From 914e9baefe9b606ed331ba427af50c41715f973d Mon Sep 17 00:00:00 2001 From: Jude Taylor Date: Fri, 6 Nov 2015 17:44:02 -0800 Subject: start on sandbox stuff --- .../CoreOSMakefiles/default.nix | 2 +- .../apple-source-releases/adv_cmds/default.nix | 67 +++++++++++++++------- .../apple-source-releases/bsdmake/default.nix | 45 +++++++++++++++ .../darwin/apple-source-releases/default.nix | 7 ++- 4 files changed, 96 insertions(+), 25 deletions(-) create mode 100644 pkgs/os-specific/darwin/apple-source-releases/bsdmake/default.nix (limited to 'pkgs/os-specific') diff --git a/pkgs/os-specific/darwin/apple-source-releases/CoreOSMakefiles/default.nix b/pkgs/os-specific/darwin/apple-source-releases/CoreOSMakefiles/default.nix index 9f6031771c2..203ca010d62 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/CoreOSMakefiles/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/CoreOSMakefiles/default.nix @@ -1,7 +1,7 @@ { stdenv, appleDerivation, unifdef }: appleDerivation { - buildinputs = [ unifdef ]; + buildInputs = [ unifdef ]; phases = [ "unpackPhase" "installPhase" ]; diff --git a/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix b/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix index 4bc3a7a7fa4..baeca0f6fe3 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix @@ -1,32 +1,55 @@ -{ stdenv, appleDerivation, version }: +{ stdenv, appleDerivation, fetchzip, version, bsdmake, perl, flex, yacc, writeScriptBin +}: + +let recentAdvCmds = fetchzip { + url = "http://opensource.apple.com/tarballs/adv_cmds/adv_cmds-158.tar.gz"; + sha256 = "0z081kcprzg5jcvqivfnwvvv6wfxzkjg2jc2lagsf8c7j7vgm8nn"; +}; + +in appleDerivation { + buildInputs = [ bsdmake perl yacc flex (writeScriptBin "lex" "exec ${flex}/bin/flex $@") ]; + + patchPhase = '' + substituteInPlace BSDMakefile \ + --replace chgrp true \ + --replace /Developer/Makefiles/bin/compress-man-pages.pl true \ + --replace "ps.tproj" "" --replace "gencat.tproj" "" --replace "md.tproj" "" \ + --replace "tabs.tproj" "" --replace "cap_mkdb.tproj" "" \ + --replace "!= tconf --test TARGET_OS_EMBEDDED" "= NO" + + substituteInPlace Makefile --replace perl true + + substituteInPlace colldef.tproj/BSDmakefile --replace "-ll" "-lfl" + + for subproject in colldef mklocale monetdef msgdef numericdef timedef; do + substituteInPlace usr-share-locale.tproj/$subproject/BSDmakefile \ + --replace /usr/share/locale "" \ + --replace '-o ''${BINOWN} -g ''${BINGRP}' "" \ + --replace "rsync -a" "cp -r" + done + ''; -appleDerivation { - # Will override the name until we provide all of adv_cmds buildPhase = '' - pushd ps - cc -Os -Wall -I. -c -o fmt.o fmt.c - cc -Os -Wall -I. -c -o keyword.o keyword.c - cc -Os -Wall -I. -c -o nlist.o nlist.c - cc -Os -Wall -I. -c -o print.o print.c - cc -Os -Wall -I. -c -o ps.o ps.c - cc -Os -Wall -I. -c -o tasks.o tasks.c - cc -o ps fmt.o keyword.o nlist.o print.o ps.o tasks.o - popd - - pushd locale - c++ -o locale locale.cc - popd + bsdmake -C colldef.tproj + bsdmake -C mklocale.tproj + bsdmake -C usr-share-locale.tproj + + clang ${recentAdvCmds}/ps/*.c -o ps ''; installPhase = '' - mkdir -p $out/bin $out/share/man/man1 - - cp ps/ps $out/bin/ps - cp ps/ps.1 $out/share/man/man1 - cp locale/locale $out/bin/locale - cp locale/locale.1 $out/share/man/man1 + bsdmake -C usr-share-locale.tproj install DESTDIR="$locale/share/locale" + install -d 0755 $ps/bin + install ps $ps/bin/ps ''; + outputs = [ + "ps" + "locale" + ]; + + # ps uses this syscall to get process info + __propagatedSandboxProfile = stdenv.lib.sandbox.allow "mach-priv-task-port"; meta = { platforms = stdenv.lib.platforms.darwin; diff --git a/pkgs/os-specific/darwin/apple-source-releases/bsdmake/default.nix b/pkgs/os-specific/darwin/apple-source-releases/bsdmake/default.nix new file mode 100644 index 00000000000..dcbf8b43308 --- /dev/null +++ b/pkgs/os-specific/darwin/apple-source-releases/bsdmake/default.nix @@ -0,0 +1,45 @@ +{ stdenv, appleDerivation, fetchurl, fetchpatch, makeWrapper }: + +appleDerivation { + buildInputs = [ makeWrapper ]; + + patchPhase = '' + substituteInPlace mk/bsd.prog.mk \ + --replace '-o ''${BINOWN} -g ''${BINGRP}' "" \ + --replace '-o ''${SCRIPTSOWN_''${.ALLSRC:T}}' "" \ + --replace '-g ''${SCRIPTSGRP_''${.ALLSRC:T}}' "" + substituteInPlace mk/bsd.lib.mk --replace '-o ''${LIBOWN} -g ''${LIBGRP}' "" + substituteInPlace mk/bsd.info.mk --replace '-o ''${INFOOWN} -g ''${INFOGRP}' "" + substituteInPlace mk/bsd.doc.mk --replace '-o ''${BINOWN} -g ''${BINGRP}' "" + substituteInPlace mk/bsd.man.mk --replace '-o ''${MANOWN} -g ''${MANGRP}' "" + substituteInPlace mk/bsd.files.mk \ + --replace '-o ''${''${group}OWN_''${.ALLSRC:T}}' "" \ + --replace '-g ''${''${group}GRP_''${.ALLSRC:T}}' "" \ + --replace '-o ''${''${group}OWN} -g ''${''${group}GRP}' "" + substituteInPlace mk/bsd.incs.mk \ + --replace '-o ''${''${group}OWN_''${.ALLSRC:T}}' "" \ + --replace '-g ''${''${group}GRP_''${.ALLSRC:T}}' "" \ + --replace '-o ''${''${group}OWN} -g ''${''${group}GRP}' "" + ''; + + buildPhase = '' + objs=() + for file in $(find . -name '*.c'); do + obj="$(basename "$file" .c).o" + objs+=("$obj") + cc -c "$file" -o "$obj" -DDEFSHELLNAME='"sh"' -D__FBSDID=__RCSID -mdynamic-no-pic -g + done + cc "''${objs[@]}" -o bsdmake + ''; + + installPhase = '' + install -d 0644 $out/bin + install -m 0755 bsdmake $out/bin + install -d 0644 $out/share/mk + install -m 0755 mk/* $out/share/mk + ''; + + preFixup = '' + wrapProgram "$out/bin/bsdmake" --add-flags "-m $out/share/mk" + ''; +} diff --git a/pkgs/os-specific/darwin/apple-source-releases/default.nix b/pkgs/os-specific/darwin/apple-source-releases/default.nix index 906e0ad2d54..b494f5ae346 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/default.nix @@ -48,16 +48,19 @@ let IOKitSrcs = stdenv.lib.mapAttrs (name: value: if builtins.isFunction value then value name else value) IOKitSpecs; + adv_cmds = applePackage "adv_cmds" "119" "102ssayxbg9wb35mdmhswbnw0bg7js3pfd8fcbic83c5q3bqa6c6" {}; + packages = { - adv_cmds = applePackage "adv_cmds" "153" "174v6a4zkcm2pafzgdm6kvs48z5f911zl7k49hv7kjq6gm58w99v" {}; + inherit (adv_cmds) ps locale; architecture = applePackage "architecture" "265" "05wz8wmxlqssfp29x203fwfb8pgbdjj1mpz12v508658166yzqj8" {}; bootstrap_cmds = applePackage "bootstrap_cmds" "86" "0xr0296jm1r3q7kbam98h85g23qlfi763z54ahj563n636kyk2wb" {}; + bsdmake = applePackage "bsdmake" "24" "11a9kkhz5bfgi1i8kpdkis78lhc6b5vxmhd598fcdgra1jw4iac2" {}; CarbonHeaders = applePackage "CarbonHeaders" "9A581" "1hc0yijlpwq39x5bic6nnywqp2m1wj1f11j33m2q7p505h1h740c" {}; CF = applePackage "CF" "855.17" "1sadmxi9fsvsmdyxvg2133sdzvkzwil5fvyyidxsyk1iyfzqsvln" {}; CommonCrypto = applePackage "CommonCrypto" "60049" "1azin6w7cnzl0iv8kd2qzgwcp6a45zy64y5z1i6jysjcl6xmlw2h" {}; configd = applePackage "configd" "453.19" "1gxakahk8gallf16xmhxhprdxkh3prrmzxnmxfvj0slr0939mmr2" {}; copyfile = applePackage "copyfile" "103.92.1" "15i2hw5aqx0fklvmq6avin5s00adacvzqc740vviwc2y742vrdcd" {}; - CoreOSMakefiles = applePackage "CoreOSMakefiles" "76" "0sw3w3sjil0kvxz8y86b81sz82rcd1nijayki1a1bsnsf0hz6qbf" {}; + CoreOSMakefiles = applePackage "CoreOSMakefiles" "40" "0kxp53spbn7109l7cvhi88pmfsi81lwmbws819b6wr3hm16v84f4" {}; Csu = applePackage "Csu" "79" "1hif4dz23isgx85sgh11yg8amvp2ksvvhz3y5v07zppml7df2lnh" {}; dtrace = applePackage "dtrace" "118.1" "0pp5x8dgvzmg9vvg32hpy2brm17dpmbwrcr4prsmdmfvd4767wcf" {}; dyld = applePackage "dyld" "239.4" "07z7lyv6x0f6gllb5hymccl31zisrdhz4gqp722xcs9nhsqaqvn7" {}; -- cgit 1.4.1 From df80090d092a9dec4393060bb1ab8f278aba11f2 Mon Sep 17 00:00:00 2001 From: Jude Taylor Date: Thu, 12 Nov 2015 18:59:17 -0800 Subject: use per-derivation sandbox profiles --- lib/sandbox.nix | 26 +++++++-- pkgs/applications/editors/emacs-24/default.nix | 4 +- pkgs/applications/editors/vim/default.nix | 2 + .../git-and-tools/git/default.nix | 3 + pkgs/build-support/fetchurl/default.nix | 4 +- .../haskell-modules/configuration-common.nix | 4 ++ .../interpreters/python/2.7/default.nix | 8 ++- pkgs/os-specific/darwin/apple-sdk/default.nix | 17 +++++- .../apple-sdk/generate-framework-profile.nix | 64 ++++++++++++++++++++++ .../darwin/apple-source-releases/CF/default.nix | 12 ++-- .../apple-source-releases/adv_cmds/default.nix | 42 ++++++++++++-- .../apple-source-releases/configd/default.nix | 4 ++ .../darwin/apple-source-releases/default.nix | 4 +- .../libsecurity_generic/default.nix | 3 + .../libsecurity_utilities/default.nix | 3 + pkgs/stdenv/generic/default.nix | 13 +++-- pkgs/stdenv/pure-darwin/default.nix | 12 ++-- pkgs/stdenv/pure-darwin/standard-sandbox.sb | 27 ++++++--- pkgs/top-level/all-packages.nix | 2 +- pkgs/top-level/perl-packages.nix | 1 + pkgs/top-level/python-packages.nix | 4 ++ 21 files changed, 209 insertions(+), 50 deletions(-) create mode 100644 pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix (limited to 'pkgs/os-specific') diff --git a/lib/sandbox.nix b/lib/sandbox.nix index 2deee89e12c..9a429cf2ae6 100644 --- a/lib/sandbox.nix +++ b/lib/sandbox.nix @@ -17,11 +17,13 @@ let sexp = tokens: "(" + builtins.concatStringsSep " " tokens + ")"; generateFileList = files: if builtins.isList files - then concatMapStringsSep " " (x: sexp [ "literal" x ]) files - else concatStringsSep " " ( - (map (x: sexp [ "literal" ''"${x}"'' ]) (files.literal or [])) ++ - (map (x: sexp [ "subpath" ''"${x}"'' ]) (files.subpath or [])) - ); + then concatMapStringsSep " " (x: sexp [ "literal" ''"${x}"'' ]) files + else if builtins.isString files + then generateFileList [ files ] + else concatStringsSep " " ( + (map (x: sexp [ "literal" ''"${x}"'' ]) (files.literal or [])) ++ + (map (x: sexp [ "subpath" ''"${x}"'' ]) (files.subpath or [])) + ); applyToFiles = f: act: files: f "${act} ${generateFileList files}"; genActions = actionName: let action = feature: sexp [ actionName feature ]; @@ -30,11 +32,23 @@ genActions = actionName: let "${actionName}File" = applyToFiles action "file*"; "${actionName}FileRead" = applyToFiles action "file-read*"; "${actionName}FileReadMetadata" = applyToFiles action "file-read-metadata"; + "${actionName}DirectoryList" = self."