aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2024-05-05Merge "README: update to be Lix" into mainQyriad
2024-05-05README: update to be LixQyriad
Change-Id: I15b2513de61cffa2002799c4d12d251ef0970b9f
2024-05-05fix integer overflow on i686 with high phys memoryQyriad
sizeof(long) is 4 bytes on i686 GCC. With ~32 GiB of memory and a page size of 4096, there are 7988420 pages. (7988420 * 4096) is bigger than INT32_MAX folks. This has gone unnoticed for 9 years, and only came up thanks to 94ea517db[1] adding integer overflow sensitization checks, which caused this broken code to emit an illegal instruction, crashing Lix the instant the buildsystem ran Lix to generate the docs files. [1]: 94ea517dbe729765b69638190f4bea3f6a632b40 Change-Id: I50bb9ea072aac11b449d79e5d55525887a6e5a99
2024-05-05Merge "point nix3-upgrade-nix to releases.lix.systems/manifest.nix" into mainQyriad
2024-05-05Merge "Warn on untrusted client settings being ignored" into mainjade
2024-05-05filetransfer: abort transfer on receiver exceptioneldritch horrors
not doing this will cause transfers that had their readers disappear to linger. with lingering transfers the curl thread can't shut down, which will cause nix itself to not shut down until the transfer finishes some other way (most likely network timeouts). also add a new test for this. Change-Id: Id2401b3ac85731c824db05918d4079125be25b57
2024-05-05point nix3-upgrade-nix to releases.lix.systems/manifest.nixQyriad
This file is currently manually managed, but will be automated along with the rest of the release process. Change-Id: I77839919549aaac73de582b2e563ce3ef914a8cb
2024-05-05Merge "add a contributor notice message to the dev shell hook" into mainQyriad
2024-05-05add a contributor notice message to the dev shell hookQyriad
It can be turned off by creating a file `.nocontribmsg` in the root of the repo. Change-Id: Iecc5c647c824a0416e527550226447780b94c08e
2024-05-05Merge "tests/flakes/follow-paths: test that warning about non-existent input ↵Maximilian Bosch
works recursively" into main
2024-05-05doc: fix build littering doc/eldritch horrors
mdbook has the unfortunate habit of creating stub files for chapters it can't find on disk. turn off this helpful feature as it masks errors in the summary file, and fix a recently introduced instance of this error. Change-Id: I10d86aac0489c9c494bd5c8a50047415f4d4b18d
2024-05-04Warn on untrusted client settings being ignoredJade Lovelace
These are such a footgun and trip people up a lot. Let's make Lix louder about this. Related: https://git.lix.systems/lix-project/lix/issues/261 Change-Id: I6a8d57c9817caaa6b0cbf886c615dda51038f628
2024-05-05Merge "Actually try making a userns before assuming they don't work" into mainjade
2024-05-05Merge "Fix /etc/group having desynced IDs from the actual UID in the ↵jade
sandbox" into main
2024-05-05Actually try making a userns before assuming they don't workJade Lovelace
If unprivileged userns are *believed* to be disabled (such as with "kernel.unprivileged_userns_clone = 0"), Lix would previously *give up* on trying to use a user namespace before actually trying it, even if, in cases such as unprivileged_userns_clone, it would actually be allowed since Nix has CAP_SYS_ADMIN when running as daemon. (see, e.g. https://github.com/archlinux/linux/commit/25d4709a4fc0e4f3b432c24b60dd508fb84f0cb2) We changed it to actually try it first, and then diagnose possible causes, and also to be more loud about the whole thing, using warnings instead of debugs. These warnings will only print on the first build run by the daemon, which is, tbh, eh, shrug. This is what led to us realizing that no-userns was a poorly exercised condition. Change-Id: I8e4f21afc89c574020dc7e89a560cc740ce6573a
2024-05-04Fix /etc/group having desynced IDs from the actual UID in the sandboxJade Lovelace
