aboutsummaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)Author
2024-05-12Merge "libstore: Fix sandbox=relaxed" into mainArtemis Tosini
2024-05-11filetransfer: fix decompression regression from 121edecfPierre Bourdon
121edecf654ec084274ba1a779c7140082f4115d added a new state field to carry over content encoding settings from transfer to sink creation, but never actually set that field. Change-Id: I714b2efe745561e851b78a4791479b3501db8c72
2024-05-10Merge "bump the extra --version info from info to notice, -vv -> -v" into mainQyriad
2024-05-10Merge "feat(libstore): print the first line of stdout of SSH in case of ↵Raito Bezarius
failure" into main
2024-05-10feat(libstore): print the first line of stdout of SSH in case of failureRaito Bezarius
In case of failure to connect as can be seen in https://buildbot.lix.systems/#/builders/39/builds/1386/steps/1/logs/stdio It is difficult to understand what happened, if we enabled the talkative verbose level, we could learn about the first line SSH sent us. In practice, this is not workable, we can just make it warn all the time. Change-Id: Iaaf56894060a58f2dfc78254bb60b1c43482f9bb Signed-off-by: Raito Bezarius <raito@lix.systems>
2024-05-10bump the extra --version info from info to notice, -vv -> -vQyriad
requiring *two* --verbose to print extra information on --version is a weird flex Change-Id: I05d043da1bf583f34e9d1fc206144ea4ca9a859d
2024-05-10libutil: remove callback.hheldritch horrors
it's no longer used. it really shouldn't have existed this long since it was just a mashup of both std::promise and std::packaged_task in a shape that makes composition unnecessarily difficult. all but a single case of Callback pattern calls were fully synchronous anyway, and even this sole outlier was by far not important enough to justify the extra complexity. Change-Id: I208aec4572bf2501cdbd0f331f27d505fca3a62f
2024-05-10libstore: de-callback-ify FileTransfereldritch horrors
also add a few more tests for exception propagation behavior. using packaged_tasks and futures (which only allow a single call to a few of their methods) introduces error paths that weren't there before. Change-Id: I42ca5236f156fefec17df972f6e9be45989cf805
2024-05-09libstore: de-callback-ify Store::queryRealisationeldritch horrors
Change-Id: I8d74745c519518f163f51dfaa39063836f17599e
2024-05-09libstore: un-callback-ify Store::queryRealisationUncachedeldritch horrors
Change-Id: I4a328f46eaac3bb8b19ddc091306de83348be9cf
2024-05-09libstore: de-callback-ify Store::queryPathInfoUncachedeldritch horrors
Change-Id: I23a156aaff5328f67ca16ccd85c0ea1711b21e35
2024-05-09libstore: de-callback-ify BinaryCacheStore::getFileeldritch horrors
Change-Id: I36b3eb9f645aa04058151e7b2353e15e6f29057b
2024-05-09libstore: de-callback-ify CA realisation substitutioneldritch horrors
this is the *only* real user of file transfer download completion callbacks, and a pretty spurious user at that (seeing how nothing here is even turned on by default and indeed a dependency of path substitution which *isn't* async, and concurrency-limited). it'll be a real pain to keep this around, and realistically it would be a lot better to overhaul substitution in general to be *actually* async. that requires a proper async framework footing though, and we don't have anything of the sort, but it's also blocking *that* Change-Id: I1bf671f217c654a67377087607bf608728cbfc83
2024-05-09add and fix -Wignored-qualifiersQyriad
Change-Id: I4bffa766ae04dd80355f9b8c10e59700e4b406da
2024-05-09add and fix -Wdeprecated-copyQyriad
*so* many warnings, from only two definitions Change-Id: If2561cd500c05a1e33cce984faf9f3e42a8a95ac
2024-05-09Merge "nix3-eval: don't elide top-level errors" into mainQyriad
2024-05-08nix3-eval: don't elide top-level errorsQyriad
Fixes #276. Change-Id: I83e71beb5c35d6f3b10a4186caa5e52a2f95b510
2024-05-08libstore: Fix sandbox=relaxedThéophane Hufschmitt
The fix for the Darwin vulnerability in ecdbc3b207eaec1a2cafd2a0d494bcbabdd60a11 also broke setting `__sandboxProfile` when `sandbox=relaxed` or `sandbox=false`. This cppnix change fixes `sandbox=relaxed` and adds a suitable test. Co-Authored-By: Artemis Tosini <lix@artem.ist> Co-Authored-By: Eelco Dolstra <edolstra@gmail.com> Change-Id: I40190f44f3e1d61846df1c7b89677c20a1488522
