Commit Graph

233 Commits

Author SHA1 Message Date
tomberek
1ee7a9b84f
Merge pull request from GHSA-q82p-44mg-mgh5
Fix sandbox escape 2.18
2024-06-26 18:49:22 -04:00
Maximilian Bosch
a75c34a2c9
Require at least libseccomp 2.5.5
Closes #10585

As it turns out, libseccomp maintains an internal syscall table and
validates each rule against it. This means that when using libseccomp
2.5.4 or older, one may pass `452` as syscall number against it, but
since it doesn't exist in the internal structure, `libseccomp` will refuse
to create a filter for that. This happens with nixpkgs-23.11, i.e. on
stable NixOS and when building Nix against the project's flake.

To work around that

* a backport of libseccomp 2.5.5 on upstream nixpkgs has been
  scheduled[1].

* the package now uses libseccomp 2.5.5 on its own already. This is to
  provide a quick fix since the correct fix for 23.11 is still a staging cycle
  away.

It must not be possible to build a Nix with an incompatible libseccomp
version (nothing can be built in a sandbox on Linux!), so configure.ac
rejects libseccomp if `__SNR_fchmodat2` is not defined.

We still need the compat header though since `SCMP_SYS(fchmodat2)`
internally transforms this into `__SNR_fchmodat2` which points to
`__NR_fchmodat2` from glibc 2.39, so it wouldn't build on glibc 2.38.
The updated syscall table from libseccomp 2.5.5 is NOT used for that
step, but used later, so we need both, our compat header and their
syscall table 🤷

[1] https://github.com/NixOS/nixpkgs/pull/306070

(cherry picked from commit 73918b0ae4)
2024-04-24 23:41:46 +02:00
Théophane Hufschmitt
d24431dea2 Add a test for the user sandboxing
test: add user-sandboxing to hydraJobs
2024-04-22 09:56:49 -04:00
Tom Bereknyei
f8d20e91a4 Add a NixOS test for the sandbox escape
Test that we can't leverage abstract unix domain sockets to leak file
descriptors out of the sandbox and modify the path after it has been
registered.

Co-authored-by: Theophane Hufschmitt <theophane.hufschmitt@tweag.io>
2024-03-07 09:33:40 +01:00
John Ericson
f7f37035c8 Move tests to separate directories, and document
Today, with the tests inside a `tests` intermingled with the
corresponding library's source code, we have a few problems:

- We have to be careful that wildcards don't end up with tests being
  built as part of Nix proper, or test headers being installed as part
  of Nix proper.

- Tests in libraries but not executables is not right:

  - It means each executable runs the previous unit tests again, because
    it needs the libraries.

  - It doesn't work right on Windows, which doesn't want you to load a
    DLL just for the side global variable . It could be made to work
    with the dlopen equivalent, but that's gross!

This reorg solves these problems.

There is a remaining problem which is that sibbling headers (like
`hash.hh` the test header vs `hash.hh` the main `libnixutil` header) end
up shadowing each other. This PR doesn't solve that. That is left as
future work for a future PR.

Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>

(cherry picked from commit 91b6833686)
(cherry picked from commit a61e42adb5)
2023-12-01 13:05:03 -05:00
John Ericson
30dcc19d1f Put functional tests in tests/functional
I think it is bad for these reasons when `tests/` contains a mix of
functional and integration tests

 - Concepts is harder to understand, the documentation makes a good
   unit vs functional vs integration distinction, but when the
   integration tests are just two subdirs within `tests/` this is not
   clear.

 - Source filtering in the `flake.nix` is more complex. We need to
   filter out some of the dirs from `tests/`, rather than simply pick
   the dirs we want and take all of them. This is a good sign the
   structure of what we are trying to do is not matching the structure
   of the files.

With this change we have a clean:
```shell-session
$ git show 'HEAD:tests'
tree HEAD:tests

functional/
installer/
nixos/
```

(cherry picked from commit 68c81c7375)
2023-12-01 12:06:43 -05:00
Gerg-L
277ba90779 flake: complete update to 23.05
(cherry picked from commit f264d9ff08)
2023-09-25 08:43:54 +00:00
Eelco Dolstra
44fb119218 Mark official release 2023-09-20 12:49:01 +02:00
Eelco Dolstra
126e2645f2 Disable rapidcheck tests in the coverage run
https://hydra.nixos.org/build/233688539
2023-09-19 16:04:00 +02:00
Eelco Dolstra
c8afa01bc2 Try aws-sdk-cpp fix 2023-09-19 14:51:50 +02:00
Vladimír Čunát
539cc5e5f0 flake: update nixpkgs: 22.11 -> 23.05
The lowdown input can't be updated; `nix build` would fail to find it.

Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
2023-09-01 14:07:25 +02:00
Robert Hensing
3384f70a3d nixpkgsLibTests: Only test our Nix
Interface has changed upstream.
It *should* be fine to test 23.05's other Nix versions as those
*should* succeed, but that's not the case and it's obfuscating
our terrible CI setup's log.
2023-08-30 19:34:35 -04:00
p01arst0rm
7d82341633 update system definitions 2023-08-23 19:28:24 +01:00
Robert Hensing
21a188a2b4 Add gc root for nixpkgs/lib content 2023-08-16 16:01:46 +02:00
Robert Hensing
63e0b5d081 GC root for fetched nixpkgs/lib content 2023-08-16 15:46:37 +02:00
Robert Hensing
b13fc7101f Add positive source filter
Source filtering is a really cool Nix feature that lets us avoid a
lot of rebuilds, which speeds up the iteration cycle a lot in cases
where the relevant source files aren't actually modified.

We used to have a source filter that marked a few files as irrelevant,
but this is the wrong approach, as we have many more files that are
irrelevant. We may call this negative filtering.

This commit switches the source filtering to positive filtering, which
is a lot more robust. Instead of marking which files we don't need
we marked the files that we do need.

It's a superior approach because it is fail safe. Instead of allowing
build performance problems to creep in over time, we require that all
source inputs are declared.

I shouldn't have to explain that declaring inputs is a good practice,
so I'll stop over-explaining here.

I do have to acknowledge that this will cause a build failure when the
filter is incomplete. This is *good*, because it's the only realistic
way we could be reminded of these problems. These events will be
infrequent, so the small cost of extending the filter is worth it,
compared to the hidden cost of longer dev cycles for things like tests,
docker image, etc, etc.

(Also rebuilding Nix for stupid unnecessary reasons makes my blood boil)
2023-08-16 14:21:59 +02:00
Eelco Dolstra
1ad3328c5e Allow tarball URLs to redirect to a lockable immutable URL
Previously, for tarball flakes, we recorded the original URL of the
tarball flake, rather than the URL to which it ultimately
redirects. Thus, a flake URL like
http://example.org/patchelf-latest.tar that redirects to
http://example.org/patchelf-<revision>.tar was not really usable. We
couldn't record the redirected URL, because sites like GitHub redirect
to CDN URLs that we can't rely on to be stable.

So now we use the redirected URL only if the server returns the
`x-nix-is-immutable` or `x-amz-meta-nix-is-immutable` headers in its
response.
2023-06-13 14:17:45 +02:00
Philipp Otterbein
ca6b759f4e fix failing configure in nix-tests 2023-04-09 02:33:53 +02:00
Eelco Dolstra
2425121a59 Remove nixpkgsFor flake output
Fixes "warning: unknown flake output 'nixpkgsFor'".
2023-03-31 16:08:16 +02:00
Théophane Hufschmitt
e32ca3cf16
Merge pull request #8018 from tweag/ssh-password-prompt
SSH: don't erase password prompt if it is displayed
2023-03-31 12:06:10 +02:00
Alexander Bantyev
80f9231b69
Filter tests/nixos from source 2023-03-24 14:29:28 +04:00
Alexander Bantyev
85a2d1d94f
Add a test for nix copy over ssh
Check that nix copy can copy stuff, refuses to copy unsigned paths by
default, and doesn't hide the ssh password prompt.
2023-03-22 09:45:08 +04:00
Eelco Dolstra
658847179a Fix internal-api rendering in Hydra
Currently it gives a 500 error with "Do not know how to serve path
'/nix/store/bym5sm8z2wpavnvzancb9gjdlgyzs1l8-nix-internal-api-docs-2.15.0pre20230320_e37f436/share/doc/nix/internal-api'."
2023-03-20 13:13:57 +01:00
Théophane Hufschmitt
9ec1a3ae60
Merge pull request #7989 from sysedwinistrator/flake-compat-sha256-mr
add flake-compat to flake.nix and use sha256 in default.nix
2023-03-14 17:12:50 +01:00
John Ericson
6910f5dcb6 Generate API docs with Doxygen
The motivation is as stated in issue #7814: even though the the C++ API
is internal and unstable, people still want it to be well documented for
sake of learning, code review, and other purposes that aren't predicated
on it being stable.

Fixes #7814

Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
2023-03-10 12:51:06 -05:00
Eelco Dolstra
693b1be81f Run 'make installcheck' again
This was failing because the check for the existence of the
'installcheck' target failed silently, so the whole phase got
skipped. It works by running 'make -n installcheck 2> /dev/null',
which however barfs with

  /nix/store/039g378vc3pc3dvi9dzdlrd0i4q93qwf-binutils-2.39/bin/ld.gold: error: cannot open tests/plugins/plugintest.o: No such file or directory

Fixes #8004.
2023-03-08 14:48:29 +01:00
Eelco Dolstra
bda8d7f165 Fix coverage job
https://hydra.nixos.org/build/211747539
2023-03-08 14:20:10 +01:00
Edwin Mackenzie-Owen
934431d06c add flake-compat to flake.nix and use sha256 in default.nix 2023-03-06 21:11:24 +01:00
Eelco Dolstra
19c1a4699b
Merge pull request #7946 from cole-h/restore-static-bin-dist
flake: restore binary-dist artifact to Hydra static builds
2023-03-03 10:23:17 +01:00
Cole Helbling
a8d0ff1a11 flake: restore binary-dist artifact to Hydra static builds 2023-03-02 10:02:55 -08:00
Eelco Dolstra
9c79ce353d Fix 'make check' inside 'nix develop' 2023-03-02 16:11:49 +01:00
Robert Hensing
892d46adbb
flake.nix: Force the ./configure tests setting
This always forces the setting, rather than relying on its default, and cleans up the code a bit.

