aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2016-12-22Add commentEelco Dolstra
2016-12-22Merge pull request #1144 from jamesbroadhead/shellcheck_installDomen Kožar
shellcheck scripts/install-nix-from-closure.sh
2016-12-19shellcheck scripts/install-nix-from-closure.shJames Broadhead
2016-12-19Revert "Merge branch 'seccomp' of https://github.com/aszlig/nix"Eelco Dolstra
This reverts commit 9f3f2e21edb17dbcd674539dff96efb6cceca10c, reversing changes made to 47f587700d646f5b03a42f2fa57c28875a31efbe.
2016-12-19Revert "shell.nix: Add libseccomp"Eelco Dolstra
This reverts commit 1df82b62456b3194b3d8be0562e886cf16bf9379.
2016-12-19Revert "Give root a valid home directory"Eelco Dolstra
This reverts commit ec7d498b72b0e283814c27cbc6c064496f95445d.
2016-12-16Merge pull request #1154 from LnL7/manual-conf-fileDomen Kožar
manual: add NIX_CONF_DIR to conf-file section
2016-12-16manual: add NIX_CONF_DIR to conf-file sectionDaiderd Jordan
2016-12-15Give root a valid home directoryEelco Dolstra
Some programs barf if the current user has a non-writable home directory, e.g. http://hydra.nixos.org/build/44818144.
2016-12-15Merge branch 'master' of github.com:NixOS/nixEelco Dolstra
2016-12-15shell.nix: Add libseccompEelco Dolstra
2016-12-15Merge branch 'seccomp' of https://github.com/aszlig/nixEelco Dolstra
2016-12-13Merge branch 'base32-overflow' of git://github.com/vcunat/nixShea Levy
2016-12-11Merge pull request #1153 from lheckemann/path-searchDomen Kožar
Document path-searching behaviour
2016-12-11Document path-search behaviourLinus Heckemann
2016-12-11Add missing DBD::SQLite to shell.nixLinus Heckemann
2016-12-09Document builtins.match, fixes #1145Domen Kožar
2016-12-09Probably fix a segfault in PathLocksEelco Dolstra
2016-12-08Don't delete .check directories of running buildsEelco Dolstra
We need to keep them around for diffoscope.
2016-12-08Fix warning on 32-bit systemsEelco Dolstra
http://hydra.nixos.org/build/44628517
2016-12-08Fix buildEelco Dolstra
http://hydra.nixos.org/build/44628517
2016-12-08S3BinaryCacheStore: Ensure it only builds on LinuxEelco Dolstra
2016-12-08Fix S3BinaryCacheStoreEelco Dolstra
It failed with AWS error uploading ‘6gaxphsyhg66mz0a00qghf9nqf7majs2.ls.xz’: Unable to parse ExceptionName: MissingContentLength Message: You must provide the Content-Length HTTP header. possibly because the istringstream_nocopy introduced in 0d2ebb4373e509521f27a6e8f16bfd39d05b2188 doesn't supply the seek method that the AWS library expects. So bring back the old version, but only for S3BinaryCacheStore.
2016-12-08Drop unused dblatex referenceEelco Dolstra
2016-12-07Add a hook to run diffoscope when non-determinism is detectedEelco Dolstra
2016-12-07Keep track of the exact build start/stop timesEelco Dolstra
2016-12-07Bail out early when non-determinism is detectedEelco Dolstra
2016-12-07Expose enforce-determinism and the result to HydraEelco Dolstra
2016-12-07Add an option to make non-determinism non-fatalEelco Dolstra
That is, when build-repeat > 0, and the output of two rounds differ, then print a warning rather than fail the build. This is primarily to let Hydra check reproducibility of all packages.
2016-12-06Use a steady clock for timeoutsEelco Dolstra
Fixes #1146.
2016-12-06nix-store --serve: Suppress log output on stderr when repeating a buildEelco Dolstra
2016-12-06nix-store --serve: Support setting build-repeatEelco Dolstra
This allows Hydra to test whether builds are reproducible.
2016-12-06Tweak error messageEelco Dolstra
2016-12-06Add shell.nixEelco Dolstra
2016-12-06Drop unused WWW::Curl dependencyEelco Dolstra
2016-12-06Merge pull request #947 from layus/fix-path-slashEelco Dolstra
Improve error message on trailing path slashes
2016-11-27Improve error message on trailing path slashesGuillaume Maudoux
2016-11-26Revert "Get rid of unicode quotes (#1140)"Eelco Dolstra
This reverts commit f78126bfd6b6c8477fcdbc09b2f98772dbe9a1e7. There really is no need for such a massive change...
2016-11-25Get rid of unicode quotes (#1140)Guillaume Maudoux
2016-11-21nix-channel: Fix --update <CHANNELS>Eelco Dolstra
This unbreaks "nixos-rebuild --upgrade".
2016-11-17TypoEelco Dolstra
2016-11-17Fix binary-cache-store buildShea Levy
2016-11-17istringstream_nocopy: Implement in a standards-compliant wayShea Levy
Fixes #1135.
2016-11-17nix-daemon: Fix splice faking on non-LinuxShea Levy
2016-11-17Update darwin build for optional sandbox pathsShea Levy
Fixes #1132
2016-11-16seccomp: Forge return values for *chown32aszlig
These syscalls are only available in 32bit architectures, but libseccomp should handle them correctly even if we're on native architectures that do not have these syscalls. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-11-16seccomp: Forge return codes for POSIX ACL syscallsaszlig
Commands such as "cp -p" also use fsetxattr() in addition to fchown(), so we need to make sure these syscalls always return successful as well in order to avoid nasty "Invalid value" errors. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-11-16release.nix: Add a test for sandboxingaszlig
Right now it only tests whether seccomp correctly forges the return value of chown, but the long-term goal is to test the full sandboxing functionality at some point in the future. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-11-16libstore/build: Forge chown() to return successaszlig
What we basically want is a seccomp mode 2 BPF program like this but for every architecture: BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)), BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_chown, 4, 0), BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_fchown, 3, 0), BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_fchownat, 2, 0), BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_lchown, 1, 0), BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO) However, on 32 bit architectures we do have chown32, lchown32 and fchown32, so we'd need to add all the architecture blurb which libseccomp handles for us. So we only need to make sure that we add the 32bit seccomp arch while we're on x86_64 and otherwise we just stay at the native architecture which was set during seccomp_init(), which more or less replicates setting 32bit personality during runChild(). The FORCE_SUCCESS() macro here could be a bit less ugly but I think repeating the seccomp_rule_add() all over the place is way uglier. Another way would have been to create a vector of syscalls to iterate over, but that would make error messages uglier because we can either only print the (libseccomp-internal) syscall number or use seccomp_syscall_resolve_num_arch() to get the name or even make the vector a pair number/name, essentially duplicating everything again. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-11-16Add build dependency for libseccompaszlig
We're going to use libseccomp instead of creating the raw BPF program, because we have different syscall numbers on different architectures. Although our initial seccomp rules will be quite small it really doesn't make sense to generate the raw BPF program because we need to duplicate it and/or make branches on every single architecture we want to suuport. Signed-off-by: aszlig <aszlig@redmoonstudios.org>