2024-05-08repl: show a progress bar while performing buildsAlois Wohlschlager
In commit 946fc12e4e6d7e097c5b6ed4f6bc4d516b10b901, the progress bar in the repl was disabled again because it was observed to erase incremental output from attrset evaluations from the terminal. Let's try adding the progress bar again, this time showing up only when a build is initiated, which does not have incremental output that could be destroyed to begin with. While this does mean that we won't have a progress bar for eval-time fetching or IFD, it's still better than nothing. Change-Id: If4eb1035cd0c876f5b4ff1e2434b9baf99f150ac
2024-05-07remove the autoconf+Make buildsystemQyriad
We're not using it anymore. Any leftover bugs in the Meson buildsystem are now just bugs. Closes #249. Change-Id: I0465a0c37ae819f94d40e7829f5bff046aa63d73
2024-05-07Merge changes Icf26010a,Ib6161567 into mainNikodem Rabuliński
* changes: Always initialize curl in parent process on darwin Fix failing darwin tests
2024-05-07Always initialize curl in parent process on darwinNikodem Rabuliński
Because of an objc quirk[1], calling curl_global_init for the first time after fork() will always result in a crash. Up until now the solution has been to set OBJC_DISABLE_INITIALIZE_FORK_SAFETY for every nix process to ignore that error. This is less than ideal because we were setting it in package.nix, which meant that running nix tests locally would fail because that variable was not set. Instead of working around that error we address it at the core - by calling curl_global_init inside initLibStore, which should mean curl will already have been initialized by the time we try to do so in a forked process. [1] https://github.com/apple-oss-distributions/objc4/blob/01edf1705fbc3ff78a423cd21e03dfc21eb4d780/runtime/objc-initialize.mm#L614-L636 Change-Id: Icf26010a8be655127cc130efb9c77b603a6660d0
2024-05-07libutil: de-callback-ify computeClosureeldritch horrors
only two users of this function exist. only one used it in a way that even bears resemblance to asynchronicity, and even that one didn't do it right. fully async and parallel computation would have only worked if any getEdgesAsync never calls the continuation it receives itself, only from more derived callbacks running on other threads. calling it directly would cause the decoupling promise to be awaited immediately *on the original thread*, completely negating all nice async effects. Change-Id: I0aa640950cf327533a32dee410105efdabb448df
2024-05-07libstore: limit CA realisation info substitution concurrencyeldritch horrors
this seems to be an oversight, considering that regular substitutions are concurrency-limited. while not particularly necessary at present, once we've removed the `Callback` based interfaces it will be needed. Change-Id: Ide2d08169fcc24752cbd07a1d33fb8482f7034f5
2024-05-07libutil: throw EndOfFile at sourceToSink endeldritch horrors
... how has this never broken anything before Change-Id: If3789c02028e8f929481514f63d76b0b46bfc182
2024-05-06fix fallback chroot store creation after b247ef72dQyriad
When /nix/var (or, more precisely, NIX_STATE_DIR) does not exist at all, Lix falls back to creating an adhoc chroot store in XDG_DATA_HOME. b247ef72d[1] changed the way Store classes are initialized, and in the migration, a `params2` was accidentally changed to `params`. This commit restores the correct behavior, and in lieu of a single *character* fix, this commit also changes the variable name to something more reasonable. Fixes #274. [1]: b247ef72dc7bcc857288c0ddcceb3e42f76a78f1 n.b., this code might deserve some more looking at anyway. this fallback store creation throws away *all* Store params passed to openFromNonUri() in favor of an entirely new set which only contains the `root` param, which may or may not be the correct behavior Change-Id: Ibea559b88a50e6d6e75a1f87d9d7816cabb2a8f3
2024-05-06filetransfer: correctly abort empty transferseldritch horrors
returning 0 from the callback for errors signals successful transfer if the source returned no data even though the exception we've just caught clearly disagrees. while this is not all that important (since the only viable cause of such errors will be dataCallback, and the sole instance of it being used already takes care of exceptions) we can just do this. Change-Id: I2bb150eff447121d82e8e3aa4e00057c40523ac6