Co-authored-by: John Ericson <git@JohnEricson.me>
2023-02-28 15:56:46 +01:00
Robert Hensing
8648ebc2cc Add ./configure --disable-tests option
Building without tests is useful for bootstrapping with a smaller footprint
or running the tests in a separate derivation. Otherwise, we do compile and
run them.

This isn't fine grained as to allow picking `check` but not `installcheck`
or vice versa, but it's good enough for now.

I've tried to use Nixpkgs' `checkInputs`, but those inputs weren't discovered
properly by the configure script. We can emulate its behavior very well though.
2023-02-24 09:50:21 +01:00
Eelco Dolstra
c30907829c Fix the static build
It doesn't produce a "debug" output, so the build failed without an
error message in Hydra (https://hydra.nixos.org/build/210121811).
2023-02-22 14:10:07 +01:00
John Ericson
16111aa32e Fix isStatic arguments to commonDeps
Some dependencies supposed to be skipped in the cross build, along with
not using the gold linker. But in https://github.com/NixOS/nix/pull/6538
this was accidentally not preserved.

Also since https://github.com/NixOS/nix/pull/6538 we saw some new
aarch64-linux static build failures. This is a first attempt to try to
fix those failures. If this is not sufficient, there are other things we
can try next.
2023-02-21 10:21:51 -05:00
John Ericson
d7a4f08d42
Nix's own flake: Dedup and memoize more
- `nixpkgsFor` does all of native, static, cross, and the different stdenvs.

- The main Nix derivation is no longer duplicated for static.

- DRY nixpkgs.lib and lib.genAttrs calls.
2023-02-20 11:35:51 +01:00
Théophane Hufschmitt
9a3f66d9d9
Merge pull request #7433 from yorickvP/improv-onboarding
Improve hacking.md and add clangd+bear to devshell
2023-02-20 10:50:08 +01:00
Yorick van Pelt
f2e427942d
Improve hacking.md
- Refer to current version in readme
- Split into flakes and non-flakes section
- Change order to move nix-build to the end, since people often start
  with it in the beginning.
- Use proper "Note" syntax
- Add notes about editor integration
- Move information about target platforms and stdenvs into separate
  sections

Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
Co-authored-by: Alexander Bantyev <alexander.bantyev@tweag.io>
Co-authored-by: Théophane Hufschmitt <theophane.hufschmitt@tweag.io>
2023-02-13 12:00:00 +04:00
Yorick van Pelt
012ddaa322
flake.nix: add clangd and bear 2023-02-10 14:29:59 +04:00
Robert Hensing
72b18f05a2 Add a basic daemon authorization test 2023-02-07 16:43:09 +01:00
Théophane Hufschmitt
ccaadc9575
Merge pull request #7648 from hercules-ci/move-nixos-tests
Move nixos tests
2023-01-27 15:11:48 +01:00
John Ericson
75892710f8 Fix the coverage job
See https://hydra.nixos.org/build/206790960
2023-01-24 19:19:19 -05:00
Robert Hensing
f233fd496d
Merge pull request #7679 from hercules-ci/re-add-boehmgc-patch
Revert "fixup: remove boehmgc patch"
2023-01-24 16:26:47 +01:00
Robert Hensing
8270dccf60 Actually complete the revert 2023-01-24 14:57:18 +01:00
John Ericson
a91709a604 Try to fix #7669
The issue *seems* to be the cross jobs, which are missing the `CXXFLAGS`
needed to get rapidcheck.

PR #6538 would be really nice to resurrect which will prevent the
`configureFlags` from going out of sync between the regular build and
the cross build again.
2023-01-23 15:47:26 -05:00
John Ericson
7fe308c2f8 Add rapidcheck dependency for testing
Property tests are great!

Co-authored-by: Cole Helbling <cole.e.helbling@outlook.com>
2023-01-23 07:05:50 -05:00
Robert Hensing
261c25601d Use the official, documented NixOS runTest interface 2023-01-20 16:23:52 +01:00
Robert Hensing
74026bb101 tests: Move NixOS tests to tests/nixos
This will allow contributors to find them more easily.
2023-01-20 15:33:13 +01:00
Robert Hensing
620e4fb89b flake.nix: Add nixpkgs/lib/tests as regression test 2023-01-18 01:55:21 +01:00
Robert Hensing
be10c09d23 manual: Check links
mdbook-linkcheck is not consistent about its warning setting.
It disables some warnings, but not the warnings about lack of
fragment checking support; hence the extra filtering.
2023-01-10 22:30:41 +01:00