aboutsummaryrefslogtreecommitdiff
path: root/src/libstore
AgeCommit message (Collapse)Author
2024-05-03libstore: check additionalSandboxProfileArtemis Tosini
Currently LocalDerivationGoal allows setting `__sandboxProfile` to add sandbox parameters on Darwin when `sandbox=true`. This was only supposed to have an effect when `sandbox=relaxed` Change-Id: Ide44ee82d7e4d6b545285eab26547e7014817d3f
2024-05-02Disallow store path names that are . or .. (plus opt. -)Robert Hensing
As discussed in the maintainer meeting on 2024-01-29. Mainly this is to avoid a situation where the name is parsed and treated as a file name, mostly to protect users. .-* and ..-* are also considered invalid because they might strip on that separator to remove versions. Doesn't really work, but that's what we decided, and I won't argue with it, because .-* probably doesn't seem to have a real world application anyway. We do still permit a 1-character name that's just "-", which still poses a similar risk in such a situation. We can't start disallowing trailing -, because a non-zero number of users will need it and we've seen how annoying and painful such a change is. What matters most is preventing a situation where . or .. can be injected, and to just get this done. (cherry picked from commit f1b4663805a9dbcb1ace64ec110092d17c9155e0) Change-Id: I900a8509933cee662f888c3c76fa8986b0058839
2024-05-02Revert "StorePath: reject names starting with '.'"Robert Hensing
This reverts commit 24bda0c7b381e1a017023c6f7cb9661fae8560bd. (cherry picked from commit 9ddd0f2af8fd95e1380027a70d0aa650ea2fd5e4) Change-Id: Ideb547e2a8ac911cf39d58d3e0c1553867bdd776
2024-04-27Run all derivation builders inside the sandbox on macOSPuck Meerburg
This replaces the external sandbox-exec call with direct calls into libsandbox. This API is technically deprecated and is missing some prototypes, but all major browsers depend on it, so it is unlikely to materially change without warning. This commit also ensures the netrc file is only written if the derivation is in fact meant to be able to access the internet. This change commits a sin of not actually actively declaring its dependency on macOS's libsandbox.dylib; this is due to the dylib cache in macOS making that explicit dependency unnecessary. In the future this might become a problem, so this commit marks our sins. Co-authored-by: Artemis Tosini <lix@artem.ist> Co-authored-by: Lunaphied <lunaphied@lunaphied.me> Change-Id: Ia302141a53ce7b0327c1aad86a117b6645fe1189
2024-04-27Fix progress bar on copyPathsPuck Meerburg
This variable should not be shared between activities. Change-Id: I4eee89bc7acb320a3972dc3a55bfb087d3a9eb3a
2024-04-27libstore/ssh: shutK900
This is just logspam, and we have NIX_SSHOPTS for people that want the logspam. Change-Id: Ieff71473686f0661f9c53c212f8952dd2c9565c3
2024-04-26Merge "ssh-ng: Set log-fd for ssh to `4` by default" into mainMaximilian Bosch
2024-04-26Merge "gc: Find roots using libproc on Darwin" into mainArtemis Tosini
2024-04-26ssh-ng: Set log-fd for ssh to `4` by defaultMaximilian Bosch
That's expected by `build-remote` and makes sure that errors are correctly forwarded to the user. For instance, let's say that the host-key of `example.org` is unknown and nix-build ../nixpkgs -A hello -j0 --builders 'ssh-ng://example.org' is issued, then you get the following output: cannot build on 'ssh-ng://example.org?&': error: failed to start SSH connection to 'example.org' Failed to find a machine for remote build! derivation: yh46gakxq3kchrbihwxvpn5bmadcw90b-hello-2.12.1.drv required (system, features): (x86_64-linux, []) 2 available machines: [...] The relevant information (`Host key verification failed`) ends up in the daemon's log, but that's not very obvious considering that the daemon isn't very chatty normally. This can be fixed - the same way as its done for legacy-ssh - by passing fd 4 to the SSH wrapper. Now you'd get the following error: cannot build on 'ssh-ng://example.org': error: failed to start SSH connection to 'example.org': Host key verification failed. Failed to find a machine for remote build! [...] ...and now it's clear what's wrong. Please note that this is won't end up in the derivation's log. For previous discussion about this change see https://github.com/NixOS/nix/pull/7659. Change-Id: I5790856dbf58e53ea3e63238b015ea06c347cf92
