Nix, the purely functional package manager
Emily 0b97319ed4 libstore: fix sandboxed builds on macOS
The recent fix for CVE-2024-38531 broke the sandbox on macOS
completely. As it’s not practical to use `chroot(2)` on
macOS, the build takes place in the main filesystem tree, and the
world‐unreadable wrapper directory prevents the build from accessing
its `$TMPDIR` at all.

The macOS sandbox probably shouldn’t be treated as any kind of a
security boundary in its current state, but this specific vulnerability
wasn’t possible to exploit on macOS anyway, as creating `set{u,g}id`
binaries is blocked by sandbox policy.

Locking down the build sandbox further may be a good idea in future,
but it already has significant compatibility issues. For now, restore
the previous status quo on macOS.

Thanks to @alois31 for helping me come to a better understanding of
the vulnerability.

Fixes: 1d3696f0fb
Closes: #11002
(cherry picked from commit af2e1142b1)
(cherry picked from commit 9feee13952)
2024-07-05 15:59:20 +00:00
.github Put functional tests in tests/functional 2023-12-01 12:06:43 -05:00
config Run autoupdate 2021-06-01 11:42:38 +02:00
contrib function-trace: always show the trace 2019-09-18 23:23:21 +02:00
doc Add a release note for the build-dir hardening 2024-04-22 18:37:54 -04:00
m4 autoconf: Fix C++17 detection not working on Ubuntu 16.04. 2019-07-03 04:32:25 +02:00
maintainers maintainers: add note on marking PRs as draft 2023-06-19 10:55:34 +02:00
misc Choose a reasonable number similar to LimitNOFile 2023-07-07 07:52:16 -07:00
mk Put functional tests in tests/functional 2023-12-01 12:06:43 -05:00
perl Allow dynamic derivation deps in inputDrvs 2023-09-07 10:39:37 -04:00
scripts Merge pull request #8512 from scarf005/install-show-uid 2023-06-15 13:49:44 +02:00
src libstore: fix sandboxed builds on macOS 2024-07-05 15:59:20 +00:00
tests Run the builds in a daemon-controlled directory 2024-04-22 18:37:52 -04:00
.dir-locals.el .dir-locals.el: Set c-block-comment-prefix 2020-07-10 11:21:06 +02:00
.editorconfig Add .editorconfig 2017-06-05 22:57:28 +01:00
.gitignore Move tests to separate directories, and document 2023-12-01 13:05:03 -05:00
.version Bump version 2024-06-27 11:24:27 +02:00
boehmgc-coroutine-sp-fallback.diff Always disable GC in a coroutine unless the patch is applied 2023-04-07 14:54:38 +02:00
bootstrap.sh bootstrap: Simplify & make more robust. 2011-09-06 12:11:05 +00:00
configure.ac Require at least libseccomp 2.5.5 2024-04-24 23:41:46 +02:00
CONTRIBUTING.md Put functional tests in tests/functional 2023-12-01 12:06:43 -05:00
COPYING * Change this to LGPL to keep the government happy. 2006-04-25 16:41:06 +00:00
default.nix add flake-compat to flake.nix and use sha256 in default.nix 2023-03-06 21:11:24 +01:00
docker.nix fix "add an option to include flake-registry..." 2023-05-16 14:35:31 +02:00
flake.lock flake.lock: Update 2023-12-01 11:08:15 -05:00
flake.nix Merge pull request from GHSA-q82p-44mg-mgh5 2024-06-26 18:49:22 -04:00
local.mk Enable -Werror=switch-enum 2023-04-03 18:45:20 +02:00
Makefile Move tests to separate directories, and document 2023-12-01 13:05:03 -05:00
Makefile.config.in Generate API docs with Doxygen 2023-03-10 12:51:06 -05:00
precompiled-headers.h Config: Use nlohmann/json 2020-08-20 11:02:16 +02:00
README.md Improve hacking.md 2023-02-13 12:00:00 +04:00
shell.nix Remove url literals 2022-01-24 13:28:21 +01:00

Nix

Nix is a powerful package manager for Linux and other Unix systems that makes package management reliable and reproducible. Please refer to the Nix manual for more details.

Installation

On Linux and macOS the easiest way to install Nix is to run the following shell command (as a user other than root):

$ curl -L https://nixos.org/nix/install | sh

Information on additional installation methods is available on the Nix download page.

Building And Developing

See the Hacking guide in our manual for instructions on how to set up a development environment and build Nix from source.

Additional Resources

License

Nix is released under the LGPL v2.1.