diff options
author | Eelco Dolstra <edolstra@gmail.com> | 2017-05-15 17:30:33 +0200 |
---|---|---|
committer | Eelco Dolstra <edolstra@gmail.com> | 2017-05-15 17:36:32 +0200 |
commit | a2d92bb20e82a0957067ede60e91fab256948b41 (patch) | |
tree | 665a9274c830f73c05a282622d78f6cf8d7c9ec9 | |
parent | b30f5784d0184688de964f6239e373b62101ebc4 (diff) |
Add --with-sandbox-shell configure flag
And add a 116 KiB ash shell from busybox to the release build. This
helps to make sandbox builds work out of the box on non-NixOS systems
and with diverted stores.
-rw-r--r-- | Makefile.config.in | 1 | ||||
-rw-r--r-- | configure.ac | 6 | ||||
-rw-r--r-- | release-common.nix | 21 | ||||
-rw-r--r-- | release.nix | 9 | ||||
-rw-r--r-- | shell.nix | 7 | ||||
-rw-r--r-- | src/libstore/globals.cc | 4 | ||||
-rw-r--r-- | src/libstore/local.mk | 2 |
7 files changed, 38 insertions, 12 deletions
diff --git a/Makefile.config.in b/Makefile.config.in index 3cae30d48..45a70cd6d 100644 --- a/Makefile.config.in +++ b/Makefile.config.in @@ -28,6 +28,7 @@ localstatedir = @localstatedir@ mandir = @mandir@ pkglibdir = $(libdir)/$(PACKAGE_NAME) prefix = @prefix@ +sandbox_shell = @sandbox_shell@ storedir = @storedir@ sysconfdir = @sysconfdir@ doc_generate = @doc_generate@ diff --git a/configure.ac b/configure.ac index c7026cf95..24a95ce56 100644 --- a/configure.ac +++ b/configure.ac @@ -240,6 +240,12 @@ fi AC_SUBST(tarFlags) +AC_ARG_WITH(sandbox-shell, AC_HELP_STRING([--with-sandbox-shell=PATH], + [path of a statically-linked shell to use as /bin/sh in sandboxes]), + sandbox_shell=$withval) +AC_SUBST(sandbox_shell) + + # Expand all variables in config.status. test "$prefix" = NONE && prefix=$ac_default_prefix test "$exec_prefix" = NONE && exec_prefix='${prefix}' diff --git a/release-common.nix b/release-common.nix new file mode 100644 index 000000000..8047c75bd --- /dev/null +++ b/release-common.nix @@ -0,0 +1,21 @@ +{ pkgs }: + +rec { + sh = pkgs.busybox.override { + useMusl = true; + enableStatic = true; + enableMinimal = true; + extraConfig = '' + CONFIG_ASH y + CONFIG_ASH_BUILTIN_ECHO y + CONFIG_ASH_BUILTIN_TEST y + CONFIG_ASH_OPTIMIZE_FOR_SIZE y + ''; + }; + + configureFlags = + [ "--disable-init-state" + "--enable-gc" + "--with-sandbox-shell=${sh}/bin/busybox" + ]; +} diff --git a/release.nix b/release.nix index 54d20c868..f1a553d01 100644 --- a/release.nix +++ b/release.nix @@ -66,6 +66,8 @@ let with import <nixpkgs> { inherit system; }; + with import ./release-common.nix { inherit pkgs; }; + releaseTools.nixBuild { name = "nix"; src = tarball; @@ -83,11 +85,8 @@ let customMemoryManagement = false; }); - configureFlags = '' - --disable-init-state - --enable-gc - --sysconfdir=/etc - ''; + configureFlags = configureFlags ++ + [ "--sysconfdir=/etc" ]; enableParallelBuilding = true; @@ -2,6 +2,8 @@ with import <nixpkgs> {}; +with import ./release-common.nix { inherit pkgs; }; + (if useClang then clangStdenv else stdenv).mkDerivation { name = "nix"; @@ -22,10 +24,7 @@ with import <nixpkgs> {}; perlPackages.DBDSQLite ]; - configureFlags = - [ "--disable-init-state" - "--enable-gc" - ]; + inherit configureFlags; enableParallelBuilding = true; diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc index 4bdbde989..3dd2508a2 100644 --- a/src/libstore/globals.cc +++ b/src/libstore/globals.cc @@ -47,8 +47,8 @@ Settings::Settings() auto s = getEnv("NIX_REMOTE_SYSTEMS"); if (s != "") builderFiles = tokenizeString<Strings>(s, ":"); -#if __linux__ - sandboxPaths = tokenizeString<StringSet>("/bin/sh=" BASH_PATH); +#if defined(__linux__) && defined(SANDBOX_SHELL) + sandboxPaths = tokenizeString<StringSet>("/bin/sh=" SANDBOX_SHELL); #endif allowedImpureHostPrefixes = tokenizeString<StringSet>(DEFAULT_ALLOWED_IMPURE_PREFIXES); diff --git a/src/libstore/local.mk b/src/libstore/local.mk index 4da20330c..e06002587 100644 --- a/src/libstore/local.mk +++ b/src/libstore/local.mk @@ -27,7 +27,7 @@ libstore_CXXFLAGS = \ -DNIX_CONF_DIR=\"$(sysconfdir)/nix\" \ -DNIX_LIBEXEC_DIR=\"$(libexecdir)\" \ -DNIX_BIN_DIR=\"$(bindir)\" \ - -DBASH_PATH="\"$(bash)\"" \ + -DSANDBOX_SHELL="\"$(sandbox_shell)\"" \ -DLSOF=\"$(lsof)\" $(d)/local-store.cc: $(d)/schema.sql.hh |