${actionName}FileReadMetadata"; "${actionName}FileWrite" = applyToFiles action "file-write*"; "${actionName}FileWriteMetadata" = applyToFiles action "file-write-metadata"; + "${actionName}Network" = sexp [ actionName "network*" ]; + "${actionName}NetworkBind" = sexp [ actionName "network-bind" ]; + "${actionName}NetworkInbound" = sexp [ actionName "network-inbound" ]; + "${actionName}NetworkOutbound" = sexp [ actionName "network-outbound" ]; + "${actionName}NetworkLocal" = sexp [ actionName "network*" (sexp [ "local" "ip" ]) ]; + "${actionName}NetworkInboundLocal" = sexp [ actionName "network-inbound" (sexp [ "local" "ip" ]) ]; + "${actionName}NetworkOutboundLocal" = sexp [ actionName "network-outbound" (sexp [ "local" "ip" ]) ]; }; in self; in -genActions "allow" // genActions "deny" +genActions "allow" // genActions "deny" // { + importProfile = derivation: '' + (import "${derivation}") + ''; +} diff --git a/pkgs/applications/editors/emacs-24/default.nix b/pkgs/applications/editors/emacs-24/default.nix index 59f9f711004..c2956006fb4 100644 --- a/pkgs/applications/editors/emacs-24/default.nix +++ b/pkgs/applications/editors/emacs-24/default.nix @@ -1,7 +1,7 @@ { stdenv, fetchurl, ncurses, xlibsWrapper, libXaw, libXpm, Xaw3d , pkgconfig, gettext, libXft, dbus, libpng, libjpeg, libungif , libtiff, librsvg, texinfo, gconf, libxml2, imagemagick, gnutls -, alsaLib, cairo, acl, gpm, AppKit +, alsaLib, cairo, acl, gpm, AppKit, CoreWLAN, Kerberos, GSS, ImageIO , withX ? !stdenv.isDarwin , withGTK3 ? false, gtk3 ? null , withGTK2 ? true, gtk2 @@ -49,7 +49,7 @@ stdenv.mkDerivation rec { ++ stdenv.lib.optional (withX && withGTK3) gtk3 ++ stdenv.lib.optional (stdenv.isDarwin && withX) cairo; - propagatedBuildInputs = stdenv.lib.optional stdenv.isDarwin AppKit; + propagatedBuildInputs = stdenv.lib.optionals stdenv.isDarwin [ AppKit GSS ImageIO ]; configureFlags = if stdenv.isDarwin diff --git a/pkgs/applications/editors/vim/default.nix b/pkgs/applications/editors/vim/default.nix index ab7b08d8186..08e0e05590f 100644 --- a/pkgs/applications/editors/vim/default.nix +++ b/pkgs/applications/editors/vim/default.nix @@ -43,6 +43,8 @@ stdenv.mkDerivation rec { ]; }; + __sandboxProfile = stdenv.lib.sandbox.allowFileRead "/dev/ptmx"; + # To fix the trouble in vim73, that it cannot cross-build with this patch # to bypass a configure script check that cannot be done cross-building. # http://groups.google.com/group/vim_dev/browse_thread/thread/66c02efd1523554b?pli=1 diff --git a/pkgs/applications/version-management/git-and-tools/git/default.nix b/pkgs/applications/version-management/git-and-tools/git/default.nix index 0f079314959..57ebb7397bc 100644 --- a/pkgs/applications/version-management/git-and-tools/git/default.nix +++ b/pkgs/applications/version-management/git-and-tools/git/default.nix @@ -36,6 +36,9 @@ stdenv.mkDerivation { # required to support pthread_cancel() NIX_LDFLAGS = stdenv.lib.optionalString (!stdenv.isDarwin) "-lgcc_s"; + # without this, git fails when trying to check for /etc/gitconfig existence + __propagatedSandboxProfile = stdenv.lib.sandbox.allowDirectoryList "/etc"; + makeFlags = "prefix=\${out} sysconfdir=/etc/ PERL_PATH=${perl}/bin/perl SHELL_PATH=${stdenv.shell} " + (if pythonSupport then "PYTHON_PATH=${python}/bin/python" else "NO_PYTHON=1") + (if stdenv.isSunOS then " INSTALL=install NO_INET_NTOP= NO_INET_PTON=" else "") diff --git a/pkgs/build-support/fetchurl/default.nix b/pkgs/build-support/fetchurl/default.nix index 96ad0c2864b..bcd279380a3 100644 --- a/pkgs/build-support/fetchurl/default.nix +++ b/pkgs/build-support/fetchurl/default.nix @@ -118,9 +118,7 @@ if (!hasHash) then throw "Specify hash for fetchurl fixed-output derivation: ${s outputHashMode = if recursiveHash then "recursive" else "flat"; - __sandboxProfile = '' - (allow network-outbound) - ''; + __sandboxProfile = stdenv.lib.sandbox.allowNetworkOutbound; inherit curlOpts showURLs mirrorsFile impureEnvVars postFetch downloadToTemp; diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix index edafbe5eab6..2dac800bace 100644 --- a/pkgs/development/haskell-modules/configuration-common.nix +++ b/pkgs/development/haskell-modules/configuration-common.nix @@ -924,4 +924,8 @@ self: super: { librarySystemDepends = (drv.librarySystemDepends or []) ++ [ pkgs.ncurses ]; }); + streaming-commons = pkgs.stdenv.lib.overrideDerivation super.streaming-commons (drv: { + __sandboxProfile = drv.__sandboxProfile + + pkgs.stdenv.lib.sandbox.allowNetworkLocal; + }); } diff --git a/pkgs/development/interpreters/python/2.7/default.nix b/pkgs/development/interpreters/python/2.7/default.nix index e08fde3c8bf..f624bd5d85e 100644 --- a/pkgs/development/interpreters/python/2.7/default.nix +++ b/pkgs/development/interpreters/python/2.7/default.nix @@ -97,7 +97,9 @@ let ] ++ optionals x11Support [ tcl tk xlibsWrapper libX11 ] ) ++ optional zlibSupport zlib - ++ optionals stdenv.isDarwin [ CF configd ]; + ++ optional stdenv.isDarwin CF; + + propagatedBuildInputs = optional stdenv.isDarwin configd; # Build the basic Python interpreter without modules that have # external dependencies. @@ -105,8 +107,8 @@ let name = "python-${version}"; pythonVersion = majorVersion; - inherit majorVersion version src patches buildInputs preConfigure - configureFlags; + inherit majorVersion version src patches buildInputs propagatedBuildInputs + preConfigure configureFlags; LDFLAGS = stdenv.lib.optionalString (!stdenv.isDarwin) "-lgcc_s"; C_INCLUDE_PATH = concatStringsSep ":" (map (p: "${p}/include") buildInputs); diff --git a/pkgs/os-specific/darwin/apple-sdk/default.nix b/pkgs/os-specific/darwin/apple-sdk/default.nix index 24083060e54..b31e5d043ef 100644 --- a/pkgs/os-specific/darwin/apple-sdk/default.nix +++ b/pkgs/os-specific/darwin/apple-sdk/default.nix @@ -1,6 +1,7 @@ { stdenv, fetchurl, xar, gzip, cpio, pkgs }: let + generateFrameworkProfile = pkgs.callPackage ./generate-framework-profile.nix {}; # sadly needs to be exported because security_tool needs it sdk = stdenv.mkDerivation rec { version = "10.9"; @@ -95,8 +96,12 @@ let propagatedBuildInputs = deps; - # Not going to bother being more precise than this... - __propagatedImpureHostDeps = (import ./impure-deps.nix).${name}; + # allows building the symlink tree + __sandboxProfile = '' + (allow file-read* (subpath "/System/Library/Frameworks/${name}.framework")) + ''; + + __propagatedSandboxProfile = stdenv.lib.sandbox.importProfile (generateFrameworkProfile name); meta = with stdenv.lib; { description = "Apple SDK framework ${name}"; @@ -159,6 +164,12 @@ in rec { ''; }); + CoreServices = stdenv.lib.overrideDerivation super.CoreServices (drv: { + __propagatedSandboxProfile = drv.__propagatedSandboxProfile ++ ['' + (allow mach-lookup (global-name "com.apple.CoreServices.coreservicesd")) + '']; + }); + Security = stdenv.lib.overrideDerivation super.Security (drv: { setupHook = ./security-setup-hook.sh; }); @@ -171,5 +182,5 @@ in rec { frameworks = bareFrameworks // overrides bareFrameworks; - inherit sdk; + inherit sdk generateFrameworkProfile; } diff --git a/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix b/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix new file mode 100644 index 00000000000..eb6228db14d --- /dev/null +++ b/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix @@ -0,0 +1,64 @@ +{ runCommand }: + +# In a normal programming language, one might store a hashmap +# { library name -> runtime dependencies }. +# associative arrays were only recently added to bash, and even then, bash arrays cannot +# be multidimensional. instead, the filesystem is the hash table! +# once every dependency in the tree has been visited, a comprehensive list of libraries +# will exist inside ./build. then `find ./build -type f` will give you the +# dependency tree you need! + +frameworkName: + +let path = "/System/Library/Frameworks/${frameworkName}.framework"; + +in runCommand "${frameworkName}-profile.sb" { + # __noChroot lite + __sandboxProfile = '' + (allow file* (subpath "/")) + ''; + + # inconsistencies may exist between self and hydra + allowSubstitutes = false; +} '' + if [ ! -f "${path}/${frameworkName}" ]; then + touch $out + exit + fi + base=./build + find_deps () { + if [ -f "$base/$1" ]; then + return + fi + dependencies=$(otool -l -arch x86_64 $1 \ + | grep 'LC_\w*_DYLIB' -A 2 \ + | grep name \ + | sed 's/^ *//' \ + | cut -d' ' -f2) + mkdir -p $base/"$(dirname "$1")" + touch $base/"$1" + for dep in $dependencies; do + find_deps "$dep" + done + } + find_deps "${path}/${frameworkName}" "$out" + set -o noglob + profile="(allow file-read*" + for file in $(find $base -type f); do + filename=''${file/$base/} + case $filename in + /usr/lib/system*) ;; + /usr/lib/libSystem.dylib) ;; + /usr/lib/libSystem.B.dylib) ;; + /usr/lib/libobjc.A.dylib) ;; + /usr/lib/libobjc.dylib) ;; + /usr/lib/libauto.dylib) ;; + /usr/lib/libc++abi.dylib) ;; + /usr/lib/libDiagnosticMessagesClient.dylib) ;; + *) profile+=" (literal \"$filename\")" ;; + esac + done + profile+=" (literal \"${path}/${frameworkName}\")" + profile+=" (literal \"${path}/Versions/Current\")" + echo "$profile)" > $out +'' diff --git a/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix b/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix index 55c8279340b..0eac8fcae39 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix @@ -1,4 +1,4 @@ -{ stdenv, appleDerivation, icu, dyld, libdispatch, launchd, libclosure }: +{ stdenv, appleDerivation, icu, dyld, libdispatch, launchd, libclosure, generateFrameworkProfile }: # this project uses blocks, a clang-only extension assert stdenv.cc.isClang; @@ -8,13 +8,7 @@ appleDerivation { patches = [ ./add-cf-initialize.patch ./add-cfmachport.patch ./cf-bridging.patch ]; - __propagatedImpureHostDeps = [ - "/System/Library/Frameworks/CoreFoundation.framework" - "/usr/lib/libc++.1.dylib" - "/usr/lib/libc++abi.dylib" - "/usr/lib/libicucore.A.dylib" - "/usr/lib/libz.1.dylib" - ]; + __propagatedSandboxProfile = stdenv.lib.sandbox.importProfile (generateFrameworkProfile "CoreFoundation"); preBuild = '' substituteInPlace Makefile \ @@ -52,5 +46,7 @@ appleDerivation { postInstall = '' mv $out/System/* $out rmdir $out/System + mv $out/Library/Frameworks/CoreFoundation.framework/Versions/A/PrivateHeaders/* \ + $out/Library/Frameworks/CoreFoundation.framework/Versions/A/Headers ''; } diff --git a/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix b/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix index baeca0f6fe3..d465fa71ff0 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix @@ -1,13 +1,22 @@ { stdenv, appleDerivation, fetchzip, version, bsdmake, perl, flex, yacc, writeScriptBin }: +# this derivation sucks +# locale data was removed after adv_cmds-118, so our base is that because it's easier than +# replicating the bizarre bsdmake file structure +# +# sadly adv_cmds-118 builds a mklocale and colldef that generate files that our libc can no +# longer understand +# +# the more recent adv_cmds release is used for everything else in this package + let recentAdvCmds = fetchzip { url = "http://opensource.apple.com/tarballs/adv_cmds/adv_cmds-158.tar.gz"; sha256 = "0z081kcprzg5jcvqivfnwvvv6wfxzkjg2jc2lagsf8c7j7vgm8nn"; }; in appleDerivation { - buildInputs = [ bsdmake perl yacc flex (writeScriptBin "lex" "exec ${flex}/bin/flex $@") ]; + buildInputs = [ bsdmake perl yacc flex ]; patchPhase = '' substituteInPlace BSDMakefile \ @@ -19,8 +28,6 @@ in appleDerivation { substituteInPlace Makefile --replace perl true - substituteInPlace colldef.tproj/BSDmakefile --replace "-ll" "-lfl" - for subproject in colldef mklocale monetdef msgdef numericdef timedef; do substituteInPlace usr-share-locale.tproj/$subproject/BSDmakefile \ --replace /usr/share/locale "" \ @@ -29,9 +36,28 @@ in appleDerivation { done ''; + preBuild = '' + cp -r --no-preserve=all ${recentAdvCmds}/colldef . + pushd colldef + mv locale/collate.h . + flex -t -8 -i scan.l > scan.c + yacc -d parse.y + clang *.c -o colldef -lfl + popd + mv colldef/colldef colldef.tproj/colldef + + cp -r --no-preserve=all ${recentAdvCmds}/mklocale . + pushd mklocale + flex -t -8 -i lex.l > lex.c + yacc -d yacc.y + clang *.c -o mklocale -lfl + popd + mv mklocale/mklocale mklocale.tproj/mklocale + ''; + buildPhase = '' - bsdmake -C colldef.tproj - bsdmake -C mklocale.tproj + runHook preBuild + bsdmake -C usr-share-locale.tproj clang ${recentAdvCmds}/ps/*.c -o ps @@ -39,6 +65,12 @@ in appleDerivation { installPhase = '' bsdmake -C usr-share-locale.tproj install DESTDIR="$locale/share/locale" + + # need to get rid of runtime dependency on flex + # install -d 0755 $locale/bin + # install -m 0755 colldef.tproj/colldef $locale/bin + # install -m 0755 mklocale.tproj/mklocale $locale/bin + install -d 0755 $ps/bin install ps $ps/bin/ps ''; diff --git a/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix b/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix index 8687f3fe532..c730a409609 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix @@ -7,6 +7,10 @@ appleDerivation { propagatedBuildInputs = [ Security ]; + __propagatedSandboxProfile = '' + (allow mach-lookup (global-name "com.apple.SystemConfiguration.configd")) + ''; + patchPhase = '' substituteInPlace SystemConfiguration.fproj/SCNetworkReachabilityInternal.h \ --replace '#include ' "" diff --git a/pkgs/os-specific/darwin/apple-source-releases/default.nix b/pkgs/os-specific/darwin/apple-source-releases/default.nix index b494f5ae346..6b7858d374a 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/default.nix @@ -56,7 +56,9 @@ let bootstrap_cmds = applePackage "bootstrap_cmds" "86" "0xr0296jm1r3q7kbam98h85g23qlfi763z54ahj563n636kyk2wb" {}; bsdmake = applePackage "bsdmake" "24" "11a9kkhz5bfgi1i8kpdkis78lhc6b5vxmhd598fcdgra1jw4iac2" {}; CarbonHeaders = applePackage "CarbonHeaders" "9A581" "1hc0yijlpwq39x5bic6nnywqp2m1wj1f11j33m2q7p505h1h740c" {}; - CF = applePackage "CF" "855.17" "1sadmxi9fsvsmdyxvg2133sdzvkzwil5fvyyidxsyk1iyfzqsvln" {}; + CF = applePackage "CF" "855.17" "1sadmxi9fsvsmdyxvg2133sdzvkzwil5fvyyidxsyk1iyfzqsvln" { + inherit (pkgs.darwin.apple_sdk) generateFrameworkProfile; + }; CommonCrypto = applePackage "CommonCrypto" "60049" "1azin6w7cnzl0iv8kd2qzgwcp6a45zy64y5z1i6jysjcl6xmlw2h" {}; configd = applePackage "configd" "453.19" "1gxakahk8gallf16xmhxhprdxkh3prrmzxnmxfvj0slr0939mmr2" {}; copyfile = applePackage "copyfile" "103.92.1" "15i2hw5aqx0fklvmq6avin5s00adacvzqc740vviwc2y742vrdcd" {}; diff --git a/pkgs/os-specific/darwin/apple-source-releases/libsecurity_generic/default.nix b/pkgs/os-specific/darwin/apple-source-releases/libsecurity_generic/default.nix index 4a739032e2a..ccce7448e5d 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/libsecurity_generic/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/libsecurity_generic/default.nix @@ -30,6 +30,9 @@ name: version: sha256: args: let ''; buildInputs = [ pkgs.gnustep-make + pkgs.darwin.apple_sdk.frameworks.AppKit + pkgs.darwin.apple_sdk.frameworks.Foundation + pkgs.darwin.cf-private ]; makeFlags = [ "-f${makeFile}" diff --git a/pkgs/os-specific/darwin/apple-source-releases/libsecurity_utilities/default.nix b/pkgs/os-specific/darwin/apple-source-releases/libsecurity_utilities/default.nix index 23ac246b4af..9de1d120cc9 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/libsecurity_utilities/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/libsecurity_utilities/default.nix @@ -14,6 +14,9 @@ appleDerivation { substituteInPlace lib/debugging.cpp --replace PATH_MAX 1024 substituteInPlace lib/superblob.h --replace 'result->at' 'result->template at' substituteInPlace lib/ccaudit.cpp --replace '' '"bsm/libbsm.h"' + substituteInPlace lib/powerwatch.h --replace \ + '' \ + '"${osx_private_sdk}/PrivateSDK10.9.sparse.sdk/System/Library/Frameworks/IOKit.framework/Versions/A/PrivateHeaders/pwr_mgt/IOPMLibPrivate.h"' cp ${osx_private_sdk}/PrivateSDK10.9.sparse.sdk/usr/include/security_utilities/utilities_dtrace.h lib cp -R ${osx_private_sdk}/PrivateSDK10.9.sparse.sdk/usr/local/include/bsm lib diff --git a/pkgs/stdenv/generic/default.nix b/pkgs/stdenv/generic/default.nix index c2324c86eb5..196c8618c91 100644 --- a/pkgs/stdenv/generic/default.nix +++ b/pkgs/stdenv/generic/default.nix @@ -156,11 +156,10 @@ let "__impureHostDeps" "__propagatedImpureHostDeps" "__sandboxProfile" "__propagatedSandboxProfile"]) // (let - # TODO: remove lib.unique once nix has a list canonicalization primitive computedSandboxProfile = - lib.concatStrings (lib.unique (builtins.map (input: input.__propagatedSandboxProfile or "") (extraBuildInputs ++ buildInputs ++ nativeBuildInputs))); + lib.concatMap (input: input.__propagatedSandboxProfile or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs); computedPropagatedSandboxProfile = - lib.concatStrings (lib.unique (builtins.map (input: input.__propagatedSandboxProfile or "") (propagatedBuildInputs ++ propagatedNativeBuildInputs))); + lib.concatMap (input: input.