Commit graph

4163 commits

Author SHA1 Message Date
Eelco Dolstra
99897f6979 Use chroots for all derivations
If ‘build-use-chroot’ is set to ‘true’, fixed-output derivations are
now also chrooted. However, unlike normal derivations, they don't get
a private network namespace, so they can still access the
network. Also, the use of the ‘__noChroot’ derivation attribute is
no longer allowed.

Setting ‘build-use-chroot’ to ‘relaxed’ gives the old behaviour.
2015-02-23 15:54:31 +01:00
Eelco Dolstra
15d2d3c34e Add restricted evaluation mode
If ‘--option restrict-eval true’ is given, the evaluator will throw an
exception if an attempt is made to access any file outside of the Nix
search path. This is primarily intended for Hydra, where we don't want
people doing ‘builtins.readFile ~/.ssh/id_dsa’ or stuff like that.
2015-02-23 15:54:31 +01:00
Shea Levy
47bdc52c1b Merge branch 'gh-476-fix-install-script' of git://github.com/jramnani/nix
sometimes cd prints to stdout
2015-02-22 12:00:51 -05:00
Shea Levy
a8494de0be Merge branch 'docs/channels-path' of git://github.com/iElectric/nix 2015-02-22 11:59:38 -05:00
Domen Kožar
7bd8299c6c fixes https://github.com/NixOS/nixpkgs/issues/6485 2015-02-22 08:39:29 -08:00
Eelco Dolstra
c33244d7c1 Merge branch 'tilde-paths' of https://github.com/shlevy/nix 2015-02-19 14:55:06 +01:00
Shea Levy
c4653afbcd tilde paths: The rest of the string has to start with a slash anyway 2015-02-19 08:52:13 -05:00
Shea Levy
e3e38a048e tilde paths: construct the entire path at parse time 2015-02-19 08:51:21 -05:00
Shea Levy
4b7c9f834c tilde paths: get HOME at parse time 2015-02-19 08:49:10 -05:00
Eelco Dolstra
9bedd9b09b Remove obsolete reference to ~ operator 2015-02-19 14:41:22 +01:00
Shea Levy
4646e94610 ExprConcatStrings: canonicalize concatenated paths 2015-02-19 08:39:25 -05:00
Eelco Dolstra
175935e053 FIXMEs 2015-02-19 14:10:33 +01:00
Shea Levy
e0953d53de Allow the leading component of a path to be a ~ 2015-02-19 08:05:16 -05:00
Eelco Dolstra
1816ac0db1 Escape arguments to nix-shell #! scripts 2015-02-18 20:13:53 +01:00
Eelco Dolstra
dc7e8fae48 Support passing command line arguments to nix-shell #! scripts 2015-02-18 15:55:18 +01:00
Eelco Dolstra
bb10010582 Fix nix-shell shebang scripts if -p is used 2015-02-18 12:40:07 +01:00
Eelco Dolstra
147deb236e nix-store --generate-binary-cache-key: Write key to disk
This ensures proper permissions for the secret key.
2015-02-18 11:19:44 +01:00
Eelco Dolstra
bd91064150 Use $<attr>Path instead of $<attr> for passAsFile 2015-02-17 16:42:54 +01:00
Eelco Dolstra
a70d275f3d Allow passing attributes via files instead of environment variables
Closes #473.
2015-02-17 14:42:15 +01:00
Eelco Dolstra
29e1ff675b Keep sorted 2015-02-17 13:55:37 +01:00
Eelco Dolstra
f19b4abfb2 Include NAR size in fingerprint computation
This is not strictly needed for integrity (since we already include
the NAR hash in the fingerprint) but it helps against endless data
attacks [1]. (However, this will also require
download-from-binary-cache.pl to bail out if it receives more than the
specified number of bytes.)

[1] https://isis.poly.edu/~jcappos/papers/cappos_mirror_ccs_08.pdf
2015-02-17 13:16:58 +01:00
Eelco Dolstra
8c8750ae66 Test chroot building 2015-02-16 12:20:03 +01:00
Harald van Dijk
5451b8db9d Use pivot_root in addition to chroot when possible
chroot only changes the process root directory, not the mount namespace root
directory, and it is well-known that any process with chroot capability can
break out of a chroot "jail". By using pivot_root as well, and unmounting the
original mount namespace root directory, breaking out becomes impossible.

Non-root processes typically have no ability to use chroot() anyway, but they
can gain that capability through the use of clone() or unshare(). For security
reasons, these syscalls are limited in functionality when used inside a normal
chroot environment. Using pivot_root() this way does allow those syscalls to be
put to their full use.
2015-02-16 12:18:19 +01:00
Eelco Dolstra
b0bad3e615 Revert "Remove Fedora 18, 19 builds"
This reverts commit 9c58691ce3. Fedora
18/19 images should build again.
2015-02-12 17:44:29 +01:00
Jeff Ramnani
d53735c823 Nix install script failed when "cd" printed to stdout.
In some cases the bash builtin command "cd" can print the variable $CWD
to stdout.  This caused the install script to fail while copying files
because the source path was wrong.

