path: root/src/libstore/local.mk
Age | Commit message | Author
2017-10-17 | Shift Darwin sandbox to separate installed files | Dan Peebles
This makes it slightly more manageable to see at a glance what in a build's sandbox profile is unique to the build and what is standard. Also a first step to factoring more of our Darwin logic into scheme functions that will allow us a bit more flexibility. And of course less of that nasty codegen in C++! 😀
2017-06-06 | Always use the Darwin sandbox | Eelco Dolstra
Even with "build-use-sandbox = false", we now use sandboxing with a permissive profile that allows everything except the creation of setuid/setgid binaries.
2017-05-31 | OS X sandbox: Improve builtin sandbox profile | Eelco Dolstra
Also, add rules to allow fixed-output derivations to access the network. These rules are sufficient to build stdenvDarwin without any __sandboxProfile magic.
2017-05-30 | Darwin sandbox: Use sandbox-defaults.sb | Eelco Dolstra
Issue #759. Also, remove nix.conf from the sandbox since I don't really see a legitimate reason for builders to access the Nix configuration.
2017-05-29 | Add a seccomp filter to prevent creating setuid/setgid binaries | Eelco Dolstra
This prevents builders from setting the S_ISUID or S_ISGID bits, preventing users from using a nixbld* user to create a setuid/setgid binary to interfere with subsequent builds under the same nixbld* uid. This is based on aszlig's seccomp code (47f587700d646f5b03a42f2fa57c28875a31efbe). Reported by Linus Heckemann.
2017-05-15 | Add --with-sandbox-shell configure flag | Eelco Dolstra
And add a 116 KiB ash shell from busybox to the release build. This helps to make sandbox builds work out of the box on non-NixOS systems and with diverted stores.
2017-04-20 | Detect lsof | Eelco Dolstra
Also, don't use lsof on Linux since it's not needed. Fixes #1328.
2016-12-19 | Revert "Merge branch 'seccomp' of https://github.com/aszlig/nix" | Eelco Dolstra
This reverts commit 9f3f2e21edb17dbcd674539dff96efb6cceca10c, reversing changes made to 47f587700d646f5b03a42f2fa57c28875a31efbe.
2016-11-16 | Add build dependency for libseccomp | aszlig
We're going to use libseccomp instead of creating the raw BPF program, because we have different syscall numbers on different architectures. Although our initial seccomp rules will be quite small it really doesn't make sense to generate the raw BPF program because we need to duplicate it and/or make branches on every single architecture we want to support.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-05-04 | Make the aws-cpp-sdk dependency optional | Eelco Dolstra
2016-04-29 | Eliminate the substituter mechanism | Eelco Dolstra
Substitution is now simply a Store -> Store copy operation, most typically from BinaryCacheStore to LocalStore.
2016-04-21 | Move S3BinaryCacheStore from Hydra | Eelco Dolstra
This allows running arbitrary Nix commands against an S3 binary cache. To do: make this a compile time option to prevent a dependency on aws-sdk-cpp.
2016-02-16 | Add C++ functions for .narinfo processing / signing | Eelco Dolstra
This is currently only used by the Hydra queue runner rework, but like eff5021eaa6dc69f65ea1a8abe8f3ab11ef5eb0a it presumably will be useful for the C++ rewrite of nix-push and download-from-binary-cache. (@shlevy)
2015-11-24 | Merge pull request #704 from ysangkok/freebsd-support | Eelco Dolstra
FreeBSD support with knowledge about Linux emulation
2015-11-21 | Revert "remove sandbox-defaults.sb" | Shea Levy
As discussed in NixOS/nixpkgs#11001, we still need some of the old sandbox mechanism. This reverts commit d760c2638c9e1f4b8cd9b4ec90d68bf0c76a800b.
2015-11-14 | remove sandbox-defaults.sb | Jude Taylor
2015-10-21 | Add resolve-system-dependencies.pl | Jude Taylor
2015-10-21 | remove sandbox defaults into a new file | Jude Taylor
2015-10-06 | Use pkg-config-provided LDFLAGS for libsqlite3 and libcurl. | Manuel Jacob
Previously, pkg-config was already queried for libsqlite3's and libcurl's link flags. However they were not used, but hardcoded instead. This commit replaces the hardcoded LDFLAGS by the ones provided by pkg-config in a similar pattern as already used for libsodium.
2015-07-20 | Make <nix/fetchurl.nix> a builtin builder | Eelco Dolstra
This ensures that 1) the derivation doesn't change when Nix changes; 2) the derivation closure doesn't contain Nix and its dependencies; 3) we don't have to rely on ugly chroot hacks.
2015-04-16 | Fix using restricted mode with chroots | Eelco Dolstra
2015-03-24 | Improve setting the default chroot dirs | Eelco Dolstra
2014-09-18 | Update spec file | Eelco Dolstra
http://hydra.nixos.org/build/14344391
2014-09-18 | Install some pkgconfig files | Eelco Dolstra
2014-08-04 | Add option ‘build-extra-chroot-dirs’ | Eelco Dolstra
This is useful for extending (rather than overriding) the default set of chroot paths.
2014-05-26 | Use std::unordered_set | Eelco Dolstra
2014-04-03 | Fix compile errors on Illumos | Danny Wilson
2014-02-01 | Fix "make dist" | Eelco Dolstra
2014-02-01 | Update Makefile variable names | Eelco Dolstra
2014-01-30 | Rename Makefile -> local.mk | Eelco Dolstra