path: root/src/libstore/globals.hh
Age | Commit message | Author
2024-07-13 | language: cleanly ban integer overflows | Jade Lovelace
This also bans various sneaking of negative numbers from the language into unsuspecting builtins as was exposed while auditing the consequences of changing the Nix language integer type to a newtype.

It's unlikely that this change comprehensively ensures correctness when passing integers out of the Nix language and we should probably add a checked-narrowing function or something similar, but that's out of scope for the immediate change.

During the development of this I found a few fun facts about the language:
- You could overflow integers by converting from unsigned JSON values.
- You could overflow unsigned integers by converting negative numbers into them when going into Nix config, into fetchTree, and into flake inputs. The flake inputs and Nix config cannot actually be tested properly since they both ban thunks, however, we put in checks anyway because it's possible these could somehow be used to do such shenanigans some other way.

Note that Lix has banned Nix language integer overflows since the very first public beta, but threw a SIGILL about them because we run with -fsanitize=signed-overflow -fsanitize-undefined-trap-on-error in production builds. Since the Nix language uses signed integers, overflow was simply undefined behaviour, and since we defined that to trap, it did. Trapping on it was a bad UX, but we didn't even entirely notice that we had done this at all until it was reported as a bug a couple of months later (which is, to be fair, that flag working as intended), and it's got enough production time that, aside from code that is IMHO buggy (and which is, in any case, not in nixpkgs) such as https://git.lix.systems/lix-project/lix/issues/445, we don't think anyone doing anything reasonable actually depends on wrapping overflow.

Even for weird use cases such as doing funny bit crimes, it doesn't make sense IMO to have wrapping behaviour, since two's complement arithmetic overflow behaviour is so *aggressively* not what you want for *any* kind of mathematics/algorithms. The Nix language exists for package management, a domain where bit crimes are already only dubiously in scope to begin with, and it makes a lot more sense for that domain for the integers to never lose precision, either by throwing errors if they would, or by being arbitrary-precision.

This change will be ported to CppNix as well, to maintain language consistency.

Fixes: https://git.lix.systems/lix-project/lix/issues/423
Change-Id: I51f253840c4af2ea5422b8a420aa5fafbf8fae75
2024-06-24 | Add build-dir setting, clean up default TMPDIR handling | Robert Hensing
This is a squash of upstream PRs #10303, #10312 and #10883.

fix: Treat empty TMPDIR as unset

Fixes an instance of

nix: src/libutil/util.cc:139: nix::Path nix::canonPath(PathView, bool): Assertion `path != ""' failed.

... which I've been getting in one of my shells for some reason. I have yet to find out why TMPDIR was empty, but it's no reason for Nix to break.

(cherry picked from commit c3fb2aa1f9d1fa756dac38d3588c836c5a5395dc)

fix: Treat empty XDG_RUNTIME_DIR as unset

See preceding commit. Not observed in the wild, but is sensible and consistent with TMPDIR behavior.

(cherry picked from commit b9e7f5aa2df3f0e223f5c44b8089cbf9b81be691)

local-derivation-goal.cc: Reuse defaultTempDir()

(cherry picked from commit fd31945742710984de22805ee8d97fbd83c3f8eb)

fix: remove usage of XDG_RUNTIME_DIR for TMP

(cherry picked from commit 1363f51bcb24ab9948b7b5093490a009947f7453)

tests/functional: Add count()

(cherry picked from commit 6221770c9de4d28137206bdcd1a67eea12e1e499)

Remove uncalled for message

(cherry picked from commit b1fe388d33530f0157dcf9f461348b61eda13228)

Add build-dir setting

(cherry picked from commit 8b16cced18925aa612049d08d5e78eccbf0530e4)

Change-Id: Ic7b75ff0b6a3b19e50a4ac8ff2d70f15c683c16a
2024-06-12 | doc: rewrite the multi-user documentation to actually talk about security | Jade Lovelace
It's in the security section, and it was totally outdated anyway. I took the opportunity to write down the stuff we already believed.

