Commit Graph

17076 Commits

Author SHA1 Message Date
Eelco Dolstra
a57ded2403 Add 'download-buffer-size' setting
We are piping curl downloads into `unpackTarfileToSink()`, but the
latter is typically slower than the former if you're on a fast
connection. So the download could appear unnecessarily slow. (There is
even a risk that if the Git import is *really* slow for whatever
reason, the TCP connection could time out.)

So let's make the download buffer bigger by default - 64 MiB is big
enough for the Nixpkgs tarball. Perhaps in the future, we could have
an unlimited buffer that spills data to disk beyond a certain
threshold, but that's probably overkill.

(cherry picked from commit 8ffea0a018)
2024-07-29 13:02:55 +00:00
Eelco Dolstra
cfef5cacda Log download durations
(cherry picked from commit caf4e98f0c)
2024-07-29 13:02:55 +00:00
Eelco Dolstra
aaed4a90b5 Bump version 2024-07-05 19:55:46 +02:00
Eelco Dolstra
fcaa72bdc7
Merge pull request #11044 from NixOS/backport-11031-to-2.22-maintenance
[Backport 2.22-maintenance] libstore: fix sandboxed builds on macOS
2024-07-05 17:39:27 +02:00
Emily
a500c90375 libstore: fix sandboxed builds on macOS
The recent fix for CVE-2024-38531 broke the sandbox on macOS
completely. As it’s not practical to use `chroot(2)` on
macOS, the build takes place in the main filesystem tree, and the
world‐unreadable wrapper directory prevents the build from accessing
its `$TMPDIR` at all.

The macOS sandbox probably shouldn’t be treated as any kind of a
security boundary in its current state, but this specific vulnerability
wasn’t possible to exploit on macOS anyway, as creating `set{u,g}id`
binaries is blocked by sandbox policy.

Locking down the build sandbox further may be a good idea in future,
but it already has significant compatibility issues. For now, restore
the previous status quo on macOS.

Thanks to @alois31 for helping me come to a better understanding of
the vulnerability.

Fixes: 1d3696f0fb
Closes: #11002
(cherry picked from commit af2e1142b1)
2024-07-05 15:09:00 +00:00
Emily
1a46fb95dd libstore: clean up the build directory properly
After the fix for CVE-2024-38531, this was only removing the nested
build directory, rather than the top‐level temporary directory.

Fixes: 1d3696f0fb
(cherry picked from commit 76e4adfaac)
2024-07-05 15:09:00 +00:00
Robert Hensing
5911f66eba
Merge pull request #11028 from NixOS/backport-11022-to-2.22-maintenance
[Backport 2.22-maintenance] Use proper struct sockpeercred for SO_PEERCRED for OpenBSD
2024-07-03 20:27:41 +02:00
John Ericson
ca78fd9304 Remove invalid release notes YAML field
There is no PR for this, since it was an embargoed fix before
disclosure.

(cherry picked from commit 32e67eba8b)
2024-07-03 20:01:49 +02:00
kn
a06453e45f Use proper struct sockpeercred for SO_PEERCRED for OpenBSD
getsockopt(2) documents this;  ucred is wrong ("cr_" member prefix, no pid).

(cherry picked from commit 10ccdb7a41)
2024-07-03 15:57:13 +00:00
John Ericson
e39cf2fa86 Ident some CPP in nix daemon
Makes it easier for me to read.

(cherry picked from commit a09360400b)
2024-07-03 15:57:13 +00:00
Eelco Dolstra
2de34c5d5f Bump version 2024-06-27 12:26:48 +02:00
tomberek
f5b7733e55
Merge pull request from GHSA-q82p-44mg-mgh5
Fix sandbox escape 2.22
2024-06-26 18:49:22 -04:00
Eelco Dolstra
54b27fcc60 Fix --no-sandbox
When sandboxing is disabled, we cannot put $TMPDIR underneath an
inaccessible directory.

(cherry picked from commit d54590fdf3)
2024-06-21 17:16:52 +02:00
Eelco Dolstra
a82010789e Formatting
(cherry picked from commit 58b7b3fd15)
2024-06-21 17:16:48 +02:00
Eelco Dolstra
f5f0d30597 Put the chroot inside a directory that isn't group/world-accessible
Previously, the .chroot directory had permission 750 or 755 (depending
on the uid-range system feature) and was owned by root/nixbld. This
makes it possible for any nixbld user (if uid-range is disabled) or
any user (if uid-range is enabled) to inspect the contents of the
chroot of an active build and maybe interfere with it (e.g. via /tmp
in the chroot, which has 1777 permission).

To prevent this, the root is now a subdirectory of .chroot, which has
permission 700 and is owned by root/root.

