aboutsummaryrefslogtreecommitdiff
path: root/src/libstore
AgeCommit message (Collapse)Author
2016-01-05libstore: mmap() returns MAP_FAILED, not NULL on failureTuomas Tynkkynen
2016-01-04Don't allow sandbox profile except in relaxed modeEelco Dolstra
This makes Darwin consistent with Linux: Nix expressions can't break out of the sandbox unless relaxed sandbox mode is enabled. For the normal sandbox mode this will require fixing #759 however.
2016-01-04~PathLocks(): Handle exceptionsEelco Dolstra
Otherwise, since the call to write a "d" character to the lock file can fail with ENOSPC, we can get an unhandled exception resulting in a call to terminate().
2015-12-29Fix regression in passAsFileEelco Dolstra
Caused by 8063fc497ab78fa72962b93874fe25dcca2b55ed. If tmpDir != tmpDirInSandbox (typically when there are multiple concurrent builds with the same name), the *Path attribute would not point to an existing file. This caused Nixpkgs' writeTextFile to write an empty file. In particular this showed up as hanging VM builds (because it would run an empty run-nixos-vm script and then wait for it to finish booting).
2015-12-22Handle /tmp being a symlinkEelco Dolstra
Hopefully fixes Darwin sandbox regression introduced in 8063fc497ab78fa72962b93874fe25dcca2b55ed.
2015-12-22Fix bad error message in Darwin chrootsEelco Dolstra
2015-12-10Build sandbox support etc. unconditionally on LinuxEelco Dolstra
Also, use "#if __APPLE__" instead of "#if SANDBOX_ENABLED" to prevent ambiguity.
2015-12-08Clarify error message for hash mismatches (again)Bjørn Forsman
This is arguably nitpicky, but I think this new formulation is even clearer. My thinking is that it's easier to comprehend when the calculated hash value is displayed close to the output path. (I think it is somewhat similar to eliminating double negatives in logic statements.) The formulation is inspired / copied from the OpenEmbedded build tool, bitbake.
2015-12-02daemon: Add 'buildMode' parameter to 'buildPaths' RPCLudovic Courtès
2015-12-02Use deterministic $TMPDIR in sandboxEelco Dolstra
Rather than using $<host-TMPDIR>/nix-build-<drvname>-<number>, the temporary directory is now always /tmp/nix-build-<drvname>-0. This improves bitwise-exact reproducibility for builds that store $TMPDIR in their build output. (Of course, those should still be fixed...)
2015-11-25Merge branch 'p/sandbox-rename-minimal' of https://github.com/vcunat/nixEelco Dolstra
2015-11-25Fix build failure introduced by #704Eelco Dolstra
Also, make the FreeBSD checks conditional on FreeBSD.
2015-11-24Merge pull request #704 from ysangkok/freebsd-supportEelco Dolstra
FreeBSD support with knowledge about Linux emulation
2015-11-21reintroduce host deps in tandem with sandbox profilesJude Taylor
2015-11-21Revert "remove sandbox-defaults.sb"Shea Levy
As discussed in NixOS/nixpkgs#11001, we still need some of the old sandbox mechanism. This reverts commit d760c2638c9e1f4b8cd9b4ec90d68bf0c76a800b.