2024-05-06filetransfer: extract decompressor creationeldritch horrors
this will be necessary if we want download() to return a source instead of consuming a sink, which will in turn be needed to remove coroutines. Change-Id: I34ec241e9bbc5d32fbcd243b244e29c3757533aa
2024-05-05Fix the pages in the manual for LixJade Lovelace
This doesn't comprehensively fix everything outdated in the manual, or make the manual greatly better, but it does note down where at least jade noticed it was wrong, and it does fix all the instances of referencing Nix to conform to the style guide to the best of our ability. A lot of things have been commented out for being wrong, and there are three types of FIXME introduced: - FIXME(Lix): generically Lix needs to fix it - FIXME(Qyriad): re https://git.lix.systems/lix-project/lix/issues/215 - FIXME(meson): docs got outdated by meson changes and need rewriting I did fix a bunch of it that I could, but there could certainly be mistakes and this is definitely just an incremental improvement. Fixes: https://git.lix.systems/lix-project/lix/issues/266 Change-Id: I5993c4603d7f026a887089fce77db08394362135
2024-05-05fix integer overflow on i686 with high phys memoryQyriad
sizeof(long) is 4 bytes on i686 GCC. With ~32 GiB of memory and a page size of 4096, there are 7988420 pages. (7988420 * 4096) is bigger than INT32_MAX folks. This has gone unnoticed for 9 years, and only came up thanks to 94ea517db[1] adding integer overflow sensitization checks, which caused this broken code to emit an illegal instruction, crashing Lix the instant the buildsystem ran Lix to generate the docs files. [1]: 94ea517dbe729765b69638190f4bea3f6a632b40 Change-Id: I50bb9ea072aac11b449d79e5d55525887a6e5a99
2024-05-05Merge "point nix3-upgrade-nix to releases.lix.systems/manifest.nix" into mainQyriad
2024-05-05Merge "Warn on untrusted client settings being ignored" into mainjade
2024-05-05filetransfer: abort transfer on receiver exceptioneldritch horrors
not doing this will cause transfers that had their readers disappear to linger. with lingering transfers the curl thread can't shut down, which will cause nix itself to not shut down until the transfer finishes some other way (most likely network timeouts). also add a new test for this. Change-Id: Id2401b3ac85731c824db05918d4079125be25b57
2024-05-05point nix3-upgrade-nix to releases.lix.systems/manifest.nixQyriad
This file is currently manually managed, but will be automated along with the rest of the release process. Change-Id: I77839919549aaac73de582b2e563ce3ef914a8cb
2024-05-04Warn on untrusted client settings being ignoredJade Lovelace
These are such a footgun and trip people up a lot. Let's make Lix louder about this. Related: https://git.lix.systems/lix-project/lix/issues/261 Change-Id: I6a8d57c9817caaa6b0cbf886c615dda51038f628
2024-05-05Merge "Actually try making a userns before assuming they don't work" into mainjade
2024-05-05Merge "Fix /etc/group having desynced IDs from the actual UID in the ↵jade
sandbox" into main
2024-05-05Actually try making a userns before assuming they don't workJade Lovelace
If unprivileged userns are *believed* to be disabled (such as with "kernel.unprivileged_userns_clone = 0"), Lix would previously *give up* on trying to use a user namespace before actually trying it, even if, in cases such as unprivileged_userns_clone, it would actually be allowed since Nix has CAP_SYS_ADMIN when running as daemon. (see, e.g. https://github.com/archlinux/linux/commit/25d4709a4fc0e4f3b432c24b60dd508fb84f0cb2) We changed it to actually try it first, and then diagnose possible causes, and also to be more loud about the whole thing, using warnings instead of debugs. These warnings will only print on the first build run by the daemon, which is, tbh, eh, shrug. This is what led to us realizing that no-userns was a poorly exercised condition. Change-Id: I8e4f21afc89c574020dc7e89a560cc740ce6573a
2024-05-04Fix /etc/group having desynced IDs from the actual UID in the sandboxJade Lovelace