(cherry picked from commit ede95b1fc1)
2024-06-21 17:16:44 +02:00
Théophane Hufschmitt
51909005e0 Add a release note for the build-dir hardening
(cherry picked from commit d99c868b04)
2024-06-21 17:16:39 +02:00
Théophane Hufschmitt
8c20f0fc33 Run the builds in a daemon-controled directory
Instead of running the builds under
`$TMPDIR/{unique-build-directory-owned-by-the-build-user}`, run them
under `$TMPDIR/{unique-build-directory-owned-by-the-daemon}/{subdir-owned-by-the-build-user}`
where the build directory is only readable and traversable by the daemon user.

This achieves two things:

1. It prevents builders from making their build directory world-readable
   (or even writeable), which would allow the outside world to interact
   with them.
2. It prevents external processes running as the build user (either
   because that somehow leaked, maybe as a consequence of 1., or because
   `build-users` isn't in use) from gaining access to the build
   directory.

(cherry picked from commit 1d3696f0fb)
2024-06-21 17:16:37 +02:00
Théophane Hufschmitt
f8f1d7eb54 Add a test for the user sandboxing
(cherry picked from commit 717f3eea39)
2024-06-21 17:16:33 +02:00
Robert Hensing
329ed85134
Merge pull request #10859 from NixOS/backport-10858-to-2.22-maintenance
[Backport 2.22-maintenance] flake check: Recognize well known homeModule/homeModules attribute
2024-06-05 13:45:32 +02:00
Enno Richter
0a78a55d51 flake check: Recognize well known homeModule/homeModules attributes
(cherry picked from commit 80ba7778e7)
2024-06-05 11:15:00 +00:00
Robert Hensing
283d68c4c7
Merge pull request #10846 from NixOS/backport-9897-to-2.22-maintenance
[Backport 2.22-maintenance] libutil/url: fix git+file:./ parse error
2024-06-04 11:07:42 +02:00
Bryan Lai
4f68558c9a libutil/url: fix git+file:./ parse error
Previously, the "file:./" prefix was not correctly recognized in
fixGitURL; instead, it was mistaken as a file path, which resulted in a
parsed url of the form "file://file:./".

This commit fixes the issue by properly detecting the "file:" prefix.
Note, however, that unlike "file://", the "file:./" URI is _not_
standardized, but has been widely used to referred to relative file
paths. In particular, the "git+file:./" did work for nix<=2.18, and was
broken since nix 2.19.0.

Finally, this commit fixes the issue completely for the 2.19 series, but
is still inadequate for the 2.20 series due to new behaviors from the
switch to libgit2. However, it does improve the correctness of parsing
even though it is not yet a complete solution.

(cherry picked from commit 8594f3cd5a)
2024-06-04 08:27:15 +00:00
John Ericson
37ef226e61
Merge pull request #10808 from Mic92/fix-repl
[2.22-maintainance]: backport nix repl edit fixes
2024-05-30 15:11:06 -04:00
eihqnh
f00aa37873 nix repl: make runNix() isInteractive is true by default
(cherry picked from commit bb1a4ea21a)
2024-05-30 19:15:37 +02:00
Sarah Brofeldt
12967aea53 nix repl: hide progress bar during :edit
(cherry picked from commit e5f509ef0b)
2024-05-30 19:15:28 +02:00
Eelco Dolstra
374715cb44
Merge pull request #10721 from NixOS/backport-10675-to-2.22-maintenance
[Backport 2.22-maintenance] Handle zip files containing symlinks
2024-05-16 09:51:54 +02:00
github-actions[bot]
0d42fd0dcf
remove link to relocated manual page (#10707)
fix old anchor redirects to point to the correct location

(cherry picked from commit 45697ba502)

Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
2024-05-15 22:41:41 +02:00
github-actions[bot]
682c71855c
Revert "manual: fold sidebar sections" (#10700)
(cherry picked from commit 937e7bae48)

Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
2024-05-15 22:40:57 +02:00
Eelco Dolstra
92b4adcab8 Handle zip files containing symlinks
In streaming mode, libarchive doesn't handle symlinks in zip files
correctly. So write the entire file to disk so libarchive can access
it in random-access mode.

Fixes #10649. This was broken in cabee98152.

(cherry picked from commit 9951e14ae0)
2024-05-15 20:07:41 +00:00
Eelco Dolstra
f06bf9d4f7
Merge pull request #10692 from NixOS/backport-10686-to-2.22-maintenance
[Backport 2.22-maintenance] git putFile: support flake maximalists
2024-05-13 15:55:39 +02:00
Graham Christensen
0b245b7ad1 git putFile: support flake maximalists
Passing the commit message as an argument causes update failures on repositories with lots of flake inputs. In some cases, the commit message is over 250,000 bytes.