Fixes #476.
2015-02-11 12:39:14 -06:00
Eelco Dolstra
b4e7eec16a Don't depend on libsodium on Darwin
It doesn't build at the moment.

http://hydra.nixos.org/build/19557641
2015-02-10 14:15:42 +01:00
Eelco Dolstra
1c972cba14 Make libsodium an optional dependency 2015-02-10 11:54:06 +01:00
Eelco Dolstra
5d9cd27dce Add Fedora 21 build
Fixes #467.
2015-02-10 11:33:33 +01:00
Eelco Dolstra
a596c525ad Add base64 encoder/decoder 2015-02-10 11:33:33 +01:00
Shea Levy
70cae879e3 nix-build: Respect -Q during evaluation
Fixes #474
2015-02-08 20:44:05 -05:00
Eelco Dolstra
2be7f79fd4 Remove tab 2015-02-05 17:21:30 +01:00
Eelco Dolstra
de8ed5c1d3 Typo 2015-02-04 18:17:06 +01:00
Shea Levy
d66d9e8425 Require linux 3.13 or later for chroot
Fixes #453
2015-02-04 18:15:56 +01:00
Eelco Dolstra
f3a5930488 Sign a subset of the .narinfo
We only need to sign the store path, NAR hash and references (the
"fingerprint"). Everything else is irrelevant to security. For
instance, the compression algorithm or the hash of the compressed NAR
don't matter as long as the contents of the uncompressed NAR are
correct.

(Maybe we should include derivers in the fingerprint, but they're
broken and nobody cares about them. Also, it might be nice in the
future if .narinfos contained signatures from multiple independent
signers. But that's impossible if the deriver is included in the
fingerprint, since everybody will tend to have a different deriver for
the same store path.)

Also renamed the "Signature" field to "Sig" since the format changed
in an incompatible way.
2015-02-04 17:59:31 +01:00
Eelco Dolstra
e0def5bc4b Use libsodium instead of OpenSSL for binary cache signing
Sodium's Ed25519 signatures are much shorter than OpenSSL's RSA
signatures. Public keys are also much shorter, so they're now
specified directly in the nix.conf option ‘binary-cache-public-keys’.

The new command ‘nix-store --generate-binary-cache-key’ generates and
prints a public and secret key.
2015-02-04 17:10:31 +01:00
Eelco Dolstra
0d1dafa0c4 Simplify parseHash32 2015-02-03 18:56:47 +01:00
Eelco Dolstra
db2ec59903 Simplify printHash32 2015-02-03 18:35:24 +01:00
Jaka Hudoklin
3688db3d43 nix-install-package: follow symlinks 2015-01-30 11:30:21 +01:00
Shea Levy
73bf32ce94 Merge remote-tracking branch 'shlevy/baseNameOf-no-copy'
baseNameOf: Don't copy paths to the store first
2015-01-29 03:29:09 -05:00
Oliver Dunkl
de91a42c6e Moves runHook to a later execution position
It moves runHook to a later position in the rcfile. After that we are
able to set the PS1 environment-variable for a nix-shell environment
e.g.:

  # turn the color of the prompt to blue
  shellHook = ''
    export PS1="\n\[\033[1;34m\][\u@\h:\w]$\[\033[0m\] ";
  '';
2015-01-28 13:39:48 +01:00
Daniel Peebles
f46e329a13 Make inputs writeable in the sandbox (builds still can’t actually write due to user permissions) 2015-01-18 23:25:29 -05:00
Eelco Dolstra
f6716e95bb Shut up "Wide character in print" warning in copy-from-other-stores.pl 2015-01-15 17:56:56 +01:00
Eelco Dolstra
c2a8b5c42d Fix assertion failure in nix-env
$ nix-env -f ~/Dev/nixops/ -iA foo
  nix-env: src/libexpr/eval.hh:57: void nix::Bindings::push_back(const nix::Attr&): Assertion `size_ < capacity' failed.
  Aborted
2015-01-15 12:15:22 +01:00
Eelco Dolstra
a5e2c8e560 Set correct user agent for NAR downloads from binary caches 2015-01-15 12:05:27 +01:00
Shea Levy
79ca503332 Allow using /bin and /usr/bin as impure prefixes on non-darwin by default
These directories are generally world-readable anyway, and give us the two
most common linux impurities (env and sh)
2015-01-13 15:41:46 +01:00
Eelco Dolstra
fcf57aad27 SysError -> Error 2015-01-13 11:17:56 +01:00
Eelco Dolstra
100961e370 Don't resolve symlinks while checking __impureHostDeps
Since these come from untrusted users, we shouldn't do any I/O on them
before we've checked that they're in an allowed prefix.
2015-01-13 11:16:32 +01:00
Daniel Peebles
f1151a3373 Add basic Apple sandbox support 2015-01-12 12:00:01 +01:00
Tobias Geerinckx-Rice
c23d67920e doc: nix-channel --remove takes a name, not a url 2015-01-12 10:56:58 +01:00
Eelco Dolstra
2a3b1df423 Fix builtins.readDir on XFS
The DT_UNKNOWN fallback code was getting the type of the wrong path,
causing readDir to report "directory" as the type of every file.

Reported by deepfire on IRC.
2015-01-09 14:56:25 +01:00