2024-04-26filetransfer: don't decompress in curl wrapper itselfeldritch horrors
only decompress the response once all data has been received (in the fully buffered case), or at least outside of the curl wrapper itself (in the receive-to-sink case). unfortunately this means we will have to duplicate decompression logic for these two cases for time being, but once the curl wrapper has been rewritten to return a real future or Source we can deduplicate this logic again. the curl wrapper will have to turn into a proper Source first and use decompression source logic which also does not currently exist—only decompression *sinks* Change-Id: I66bc692f07d9b9e69fe10689ee73a2de8d65e35c
2024-04-26filetransfer: remove dataCallback from interfaceeldritch horrors
this is highly questionable. single-arg download calls will misbehave with it set, and two-arg download calls will just overwrite it. being an implementation detail this should not have been in the API at all. Change-Id: I613772951ee03d8302366085f06a53601d13f132
2024-04-26filetransfer: make two-arg download abstracteldritch horrors
this lets each implementation of FileTransfer (of which currently only the one exists at all) implement appropriate handling for its internal behaviours that are not otherwise exposed. in curl this lets us switch the buffer-full handling method from "block the entire curl thread" to "pause just the one transfer", move the non-libcurl body decompression out of the actual curl wrapper (which will let us eventually morph the curl wrapper intto an actual source of Sources), and some other things Change-Id: Id6d3593cde6b4915aab3e90a43b175c103cc3f18
2024-04-25gc: Find roots using libproc on DarwinArtemis Tosini
Previously, the garbage collector found runtime roots on Darwin by shelling out to `lsof -n -w -F n` then parsing the result. However, this requires an lsof binary and can be extremely slow. The official Apple lsof returns in a reasonable amount of time, about 250ms in my tests, but the lsof packaged in nixpkgs is quite slow, taking about 40 seconds to run the command. Using libproc directly is about the same speed as Apple lsof, and allows us to reënable several tests that were disabled on Darwin. Change-Id: Ifa0adda7984e13c15535693baba835aae79a3577
2024-04-25filetransfer: drop errorSinkeldritch horrors
just accumulate error data into result.data as we would for successful transfers without a dataCallback. errorSink and data would contain the same data in error cases anyway, so splitting them is not very useful. Change-Id: I00e449866454389ac6a564ab411c903fd357dabf
2024-04-25filetransfer: restore http status line reportingeldritch horrors
this was broken in 75b62e52600a44b42693944b50638bf580a2c86e. Change-Id: If8583e802afbcde822623036bf41a9708fbc7c8d
2024-04-25filetransfer: remove decompress request parametereldritch horrors
this is never read. Change-Id: I4c46f140519843a21e452958900e81edd2f78be2
2024-04-24Merge "libstore: Create platform LocalStore subclasses" into mainArtemis Tosini
2024-04-23libstore: Create platform LocalStore subclassesArtemis Tosini
This creates new subclasses of LocalStore for each OS to include platform-specific functionality. Currently this just includes garbage collector roots but it could be extended to sandboxing as well. In order to make sure that the generic LocalStore is not accidentally constructed, its constructor is protected. A Fallback is provided which implements no functionality except constructors. Change-Id: I836a28e90b68309873f75afb83e0f1b2e2c89fb3
2024-04-23Merge changes Ia3e7b1e6,If09be814 into mainQyriad
* changes: meson: flip the switch!! meson: fix cross compilation
2024-04-22meson: fix cross compilationQyriad
This should fix cross compilation in the base case, but this is difficult to test as cross compilation is broken in many different places right now. This should bring Meson back up to cross parity with the Make buildsystem though. Change-Id: If09be8142d1fc975a82b994143ff35be1297dad8
2024-04-23libstore: use curl functions for reading headerseldritch horrors