(cherry picked from commit 8b5e8f4fba)
2024-05-13 13:32:11 +00:00
Eelco Dolstra
031f7a7750 Bump version 2024-05-10 11:35:30 +02:00
Robert Hensing
adba2f19a0
Merge pull request #10669 from NixOS/backport-10588-to-2.22-maintenance
[Backport 2.22-maintenance] Fix fetchGit/fetchTree for nested submodules
2024-05-09 11:28:48 +02:00
Robert Hensing
293d59382e Fix fetchGit nested submodules
(cherry picked from commit 750bcaa330)
2024-05-09 09:07:45 +00:00
Eelco Dolstra
1c8150ac31 Bump version 2024-04-23 14:12:50 +02:00
Eelco Dolstra
5fd799cfa7 Mark official release 2024-04-23 11:01:23 +02:00
Eelco Dolstra
1cfc9da472
Merge pull request #10593 from NixOS/release-notes
2.22 release notes
2024-04-23 10:50:43 +02:00
Eelco Dolstra
b219017b88 Typo 2024-04-23 10:21:45 +02:00
Eelco Dolstra
34c5346e98 release notes: 2.22.0 2024-04-23 10:19:32 +02:00
Eelco Dolstra
df424667a3
Merge pull request #10591 from Ma27/require-libseccomp-2.5.5
Require at least libseccomp 2.5.5
2024-04-22 23:27:39 +02:00
Maximilian Bosch
73918b0ae4
Require at least libseccomp 2.5.5
Closes #10585

As it turns out, libseccomp maintains an internal syscall table and
validates each rule against it. This means that when using libseccomp
2.5.4 or older, one may pass `452` as syscall number against it, but
since it doesn't exist in the internal structure, `libseccomp` will refuse
to create a filter for that. This happens with nixpkgs-23.11, i.e. on
stable NixOS and when building Nix against the project's flake.

To work around that

* a backport of libseccomp 2.5.5 on upstream nixpkgs has been
  scheduled[1].

* the package now uses libseccomp 2.5.5 on its own already. This is to
  provide a quick fix since the correct fix for 23.11 is still a staging cycle
  away.

It must not be possible to build a Nix with an incompatible libseccomp
version (nothing can be built in a sandbox on Linux!), so configure.ac
rejects libseccomp if `__SNR_fchmodat2` is not defined.

We still need the compat header though since `SCMP_SYS(fchmodat2)`
internally transforms this into `__SNR_fchmodat2` which points to
`__NR_fchmodat2` from glibc 2.39, so it wouldn't build on glibc 2.38.
The updated syscall table from libseccomp 2.5.5 is NOT used for that
step, but used later, so we need both, our compat header and their
syscall table 🤷

[1] https://github.com/NixOS/nixpkgs/pull/306070
2024-04-22 22:37:34 +02:00
Dylan Green
aa165301d1
Pathlocks Implementation for Windows (#10586)
Based on Volth's original port.

Co-authored-by: volth <volth@volth.com>
2024-04-22 15:08:10 +00:00
Eelco Dolstra
e1fd0e0a8c
Merge pull request #10581 from bam80/patch-3
Update uninstall.md: mention .profile
2024-04-22 11:33:58 +02:00
Eelco Dolstra
790202232c
Merge pull request #10580 from bam80/patch-1
Update installing-binary.md: give TTY to the installer
2024-04-22 11:17:39 +02:00
Eelco Dolstra
16669ae445
Update doc/manual/src/installation/uninstall.md 2024-04-22 11:00:09 +02:00
Eelco Dolstra
cf1adbdd64
Merge pull request #10572 from NorfairKing/no-more-prev
Remove the 'prev' check entirely.
2024-04-22 10:53:31 +02:00
Robert Hensing
6fd2f42c2d
Merge pull request #10573 from RCoeurjoly/Rename_SearchPath
Rename SearchPath to LookupPath and searchPath to lookupPath
2024-04-21 17:33:46 +02:00
Andrey Butirsky
a6d08e3502
Update uninstall.md: remove ~/.nix-* files also 2024-04-21 17:08:37 +03:00
Andrey Butirsky
d4b44a41fb
Update uninstall.md: mention .profile
~/.profile is auto-edited by the single-mode installer so we should mention it in the uninstall instructions
2024-04-21 16:46:03 +03:00
Andrey Butirsky
722dfe9908
Update installing-binary.md: give TTY to the installer
Run the installer with TTY so the process can go interactively
2024-04-21 16:24:09 +03:00