aboutsummaryrefslogtreecommitdiff
path: root/src/libstore/local.mk
AgeCommit message (Collapse)Author
2023-01-04Include macOS sandbox files in the Nix binaryEelco Dolstra
This basically reverts 6e5165b77370c76bfa39d4b55e9f83673f3bd466. It fixes errors like sandbox-exec: <internal init prelude>:292:47: unable to open sandbox-minimal.sb: not found when trying to run a development Nix installed in a user's home directory. Also, we're trying to minimize the number of installed files to make it possible to deploy Nix as a single statically-linked binary.
2022-11-12libstore: link to aws-crt-cppTobias Mayer
This change is needed to support aws-sdk-cpp 1.10 and newer. I opted not to make this dependent on the sdk version because the crt dependency has been in the interface of the older sdk as well, and it was only coincidence that libstore didn't make use of any privately defined symbols directly.
2022-06-23Merge pull request #6710 from edolstra/embedded-sandbox-shellEelco Dolstra
Embed the sandbox shell into the statically linked 'nix' binary
2022-06-23Embed the sandbox shell into the statically linked 'nix' binaryEelco Dolstra
With this, Nix will write a copy of the sandbox shell to /bin/sh in the sandbox rather than bind-mounting it from the host filesystem. This makes /bin/sh work out of the box with nix-static, i.e. you no longer get /nix/store/qa36xhc5gpf42l3z1a8m1lysi40l9p7s-bootstrap-stage4-stdenv-linux/setup: ./configure: /bin/sh: bad interpreter: No such file or directory
2022-06-23Remove NIX_LIBEXEC_DIREelco Dolstra
2021-08-30Merge pull request #5175 from Pamplemousse/makeEelco Dolstra
Don't overwrite user provided `lib*_LDFLAGS`
2021-08-25Don't overwrite user provided `lib*_LDFLAGS`Pamplemousse
Signed-off-by: Pamplemousse <xav.maso@gmail.com>
2021-08-13Install pkg-config files in the correct locationPiotr Szubiakowski
Use `$(libdir)` while installing .pc files looks like a more generic solution. For example, it will work for distributions like RHEL or Fedora where .pc files are installed in `/usr/lib64/pkgconfig`.
2021-08-1015f4d4f follow upPamplemousse
* libstore: `bz2` should not be linked * libutil: `zlib.h` should not be included Signed-off-by: Pamplemousse <xav.maso@gmail.com>
2021-06-23Apply OS checks to host platform, not buildAlyssa Ross
Previously, the build system used uname(1) output when it wanted to check the operating system it was being built for, which meant that it didn't take into-account cross-compilation when the build and host operating systems were different. To fix this, instead of consulting uname output, we consult the host triple, specifically the third "kernel" part. For "kernel"s with stable ABIs, like Linux or Cygwin, we can use a simple ifeq to test whether we're compiling for that system, but for other platforms, like Darwin, FreeBSD, or Solaris, we have to use a more complicated check to take into account the version numbers at the end of the "kernel"s. I couldn't find a way to just strip these version numbers in GNU Make without shelling out, which would be even more ugly IMO. Because these checks differ between kernels, and the patsubst ones are quite fiddly, I've added variables for each host OS we might want to check to make them easier to reuse.
2021-06-01Only link with libdl on LinuxAlyssa Ross
Linux is (as far as I know) the only mainstream operating system that requires linking with libdl for dlopen. On BSD, libdl doesn't exist, so on non-FreeBSD BSDs linking will currently fail. On macOS, it's apparently just a symlink to libSystem (macOS libc), presumably present for compatibility with things that assume Linux. So the right thing to do here is to only add -ldl on Linux, not to add it for everything that isn't FreeBSD.
