diff options
Diffstat (limited to 'pkgs/build-support/build-fhs-userenv')
-rwxr-xr-x | pkgs/build-support/build-fhs-userenv/chroot-user.rb | 34 | ||||
-rw-r--r-- | pkgs/build-support/build-fhs-userenv/default.nix | 31 | ||||
-rw-r--r-- | pkgs/build-support/build-fhs-userenv/env.nix | 193 |
3 files changed, 216 insertions, 42 deletions
diff --git a/pkgs/build-support/build-fhs-userenv/chroot-user.rb b/pkgs/build-support/build-fhs-userenv/chroot-user.rb index 250e6a90843..2fb3b0954b3 100755 --- a/pkgs/build-support/build-fhs-userenv/chroot-user.rb +++ b/pkgs/build-support/build-fhs-userenv/chroot-user.rb @@ -2,16 +2,15 @@ # Bind mounts hierarchy: from => to (relative) # If 'to' is nil, path will be the same -mounts = { '/nix/store' => nil, - '/dev' => nil, +mounts = { '/' => 'host', '/proc' => nil, '/sys' => nil, - '/etc' => 'host-etc', - '/tmp' => 'host-tmp', - '/home' => nil, + '/nix' => nil, + '/tmp' => nil, '/var' => nil, '/run' => nil, - '/root' => nil, + '/dev' => nil, + '/home' => nil, } # Propagate environment variables @@ -62,9 +61,8 @@ $mount = make_fcall 'mount', [Fiddle::TYPE_VOIDP, Fiddle::TYPE_INT # Read command line args -abort "Usage: chrootenv swdir program args..." unless ARGV.length >= 2 -swdir = Pathname.new ARGV[0] -execp = ARGV.drop 1 +abort "Usage: chrootenv program args..." unless ARGV.length >= 1 +execp = ARGV # Populate extra mounts if not ENV["CHROOTENV_EXTRA_BINDS"].nil? @@ -132,24 +130,6 @@ if $cpid == 0 Dir.chroot root Dir.chdir '/' - # Symlink swdir hierarchy - mount_dirs = Set.new mounts.map { |_, v| Pathname.new v } - link_swdir = lambda do |swdir, prefix| - swdir.find do |path| - rel = prefix.join path.relative_path_from(swdir) - # Don't symlink anything in binded or symlinked directories - Find.prune if mount_dirs.include? rel or rel.symlink? - if not rel.directory? - # File does not exist; make a symlink and bail out - rel.make_symlink path - Find.prune - end - # Recursively follow symlinks - link_swdir.call path.readlink, rel if path.symlink? - end - end - link_swdir.call swdir, Pathname.new('') - # New environment new_env = Hash[ envvars.map { |x| [x, ENV[x]] } ] diff --git a/pkgs/build-support/build-fhs-userenv/default.nix b/pkgs/build-support/build-fhs-userenv/default.nix index 94c72e29a22..233db39788b 100644 --- a/pkgs/build-support/build-fhs-userenv/default.nix +++ b/pkgs/build-support/build-fhs-userenv/default.nix @@ -1,28 +1,29 @@ -{ runCommand, lib, writeText, writeScriptBin, stdenv, ruby } : -{ env, runScript ? "bash", extraBindMounts ? [], extraInstallCommands ? "", meta ? {}, passthru ? {} } : +{ callPackage, runCommand, lib, writeScript, stdenv, coreutils, ruby }: + +let buildFHSEnv = callPackage ./env.nix { }; in + +args@{ name, runScript ? "bash", extraBindMounts ? [], extraInstallCommands ? "", meta ? {}, passthru ? {}, ... }: let - name = env.pname; + env = buildFHSEnv (removeAttrs args [ "runScript" "extraBindMounts" "extraInstallCommands" "meta" "passthru" ]); # Sandboxing script - chroot-user = writeScriptBin "chroot-user" '' + chroot-user = writeScript "chroot-user" '' #! ${ruby}/bin/ruby ${builtins.readFile ./chroot-user.rb} ''; - init = run: writeText "${name}-init" '' - source /etc/profile - - # Make /tmp directory - mkdir -m 1777 /tmp - - # Expose sockets in /tmp - for i in /host-tmp/.