is not allowed (Jörg Thalheim, 2017-12-09)
|
* chroot-user: rewrite in C, drop CHROOTENV_EXTRA_BINDS (Yegor Timoshenko, 2017-11-09)
|     Formatted via clang-format.
* buildFHSEnv: fix NIX_* compiler flags (Nikolay Amiantov, 2017-10-17)
|     This is needed now after #27672.
* build-fhs-userenv: Propagate $XAUTHORITY (Jamey Sharp, 2017-07-18)
|     The `DISPLAY` environment variable is propagated into chroots built with
|     `buildFHSUserEnv`, but currently the `XAUTHORITY` variable is not. When
|     the latter is set, its value is usually necessary in order to connect to
|     the X server identified by the former.
|
|     This matters for users running gdm3, for example, who have `XAUTHORITY`
|     set to something like `/run/user/1000/gdm/Xauthority` instead of the X
|     default of `~/.Xauthority`, which doesn't exist in that setup.
|
|     Fixes #21532.
* buildFHSEnv: add ACLOCAL_PATH (Nikolay Amiantov, 2017-04-12)
|     Fixes #24620.
* Getting rid of the var indirection and using a bin path instead (Parnell Springmeyer, 2017-01-29)
|
* Addressing PR feedback (Parnell Springmeyer, 2017-01-28)
|
* setcap-wrapper: Merging with upstream master and resolving conflicts (Parnell Springmeyer, 2017-01-25)
|\
| * buildFHSEnv: link /etc/zoneinfo (Nikolay Amiantov, 2016-10-11)
| |     This is needed because now /etc/localtime symlink points there.
* | Adapting everything for the merged permissions wrappers work. (Parnell Springmeyer, 2016-09-01)
|/
* fhs-user-env: keep DBUS_SESSION_BUS_ADDRESS env (Benno Fünfstück, 2016-06-28)
|     Steam requires this variable or some games run incredibly slow. See
|     ValveSoftware/Dota-2#921 for more information.
* buildFHSUserEnv: don't set CHROOTENV_EXTRA_BINDS (Nikolay Amiantov, 2016-06-28)
|
* buildFHSUserEnv: mark CHROOTENV_EXTRA_BINDS as discussed for deprecation (Nikolay Amiantov, 2016-06-07)
|
* buildFHSEnv: link 'bin' output (Nikolay Amiantov, 2016-06-07)
|
* buildFHSEnv: don't link GCC compiler part (Nikolay Amiantov, 2016-06-07)
|
* buildFHSEnv: refactor and simplify, drop buildFHSChrootEnv (Nikolay Amiantov, 2016-06-07)
|     This takes another approach at binding FHS directory structure. We now
|     bind-mount all the root filesystem to directory "/host" in the target
|     tree. From that we symlink all the directories into the tree if they do
|     not already exist in FHS structure.
|
|     This probably makes `CHROOTENV_EXTRA_BINDS` unnecessary -- its main
|     use case was to add bound directories from the host to the sandbox, and
|     we not just symlink all of them. I plan to get some feedback on its usage
|     and maybe deprecate it.
|
|     This also drops old `buildFHSChrootEnv` infrastructure. The main problem
|     with it is it's very difficult to unmount a recursive-bound directory
|     when mount is not sandboxed. This problem is a bug even without these
|     changes -- if you have for example `/home/alice` mounted to somewhere,
|     you wouldn't see it in `buildFHSChrootEnv` now. With the new directory
|     structure, it's impossible to use regular bind at all. After some
|     tackling with this I realized that the fix would be brittle and dangerous
|     (if you don't unmount everything clearly and proceed to removing the
|     temporary directory, bye-bye fs!). It also probably isn't worth it
|     because I haven't heard that someone actually uses it for a long time,
|     and `buildFHSUserEnv` should cover most cases while being much more
|     maintainable and safe for the end-user.
* buildFHSUserEnv: don't run bash in login mode for .env (Nikolay Amiantov, 2016-05-20)
|     Fixes https://github.com/NixOS/nixpkgs/issues/12406 for `.env`
* userFHSEnv: add passthru, rename meta (Nikolay Amiantov, 2016-04-03)
|
* Revert "Remove PATH assumption from fhs-userenv." (Nikolay Amiantov, 2016-03-29)
|     This reverts commit 2f26b82411ea93349d375ea3b5d833b04a455972.
|
|     This breaks terminfo in Bash for some reason (i.e. TAB and other special
|     keys).