Change-Id: I73e62ae85a82dad13ef846e31f377c3efce13cb0
2024-06-01 | chore: rebrand Nix to Lix when it makes sense | Raito Bezarius
Here's my guide so far:

$ rg '((?!(recursive).*) Nix (?!(daemon|store|expression|Rocks!|Packages|language|derivation|archive|account|user|sandbox|flake).*))' -g '!doc/' --pcre2

All items from this query have been tackled. For the documentation side: that's for https://git.lix.systems/lix-project/lix/issues/162.

Additionally, all remaining references to github.com/NixOS/nix which were not relevant were also replaced.

Fixes: https://git.lix.systems/lix-project/lix/issues/148.
Fixes: https://git.lix.systems/lix-project/lix/issues/162.
Change-Id: Ib3451fae5cb8ab8cd9ac9e4e4551284ee6794545
Signed-off-by: Raito Bezarius <raito@lix.systems>
2024-05-28 | util.{hh,cc}: Split out environment-variables.{hh,cc} | Tom Hubrecht
Change-Id: Icff0aa33fda5147bd5dbe256a0b9d6a6c8a2c3f6
2024-05-24 | libstore/build: always enable seccomp filtering and no-new-privileges | Alois Wohlschlager
Seccomp filtering and the no-new-privileges functionality improve the security of the sandbox, and have been enabled by default for a long time. In https://git.lix.systems/lix-project/lix/issues/265 it was decided that they should be enabled unconditionally. Accordingly, remove the allow-new-privileges (which had weird behavior anyway) and filter-syscall settings, and force the security features on. Syscall filtering can still be enabled at build time to support building on architectures libseccomp doesn't support.

Change-Id: Iedbfa18d720ae557dee07a24f69b2520f30119cb
2024-05-16 | Allow enabling core dumps from builds for nix & child processes | midnightveil
Fixes https://git.lix.systems/lix-project/lix/issues/268

Change-Id: I3f1b0ddf064f891cca8b53229c5c31c74cea3d9f
2024-04-11 | libstore: fix glossary link in documentation | eldritch horrors
this should be a link, not an anchor. it should also point to the `gloss-store` element, not the `#gloss-store` element.

Change-Id: I1f2803093179549637e10f917ad73399a419131b
2024-03-05 | Merge pull request #9443 from ivan770/reproducibility | eldritch horrors
doc: fix machine-specific capabilities leaking

(cherry picked from commit dda0e34ecf16bb1c736d585414122a7e3587db70)
Change-Id: I3d07cc5039ee954b215a7a27caa3bf7359d92c26
2024-03-04 | Merge pull request #9670 from DavHau/log-lines | eldritch horrors
saner default for log-lines: change to 25

(cherry picked from commit dedbbbb451bb8f2bd0925e59a8b3d127157015f8)
Change-Id: I8847df4aeb6e5c2d2be0e04f2a0a1aa595cb3b2f
2024-03-04 | Merge pull request #4093 from matthewbauer/eval-system | eldritch horrors
Add eval-system option

(cherry picked from commit 071dbbee33af9f27338c3e53e4ea067dbfa14010)
Change-Id: Ia81358c8cfb60241da07a4d0e84b9ee62a18a53f
2024-03-04 | Merge pull request #8047 from lovesegfault/always-allow-substitutes | eldritch horrors
feat: add always-allow-substitutes

(cherry picked from commit da2b59a08878b3c6c7074595e3b6d26b6928b4c1)
Change-Id: I50481cd8fe643c673c610fec28bad84519a4d650
2023-11-16 | libstore: Add apple-virt to system features when available | Robert Hensing
I'm sure that we'll adjust the implementation over time, but this at least discerns between an apple silicon bare metal machine and a tart VM.