__propagatedSandboxProfile or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs); in { builder = attrs.realBuilder or shell; @@ -178,8 +177,12 @@ let propagatedNativeBuildInputs = propagatedNativeBuildInputs ++ (if crossConfig == null then propagatedBuildInputs else []); } // ifDarwin { - __sandboxProfile = computedSandboxProfile + computedPropagatedSandboxProfile + __propagatedSandboxProfile + __sandboxProfile + __extraSandboxProfile; - __propagatedSandboxProfile = computedPropagatedSandboxProfile + __propagatedSandboxProfile; + # TODO: remove lib.unique once nix has a list canonicalization primitive + __sandboxProfile = + let profiles = [ __extraSandboxProfile ] ++ computedSandboxProfile ++ computedPropagatedSandboxProfile ++ [ __propagatedSandboxProfile __sandboxProfile ]; + final = lib.concatStringsSep "\n" (lib.filter (x: x != "") (lib.unique profiles)); + in final; + __propagatedSandboxProfile = lib.unique (computedPropagatedSandboxProfile ++ [ __propagatedSandboxProfile ]); } // (if outputs' != [ "out" ] then { outputs = outputs'; } else { })))) ( diff --git a/pkgs/stdenv/pure-darwin/default.nix b/pkgs/stdenv/pure-darwin/default.nix index fb3559659e5..1770d48278d 100644 --- a/pkgs/stdenv/pure-darwin/default.nix +++ b/pkgs/stdenv/pure-darwin/default.nix @@ -5,7 +5,9 @@ }: let - libSystemProfile = builtins.readFile ./standard-sandbox.sb; + libSystemProfile = '' + (import "${./standard-sandbox.sb}") + ''; fetch = { file, sha256, executable ? true }: import { url = "http://tarballs.nixos.org/stdenv-darwin/x86_64/4f07c88d467216d9692fefc951deb5cd3c4cc722/${file}"; @@ -253,7 +255,7 @@ in rec { }; darwin = orig.darwin // { - inherit (darwin) dyld Libsystem cctools CF libiconv; + inherit (darwin) dyld Libsystem cctools libiconv; }; }; @@ -263,7 +265,9 @@ in rec { name = "stdenv-darwin"; - preHook = commonPreHook; + preHook = commonPreHook + '' + export PATH_LOCALE=${pkgs.darwin.locale}/share/locale + ''; __stdenvSandboxProfile = binShClosure + libSystemProfile; __extraSandboxProfile = binShClosure + libSystemProfile; @@ -294,7 +298,7 @@ in rec { coreutils ed diffutils gnutar gzip ncurses gnused bash gawk gnugrep llvmPackages.clang-unwrapped patch pcre binutils-raw binutils gettext ]) ++ (with pkgs.darwin; [ - dyld Libsystem CF cctools libiconv + dyld Libsystem CF cctools libiconv locale ]); overrides = orig: persistent4 orig // { diff --git a/pkgs/stdenv/pure-darwin/standard-sandbox.sb b/pkgs/stdenv/pure-darwin/standard-sandbox.sb index 670ab01f347..37a9b736e53 100644 --- a/pkgs/stdenv/pure-darwin/standard-sandbox.sb +++ b/pkgs/stdenv/pure-darwin/standard-sandbox.sb @@ -7,7 +7,7 @@ (allow sysctl-read) ; IPC -(allow ipc-posix-sem) +(allow ipc-posix*) ; Unix sockets (allow system-socket) @@ -33,6 +33,9 @@ ; used for bootstrap builders (allow process-exec* (literal "/bin/sh")) +; without this line clang cannot write to /dev/null, breaking some configure tests +(allow file-read-metadata (literal "/dev")) + ; standard devices (allow file* (literal "/dev/null") @@ -51,15 +54,21 @@ ; both are in libicucore and zoneinfo is in libsystem_c as well (allow file-read* (subpath "/usr/share/icu") (subpath "/usr/share/zoneinfo")) +; no idea what this is +(allow file-read-data (literal "/dev/autofs_nowait")) + ; lots of autoconf projects want to list this directory (allow file-read-metadata (literal "/var") (literal "/private/var/tmp")) +; send signals +(allow signal (target same-sandbox)) + +; allow getpwuid (for git and other packages) +(allow mach-lookup + (global-name "com.apple.system.notification_center") + (global-name "com.apple.system.opendirectoryd.libinfo")) + ; mute annoying failures -(deny file-read-metadata (with no-log) - (literal "/etc") - (subpath "/usr/bin")) - -(deny process-exec* (with no-log) - (literal "/usr/bin/arch") - (literal "/usr/bin/hostinfo") - (literal "/usr/bin/uname")) +(deny (with no-log) file-read-metadata (literal "/etc") (subpath "/usr/bin")) + +(deny process-exec* (literal "/usr/bin/arch") (literal "/usr/bin/hostinfo") (literal "/usr/bin/uname")) diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 4531fbcc183..cdbb03bd0e5 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -11349,7 +11349,7 @@ let imagemagick = null; acl = null; gpm = null; - inherit (darwin.apple_sdk.frameworks) AppKit; + inherit (darwin.apple_sdk.frameworks) AppKit CoreWLAN GSS Kerberos ImageIO; }; emacs24-nox = lowPrio (appendToName "nox" (emacs24.override { diff --git a/pkgs/top-level/perl-packages.nix b/pkgs/top-level/perl-packages.nix index ed00e4ea66d..4937a00bad9 100644 --- a/pkgs/top-level/perl-packages.nix +++ b/pkgs/top-level/perl-packages.nix @@ -8266,6 +8266,7 @@ let self = _self // overrides; _self = with self; { url = mirror://cpan/authors/id/E/ET/ETHER/Net-HTTP-6.09.tar.gz; sha256 = "52762b939d84806908ba544581c5708375f7938c3c0e496c128ca3fbc425e58d"; }; + __sandboxProfile = stdenv.lib.sandbox.allowNetworkLocal; propagatedBuildInputs = [ URI ]; meta = { description = "Low-level HTTP connection (client)"; diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix index 22cdc99fcef..dbd991d8205 100644 --- a/pkgs/top-level/python-packages.nix +++ b/pkgs/top-level/python-packages.nix @@ -3759,6 +3759,8 @@ let substituteInPlace test-requirements.txt --replace 'nose==1.3' 'nose' ''; + __sandboxProfile = pkgs.lib.sandbox.allowNetwork; + doCheck = !isPy3k; # lots of transient failures checkPhase = '' # Not worth the trouble @@ -6548,6 +6550,8 @@ let sha256 = "02rknqarwy7p50693cqswbibqwgxzrfzdq4yhwqxbdmhbsmh0rk6"; }; + __sandboxProfile = pkgs.lib.sandbox.allowNetwork; + # Only test dependencies buildInputs = with self; [ pkgs.git gevent geventhttpclient mock fastimport ]; -- cgit 1.4.1 From a63346e33ca05f691e6854b896eac5cef99b4ef8 Mon Sep 17 00:00:00 2001 From: Jude Taylor Date: Sat, 21 Nov 2015 11:17:30 -0800 Subject: use single underscore for sandboxProfile --- pkgs/applications/editors/vim/default.nix | 2 +- .../git-and-tools/git/default.nix | 2 +- .../development/interpreters/perl/5.20/default.nix | 2 +- pkgs/os-specific/darwin/apple-sdk/default.nix | 6 +++--- .../apple-sdk/generate-framework-profile.nix | 2 +- .../darwin/apple-source-releases/CF/default.nix | 2 +- .../apple-source-releases/adv_cmds/default.nix | 2 +- .../apple-source-releases/configd/default.nix | 2 +- pkgs/stdenv/generic/default.nix | 22 +++++++++++----------- pkgs/stdenv/pure-darwin/default.nix | 10 +++++----- 10 files changed, 26 insertions(+), 26 deletions(-) (limited to 'pkgs/os-specific') diff --git a/pkgs/applications/editors/vim/default.nix b/pkgs/applications/editors/vim/default.nix index 08e0e05590f..42010f15421 100644 --- a/pkgs/applications/editors/vim/default.nix +++ b/pkgs/applications/editors/vim/default.nix @@ -43,7 +43,7 @@ stdenv.mkDerivation rec { ]; }; - __sandboxProfile = stdenv.lib.sandbox.allowFileRead "/dev/ptmx"; + _sandboxProfile = stdenv.lib.sandbox.allowFileRead "/dev/ptmx"; # To fix the trouble in vim73, that it cannot cross-build with this patch # to bypass a configure script check that cannot be done cross-building. diff --git a/pkgs/applications/version-management/git-and-tools/git/default.nix b/pkgs/applications/version-management/git-and-tools/git/default.nix index 57ebb7397bc..ed963d206e9 100644 --- a/pkgs/applications/version-management/git-and-tools/git/default.nix +++ b/pkgs/applications/version-management/git-and-tools/git/default.nix @@ -37,7 +37,7 @@ stdenv.mkDerivation { NIX_LDFLAGS = stdenv.lib.optionalString (!stdenv.isDarwin) "-lgcc_s"; # without this, git fails when trying to check for /etc/gitconfig existence - __propagatedSandboxProfile = stdenv.lib.sandbox.allowDirectoryList "/etc"; + _propagatedSandboxProfile = stdenv.lib.sandbox.allowDirectoryList "/etc"; makeFlags = "prefix=\${out} sysconfdir=/etc/ PERL_PATH=${perl}/bin/perl SHELL_PATH=${stdenv.shell} " + (if pythonSupport then "PYTHON_PATH=${python}/bin/python" else "NO_PYTHON=1") diff --git a/pkgs/development/interpreters/perl/5.20/default.nix b/pkgs/development/interpreters/perl/5.20/default.nix index b2f43d176e8..a85175bf0c3 100644 --- a/pkgs/development/interpreters/perl/5.20/default.nix +++ b/pkgs/development/interpreters/perl/5.20/default.nix @@ -50,7 +50,7 @@ stdenv.mkDerivation rec { --replace "/bin/pwd" "$pwd" ''; - __sandboxProfile = stdenv.lib.sandbox.allow "ipc-sysv-sem"; + _sandboxProfile = stdenv.lib.sandbox.allow "ipc-sysv-sem"; # Build a thread-safe Perl with a dynamic libperls.o. We need the # "installstyle" option to ensure that modules are put under diff --git a/pkgs/os-specific/darwin/apple-sdk/default.nix b/pkgs/os-specific/darwin/apple-sdk/default.nix index b31e5d043ef..a422bfa6452 100644 --- a/pkgs/os-specific/darwin/apple-sdk/default.nix +++ b/pkgs/os-specific/darwin/apple-sdk/default.nix @@ -97,11 +97,11 @@ let propagatedBuildInputs = deps; # allows building the symlink tree - __sandboxProfile = '' + _sandboxProfile = '' (allow file-read* (subpath "/System/Library/Frameworks/${name}.framework")) ''; - __propagatedSandboxProfile = stdenv.lib.sandbox.importProfile (generateFrameworkProfile name); + _propagatedSandboxProfile = stdenv.lib.sandbox.importProfile (generateFrameworkProfile name); meta = with stdenv.lib; { description = "Apple SDK framework ${name}"; @@ -165,7 +165,7 @@ in rec { }); CoreServices = stdenv.lib.overrideDerivation super.CoreServices (drv: { - __propagatedSandboxProfile = drv.