* fhs-userenv: don't use bash login mode (Nikolay Amiantov, 2016-01-23)
|     Login mode can cause hidden problems, e.g. #12406. Generally we don't
|     want to read user's .bash_profile when we don't start an interactive
|     shell inside a chroot.
* Merge pull request #12062 from mogorman/platformio (lethalman, 2016-01-13)
|\
| |     platformio: init at 2.7.0
| * build-fhs-userenv: added the option meta to be passed down to the final derivation. (Matthew O'Gorman, 2016-01-06)
* | chrootenv-user: don't unshare user namespace if we are root (Nikolay Amiantov, 2015-12-17)
|/
* Remove PATH assumption from fhs-userenv. (Kevin Cox, 2015-12-14)
|     Previously it was assumed that bash was in the path when calling the
|     environment setup script. This changes all of the references of bash to
|     be absolute paths so that the user doesn't have to worry about the
|     environment they call it with.
* build-fhs-userenv: don't leak file descriptors (zimbatm, 2015-12-10)
|     This re-uses the capabilities documented in `Process.spawn` to avoid
|     leaking unnecessary file-descriptors to the sandbox
* buildFHS{Chroot,User}Env: support extraInstallCommands (Nikolay Amiantov, 2015-12-04)
|
* build-fhs-userenv: fix extraBindMounts (Nikolay Amiantov, 2015-10-07)
|
* build-fhs-userenv: add extraBindMounts support (Nikolay Amiantov, 2015-10-06)
|
* buildFHSUserEnv: add .env support (Nikolay Amiantov, 2015-08-26)
|
* build-fhs-userenv: move /tmp handling to bash part (Nikolay Amiantov, 2015-08-24)
|
* build-fhs-{chroot,user}env: expose sockets in /tmp (Nikolay Amiantov, 2015-08-24)
|
* fhs-userenv: refactor and try to chdir to the current directory (Nikolay Amiantov, 2015-04-22)
|     runScript now expects a filename instead of a Bash snippet; thus, "exec"
|     should be omitted.
* fhs-userenv: fix mkdirs (Nikolay Amiantov, 2015-04-22)
|
* fhs-userenv: move mounts map (Nikolay Amiantov, 2015-04-22)
|
* fhs-userenv: refactor envvars and propagate SSL_CERT_FILE (Nikolay Amiantov, 2015-04-22)
|
* fhs-userenv: Make it work on kernel < 3.19 cc @abbradar (Luca Bruno, 2015-03-10)
|     It may not be very secure, but I think it's better to make it work with
|     older kernel since 3.19 is not the default on nixos.
* Merge pull request #6737 from anderspapitto/fhs (lethalman, 2015-03-10)
|\
| |     build-fhs-userenv passes through command line args
| * build-fhs-userenv passes through command line args (Anders Papitto, 2015-03-09)
| |     The motivation for this change is to allow things like the following
| |     derivation, which wraps the debian-packaged hello binary.
| |
| |         let nixpkgs = import <nixpkgs> {};
| |             stdenv = nixpkgs.stdenv;
| |         in rec {
| |           dumb-hello = stdenv.mkDerivation {
| |             name = "dumb-hello";
| |             builder = ./builder.sh;
| |             dpkg = nixpkgs.dpkg;
| |             src = nixpkgs.fetchurl {
| |               url = "http://ftp.us.debian.org/debian/pool/main/h/hello-traditional/hello-traditional_2.9-2_amd64.deb";
| |               md5 = "f5f3c28b65221dae44dda6f242c23316";
| |             };
| |           };
| |           full-hello = nixpkgs.buildFHSUserEnv {
| |             name = "full-hello";
| |             targetPkgs = pkgs: [ dumb-hello ];
| |             multiPkgs = pkgs: [ pkgs.dpkg ];
| |             runScript = "hello";
| |           };
| |         }
* | chroot-env: add locales, refactor environment (Nikolay Amiantov, 2015-03-09)
| |
* | chroot-env: build /etc (Nikolay Amiantov, 2015-03-09)
|/