2021-02-26Properly propagate libseccomp linker flagsPuck Meerburg
2020-12-11Rework the db schema for derivation outputsregnat
Add a new table for tracking the derivation output mappings. We used to hijack the `DerivationOutputs` table for that, but (despite its name), it isn't a really good fit: - Its entries depend on the drv being a valid path, making it play badly with garbage collection and preventing us to copy a drv output without copying the whole drv closure too; - It dosen't guaranty that the output path exists; By using a different table, we can experiment with a different schema better suited for tracking the output mappings of CA derivations. (incidentally, this also fixes #4138)
2020-10-12Prepare for build/*.hh headersJohn Ericson
2020-10-11Prepare for build/* filesJohn Ericson
2020-06-17Merge remote-tracking branch 'origin/master' into flakesEelco Dolstra
2020-06-16StorePath: Rewrite in C++Eelco Dolstra
On nix-env -qa -f '<nixpkgs>', this reduces maximum RSS by 20970 KiB and runtime by 0.8%. This is mostly because we're not parsing the hash part as a hash anymore (just validating that it consists of base-32 characters). Also, replace storePathToHash() by StorePath::hashPart().
2020-03-30Makefile cleanupEelco Dolstra
2020-03-30Remove global -I flagsEelco Dolstra
(cherry picked from commit 2c692a3b144523bca68dd6de618124ba6c9bb332)
2020-03-30Remove global -I flagsEelco Dolstra
2020-02-03Install headers in the correct locationEelco Dolstra
2020-01-21Pluggable fetchersEelco Dolstra
Flakes are now fetched using an extensible mechanism. Also lots of other flake cleanups.
2019-12-13Only install *.sb files on macOSEelco Dolstra
2019-12-10Make the Store API more type-safeEelco Dolstra
Most functions now take a StorePath argument rather than a Path (which is just an alias for std::string). The StorePath constructor ensures that the path is syntactically correct (i.e. it looks like <store-dir>/<base32-hash>-<name>). Similarly, functions like buildPaths() now take a StorePathWithOutputs, rather than abusing Path by adding a '!<outputs>' suffix. Note that the StorePath type is implemented in Rust. This involves some hackery to allow Rust values to be used directly in C++, via a helper type whose destructor calls the Rust type's drop() function. The main issue is the dynamic nature of C++ move semantics: after we have moved a Rust value, we should not call the drop function on the original value. So when we move a value, we set the original value to bitwise zero, and the destructor only calls drop() if the value is not bitwise zero. This should be sufficient for most types. Also lots of minor cleanups to the C++ API to make it more modern (e.g. using std::optional and std::string_view in some places).
2019-10-08Handle empty sandbox_shellMatthew Bauer
Previously, SANDBOX_SHELL was set to empty when unavailable. This caused issues when actually generating the sandbox. Instead, just set SANDBOX_SHELL when --with-sandbox-shell= is non-empty. Alternative implementation to https://github.com/NixOS/nix/pull/3038.
2019-01-05Remove mentions of `libformat`, it no longer existsJohn Ericson
2018-05-07Support multi-part uploads for large NARs that exceed the size ofAmineChikhaoui
5Gb.
2018-03-20Move builtinFetchurl to its own fileEelco Dolstra
2018-02-18configure: Add a flag to disable seccomp.Shea Levy
This is needed for new arches where libseccomp support doesn't exist yet. Fixes #1878.
2018-02-15Set backup MANPATH in case man path isn’t set correctly.Matthew Bauer
Previously, this would fail at startup for non-NixOS installs: nix-env --help The fix for this is to just use "nixManDir" as the value for MANPATH when spawning "man". To test this, I’m using the following: $ nix-build release.nix -A build $ MANPATH= ./result/bin/nix-env --help Fixes #1627
2018-02-08Add plugins to make Nix more extensible.Shea Levy
All plugins in plugin-files will be dlopened, allowing them to statically construct instances of the various Register* types Nix supports.