2015-11-19re-fix permissions for GHCJude Taylor
2015-11-19Merge branch 'sandbox-profiles' of git://github.com/pikajude/nixShea Levy
Temporarily allow derivations to describe their full sandbox profile. This will be eventually scaled back to a more secure setup, see the discussion at #695
2015-11-19src/libstore/build.cc: clarify error message for hash mismatchesPeter Simons
Nix reports a hash mismatch saying: output path ‘foo’ should have sha256 hash ‘abc’, instead has ‘xyz’ That message is slightly ambiguous and some people read that statement to mean the exact opposite of what it is supposed to mean. After this patch, the message will be: Nix expects output path ‘foo’ to have sha256 hash ‘abc’, instead it has ‘xyz’
2015-11-17FreeBSD can build Linux 32-bit binariesjanus
2015-11-16AutoDelete: Add default constructor with deletion disabledShea Levy
2015-11-15Use AutoDelete for sandbox profile fileShea Levy
2015-11-14simplify build.cc using modern C++ featuresJude Taylor
2015-11-14simplify build permissionsJude Taylor
2015-11-14remove sandbox-defaults.sbJude Taylor
2015-11-14use per-derivation sandbox profilesJude Taylor
2015-11-10rename `chroot` to `sandbox` (fixes #656, close #682)Vladimír Čunát
- rename options but leav old names as lower-priority aliases, also "-dirs" -> "-paths" to get closer to the meaning - update docs to reflect the new names (old aliases are not documented), including a new file with release notes - tests need an update after corresponding changes to nixpkgs - __noChroot is left as it is (after discussion on the PR)
2015-11-09Add option to verify build determinismEelco Dolstra
Passing "--option build-repeat <N>" will cause every build to be repeated N times. If the build output differs between any round, the build is rejected, and the output paths are not registered as valid. This is primarily useful to verify build determinism. (We already had a --check option to repeat a previously succeeded build. However, with --check, non-deterministic builds are registered in the DB. Preventing that is useful for Hydra to ensure that non-deterministic builds don't end up getting published at all.)
2015-11-09Revert "Allow using /bin and /usr/bin as impure prefixes on non-darwin by ↵Eelco Dolstra
default" This reverts commit 79ca5033329053caa364bb2f7e50953f859cc97f. Ouch, never noticed this. We definitely don't want to allow builds to have arbitrary access to /bin and /usr/bin, because then they can (for instance) bring in a bunch of setuid programs. Also, we shouldn't be encouraging the use of impurities in the default configuration.
2015-11-09optimizePath(): Detect some .links corruptionEelco Dolstra
If automatic store optimisation is enabled, and a hard-linked file in the store gets corrupted, then the corresponding .links entry will also be corrupted. In that case, trying to repair with --repair or --repair-path won't work, because the new "good" file will be replaced by a hard link to the corrupted file. We can catch most of these cases by doing a sanity-check on the file sizes.
2015-11-03fix syntax errorJude Taylor
2015-11-03darwin: allow reading system locale and zoneinfoJude Taylor
2015-10-31allow reading ICU dataJude Taylor
2015-10-30add special devices to sandbox-defaultsJude Taylor
2015-10-30<nix/fetchurl.nix>: Support xz-compressed NARsEelco Dolstra
2015-10-30<nix/fetchurl.nix>: Support downloading and unpacking NARsEelco Dolstra
This removes the need to have multiple downloads in the stdenv bootstrap process (like a separate busybox binary for Linux, or curl/mkdir/sh/bzip2 for Darwin). Now all those files can be combined into a single NAR.
2015-10-29int2String() -> std::to_string()Eelco Dolstra
2015-10-21use nixDataDir instead of appending /share to PREFIXJude Taylor
2015-10-21clarifying commentJude Taylor
2015-10-21move preBuildHook defaulting to globals.ccJude Taylor
2015-10-21restore old DEFAULT_ALLOWED_IMPURE_PREFIXESJude Taylor
2015-10-21Add resolve-system-dependencies.plJude Taylor
2015-10-21remove usr paths from allowed inputsJude Taylor
2015-10-21allow access to SystemVersion for python buildersJude Taylor
2015-10-21fix line reading in preBuildHookJude Taylor
2015-10-21remove sandbox defaults into a new fileJude Taylor
2015-10-21restore allowed impure prefixesJude Taylor
2015-10-21remove an unneeded default impure-depJude Taylor
2015-10-21make sandbox builds more permissiveJude Taylor
2015-10-21add a few more permissionsJude Taylor
2015-10-21Allow builtin fetchurl regardless of the derivation's system attributeEelco Dolstra