__propagatedSandboxProfile ++ ['' + _propagatedSandboxProfile = drv._propagatedSandboxProfile ++ ['' (allow mach-lookup (global-name "com.apple.CoreServices.coreservicesd")) '']; }); diff --git a/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix b/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix index eb6228db14d..a0d37c5db38 100644 --- a/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix +++ b/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix @@ -14,7 +14,7 @@ let path = "/System/Library/Frameworks/${frameworkName}.framework"; in runCommand "${frameworkName}-profile.sb" { # __noChroot lite - __sandboxProfile = '' + _sandboxProfile = '' (allow file* (subpath "/")) ''; diff --git a/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix b/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix index 0eac8fcae39..c02129d2afe 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix @@ -8,7 +8,7 @@ appleDerivation { patches = [ ./add-cf-initialize.patch ./add-cfmachport.patch ./cf-bridging.patch ]; - __propagatedSandboxProfile = stdenv.lib.sandbox.importProfile (generateFrameworkProfile "CoreFoundation"); + _propagatedSandboxProfile = stdenv.lib.sandbox.importProfile (generateFrameworkProfile "CoreFoundation"); preBuild = '' substituteInPlace Makefile \ diff --git a/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix b/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix index d465fa71ff0..2b2a9148f22 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix @@ -81,7 +81,7 @@ in appleDerivation { ]; # ps uses this syscall to get process info - __propagatedSandboxProfile = stdenv.lib.sandbox.allow "mach-priv-task-port"; + _propagatedSandboxProfile = stdenv.lib.sandbox.allow "mach-priv-task-port"; meta = { platforms = stdenv.lib.platforms.darwin; diff --git a/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix b/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix index c730a409609..5fcb6a24204 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix @@ -7,7 +7,7 @@ appleDerivation { propagatedBuildInputs = [ Security ]; - __propagatedSandboxProfile = '' + _propagatedSandboxProfile = '' (allow mach-lookup (global-name "com.apple.SystemConfiguration.configd")) ''; diff --git a/pkgs/stdenv/generic/default.nix b/pkgs/stdenv/generic/default.nix index 196c8618c91..e3ba2f27f22 100644 --- a/pkgs/stdenv/generic/default.nix +++ b/pkgs/stdenv/generic/default.nix @@ -12,8 +12,8 @@ let lib = import ../../../lib; in lib.makeOverridable ( , extraBuildInputs ? [] , __stdenvImpureHostDeps ? [] , __extraImpureHostDeps ? [] -, __stdenvSandboxProfile ? "" -, __extraSandboxProfile ? "" +, _stdenvSandboxProfile ? "" +, _extraSandboxProfile ? "" }: let @@ -102,8 +102,8 @@ let , outputs ? [ "out" ] , __impureHostDeps ? [] , __propagatedImpureHostDeps ? [] - , __sandboxProfile ? "" - , __propagatedSandboxProfile ? "" + , _sandboxProfile ? "" + , _propagatedSandboxProfile ? "" , ... } @ attrs: let pos' = @@ -154,12 +154,12 @@ let (removeAttrs attrs ["meta" "passthru" "crossAttrs" "pos" "__impureHostDeps" "__propagatedImpureHostDeps" - "__sandboxProfile" "__propagatedSandboxProfile"]) + "_sandboxProfile" "_propagatedSandboxProfile"]) // (let computedSandboxProfile = - lib.concatMap (input: input.__propagatedSandboxProfile or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs); + lib.concatMap (input: input._propagatedSandboxProfile or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs); computedPropagatedSandboxProfile = - lib.concatMap (input: input.__propagatedSandboxProfile or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs); + lib.concatMap (input: input._propagatedSandboxProfile or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs); in { builder = attrs.realBuilder or shell; @@ -178,11 +178,11 @@ let (if crossConfig == null then propagatedBuildInputs else []); } // ifDarwin { # TODO: remove lib.unique once nix has a list canonicalization primitive - __sandboxProfile = - let profiles = [ __extraSandboxProfile ] ++ computedSandboxProfile ++ computedPropagatedSandboxProfile ++ [ __propagatedSandboxProfile __sandboxProfile ]; + _sandboxProfile = + let profiles = [ _extraSandboxProfile ] ++ computedSandboxProfile ++ computedPropagatedSandboxProfile ++ [ _propagatedSandboxProfile _sandboxProfile ]; final = lib.concatStringsSep "\n" (lib.filter (x: x != "") (lib.unique profiles)); in final; - __propagatedSandboxProfile = lib.unique (computedPropagatedSandboxProfile ++ [ __propagatedSandboxProfile ]); + _propagatedSandboxProfile = lib.unique (computedPropagatedSandboxProfile ++ [ _propagatedSandboxProfile ]); } // (if outputs' != [ "out" ] then { outputs = outputs'; } else { })))) ( @@ -219,7 +219,7 @@ let inherit preHook initialPath shell defaultNativeBuildInputs; } // ifDarwin { - __sandboxProfile = __stdenvSandboxProfile; + _sandboxProfile = _stdenvSandboxProfile; }) // rec { diff --git a/pkgs/stdenv/pure-darwin/default.nix b/pkgs/stdenv/pure-darwin/default.nix index 1770d48278d..39ff3ebddb1 100644 --- a/pkgs/stdenv/pure-darwin/default.nix +++ b/pkgs/stdenv/pure-darwin/default.nix @@ -50,7 +50,7 @@ in rec { inherit (bootstrapFiles) mkdir bzip2 cpio; - __sandboxProfile = binShClosure + libSystemProfile; + _sandboxProfile = binShClosure + libSystemProfile; }; stageFun = step: last: {shell ? "${bootstrapTools}/bin/sh", @@ -93,8 +93,8 @@ in rec { }; # The stdenvs themselves don't use mkDerivation, so I need to specify this here - __stdenvSandboxProfile = binShClosure + libSystemProfile; - __extraSandboxProfile = binShClosure + libSystemProfile; + _stdenvSandboxProfile = binShClosure + libSystemProfile; + _extraSandboxProfile = binShClosure + libSystemProfile; extraAttrs = { inherit platform; }; overrides = pkgs: (overrides pkgs) // { fetchurl = thisStdenv.fetchurlBoot; }; @@ -269,8 +269,8 @@ in rec { export PATH_LOCALE=${pkgs.darwin.locale}/share/locale ''; - __stdenvSandboxProfile = binShClosure + libSystemProfile; - __extraSandboxProfile = binShClosure + libSystemProfile; + _stdenvSandboxProfile = binShClosure + libSystemProfile; + _extraSandboxProfile = binShClosure + libSystemProfile; initialPath = import ../common-path.nix { inherit pkgs; }; shell = "${pkgs.bash}/bin/bash"; -- cgit 1.4.1 From 69e7f3bb7405ad4bf81e6d8c1897116c3a4d77dc Mon Sep 17 00:00:00 2001 From: Jude Taylor Date: Sat, 21 Nov 2015 12:06:41 -0800 Subject: switch to zero underscores for sandbox profiles; remove generateFrameworkProfile --- pkgs/applications/editors/vim/default.nix | 2 +- .../git-and-tools/git/default.nix | 2 +- .../development/interpreters/perl/5.20/default.nix | 2 +- pkgs/os-specific/darwin/apple-sdk/default.nix | 9 ++- .../apple-sdk/generate-framework-profile.nix | 64 ---------------------- .../darwin/apple-source-releases/CF/default.nix | 4 +- .../apple-source-releases/adv_cmds/default.nix | 2 +- .../apple-source-releases/configd/default.nix | 2 +- .../darwin/apple-source-releases/default.nix | 6 +- pkgs/stdenv/generic/default.nix | 22 ++++---- pkgs/stdenv/pure-darwin/default.nix | 10 ++-- 11 files changed, 29 insertions(+), 96 deletions(-) delete mode 100644 pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix (limited to 'pkgs/os-specific') diff --git a/pkgs/applications/editors/vim/default.nix b/pkgs/applications/editors/vim/default.nix index 42010f15421..363413a698e 100644 --- a/pkgs/applications/editors/vim/default.nix +++ b/pkgs/applications/editors/vim/default.nix @@ -43,7 +43,7 @@ stdenv.mkDerivation rec { ]; }; - _sandboxProfile = stdenv.lib.sandbox.allowFileRead "/dev/ptmx"; + sandboxProfile = stdenv.lib.sandbox.allowFileRead "/dev/ptmx"; # To fix the trouble in vim73, that it cannot cross-build with this patch # to bypass a configure script check that cannot be done cross-building. diff --git a/pkgs/applications/version-management/git-and-tools/git/default.nix b/pkgs/applications/version-management/git-and-tools/git/default.nix index ed963d206e9..d060acef53e 100644 --- a/pkgs/applications/version-management/git-and-tools/git/default.nix +++ b/pkgs/applications/version-management/git-and-tools/git/default.nix @@ -37,7 +37,7 @@ stdenv.mkDerivation { NIX_LDFLAGS = stdenv.lib.optionalString (!stdenv.isDarwin) "-lgcc_s"; # without this, git fails when trying to check for /etc/gitconfig existence - _propagatedSandboxProfile = stdenv.lib.sandbox.allowDirectoryList "/etc"; + propagatedSandboxProfile = stdenv.lib.sandbox.allowDirectoryList "/etc"; makeFlags = "prefix=\${out} sysconfdir=/etc/ PERL_PATH=${perl}/bin/perl SHELL_PATH=${stdenv.shell} " + (if pythonSupport then "PYTHON_PATH=${python}/bin/python" else "NO_PYTHON=1") diff --git a/pkgs/development/interpreters/perl/5.20/default.nix b/pkgs/development/interpreters/perl/5.20/default.nix index a85175bf0c3..aa384683728 100644 --- a/pkgs/development/interpreters/perl/5.20/default.nix +++ b/pkgs/development/interpreters/perl/5.20/default.nix @@ -50,7 +50,7 @@ stdenv.mkDerivation rec { --replace "/bin/pwd" "$pwd" ''; - _sandboxProfile = stdenv.lib.sandbox.allow "ipc-sysv-sem"; + sandboxProfile = stdenv.lib.sandbox.allow "ipc-sysv-sem"; # Build a thread-safe Perl with a dynamic libperls.o. We need the # "installstyle" option to ensure that modules are put under diff --git a/pkgs/os-specific/darwin/apple-sdk/default.nix b/pkgs/os-specific/darwin/apple-sdk/default.nix index a422bfa6452..f1e3556273e 100644 --- a/pkgs/os-specific/darwin/apple-sdk/default.nix +++ b/pkgs/os-specific/darwin/apple-sdk/default.nix @@ -1,7 +1,6 @@ { stdenv, fetchurl, xar, gzip, cpio, pkgs }: let - generateFrameworkProfile = pkgs.callPackage ./generate-framework-profile.nix {}; # sadly needs to be exported because security_tool needs it sdk = stdenv.mkDerivation rec { version = "10.9"; @@ -97,11 +96,11 @@ let propagatedBuildInputs = deps; # allows building the symlink tree - _sandboxProfile = '' + sandboxProfile = '' (allow file-read* (subpath "/System/Library/Frameworks/${name}.framework")) ''; - _propagatedSandboxProfile = stdenv.lib.sandbox.importProfile (generateFrameworkProfile name); + __propagatedImpureHostDeps = "/System/Library/Frameworks/${name}.framework/${name}"; meta = with stdenv.lib; { description = "Apple SDK framework ${name}"; @@ -165,7 +164,7 @@ in rec { }); CoreServices = stdenv.lib.overrideDerivation super.CoreServices (drv: { - _propagatedSandboxProfile = drv._propagatedSandboxProfile ++ ['' + __propagatedSandboxProfile = drv.