This was found when `logrotate.conf` failed to build in a NixOS system with: /nix/store/26zdl4pyw5qazppj8if5lm8bjzxlc07l-coreutils-9.3/bin/id: cannot find name for group ID 30000 This was surprising because it seemed to mean that /etc/group was busted in the sandbox. Indeed it was: root:x:0: nixbld:!:100: nogroup:x:65534: We diagnosed this to sandboxUid() being called before usingUserNamespace() was called, in setting up /etc/group inside the sandbox. This code desperately needs refactoring. We also moved the /etc/group code to be with the /etc/passwd code, but honestly this code is all spaghetti'd all over the place and needs some more serious tidying than we did here. We also moved some checks to be earlier to improve locality with where the things they are checking come from. Change-Id: Ie29798771f3593c46ec313a32960fa955054aceb
2024-05-04Remove a URL literal from fetchTarball docsJade Lovelace
Change-Id: I254b793b42f77ffe9f357f3b376683e5758f23b5
2024-05-04Merge "package: remove assert for libseccomp version" into mainMaximilian Bosch
2024-05-04Merge "tests: actually run mercurial tests" into mainMaximilian Bosch
2024-05-04tests: actually run mercurial testsMaximilian Bosch
The binary to check for is called hg not hq. Change-Id: I812a30f9347d5bf0573cdacc3fc887960887ee92
2024-05-04package: remove assert for libseccomp versionMaximilian Bosch
This has the following downsides: * you cannot build Lix against nixos-unstable. * this will immediately break as soon as libseccomp will hit nixos-23.11 (given that people will probably use the package.nix via our overlay or override nixpkgs via `follows`). Hence, removing the assert again and add a better FIXME comment. Change-Id: I284e10cf08e1873fef70ed869a1638aa89792422
2024-05-04Merge "Revert "Revert "Merge pull request #6621 from Kha/nested-follows""" ↵Maximilian Bosch
into main
2024-05-04Merge "libstore/local-derivation-goal: prohibit creating setuid/setgid ↵Maximilian Bosch
binaries" into main
2024-05-03tests/flakes/follow-paths: test that warning about non-existent input works ↵Maximilian Bosch
recursively When I added the warning that an input X has an override for a non-existent input, the recursive flake input override fix wasn't implemented yet[1]. This patch tests that both work together. [1] https://github.com/NixOS/nix/pull/6663 Change-Id: I90dc032029b7160ab4a97d28c480c59d3a6f0150
2024-05-03Revert "Revert "Merge pull request #6621 from Kha/nested-follows""Maximilian Bosch
This reverts commit a8b3d777fbdaf0b732f129e5be62cd2a1227674b. This undoes the revert of PR#6621, which allows nested `follows`, i.e. { inputs = { foo.url = "github:bar/foo"; foo.inputs.bar.inputs.nixpkgs = "nixpkgs"; }; } does the expected thing now. This is useful to avoid the 1000 instances of nixpkgs problem without having each flake in the dependency tree to expose all of its transitive dependencies for modification. This was in fact part of Nix before and the C++ changes applied w/o conflicts. However, it got reverted then because people didn't want to merge lazy-trees against it which was supposed to be merged soon back in October 2022. Fixes: https://git.lix.systems/lix-project/lix/issues/201 Change-Id: I5ddef914135b695717b2ef88862d57ced5e7aa3c
2024-05-03Merge "Rename `nix show-config` to `nix config show`" into mainMaximilian Bosch
2024-05-03libstore/local-derivation-goal: prohibit creating setuid/setgid binariesMaximilian Bosch