*-unix; do - ln -s "$i" "/tmp/$(basename "$i")" + init = run: writeScript "${name}-init" '' + #! ${stdenv.shell} + for i in ${env}/* /host/*; do + path="/''${i##*/}" + [ -e "$path" ] || ${coreutils}/bin/ln -s "$i" "$path" done [ -d "$1" ] && [ -r "$1" ] && cd "$1" shift + + source /etc/profile exec ${run} "$@" ''; @@ -32,7 +33,7 @@ in runCommand name { env = runCommand "${name}-shell-env" { shellHook = '' export CHROOTENV_EXTRA_BINDS="${lib.concatStringsSep ":" extraBindMounts}:$CHROOTENV_EXTRA_BINDS" - exec ${chroot-user}/bin/chroot-user ${env} bash ${init "bash"} "$(pwd)" + exec ${chroot-user} ${init "bash"} "$(pwd)" ''; } '' echo >&2 "" @@ -46,7 +47,7 @@ in runCommand name { cat <<EOF >$out/bin/${name} #! ${stdenv.shell} export CHROOTENV_EXTRA_BINDS="${lib.concatStringsSep ":" extraBindMounts}:\$CHROOTENV_EXTRA_BINDS" - exec ${chroot-user}/bin/chroot-user ${env} bash ${init runScript} "\$(pwd)" "\$@" + exec ${chroot-user} ${init runScript} "\$(pwd)" "\$@" EOF chmod +x $out/bin/${name} ${extraInstallCommands} diff --git a/pkgs/build-support/build-fhs-userenv/env.nix b/pkgs/build-support/build-fhs-userenv/env.nix new file mode 100644 index 00000000000..c776abe761d --- /dev/null +++ b/pkgs/build-support/build-fhs-userenv/env.nix @@ -0,0 +1,193 @@ +{ stdenv, buildEnv, writeText, pkgs, pkgsi686Linux, system }: + +{ name, profile ? "" +, targetPkgs ? pkgs: [], multiPkgs ? pkgs: [] +, extraBuildCommands ? "", extraBuildCommandsMulti ? "" +, extraOutputsToInstall ? [] +}: + +# HOWTO: +# All packages (most likely programs) returned from targetPkgs will only be +# installed once--matching the host's architecture (64bit on x86_64 and 32bit on +# x86). +# +# Packages (most likely libraries) returned from multiPkgs are installed +# once on x86 systems and twice on x86_64 systems. +# On x86 they are merged with packages from targetPkgs. +# On x86_64 they are added to targetPkgs and in addition their 32bit +# versions are also installed. The final directory structure looks as +# follows: +# /lib32 will include 32bit libraries from multiPkgs +# /lib64 will include 64bit libraries from multiPkgs and targetPkgs +# /lib will link to /lib32 + +let + is64Bit = system == "x86_64-linux"; + isMultiBuild = multiPkgs != null && is64Bit; + isTargetBuild = !isMultiBuild; + + # list of packages (usually programs) which are only be installed for the + # host's architecture + targetPaths = targetPkgs pkgs ++ (if multiPkgs == null then [] else multiPkgs pkgs); + + # list of packages which are installed for both x86 and x86_64 on x86_64 + # systems + multiPaths = multiPkgs pkgsi686Linux; + + # base packages of the chroot + # these match the host's architecture, glibc_multi is used for multilib + # builds. + basePkgs = with pkgs; + [ (if isMultiBuild then glibc_multi else glibc) + gcc.cc.lib bashInteractive coreutils less shadow su + gawk diffutils findutils gnused gnugrep + gnutar gzip bzip2 xz glibcLocales + ]; + baseMultiPkgs = with pkgsi686Linux; + [ gcc.cc.lib + ]; + + etcProfile = writeText "profile" '' + export PS1='${name}-chrootenv:\u@\h:\w\$ ' + export LOCALE_ARCHIVE='/usr/lib/locale/locale-archive' + export LD_LIBRARY_PATH='/run/opengl-driver/lib:/run/opengl-driver-32/lib:/usr/lib:/usr/lib32' + export PATH='/var/setuid-wrappers:/usr/bin:/usr/sbin' + export PKG_CONFIG_PATH=/usr/lib/pkgconfig + + # Force compilers to look in default search paths + export NIX_CFLAGS_COMPILE='-idirafter /usr/include' + export NIX_LDFLAGS_BEFORE='-L/usr/lib -L/usr/lib32' + + ${profile} + ''; + + # Compose /etc for the chroot environment + etcPkg = stdenv.mkDerivation { + name = "${name}-chrootenv-etc"; + buildCommand = '' + mkdir -p $out/etc + cd $out/etc + + # environment variables + ln -s ${etcProfile} profile + + # compatibility with NixOS + ln -s /host/etc/static static + + # symlink some NSS stuff + ln -s /host/etc/passwd passwd + ln -s /host/etc/group group + ln -s /host/etc/shadow shadow + ln -s /host/etc/hosts hosts + ln -s /host/etc/resolv.conf resolv.conf + ln -s /host/etc/nsswitch.conf nsswitch.conf + + # symlink sudo and su stuff + ln -s /host/etc/login.defs login.defs + ln -s /host/etc/sudoers sudoers + ln -s /host/etc/sudoers.d sudoers.d + + # symlink other core stuff + ln -s /host/etc/localtime localtime + ln -s /host/etc/machine-id machine-id + ln -s /host/etc/os-release os-release + + # symlink PAM stuff + ln -s /host/etc/pam.d pam.d + + # symlink fonts stuff + ln -s /host/etc/fonts fonts + + # symlink ALSA stuff + ln -s /host/etc/asound.conf asound.conf + + # symlink SSL certs + mkdir -p ssl + ln -s /host/etc/ssl/certs ssl/certs + + # symlink /etc/mtab -> /proc/mounts (compat for old userspace progs) + ln -s /proc/mounts mtab + ''; + }; + + # Composes a /usr-like directory structure + staticUsrProfileTarget = buildEnv { + name = "${name}-usr-target"; + paths = [ etcPkg ] ++ basePkgs ++ targetPaths; + extraOutputsToInstall = [ "lib" "out" ] ++ extraOutputsToInstall; + ignoreCollisions = true; + }; + + staticUsrProfileMulti = buildEnv { + name = "${name}-usr-multi"; + paths = baseMultiPkgs ++ multiPaths; + extraOutputsToInstall = [ "lib" "out" ] ++ extraOutputsToInstall; + ignoreCollisions = true; + }; + + # setup library paths only for the targeted architecture + setupLibDirs_target = '' + # link content of targetPaths + cp -rsHf ${staticUsrProfileTarget}/lib lib + ln -s lib lib${if is64Bit then "64" else "32"} + ''; + + # setup /lib, /lib32 and /lib64 + setupLibDirs_multi = '' + mkdir -m0755 lib32 + mkdir -m0755 lib64 + ln -s lib64 lib + + # copy glibc stuff + cp -rsHf ${staticUsrProfileTarget}/lib/32/* lib32/ && chmod u+w -R lib32/ + + # copy content of multiPaths (32bit libs) + [ -d ${staticUsrProfileMulti}/lib ] && cp -rsHf ${staticUsrProfileMulti}/lib/* lib32/ && chmod u+w -R lib32/ + + # copy content of targetPaths (64bit libs) + cp -rsHf ${staticUsrProfileTarget}/lib/* lib64/ && chmod u+w -R lib64/ + + # symlink 32-bit ld-linux.so + ln -Ls ${staticUsrProfileTarget}/lib/32/ld-linux.so.2 lib/ + ''; + + setupLibDirs = if isTargetBuild then setupLibDirs_target + else setupLibDirs_multi; + + # the target profile is the actual profile that will be used for the chroot + setupTargetProfile = '' + mkdir -m0755 usr + cd usr + ${setupLibDirs} + for i in bin sbin share include; do + if [ -d "${staticUsrProfileTarget}/$i" ]; then + cp -rsHf "${staticUsrProfileTarget}/$i" "$i" + fi + done + cd .. + + for i in var etc; do + if [ -d "${staticUsrProfileTarget}/$i" ]; then + cp -rsHf "${staticUsrProfileTarget}/$i" "$i" + fi + done + for i in usr/{bin,sbin,lib,lib32,lib64}; do + if [ -d "$i" ]; then + ln -s "$i" + fi + done + ''; + +in stdenv.mkDerivation { + name = "${name}-fhs"; + buildCommand = '' + mkdir -p $out + cd $out + ${setupTargetProfile} + cd $out + ${extraBuildCommands} + cd $out + ${if isMultiBuild then extraBuildCommandsMulti else ""} + ''; + preferLocalBuild = true; +} |