__propagatedSandboxProfile ++ ['' (allow mach-lookup (global-name "com.apple.CoreServices.coreservicesd")) '']; }); @@ -182,5 +181,5 @@ in rec { frameworks = bareFrameworks // overrides bareFrameworks; - inherit sdk generateFrameworkProfile; + inherit sdk; } diff --git a/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix b/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix deleted file mode 100644 index a0d37c5db38..00000000000 --- a/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix +++ /dev/null @@ -1,64 +0,0 @@ -{ runCommand }: - -# In a normal programming language, one might store a hashmap -# { library name -> runtime dependencies }. -# associative arrays were only recently added to bash, and even then, bash arrays cannot -# be multidimensional. instead, the filesystem is the hash table! -# once every dependency in the tree has been visited, a comprehensive list of libraries -# will exist inside ./build. then `find ./build -type f` will give you the -# dependency tree you need! - -frameworkName: - -let path = "/System/Library/Frameworks/${frameworkName}.framework"; - -in runCommand "${frameworkName}-profile.sb" { - # __noChroot lite - _sandboxProfile = '' - (allow file* (subpath "/")) - ''; - - # inconsistencies may exist between self and hydra - allowSubstitutes = false; -} '' - if [ ! -f "${path}/${frameworkName}" ]; then - touch $out - exit - fi - base=./build - find_deps () { - if [ -f "$base/$1" ]; then - return - fi - dependencies=$(otool -l -arch x86_64 $1 \ - | grep 'LC_\w*_DYLIB' -A 2 \ - | grep name \ - | sed 's/^ *//' \ - | cut -d' ' -f2) - mkdir -p $base/"$(dirname "$1")" - touch $base/"$1" - for dep in $dependencies; do - find_deps "$dep" - done - } - find_deps "${path}/${frameworkName}" "$out" - set -o noglob - profile="(allow file-read*" - for file in $(find $base -type f); do - filename=''${file/$base/} - case $filename in - /usr/lib/system*) ;; - /usr/lib/libSystem.dylib) ;; - /usr/lib/libSystem.B.dylib) ;; - /usr/lib/libobjc.A.dylib) ;; - /usr/lib/libobjc.dylib) ;; - /usr/lib/libauto.dylib) ;; - /usr/lib/libc++abi.dylib) ;; - /usr/lib/libDiagnosticMessagesClient.dylib) ;; - *) profile+=" (literal \"$filename\")" ;; - esac - done - profile+=" (literal \"${path}/${frameworkName}\")" - profile+=" (literal \"${path}/Versions/Current\")" - echo "$profile)" > $out -'' diff --git a/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix b/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix index c02129d2afe..aededa1a073 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix @@ -1,4 +1,4 @@ -{ stdenv, appleDerivation, icu, dyld, libdispatch, launchd, libclosure, generateFrameworkProfile }: +{ stdenv, appleDerivation, icu, dyld, libdispatch, launchd, libclosure }: # this project uses blocks, a clang-only extension assert stdenv.cc.isClang; @@ -8,7 +8,7 @@ appleDerivation { patches = [ ./add-cf-initialize.patch ./add-cfmachport.patch ./cf-bridging.patch ]; - _propagatedSandboxProfile = stdenv.lib.sandbox.importProfile (generateFrameworkProfile "CoreFoundation"); + __propagatedImpureHostDeps = "/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation"; preBuild = '' substituteInPlace Makefile \ diff --git a/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix b/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix index 2b2a9148f22..a0261875c10 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix @@ -81,7 +81,7 @@ in appleDerivation { ]; # ps uses this syscall to get process info - _propagatedSandboxProfile = stdenv.lib.sandbox.allow "mach-priv-task-port"; + propagatedSandboxProfile = stdenv.lib.sandbox.allow "mach-priv-task-port"; meta = { platforms = stdenv.lib.platforms.darwin; diff --git a/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix b/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix index 5fcb6a24204..1fbacfb9284 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix @@ -7,7 +7,7 @@ appleDerivation { propagatedBuildInputs = [ Security ]; - _propagatedSandboxProfile = '' + propagatedSandboxProfile = '' (allow mach-lookup (global-name "com.apple.SystemConfiguration.configd")) ''; diff --git a/pkgs/os-specific/darwin/apple-source-releases/default.nix b/pkgs/os-specific/darwin/apple-source-releases/default.nix index 6b7858d374a..f1b72b4123f 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/default.nix @@ -54,11 +54,9 @@ let inherit (adv_cmds) ps locale; architecture = applePackage "architecture" "265" "05wz8wmxlqssfp29x203fwfb8pgbdjj1mpz12v508658166yzqj8" {}; bootstrap_cmds = applePackage "bootstrap_cmds" "86" "0xr0296jm1r3q7kbam98h85g23qlfi763z54ahj563n636kyk2wb" {}; - bsdmake = applePackage "bsdmake" "24" "11a9kkhz5bfgi1i8kpdkis78lhc6b5vxmhd598fcdgra1jw4iac2" {}; + bsdmake = applePackage "bsdmake" "24" "11a9kkhz5bfgi1i8kpdkis78lhc6b5vxmhd598fcdgra1jw4iac2" {}; CarbonHeaders = applePackage "CarbonHeaders" "9A581" "1hc0yijlpwq39x5bic6nnywqp2m1wj1f11j33m2q7p505h1h740c" {}; - CF = applePackage "CF" "855.17" "1sadmxi9fsvsmdyxvg2133sdzvkzwil5fvyyidxsyk1iyfzqsvln" { - inherit (pkgs.darwin.apple_sdk) generateFrameworkProfile; - }; + CF = applePackage "CF" "855.17" "1sadmxi9fsvsmdyxvg2133sdzvkzwil5fvyyidxsyk1iyfzqsvln" {}; CommonCrypto = applePackage "CommonCrypto" "60049" "1azin6w7cnzl0iv8kd2qzgwcp6a45zy64y5z1i6jysjcl6xmlw2h" {}; configd = applePackage "configd" "453.19" "1gxakahk8gallf16xmhxhprdxkh3prrmzxnmxfvj0slr0939mmr2" {}; copyfile = applePackage "copyfile" "103.92.1" "15i2hw5aqx0fklvmq6avin5s00adacvzqc740vviwc2y742vrdcd" {}; diff --git a/pkgs/stdenv/generic/default.nix b/pkgs/stdenv/generic/default.nix index e3ba2f27f22..850a2796259 100644 --- a/pkgs/stdenv/generic/default.nix +++ b/pkgs/stdenv/generic/default.nix @@ -12,8 +12,8 @@ let lib = import ../../../lib; in lib.makeOverridable ( , extraBuildInputs ? [] , __stdenvImpureHostDeps ? [] , __extraImpureHostDeps ? [] -, _stdenvSandboxProfile ? "" -, _extraSandboxProfile ? "" +, stdenvSandboxProfile ? "" +, extraSandboxProfile ? "" }: let @@ -102,8 +102,8 @@ let , outputs ? [ "out" ] , __impureHostDeps ? [] , __propagatedImpureHostDeps ? [] - , _sandboxProfile ? "" - , _propagatedSandboxProfile ? "" + , sandboxProfile ? "" + , propagatedSandboxProfile ? "" , ... } @ attrs: let pos' = @@ -154,12 +154,12 @@ let (removeAttrs attrs ["meta" "passthru" "crossAttrs" "pos" "__impureHostDeps" "__propagatedImpureHostDeps" - "_sandboxProfile" "_propagatedSandboxProfile"]) + "sandboxProfile" "propagatedSandboxProfile"]) // (let computedSandboxProfile = - lib.concatMap (input: input._propagatedSandboxProfile or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs); + lib.concatMap (input: input.__propagatedSandboxProfile or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs); computedPropagatedSandboxProfile = - lib.concatMap (input: input._propagatedSandboxProfile or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs); + lib.concatMap (input: input.__propagatedSandboxProfile or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs); in { builder = attrs.realBuilder or shell; @@ -178,11 +178,11 @@ let (if crossConfig == null then propagatedBuildInputs else []); } // ifDarwin { # TODO: remove lib.unique once nix has a list canonicalization primitive - _sandboxProfile = - let profiles = [ _extraSandboxProfile ] ++ computedSandboxProfile ++ computedPropagatedSandboxProfile ++ [ _propagatedSandboxProfile _sandboxProfile ]; + __sandboxProfile = + let profiles = [ extraSandboxProfile ] ++ computedSandboxProfile ++ computedPropagatedSandboxProfile ++ [ propagatedSandboxProfile sandboxProfile ]; final = lib.concatStringsSep "\n" (lib.filter (x: x != "") (lib.unique profiles)); in final; - _propagatedSandboxProfile = lib.unique (computedPropagatedSandboxProfile ++ [ _propagatedSandboxProfile ]); + __propagatedSandboxProfile = lib.unique (computedPropagatedSandboxProfile ++ [ propagatedSandboxProfile ]); } // (if outputs' != [ "out" ] then { outputs = outputs'; } else { })))) ( @@ -219,7 +219,7 @@ let inherit preHook initialPath shell defaultNativeBuildInputs; } // ifDarwin { - _sandboxProfile = _stdenvSandboxProfile; + __sandboxProfile = stdenvSandboxProfile; }) // rec { diff --git a/pkgs/stdenv/pure-darwin/default.nix b/pkgs/stdenv/pure-darwin/default.nix index 39ff3ebddb1..bc3b433e922 100644 --- a/pkgs/stdenv/pure-darwin/default.nix +++ b/pkgs/stdenv/pure-darwin/default.nix @@ -50,7 +50,7 @@ in rec { inherit (bootstrapFiles) mkdir bzip2 cpio; - _sandboxProfile = binShClosure + libSystemProfile; + __sandboxProfile = binShClosure + libSystemProfile; }; stageFun = step: last: {shell ? "${bootstrapTools}/bin/sh", @@ -93,8 +93,8 @@ in rec { }; # The stdenvs themselves don't use mkDerivation, so I need to specify this here - _stdenvSandboxProfile = binShClosure + libSystemProfile; - _extraSandboxProfile = binShClosure + libSystemProfile; + stdenvSandboxProfile = binShClosure + libSystemProfile; + extraSandboxProfile = binShClosure + libSystemProfile; extraAttrs = { inherit platform; }; overrides = pkgs: (overrides pkgs) // { fetchurl = thisStdenv.fetchurlBoot; }; @@ -269,8 +269,8 @@ in rec { export PATH_LOCALE=${pkgs.darwin.locale}/share/locale ''; - _stdenvSandboxProfile = binShClosure + libSystemProfile; - _extraSandboxProfile = binShClosure + libSystemProfile; + stdenvSandboxProfile = binShClosure + libSystemProfile; + extraSandboxProfile = binShClosure + libSystemProfile; initialPath = import ../common-path.nix { inherit