With Linux kernel >=6.6 & glibc 2.39 a `fchmodat2(2)` is available that isn't filtered away by the libseccomp sandbox. Being able to use this to bypass that restriction has surprising results for some builds such as lxc[1]: > With kernel ≥6.6 and glibc 2.39, lxc's install phase uses fchmodat2, > which slips through https://github.com/NixOS/nix/blob/9b88e5284608116b7db0dbd3d5dd7a33b90d52d7/src/libstore/build/local-derivation-goal.cc#L1650-L1663. > The fixupPhase then uses fchmodat, which fails. > With older kernel or glibc, setting the suid bit fails in the > install phase, which is not treated as fatal, and then the > fixup phase does not try to set it again. Please note that there are still ways to bypass this sandbox[2] and this is mostly a fix for the breaking builds. This change works by creating a syscall filter for the `fchmodat2` syscall (number 452 on most systems). The problem is that glibc 2.39 is needed to have the correct syscall number available via `__NR_fchmodat2` / `__SNR_fchmodat2`, but this flake is still on nixpkgs 23.11. To have this change everywhere and not dependent on the glibc this package is built against, I added a header "fchmodat2-compat.hh" that sets the syscall number based on the architecture. On most platforms its 452 according to glibc with a few exceptions: $ rg --pcre2 'define __NR_fchmodat2 (?!452)' sysdeps/unix/sysv/linux/x86_64/x32/arch-syscall.h 58:#define __NR_fchmodat2 1073742276 sysdeps/unix/sysv/linux/mips/mips64/n32/arch-syscall.h 67:#define __NR_fchmodat2 6452 sysdeps/unix/sysv/linux/mips/mips64/n64/arch-syscall.h 62:#define __NR_fchmodat2 5452 sysdeps/unix/sysv/linux/mips/mips32/arch-syscall.h 70:#define __NR_fchmodat2 4452 sysdeps/unix/sysv/linux/alpha/arch-syscall.h 59:#define __NR_fchmodat2 562 I added a small regression-test to the setuid integration-test that attempts to set the suid bit on a file using the fchmodat2 syscall. I confirmed that the test fails without the change in local-derivation-goal. Additionally, we require libseccomp 2.5.5 or greater now: as it turns out, libseccomp maintains an internal syscall table and validates each rule against it. This means that when using libseccomp 2.5.4 or older, one may pass `452` as syscall number against it, but since it doesn't exist in the internal structure, `libseccomp` will refuse to create a filter for that. This happens with nixpkgs-23.11, i.e. on stable NixOS and when building Lix against the project's flake. To work around that * a backport of libseccomp 2.5.5 on upstream nixpkgs has been scheduled[3]. * the package now uses libseccomp 2.5.5 on its own already. This is to provide a quick fix since the correct fix for 23.11 is still a staging cycle away. We still need the compat header though since `SCMP_SYS(fchmodat2)` internally transforms this into `__SNR_fchmodat2` which points to `__NR_fchmodat2` from glibc 2.39, so it wouldn't build on glibc 2.38. The updated syscall table from libseccomp 2.5.5 is NOT used for that step, but used later, so we need both, our compat header and their syscall table 🤷 Relevant PRs in CppNix: * https://github.com/NixOS/nix/pull/10591 * https://github.com/NixOS/nix/pull/10501 [1] https://github.com/NixOS/nixpkgs/issues/300635#issuecomment-2031073804 [2] https://github.com/NixOS/nixpkgs/issues/300635#issuecomment-2030844251 [3] https://github.com/NixOS/nixpkgs/pull/306070 (cherry picked from commit ba6804518772e6afb403dd55478365d4b863c854) Change-Id: I6921ab5a363188c6bff617750d00bb517276b7fe
2024-05-03Rename `nix show-config` to `nix config show`Théophane Hufschmitt
Part of #7672 My main motivation is to be able to use `nix.checkConfig`[1]. This doesn't work with Lix currently since the module uses `nix show-config` if the Nix version is <2.20pre and `nix config show` otherwise. I think this is the only instance where nixpkgs checks for which Nix commands exist that affects us now, so I figured we could just perform the rename here as well[2] and still provide the current version number[3]. I don't have a strong opinion on whether to deprecate `nix show-config`, the warning is added there automatically. (cherry picked from commit f300e11b056dea414d7d77bbc6e5a7dc5d9ddd41) [1] https://nixos.org/manual/nixos/stable/options.html#opt-nix.checkConfig [2] I should add that I don't use the "official" ways of installing Lix because using the flake directly and callPackaging it seemed to fit better into my workflow: I already have a little mess to make sure Hydra from the flake uses the correct pkgs.nix and I didn't want to complicate it further while keeping a single package-set I can build in CI. Don't get me wrong, I think such a module for a quick-start is very important, just giving context on why I bother in the first place :) [3] When we go public, I think it's worth considering to add support in nixpkgs itself for Lix. Change-Id: I47b4239b05cbeda3c370d2fa56ea768b768768ac