This was found when `logrotate.conf` failed to build in a NixOS system with: /nix/store/26zdl4pyw5qazppj8if5lm8bjzxlc07l-coreutils-9.3/bin/id: cannot find name for group ID 30000 This was surprising because it seemed to mean that /etc/group was busted in the sandbox. Indeed it was: root:x:0: nixbld:!:100: nogroup:x:65534: We diagnosed this to sandboxUid() being called before usingUserNamespace() was called, in setting up /etc/group inside the sandbox. This code desperately needs refactoring. We also moved the /etc/group code to be with the /etc/passwd code, but honestly this code is all spaghetti'd all over the place and needs some more serious tidying than we did here. We also moved some checks to be earlier to improve locality with where the things they are checking come from. Change-Id: Ie29798771f3593c46ec313a32960fa955054aceb
2024-05-04Remove a URL literal from fetchTarball docsJade Lovelace
Change-Id: I254b793b42f77ffe9f357f3b376683e5758f23b5
2024-05-04Merge "Revert "Revert "Merge pull request #6621 from Kha/nested-follows""" ↵Maximilian Bosch
into main
2024-05-04Merge "libstore/local-derivation-goal: prohibit creating setuid/setgid ↵Maximilian Bosch
binaries" into main
2024-05-03Revert "Revert "Merge pull request #6621 from Kha/nested-follows""Maximilian Bosch
This reverts commit a8b3d777fbdaf0b732f129e5be62cd2a1227674b. This undoes the revert of PR#6621, which allows nested `follows`, i.e. { inputs = { foo.url = "github:bar/foo"; foo.inputs.bar.inputs.nixpkgs = "nixpkgs"; }; } does the expected thing now. This is useful to avoid the 1000 instances of nixpkgs problem without having each flake in the dependency tree to expose all of its transitive dependencies for modification. This was in fact part of Nix before and the C++ changes applied w/o conflicts. However, it got reverted then because people didn't want to merge lazy-trees against it which was supposed to be merged soon back in October 2022. Fixes: https://git.lix.systems/lix-project/lix/issues/201 Change-Id: I5ddef914135b695717b2ef88862d57ced5e7aa3c
2024-05-03Merge "Rename `nix show-config` to `nix config show`" into mainMaximilian Bosch
2024-05-03libstore/local-derivation-goal: prohibit creating setuid/setgid binariesMaximilian Bosch
With Linux kernel >=6.6 & glibc 2.39 a `fchmodat2(2)` is available that isn't filtered away by the libseccomp sandbox. Being able to use this to bypass that restriction has surprising results for some builds such as lxc[1]: > With kernel ≥6.6 and glibc 2.39, lxc's install phase uses fchmodat2, > which slips through https://github.com/NixOS/nix/blob/9b88e5284608116b7db0dbd3d5dd7a33b90d52d7/src/libstore/build/local-derivation-goal.cc#L1650-L1663. > The fixupPhase then uses fchmodat, which fails. > With older kernel or glibc, setting the suid bit fails in the > install phase, which is not treated as fatal, and then the > fixup phase does not try to set it again. Please note that there are still ways to bypass this sandbox[2] and this is mostly a fix for the breaking builds. This change works by creating a syscall filter for the `fchmodat2` syscall (number 452 on most systems). The problem is that glibc 2.39 is needed to have the correct syscall number available via `__NR_fchmodat2` / `__SNR_fchmodat2`, but this flake is still on nixpkgs 23.11. To have this change everywhere and not dependent on the glibc this package is built against, I added a header "fchmodat2-compat.hh" that sets the syscall number based on the architecture. On most platforms its 452 according to glibc with a few exceptions: $ rg --pcre2 'define __NR_fchmodat2 (?!452)' sysdeps/unix/sysv/linux/x86_64/x32/arch-syscall.h 58:#define __NR_fchmodat2 1073742276 sysdeps/unix/sysv/linux/mips/mips64/n32/arch-syscall.h 67:#define __NR_fchmodat2 6452 sysdeps/unix/sysv/linux/mips/mips64/n64/arch-syscall.h 62:#define __NR_fchmodat2 5452 sysdeps/unix/sysv/linux/mips/mips32/arch-syscall.h 70:#define __NR_fchmodat2 4452 sysdeps/unix/sysv/linux/alpha/arch-syscall.h 59:#define __NR_fchmodat2 562 I added a small regression-test to the setuid integration-test that attempts to set the suid bit on a file using the fchmodat2 syscall. I confirmed that the test fails without the change in local-derivation-goal. Additionally, we require libseccomp 2.5.5 or greater now: as it turns out, libseccomp maintains an internal syscall table and validates each rule against it. This