don't reimplement header parsing. this was only really needed due to the ancient github bug we no longer care about, everything else we have done in custom code can also be done using curl itself. doing this also fixes possible sources of header smuggling (because the header function didn't unfold headers and we'd trim them before parsing, which would've made us read contents of one header as a fully formed header in itself). this is a slight behavior change because we now honor only the first instance of a given header where previous behavior was to honor either the last or a combination of all of them (accept-ranges was logical-or'd by accident). Change-Id: I93cb93ddb91ab98c8991f846014926f6ef039fdb
2024-04-23libstore: remove github etag workaroundeldritch horrors
this was a workaround for a *github* bug that happend *in 2015*. not only is github no longer buggy, it shouldn't have been nix's responsibility to work around these bugs like this to begin with while we're at it we'll also remove another workaround—again for github specifically and again for etag handling—from 2021 that's also not needed any more. future workarounds for serverside bugs should probably come with an expiration date that mutates into a build warning after a while, otherwise this *will* happen again. Change-Id: I74f739ae3e36d40350f78bebcb5869aa8cc9adcd
2024-04-22libstore: use curl_multi_{poll,wakeup}eldritch horrors
the previous solution to the wakeup problem (adding a pipe and passing it as an additional fd to curl_multi_wait) worked, but there have been builtin alternatives for this since 2020. not only do these save code, they're also a lot more likely to work natively on windows when needed Change-Id: Iab751b900997110a8d15de45ea3ab0c42f7e5973
2024-04-22libstore: remove ancient libcurl feature checkseldritch horrors
the oldest version checked for here is 7.47, which was released in 2016. it's probably safe to say that we do not need these any more Change-Id: I003411f6b2ce6d56f7ca337390df3ea86bd59a99
2024-04-21Fix exportReferencesGraph when given store subpathAlyssa Ross
With Nix 2.3, it was possible to pass a subpath of a store path to exportReferencesGraph: with import <nixpkgs> {}; let hello = writeShellScriptBin "hello" '' echo ${toString builtins.currentTime} ''; in writeClosure [ "${hello}/bin/hello" ] This regressed with Nix 2.4, with a very confusing error message, that presumably indicates it was unintentional: error: path '/nix/store/3gl7kgjr4pwf03f0x70dgx9ln3bhl7zc-hello/bin/hello' is not in the Nix store (cherry picked from commit 0774e8ba33c060f56bad3ff696796028249e915a) Change-Id: I00920fb33077b831a1bb4a1b68d515ba8c3c2a69
2024-04-18meson: correctly embed sandbox shell when askedQyriad
Change-Id: I2f6c0d42245204a516d2e424eea26a6391e975ad
2024-04-18meson: correctly set -DSANDBOX_SHELL if we have itQyriad
The statically embedded busybox is not required for Lix to work, but package.nix explicitly sets this, which was accidentally being ignored. Change-Id: Ieeff830ac7d1f5fabe84d1a6cfd82f13d79035bf
2024-04-16Merge "libstore/build: set NO_NEW_PRIVS for the sandbox" into mainIlya K
2024-04-15fix probable format bug in DerivationGoal::buildDoneQyriad
Either the contents of `line` could cause format errors, or this usage is Technically safe. However, I trust nothing, especially with boost::format. Change-Id: I07933b20bde3b305a6e5d61c2a7bab6ecb042ad9
2024-04-15libstore/build: set NO_NEW_PRIVS for the sandboxK900
Change-Id: I711f64e2b68495ed9c85c1a4bd5025405805e43a
2024-04-14don't throw an exception for the trivial case of isStorePath()...Qyriad
Previously if isStorePath() was called on anything other than a top-level /nix/store/some-path, it would throw a BadStorePath exception. This commit duplicates the absolutely trivial check, into maybeParseStorePath(), and leaves exception throwing to parseStorePath(), the function that assumes you're already giving a valid path instead of the one whose purpose is to check if its valid or not... Change-Id: I8dda548f0f88d14ca8c3ee927d64e0ec0681fc7b
2024-04-13libstore/build: just copy the magic /etc files into the sandboxK900
Saves us a bunch of thinking about how to handle symlinks, and prevents the DNS config from changing on the fly under the build, which may or may not be a good thing? Change-Id: I071e6ae7e220884690b788d94f480866f428db71
2024-04-11Merge "Merge pull request #10456 from NixOS/fixpermdeniedbind" into mainIlya K
2024-04-11Merge "Merge pull request #10362 from obsidiansystems/maybeLstat" into mainIlya K
2024-04-11Merge pull request #10456 from NixOS/fixpermdeniedbindThéophane Hufschmitt