(cherry picked from commit 9277eb276bf0a942e88fcf499f6a6b9c262be853)
2023-09-06 | Fix globals.hh typo | Christina Sørensen
2023-07-19 | Merge pull request #7973 from fricklerhandwerk/remove-channels | Robert Hensing
remove the Channels section
2023-07-19 | fix broken links | Valentin Gagarin
2023-07-19 | expand on the `extra-platforms` option | Valentin Gagarin
2023-07-19 | mention `extra-platforms` | Valentin Gagarin
2023-07-19 | fix wording | Valentin Gagarin
Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
2023-07-19 | add cross-links | Valentin Gagarin
2023-07-19 | shorten `system` setting description | Valentin Gagarin
2023-07-19 | move docs of the current system to the system setting | Valentin Gagarin
add information on what happens when Nix itself is cross-compiled
2023-07-19 | one line per sentence for easier review | Valentin Gagarin
2023-07-12 | Update src/libstore/globals.hh | Ben Radford
Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
2023-07-12 | Update src/libstore/globals.hh | Ben Radford
Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
2023-07-11 | Say a bit about default value in setting description. | Ben Radford
2023-07-11 | Default should depend on whether we are root. | Ben Radford
2023-07-11 | Be clearer about the security implications. | Ben Radford
2023-07-11 | Update description for require-drop-supplementary-groups. | Ben Radford
2023-07-11 | Always attempt setgroups but allow failure to be ignored. | Ben Radford
2023-07-11 | Merge remote-tracking branch 'origin/master' into best-effort-supplementary-groups | Ben Radford
2023-06-23 | Merge pull request #8519 from fricklerhandwerk/reword-trusted-users | Robert Hensing
reword documentation on trusted users and substituters
2023-06-18 | Split `OptionalPathSetting` from `PathSetting` | John Ericson
Rather than doing `allowEmpty` as boolean, have separate types and use `std::optional`. This makes it harder to forget the possibility of an empty path.

The `build-hook` setting was categorized as a `PathSetting`, but actually it was split into arguments. No good! Now, it is `Setting<Strings>` which actually reflects what it means and how it is used.

Because of the subtyping, we now also have support for `Setting<std::optional<String>>` in general. I imagine this can be used to clean up many more settings also.
2023-06-16 | Update src/libstore/globals.hh | Valentin Gagarin
2023-06-16 | use "store URLs" consistently | Valentin Gagarin
2023-06-15 | Update src/libstore/globals.hh | Valentin Gagarin
2023-06-15 | fix wording | Valentin Gagarin
2023-06-15 | reword documentation on trusted users and substituters | Valentin Gagarin
this is to make it slightly easier to scan over
2023-06-14 | Fixup description of substituters (#8291) | Valentin Gagarin
Introduce what substituters "are" in the configuration option entry. Remove arbitrary line breaks for easier editing in the future. Link glossary some more.

Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
Co-authored-by: John Ericson <git@JohnEricson.me>
2023-06-06 | Merge pull request #8391 from aneeshusa/remove-wrong-default-value-in-docs-for-hashed-mirrors | Eelco Dolstra
Remove old default from docs for `hashed-mirrors`
2023-06-02 | Document manual migration for use-xdg-base-directories (#8044) | Alexander Bantyev
* Document manual migration for use-xdg-base-directories

As there's currently no automatic migration for use-xdg-base-directories option, add instructions for manual migration to the option's description.

Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
2023-05-24 | Remove old default from docs for `hashed-mirrors` | Aneesh Agrawal
The `hashed-mirrors` option did use to have this default value, but it was removed and re-added with an empty default value. As the autogenerated docs show the (actual) default values from code, remove this incorrect reference from the docs. I was updating my nix.conf settings after a few years and noticed this.
2023-05-15 | Merge remote-tracking branch 'upstream/master' into best-effort-supplementary-groups | John Ericson
2023-05-15 | Merge pull request #8141 from tweag/user-files-doc | John Ericson
Document user files of nix
2023-05-08 | Create escape hatch for supplementary group sandboxing woes | John Ericson
There is no obvious good solution for this that has occurred to anyone.
2023-05-08 | removes MaxSubstitutionJobsSetting | Matej Urbas
2023-05-07 | `max-substitution-jobs` setting | Matej Urbas
2023-04-26 | Document user files of nix | Alexander Bantyev
2023-04-17 | Fix some issues with experimental config settings | John Ericson
Issues:

1. Features gated on disabled experimental settings should warn and be ignored, not silently succeed.
2. Experimental settings in the same config "batch" (file or env var) as the enabling of the experimental feature should work.
3. For (2), the order should not matter.

These are analogous to the issues @roberth caught with my changes for arg handling, but they are instead for config handling.

Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
2023-04-17 | Merge pull request #7732 from hercules-ci/make-initLibStore-viable-alternative | John Ericson
Make `initLibStore` a viable alternative