pkgs; }; shell = "${pkgs.bash}/bin/bash"; -- cgit 1.4.1 From f5609a4d2ab02a1a39499e78e65ab2ea1f93ff10 Mon Sep 17 00:00:00 2001 From: Jude Taylor Date: Sat, 21 Nov 2015 15:51:48 -0800 Subject: reintroduce impure host deps to all derivations --- pkgs/os-specific/darwin/apple-sdk/default.nix | 2 +- pkgs/os-specific/darwin/apple-source-releases/CF/default.nix | 2 +- pkgs/stdenv/generic/default.nix | 12 ++++++++++++ 3 files changed, 14 insertions(+), 2 deletions(-) (limited to 'pkgs/os-specific') diff --git a/pkgs/os-specific/darwin/apple-sdk/default.nix b/pkgs/os-specific/darwin/apple-sdk/default.nix index f1e3556273e..7c3d1482f81 100644 --- a/pkgs/os-specific/darwin/apple-sdk/default.nix +++ b/pkgs/os-specific/darwin/apple-sdk/default.nix @@ -100,7 +100,7 @@ let (allow file-read* (subpath "/System/Library/Frameworks/${name}.framework")) ''; - __propagatedImpureHostDeps = "/System/Library/Frameworks/${name}.framework/${name}"; + __propagatedImpureHostDeps = [ "/System/Library/Frameworks/${name}.framework/${name}" ]; meta = with stdenv.lib; { description = "Apple SDK framework ${name}"; diff --git a/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix b/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix index aededa1a073..3993a360156 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix @@ -8,7 +8,7 @@ appleDerivation { patches = [ ./add-cf-initialize.patch ./add-cfmachport.patch ./cf-bridging.patch ]; - __propagatedImpureHostDeps = "/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation"; + __propagatedImpureHostDeps = [ "/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation" ]; preBuild = '' substituteInPlace Makefile \ diff --git a/pkgs/stdenv/generic/default.nix b/pkgs/stdenv/generic/default.nix index 850a2796259..dbb3e25a147 100644 --- a/pkgs/stdenv/generic/default.nix +++ b/pkgs/stdenv/generic/default.nix @@ -160,6 +160,10 @@ let lib.concatMap (input: input.__propagatedSandboxProfile or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs); computedPropagatedSandboxProfile = lib.concatMap (input: input.__propagatedSandboxProfile or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs); + computedImpureHostDeps = + lib.unique (lib.concatMap (input: input.__propagatedImpureHostDeps or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs)); + computedPropagatedImpureHostDeps = + lib.unique (lib.concatMap (input: input.__propagatedImpureHostDeps or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs)); in { builder = attrs.realBuilder or shell; @@ -183,6 +187,13 @@ let final = lib.concatStringsSep "\n" (lib.filter (x: x != "") (lib.unique profiles)); in final; __propagatedSandboxProfile = lib.unique (computedPropagatedSandboxProfile ++ [ propagatedSandboxProfile ]); + __impureHostDeps = computedImpureHostDeps ++ computedPropagatedImpureHostDeps ++ __propagatedImpureHostDeps ++ __impureHostDeps ++ __extraImpureHostDeps ++ [ + "/dev/zero" + "/dev/random" + "/dev/urandom" + "/bin/sh" + ]; + __propagatedImpureHostDeps = computedPropagatedImpureHostDeps ++ __propagatedImpureHostDeps; } // (if outputs' != [ "out" ] then { outputs = outputs'; } else { })))) ( @@ -220,6 +231,7 @@ let } // ifDarwin { __sandboxProfile = stdenvSandboxProfile; + __impureHostDeps = __stdenvImpureHostDeps; }) // rec { -- cgit 1.4.1 From 4cd86cb068558c68308dfeda47fefd7329dd561c Mon Sep 17 00:00:00 2001 From: Jude Taylor Date: Sat, 21 Nov 2015 15:55:19 -0800 Subject: in cf-private, use correct path to CoreFoundation --- pkgs/os-specific/darwin/cf-private/setup-hook.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'pkgs/os-specific') diff --git a/pkgs/os-specific/darwin/cf-private/setup-hook.sh b/pkgs/os-specific/darwin/cf-private/setup-hook.sh index a83a1323bf8..7594c07977b 100644 --- a/pkgs/os-specific/darwin/cf-private/setup-hook.sh +++ b/pkgs/os-specific/darwin/cf-private/setup-hook.sh @@ -6,7 +6,7 @@ linkWithRealCF() { # gross! many symbols (such as _OBJC_CLASS_$_NSArray) are defined in system CF, but not # in the opensource release # if the package needs private headers, we assume they also want to link with system CF - NIX_LDFLAGS+=" /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation" + NIX_LDFLAGS+=" /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation" } preConfigureHooks+=(prependSearchPath linkWithRealCF) -- cgit 1.4.1 From 32cb70bb0743b81a011bb3e4e33f26ea0caca1a1 Mon Sep 17 00:00:00 2001 From: Jude Taylor Date: Sat, 21 Nov 2015 15:59:43 -0800 Subject: propagate nothing for Kernel.framework since it exposes no library --- pkgs/os-specific/darwin/apple-sdk/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'pkgs/os-specific') diff --git a/pkgs/os-specific/darwin/apple-sdk/default.nix b/pkgs/os-specific/darwin/apple-sdk/default.nix index 7c3d1482f81..847738158da 100644 --- a/pkgs/os-specific/darwin/apple-sdk/default.nix +++ b/pkgs/os-specific/darwin/apple-sdk/default.nix @@ -100,7 +100,7 @@ let (allow file-read* (subpath "/System/Library/Frameworks/${name}.framework")) ''; - __propagatedImpureHostDeps = [ "/System/Library/Frameworks/${name}.framework/${name}" ]; + __propagatedImpureHostDeps = stdenv.lib.optional (name != "Kernel") "/System/Library/Frameworks/${name}.framework/${name}"; meta = with stdenv.lib; { description = "Apple SDK framework ${name}"; -- cgit 1.4.1 From d539d9c935813a8d71d8c6e660a60f07a5ab15a5 Mon Sep 17 00:00:00 2001 From: Jude Taylor Date: Wed, 25 Nov 2015 10:09:35 -0800 Subject: revert to __impureHostDeps where possible --- pkgs/applications/editors/vim/default.nix | 2 +- pkgs/os-specific/darwin/apple-sdk/default.nix | 4 +--- 2 files changed, 2 insertions(+), 4 deletions(-) (limited to 'pkgs/os-specific') diff --git a/pkgs/applications/editors/vim/default.nix b/pkgs/applications/editors/vim/default.nix index 363413a698e..a09eb846e50 100644 --- a/pkgs/applications/editors/vim/default.nix +++ b/pkgs/applications/editors/vim/default.nix @@ -43,7 +43,7 @@ stdenv.mkDerivation rec { ]; }; - sandboxProfile = stdenv.lib.sandbox.allowFileRead "/dev/ptmx"; + __impureHostDeps = [ "/dev/ptmx" ]; # To fix the trouble in vim73, that it cannot cross-build with this patch # to bypass a configure script check that cannot be done cross-building. diff --git a/pkgs/os-specific/darwin/apple-sdk/default.nix b/pkgs/os-specific/darwin/apple-sdk/default.nix index 847738158da..c18d3f6cc6d 100644 --- a/pkgs/os-specific/darwin/apple-sdk/default.nix +++ b/pkgs/os-specific/darwin/apple-sdk/default.nix @@ -96,9 +96,7 @@ let propagatedBuildInputs = deps; # allows building the symlink tree - sandboxProfile = '' - (allow file-read* (subpath "/System/Library/Frameworks/${name}.framework")) - ''; + __impureHostDeps = [ "/System/Library/Frameworks/${name}.framework" ]; __propagatedImpureHostDeps = stdenv.lib.optional (name != "Kernel") "/System/Library/Frameworks/${name}.framework/${name}"; -- cgit 1.4.1 From 03a3a905b9c547f5ac687f341fb8f1ce636f2959 Mon Sep 17 00:00:00 2001 From: aszlig Date: Tue, 1 Dec 2015 09:32:49 +0100 Subject: linux-testing: 4.4.0-rc1 -> 4.4.0-rc3 Upstream changes can be found at: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/log/?id=v4.4-rc1&id2=v4.4-rc3 Signed-off-by: aszlig --- pkgs/os-specific/linux/kernel/linux-testing.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'pkgs/os-specific') diff --git a/pkgs/os-specific/linux/kernel/linux-testing.nix b/pkgs/os-specific/linux/kernel/linux-testing.nix index 3a57839b85c..33f78f5580e 100644 --- a/pkgs/os-specific/linux/kernel/linux-testing.nix +++ b/pkgs/os-specific/linux/kernel/linux-testing.nix @@ -1,13 +1,13 @@ { stdenv, fetchurl, perl, buildLinux, ... } @ args: import ./generic.nix (args // rec { - version = "4.4-rc1"; - modDirVersion = "4.4.0-rc1"; + version = "4.4-rc3"; + modDirVersion = "4.4.0-rc3"; extraMeta.branch = "4.4"; src = fetchurl { url = "mirror://kernel/linux/kernel/v4.x/testing/linux-${version}.tar.xz"; - sha256 = "05zz8vvkd2jm3l19vydz627lmhc6zvhh5v9ij5hrh8m6g3zhyfga"; + sha256 = "1c45bjclz5y039nqwrfil8yzv108r6vvbjfrq7dpz64iyf7iqnv4"; }; features.iwlwifi = true; -- cgit 1.4.1 From 4a2b075154a629679d296f40283bc1f9c5cd5d3d Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Mon, 19 Oct 2015 04:00:32 +0200 Subject: jool: 3.3.2 -> 3.4.2, fixes #11299 --- pkgs/os-specific/linux/jool/source.