2024-05-03Merge changes Id1a67156,I03f4c7c1,I146736bb,I3b1453cb into mainQyriad
* changes: docs: clarify how ^ works for -E/-f installables docs: give translation examples from nix-build -E/-A to installables docs: clarify how the different kinds of installables are selected docs: guide to installables docs in installable commands' docs
2024-05-03Merge "libstore: check additionalSandboxProfile" into mainArtemis Tosini
2024-05-03libstore: check additionalSandboxProfileArtemis Tosini
Currently LocalDerivationGoal allows setting `__sandboxProfile` to add sandbox parameters on Darwin when `sandbox=true`. This was only supposed to have an effect when `sandbox=relaxed` Change-Id: Ide44ee82d7e4d6b545285eab26547e7014817d3f
2024-05-03libutil: make rewriteStrings soundeldritch horrors
this is used in CA rewriting, replacement of placeholders in derivations, generating scripts for devShells, and some more places. in all of these transitive replacements are unsound, and overlapping replacements would be as well. there even is a test that transitive replacements do not happen (in the CA RewriteSink suite), but none for overlapping replacements. a minimally surprising binary rewriter surely would not do any of these replacements, the only reason we have not seen this break yet is probably that rewriteStrings is only called for store paths and things that look like store paths (and those should never overlap nor admit such transitive replacements) Change-Id: I6fc29f939d5061d9f56c752624a823ece8437c07
2024-05-02Merge changes from topic "profile-v3" into mainQyriad
* changes: nix3-profile: remove check "name" attr in manifests Add profile migration test nix3-profile: make element names stable getNameFromURL(): Support uppercase characters in attribute names nix3-profile: remove indices nix3-profile: allow using human-readable names to select packages implement parsing human-readable names from URLs
2024-05-02nix3-profile: remove check "name" attr in manifestsQyriad
It doesn't seem to have ever been used. Based off of commit a748e88bf4cca0fdc6ce75188e88017a7899d16b Upstream-PR: https://github.com/NixOS/nix/pull/9656 Change-Id: Idcf250a645fa43f2ef11fb15b503b070a62a917e
2024-05-02Add profile migration testEelco Dolstra
(cherry picked from commit 72560f7bbef2ab3c02b8ca040fe084328bdd5fbe) Upstream-PR: https://github.com/NixOS/nix/pull/9656 Change-Id: I405e5848e2627a76940220fb6aebadfb8f094afb
2024-05-02nix3-profile: make element names stableQyriad
Based off of commit 6268a45b650f563bae2360e0540920a2959bdd40 Upstream-PR: https://github.com/NixOS/nix/pull/9656 Co-authored-by: Eelco Dolstra <edolstra@gmail.com> Change-Id: I0fcf069a8537c61ad6fc4eee1f3c193a708ea1c4
2024-05-02getNameFromURL(): Support uppercase characters in attribute namesEelco Dolstra
In particular, this makes it handle 'legacyPackages' correctly. (cherry picked from commit 936a3642264ac159f3f9093710be3465b70e0e89) Upstream-PR: https://github.com/NixOS/nix/pull/9657 Change-Id: Icc4efe02f7f8e90a2970589f72fd3d3cd4418d95
2024-05-02nix3-profile: remove indicesQyriad
Based off of commit 3187bc9ac3dd193b9329ef68c73ac3cca794ed78 Upstream-PR: https://github.com/NixOS/nix/pull/9656 Co-authored-by: Eelco Dolstra <edolstra@gmail.com> Change-Id: I8ac4a33314cd1cf9de95404c20f58e883460acc7
2024-05-02nix3-profile: allow using human-readable names to select packagesQyriad