2017-10-17Shift Darwin sandbox to separate installed filesDan Peebles
This makes it slightly more manageable to see at a glance what in a build's sandbox profile is unique to the build and what is standard. Also a first step to factoring more of our Darwin logic into scheme functions that will allow us a bit more flexibility. And of course less of that nasty codegen in C++! 😀
2017-06-06Always use the Darwin sandboxEelco Dolstra
Even with "build-use-sandbox = false", we now use sandboxing with a permissive profile that allows everything except the creation of setuid/setgid binaries.
2017-05-31OS X sandbox: Improve builtin sandbox profileEelco Dolstra
Also, add rules to allow fixed-output derivations to access the network. These rules are sufficient to build stdenvDarwin without any __sandboxProfile magic.
2017-05-30Darwin sandbox: Use sandbox-defaults.sbEelco Dolstra
Issue #759. Also, remove nix.conf from the sandbox since I don't really see a legitimate reason for builders to access the Nix configuration.
2017-05-29Add a seccomp filter to prevent creating setuid/setgid binariesEelco Dolstra
This prevents builders from setting the S_ISUID or S_ISGID bits, preventing users from using a nixbld* user to create a setuid/setgid binary to interfere with subsequent builds under the same nixbld* uid. This is based on aszlig's seccomp code (47f587700d646f5b03a42f2fa57c28875a31efbe). Reported by Linus Heckemann.
2017-05-15Add --with-sandbox-shell configure flagEelco Dolstra
And add a 116 KiB ash shell from busybox to the release build. This helps to make sandbox builds work out of the box on non-NixOS systems and with diverted stores.
2017-04-20Detect lsofEelco Dolstra
Also, don't use lsof on Linux since it's not needed. Fixes #1328.
2016-12-19Revert "Merge branch 'seccomp' of https://github.com/aszlig/nix"Eelco Dolstra
This reverts commit 9f3f2e21edb17dbcd674539dff96efb6cceca10c, reversing changes made to 47f587700d646f5b03a42f2fa57c28875a31efbe.
2016-11-16Add build dependency for libseccompaszlig
We're going to use libseccomp instead of creating the raw BPF program, because we have different syscall numbers on different architectures. Although our initial seccomp rules will be quite small it really doesn't make sense to generate the raw BPF program because we need to duplicate it and/or make branches on every single architecture we want to suuport. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-05-04Make the aws-cpp-sdk dependency optionalEelco Dolstra
2016-04-29Eliminate the substituter mechanismEelco Dolstra
Substitution is now simply a Store -> Store copy operation, most typically from BinaryCacheStore to LocalStore.
2016-04-21Move S3BinaryCacheStore from HydraEelco Dolstra
This allows running arbitrary Nix commands against an S3 binary cache. To do: make this a compile time option to prevent a dependency on aws-sdk-cpp.
2016-02-16Add C++ functions for .narinfo processing / signingEelco Dolstra
This is currently only used by the Hydra queue runner rework, but like eff5021eaa6dc69f65ea1a8abe8f3ab11ef5eb0a it presumably will be useful for the C++ rewrite of nix-push and download-from-binary-cache. (@shlevy)
2015-11-24Merge pull request #704 from ysangkok/freebsd-supportEelco Dolstra
FreeBSD support with knowledge about Linux emulation
2015-11-21Revert "remove sandbox-defaults.sb"Shea Levy
As discussed in NixOS/nixpkgs#11001, we still need some of the old sandbox mechanism. This reverts commit d760c2638c9e1f4b8cd9b4ec90d68bf0c76a800b.
2015-11-14remove sandbox-defaults.sbJude Taylor
2015-10-21Add resolve-system-dependencies.plJude Taylor
2015-10-21remove sandbox defaults into a new fileJude Taylor
2015-10-06Use pkg-config-provided LDFLAGS for libsqlite3 and libcurl.Manuel Jacob
Previously, pkg-config was already queried for libsqlite3's and libcurl's link flags. However they were not used, but hardcoded instead. This commit replaces the hardcoded LDFLAGS by the ones provided by pkg-config in a similar pattern as already used for libsodium.