Fix adding symlink to the sandbox paths (cherry-picked from commit da1e977bf48cff2a635034c85e7c13878e38efc2) Change-Id: I221c85a38180800ec6552d2e86a88df48398fad8
2024-04-11Merge pull request #10362 from obsidiansystems/maybeLstatJohn Ericson
Factor out `nix::maybeLstat` (cherry-picked from commit 9b88e5284608116b7db0dbd3d5dd7a33b90d52d7) Change-Id: Id890525e847c890fad6593c594772826ac4d1d50
2024-04-11libstore: fix glossary link in documentationeldritch horrors
this should be a link, not an anchor. it should also point to the `gloss-store` element, not the `#gloss-store` element. Change-Id: I1f2803093179549637e10f917ad73399a419131b
2024-04-09meson: correctly set NIX_CONF_DIR to $sysconfdir/nixQyriad
Instead of $sysconfdir. Fixes #231, but there's more to do in following commits to make Meson-built Lix actually look in /etc/nix. Change-Id: Ia8d627070f405843add46e05cff5134b76b8eb48
2024-04-08pragma once and ///@file everything missing itJade Lovelace
Change-Id: Ia1a72348336794b5fb9f2694dd750266089b904e
2024-04-05Revert "libutil: remove Pool::Handle::bad"eldritch horrors
This reverts commit 792844fb861ea7367ac2316c78fec055363f2f9e. Change-Id: I3ca208b62edfd5cd1199478f75cd2edf19a364f6
2024-04-05Revert "libstore: remove one Resource::good flag"eldritch horrors
This reverts commit 87249eb579bf57f4f09e9fca100588a4d6b90b4c. Change-Id: Ide4c6e00c4155216a17e46671ff47151d7bb85b4
2024-04-05Revert "libstore: using throwing finally in withFramedSink"eldritch horrors
This reverts commit 491caad6f62c21ffbcdebe662e63ec0f72e6f3a2. this is not actually legal for nix! throwing exceptions in destructors is fine, but the way nix is set up we'll end up throwing the exception we received from the remote *twice* in some cases, and such cases will cause an immediate terminate without active exception. Change-Id: I74c46b9f26fd791086e4193ec60eb1deb9a5bb2a
2024-04-05Revert "libutil: drop Fs{Source,Sink}::good"eldritch horrors
This reverts commit 1340807e30dba4b3972c31f02861bbaeaeb60e61. Change-Id: I34d2a80eb3c3e9d79cb02b92cd1189da32d18cb6
2024-03-31libutil: drop Fs{Source,Sink}::goodeldritch horrors
setting this only on exceptions caused by actual fd access is not sufficient to diagnose all errors (such as SerialisationError) in some cases. this usually does not have any negative effects since those errors will end up killing the process in another way. this is not a reliable assumption though and we should be using proper error handling (and closing connections more often, preferring to close over keeping something open that might be in a weird state) Change-Id: I1b792cd7ad8ba9ff0f6bd174945ab2575ff2208e
2024-03-31Merge changes Ib62d3d68,Ic3e7affe into mainjade
* changes: Make things that can throw not noexcept anymore Fix various clang-tidy lints
2024-03-31libstore: using throwing finally in withFramedSinkeldritch horrors
the duplication of exception handling was added without justification, so we can only assume that it was done like this because Finally could not throw exceptions safely. since this has now been rectified we will deduplicate this handler code again. Change-Id: I40721f3378c0fd9f34e2914a16d383f6e2713b40
2024-03-31libstore: remove one Resource::good flageldritch horrors
usage of this flag previously kept connections open much longer than necessary, and at the same time obscured that a connection was being dropped when it *was* set. new variable names clarify this somewhat. Change-Id: I11f6f08f37a5e4dc04ea6c6036ea589154b121c6
2024-03-31libutil: remove Pool::Handle::badeldritch horrors
it was used incorrectly (not swapped on handle move), only used in one place (that is now handled with exception handling detection in Handle itself), and if ever reintroduced should be replaced with a different, more understandable mechanism (like an explicit dropAsInvalid method). Change-Id: Ie3e5d5cfa81d335429cb2ee5c3ad85c74a9df17b
2024-03-31libutil: remove Pool::flushBadeldritch horrors
this was never actually used, and bad design in the first place—why should a bad resource be put back into the idle pool? just drop it. Change-Id: Idab8774bee19dadae0209d404c4fb86dd4aeba1e
2024-03-29Add `pre-commit` checksRebecca Turner
The big ones here are `trim-trailing-whitespace` and `end-of-file-fixer` (which makes sure that every file ends with exactly one newline character). Change-Id: Idca73b640883188f068f9903e013cf0d82aa1123