means that when using libseccomp 2.5.4 or older, one may pass `452` as syscall number against it, but since it doesn't exist in the internal structure, `libseccomp` will refuse to create a filter for that. This happens with nixpkgs-23.11, i.e. on stable NixOS and when building Lix against the project's flake. To work around that * a backport of libseccomp 2.5.5 on upstream nixpkgs has been scheduled[3]. * the package now uses libseccomp 2.5.5 on its own already. This is to provide a quick fix since the correct fix for 23.11 is still a staging cycle away. We still need the compat header though since `SCMP_SYS(fchmodat2)` internally transforms this into `__SNR_fchmodat2` which points to `__NR_fchmodat2` from glibc 2.39, so it wouldn't build on glibc 2.38. The updated syscall table from libseccomp 2.5.5 is NOT used for that step, but used later, so we need both, our compat header and their syscall table 🤷 Relevant PRs in CppNix: * https://github.com/NixOS/nix/pull/10591 * https://github.com/NixOS/nix/pull/10501 [1] https://github.com/NixOS/nixpkgs/issues/300635#issuecomment-2031073804 [2] https://github.com/NixOS/nixpkgs/issues/300635#issuecomment-2030844251 [3] https://github.com/NixOS/nixpkgs/pull/306070 (cherry picked from commit ba6804518772e6afb403dd55478365d4b863c854) Change-Id: I6921ab5a363188c6bff617750d00bb517276b7fe
2024-05-03Rename `nix show-config` to `nix config show`Théophane Hufschmitt
Part of #7672 My main motivation is to be able to use `nix.checkConfig`[1]. This doesn't work with Lix currently since the module uses `nix show-config` if the Nix version is <2.20pre and `nix config show` otherwise. I think this is the only instance where nixpkgs checks for which Nix commands exist that affects us now, so I figured we could just perform the rename here as well[2] and still provide the current version number[3]. I don't have a strong opinion on whether to deprecate `nix show-config`, the warning is added there automatically. (cherry picked from commit f300e11b056dea414d7d77bbc6e5a7dc5d9ddd41) [1] https://nixos.org/manual/nixos/stable/options.html#opt-nix.checkConfig [2] I should add that I don't use the "official" ways of installing Lix because using the flake directly and callPackaging it seemed to fit better into my workflow: I already have a little mess to make sure Hydra from the flake uses the correct pkgs.nix and I didn't want to complicate it further while keeping a single package-set I can build in CI. Don't get me wrong, I think such a module for a quick-start is very important, just giving context on why I bother in the first place :) [3] When we go public, I think it's worth considering to add support in nixpkgs itself for Lix. Change-Id: I47b4239b05cbeda3c370d2fa56ea768b768768ac
2024-05-03Merge changes Id1a67156,I03f4c7c1,I146736bb,I3b1453cb into mainQyriad
* changes: docs: clarify how ^ works for -E/-f installables docs: give translation examples from nix-build -E/-A to installables docs: clarify how the different kinds of installables are selected docs: guide to installables docs in installable commands' docs
2024-05-03Merge "libstore: check additionalSandboxProfile" into mainArtemis Tosini
2024-05-03libstore: check additionalSandboxProfileArtemis Tosini
Currently LocalDerivationGoal allows setting `__sandboxProfile` to add sandbox parameters on Darwin when `sandbox=true`. This was only supposed to have an effect when `sandbox=relaxed` Change-Id: Ide44ee82d7e4d6b545285eab26547e7014817d3f
2024-05-03libutil: make rewriteStrings soundeldritch horrors
this is used in CA rewriting, replacement of placeholders in derivations, generating scripts for devShells, and some more places. in all of these transitive replacements are unsound, and overlapping replacements would be as well. there even is a test that transitive replacements do not happen (in the CA RewriteSink suite), but none for overlapping replacements. a minimally surprising binary rewriter surely would not do any of these replacements, the only reason we have not seen this break yet is probably that rewriteStrings is only called for store paths and things that look like store paths (and those should never overlap nor admit such transitive replacements) Change-Id: I6fc29f939d5061d9f56c752624a823ece8437c07