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'pkgs/os-specific') diff --git a/pkgs/os-specific/linux/jool/source.nix b/pkgs/os-specific/linux/jool/source.nix index 196167667e0..7a341b9e82b 100644 --- a/pkgs/os-specific/linux/jool/source.nix +++ b/pkgs/os-specific/linux/jool/source.nix @@ -1,9 +1,9 @@ { fetchzip }: rec { - version = "3.3.2"; + version = "3.4.2"; src = fetchzip { url = "https://www.jool.mx/download/Jool-${version}.zip"; - sha256 = "0hc6vlxzmjrgf7vjcwprdqcbx3biq8kphks5k725mrd9rb84drgw"; + sha256 = "1qv7wwipylb76n8m8vphbf9rgxrryb42dsyw6mm43zjc9knsz7r0"; }; } -- cgit 1.4.1 From 79bd2b08ee56cc5e900d2f3ad8bd3ea0b5d88415 Mon Sep 17 00:00:00 2001 From: aszlig Date: Tue, 1 Dec 2015 11:08:12 +0100 Subject: linux-testing: Fix build with default config. Regression introduced by 03a3a905b9c547f5ac687f341fb8f1ce636f2959. Our default config includes all modules and since torvalds/linux@47ca6ec this results in a regression due to in a circular dependency between libcfs and LNet: depmod: ERROR: Found 2 modules in dependency cycles! depmod: ERROR: Cycle detected: lnet -> libcfs -> lnet The discussion regarding this in the LKML is here: https://lkml.org/lkml/2015/11/2/388 So this adds a patch which is not yet included in mainline and has been submitted to the LKML at: https://lkml.org/lkml/2015/11/6/987 Built successfully via "nix-build -A linux-testing". Signed-off-by: aszlig --- pkgs/os-specific/linux/kernel/linux-testing.nix | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'pkgs/os-specific') diff --git a/pkgs/os-specific/linux/kernel/linux-testing.nix b/pkgs/os-specific/linux/kernel/linux-testing.nix index 33f78f5580e..3a9cb410487 100644 --- a/pkgs/os-specific/linux/kernel/linux-testing.nix +++ b/pkgs/os-specific/linux/kernel/linux-testing.nix @@ -19,4 +19,13 @@ import ./generic.nix (args // rec { # Should the testing kernels ever be built on Hydra? extraMeta.hydraPlatforms = []; + kernelPatches = stdenv.lib.singleton { + name = "fix-depmod-cycle"; + patch = fetchurl { + name = "lustre-remove-IOC_LIBCFS_PING_TEST-ioctl.patch"; + url = "https://lkml.org/lkml/diff/2015/11/6/987/1"; + sha256 = "0ja9103f4s65fyn5b6z6lggplnm97hhz4rmpfn4m985yqw7zgihd"; + }; + }; + } // (args.argsOverride or {})) -- cgit 1.4.1 From 43a1cfccf55b5e4cb8a38199373087d0f3c22e2e Mon Sep 17 00:00:00 2001 From: Jan Malakhovski Date: Fri, 4 Dec 2015 16:15:44 +0000 Subject: conky: build the docs, fixes #11461 --- pkgs/os-specific/linux/conky/default.nix | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) (limited to 'pkgs/os-specific') diff --git a/pkgs/os-specific/linux/conky/default.nix b/pkgs/os-specific/linux/conky/default.nix index 62c883b6ab8..46b749f55e8 100644 --- a/pkgs/os-specific/linux/conky/default.nix +++ b/pkgs/os-specific/linux/conky/default.nix @@ -8,6 +8,12 @@ , ibmSupport ? true # IBM/Lenovo notebooks # optional features with extra dependencies + +# ouch, this is ugly, but this gives the man page +, docsSupport ? true, docbook2x, libxslt ? null + , man ? null, less ? null + , docbook_xsl ? null , docbook_xml_dtd_44 ? null + , ncursesSupport ? true , ncurses ? null , x11Support ? true , xlibsWrapper ? null , xdamageSupport ? x11Support, libXdamage ? null @@ -27,6 +33,10 @@ , libxml2 ? null }: +assert docsSupport -> docbook2x != null && libxslt != null + && man != null && less != null + && docbook_xsl != null && docbook_xml_dtd_44 != null; + assert ncursesSupport -> ncurses != null; assert x11Support -> xlibsWrapper != null; @@ -63,11 +73,20 @@ stdenv.mkDerivation rec { postPatch = '' sed -i -e '/include.*CheckIncludeFile)/i include(CheckIncludeFiles)' \ cmake/ConkyPlatformChecks.cmake + '' + optionalString docsSupport '' + # Drop examples, since they contain non-ASCII characters that break docbook2x :( + sed -i 's/ Example: .*$//' doc/config_settings.xml + + substituteInPlace cmake/Docbook.cmake \ + --replace "http://docbook.sourceforge.net/release/xsl/current/html/docbook.xsl" "${docbook_xsl}/xml/xsl/docbook/html/docbook.xsl" + substituteInPlace doc/docs.xml \ + --replace "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" "${docbook_xml_dtd_44}/xml/dtd/docbook/docbookx.dtd" ''; NIX_LDFLAGS = "-lgcc_s"; buildInputs = [ pkgconfig glib cmake ] + ++ optionals docsSupport [ docbook2x libxslt man less ] ++ optional ncursesSupport ncurses ++ optional x11Support xlibsWrapper ++ optional xdamageSupport libXdamage @@ -82,6 +101,7 @@ stdenv.mkDerivation rec { ; cmakeFlags = [ "-DCMAKE_BUILD_TYPE=Release" ] + ++ optional docsSupport "-DMAINTAINER_MODE=ON" ++ optional curlSupport "-DBUILD_CURL=ON" ++ optional (!ibmSupport) "-DBUILD_IBM=OFF" ++ optional imlib2Support "-DBUILD_IMLIB2=ON" -- cgit 1.4.1 From f4c01fc004dfb10d5d2a3988d7ddb199a0aa11e8 Mon Sep 17 00:00:00 2001 From: Gabriel Ebner Date: Sun, 6 Dec 2015 14:30:18 +0100 Subject: systemd: enable timedated, hostnamed, localed. --- nixos/modules/system/boot/systemd.nix | 6 ++++++ pkgs/os-specific/linux/systemd/default.nix | 6 +++--- 2 files changed, 9 insertions(+), 3 deletions(-) (limited to 'pkgs/os-specific') diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index d145baeebe9..826368e711a 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -148,6 +148,12 @@ let # Misc. "systemd-sysctl.service" + "dbus-org.freedesktop.timedate1.service" + "dbus-org.freedesktop.locale1.service" + "dbus-org.freedesktop.hostname1.service" + "systemd-timedated.service" + "systemd-localed.service" + "systemd-hostnamed.service" ] ++ cfg.additionalUpstreamSystemUnits; diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix index a78f51ddb36..234c60a37f2 100644 --- a/pkgs/os-specific/linux/systemd/default.nix +++ b/pkgs/os-specific/linux/systemd/default.nix @@ -48,13 +48,13 @@ stdenv.mkDerivation rec { "--enable-compat-libs" # get rid of this eventually "--disable-tests" - "--disable-hostnamed" + "--enable-hostnamed" "--enable-networkd" "--disable-sysusers" - "--disable-timedated" + "--enable-timedated" "--enable-timesyncd" "--disable-firstboot" - "--disable-localed" + "--enable-localed" "--enable-resolved" "--disable-split-usr" "--disable-libcurl" -- cgit 1.4.1 From 1da87d40628c99081bac0a5d8b32c27123889826 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Mon, 7 Dec 2015 20:24:02 +0100 Subject: systemd: Update to 228 --- pkgs/os-specific/linux/systemd/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'pkgs/os-specific') diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix index 234c60a37f2..35bd117f0bb 100644 --- a/pkgs/os-specific/linux/systemd/default.nix +++ b/pkgs/os-specific/linux/systemd/default.nix @@ -12,14 +12,14 @@ assert stdenv.isLinux; assert pythonSupport -> pythonPackages != null; stdenv.mkDerivation rec { - version = "227"; + version = "228"; name = "systemd-${version}"; src = fetchFromGitHub { owner = "NixOS"; repo = "systemd"; - rev = "7d94d27801d20278103d8c146633fe81e06697d6"; - sha256 = "0cvzsrazqgbia3zajb0z4ik8myfil4bdy2c29qs6w93d6yvrjfkj"; + rev = "17c30663f79499ad0163c7ffe2c79e5c28525a6f"; + sha256 = "0jyqwqyh7l2qp7k4h83gzzp9bgijz0bx02jhd0063jcl1s2amlnh"; }; outputs = [ "out" "man" "doc" ]; -- cgit 1.4.1 From c00feace3984b779e5a2f8e89ac0d0822ecf74a8 Mon Sep 17 00:00:00 2001 From: aszlig Date: Tue, 8 Dec 2015 03:48:46 +0100 Subject: linux-testing: 4.4.0-rc3 -> 4.4.0-rc4 Upstream changes can be found at: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/log/?id=v4.4-rc4 Signed-off-by: aszlig --- pkgs/os-specific/linux/kernel/linux-testing.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'pkgs/os-specific') diff --git a/pkgs/os-specific/linux/kernel/linux-testing.nix b/pkgs/os-specific/linux/kernel/linux-testing.nix index 3a9cb410487..5006f0519eb 100644 --- a/pkgs/os-specific/linux/kernel/linux-testing.nix +++ b/pkgs/os-specific/linux/kernel/linux-testing.nix @@ -1,13 +1,13 @@ { stdenv, fetchurl, perl, buildLinux, ... } @ args: import ./generic.nix (args // rec { - version = "4.4-rc3"; - modDirVersion = "4.4.0-rc3"; + version = "4.4-rc4"; + modDirVersion = "4.4.0-rc4"; extraMeta.branch = "4.4"; src = fetchurl { url = "mirror://kernel/linux/kernel/v4.x/testing/linux-${version}.tar.xz"; - sha256 = "1c45bjclz5y039nqwrfil8yzv108r6vvbjfrq7dpz64iyf7iqnv4"; + sha256 = "040ddm61rifscssnycd1lq9bfni3yrsdrrgg172rb9h5d7ya6981"; }; features.iwlwifi = true; -- cgit 1.4.1 From 54d6f1f683a448e094f31b5732c424c2467eaf8d Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Thu, 10 Dec 2015 16:26:33 +0100 Subject: linux: 3.14.56 -> 3.14.58 --- pkgs/os-specific/linux/kernel/linux-3.14.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'pkgs/os-specific') diff --git a/pkgs/os-specific/linux/kernel/linux-3.14.nix b/pkgs/os-specific/linux/kernel/linux-3.14.nix index afb4437459b..987452618f0 100644 --- a/pkgs/os-specific/linux/kernel/linux-3.14.nix +++ b/pkgs/os-specific/linux/kernel/linux-3.14.nix @@ -1,13 +1,13 @@ { stdenv, fetchurl, perl, buildLinux, ... } @ args: import ./generic.nix (args // rec { - version = "3.14.56"; + version = "3.14.58"; # Remember to update grsecurity! extraMeta.branch = "3.14"; src = fetchurl { url = "mirror://kernel/linux/kernel/v3.x/linux-${version}.tar.xz"; - sha256 = "1ggvjrz51nfhj7amn3v2nd0b0x8dnz68k9cldzl729cqp9gsc3hf"; + sha256 = "0jw1023cpn4bjmi0db86lrxri9xj75cj8p2iqs44jabvh35idl7l"; }; features.iwlwifi = true; -- cgit 1.4.1 From fc6d1471ce114dc91085b68337535ea83ca56682 Mon Sep 17 00:00:00 2001 From: aszlig Date: Fri, 11 Dec 2015 11:29:49 +0100 Subject: linux-testing: Revert build fix for -rc3. This reverts commit 79bd2b08ee56cc5e900d2f3ad8bd3ea0b5d88415. The commit was from an upstream commit anyway and has since been applied to mainline. Signed-off-by: aszlig --- pkgs/os-specific/linux/kernel/linux-testing.nix | 9 --------- 1 file changed, 9 deletions(-) (limited to 'pkgs/os-specific') diff --git a/pkgs/os-specific/linux/kernel/linux-testing.nix b/pkgs/os-specific/linux/kernel/linux-testing.nix index 5006f0519eb..54ad2183382 100644 --- a/pkgs/os-specific/linux/kernel/linux-testing.nix +++ b/pkgs/os-specific/linux/kernel/linux-testing.nix @@ -19,13 +19,4 @@ import ./generic.nix (args // rec { # Should the testing kernels ever be built on Hydra? extraMeta.hydraPlatforms = []; - kernelPatches = stdenv.lib.singleton { - name = "fix-depmod-cycle"; - patch = fetchurl { - name = "lustre-remove-IOC_LIBCFS_PING_TEST-ioctl.patch"; - url = "https://lkml.org/lkml/diff/2015/11/6/987/1"; - sha256 = "0ja9103f4s65fyn5b6z6lggplnm97hhz4rmpfn4m985yqw7zgihd"; - }; - }; - } // (args.argsOverride or {})) -- cgit 1.4.1