These names are parsed from the URL provided for that package Based off of commit 257b768436a0e8ab7887f9b790c5b92a7fe51ef5 Upstream-PR: https://github.com/NixOS/nix/pull/8678 Co-authored-by: Felix Uhl <felix.uhl@outlook.com> Change-Id: I76d5f9cfb11d3d2915b3dd1db21d7bb49e91f4fb
2024-05-02Disallow store path names that are . or .. (plus opt. -)Robert Hensing
As discussed in the maintainer meeting on 2024-01-29. Mainly this is to avoid a situation where the name is parsed and treated as a file name, mostly to protect users. .-* and ..-* are also considered invalid because they might strip on that separator to remove versions. Doesn't really work, but that's what we decided, and I won't argue with it, because .-* probably doesn't seem to have a real world application anyway. We do still permit a 1-character name that's just "-", which still poses a similar risk in such a situation. We can't start disallowing trailing -, because a non-zero number of users will need it and we've seen how annoying and painful such a change is. What matters most is preventing a situation where . or .. can be injected, and to just get this done. (cherry picked from commit f1b4663805a9dbcb1ace64ec110092d17c9155e0) Change-Id: I900a8509933cee662f888c3c76fa8986b0058839
2024-05-02test: Generate distinct hashesRobert Hensing
Gen::just is the constant generator. Don't just return that! (cherry picked from commit 8406da28773f050e00a006e4812e3ecbf919a2a9) Change-Id: Ibfd0bd40f90942077a4720086ce0cd3bfabef79d
2024-05-02test: Generate distinct path namesRobert Hensing
Gen: :just is the constant generator. Don't just return that! (cherry picked from commit 69bbd5852af9b2f0b794162bd1debcdf64fc6648) Change-Id: Id6e58141f5a42a1f67bd11d48c87b32a3ebd0500
2024-05-02parseStorePath: Support leading periodRobert Hensing
(cherry picked from commit b13e6a76b4f289c6db69ffaa7bd35b7e44f2a391) Change-Id: Ie14be437d87d17248f80e1f009aa2a4311ddede6
2024-05-02Revert "StorePath: reject names starting with '.'"Robert Hensing
This reverts commit 24bda0c7b381e1a017023c6f7cb9661fae8560bd. (cherry picked from commit 9ddd0f2af8fd95e1380027a70d0aa650ea2fd5e4) Change-Id: Ideb547e2a8ac911cf39d58d3e0c1553867bdd776
2024-04-30implement parsing human-readable names from URLsQyriad
Based off of commit 257b768436a0e8ab7887f9b790c5b92a7fe51ef5 Upstream-PR: https://github.com/NixOS/nix/pull/8678 Co-authored-by: Felix Uhl <felix.uhl@outlook.com> Change-Id: Idcb7f6191ca3310ef9dc854197f7798260c3f71d
2024-04-29docs: clarify how ^ works for -E/-f installablesQyriad
We didn't even realize you *could* use this syntax with -E and -f, much less that the attribute path could be *empty*. Change-Id: Id1a6715609f3a76a5ce477bd43a7832effbbe07b
2024-04-29docs: give translation examples from nix-build -E/-A to installablesQyriad
Change-Id: I03f4c7c1049063539a35ba500a07bb8f866d4cb7
2024-04-29docs: clarify how the different kinds of installables are selectedQyriad
Change-Id: I146736bb97ebe035e04be69ce9fb60a557e38c6c
2024-04-29docs: guide to installables docs in installable commands' docsQyriad
The installables syntax is not documented in any of the man pages or docbook pages for any of those individual commands. And while these commands really should at least peripherally individually document how installables work, in the meantime we can at least direct people to the right place. This commit also clarifies the unexpected fact that `nix profile remove` and `nix profile upgrade` do *not* take installables. Change-Id: I3b1453cb197a613bbab639c66a466365c3592c6d
2024-04-29add VM test for nix upgrade-nixQyriad
This commit adds a new NixOS VM test, which tests that `nix upgrade-nix` works on both kinds of profiles (manifest.nix and manifest.json). Done as a separate commit from 831d18a13, since it relies on the --store-path argument from 026c90e5f as well. Change-Id: I5fc94b751d252862cb6cffb541a4c072faad9f3b