Merge master into staging-next

This commit is contained in:
github-actions[bot] 2024-10-31 00:14:46 +00:00 committed by GitHub
commit c89d3d9070
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
108 changed files with 4893 additions and 735 deletions


@ -150,7 +150,7 @@ All new projects should use the CUDA redistributables available in [`cudaPackage
In the scenario you are unable to run the resulting binary: this is arguably the most complicated as it could be any combination of the previous reasons. This type of failure typically occurs when a library attempts to load or open a library it depends on that it does not declare in its `DT_NEEDED` section. As a first step, ensure that dependencies are patched with [`autoAddDriverRunpath`](https://search.nixos.org/packages?channel=unstable&type=packages&query=autoAddDriverRunpath). Failing that, try running the application with [`nixGL`](https://github.com/guibou/nixGL) or a similar wrapper tool. If that works, it likely means that the application is attempting to load a library that is not in the `RPATH` or `RUNPATH` of the binary.
## Running Docker or Podman containers with CUDA support {#running-docker-or-podman-containers-with-cuda-support}
## Running Docker or Podman containers with CUDA support {#cuda-docker-podman}
It is possible to run Docker or Podman containers with CUDA support. The recommended mechanism to perform this task is to use the [NVIDIA Container Toolkit](https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/latest/index.html).


@ -2951,6 +2951,12 @@
githubId = 535135;
name = "Brennon Loveless";
};
bloxx12 = {
email = "charlie@charlieroot.dev";
github = "bloxx12";
githubId = 75451918;
name = "Charlie Root";
};
bluescreen303 = {
email = "mathijs@bluescreen303.nl";
github = "bluescreen303";
@ -5868,6 +5874,12 @@
githubId = 1931963;
name = "David Sferruzza";
};
dsluijk = {
name = "Dany Sluijk";
email = "nix@dany.dev";
github = "dsluijk";
githubId = 8537327;
};
dstengele = {
name = "Dennis Stengele";
email = "dennis@stengele.me";


@ -343,6 +343,11 @@
This change requires granting access to the repositories to this user or
setting the appropriate one through `services.cgit.some-instance.user`.
- `gradle_6` was removed due to being [unsupported upstream as of 10 Feb 2023](https://endoflife.date/gradle).
Additionally, it had numerous security vulnerabilities that were only patched
in later versions, such as [CVE-2021-29429](https://nvd.nist.gov/vuln/detail/CVE-2021-32751),
[CVE-2021-29427](https://nvd.nist.gov/vuln/detail/CVE-2021-29427), [CVE-2021-29428](https://nvd.nist.gov/vuln/detail/CVE-2021-29428), and [CVE-2021-32751](https://nvd.nist.gov/vuln/detail/CVE-2021-32751).
- `nvimpager` was updated to version 0.13.0, which changes the order of user and
nvimpager settings: user commands in `-c` and `--cmd` now override the
respective default settings because they are executed later.
@ -573,8 +578,17 @@
- The `services.prometheus.exporters.minio` option has been removed, as it's upstream implementation was broken and unmaintained.
Minio now has built-in [Prometheus metrics exposure](https://min.io/docs/minio/linux/operations/monitoring/collect-minio-metrics-using-prometheus.html), which can be used instead.
- The `services.prometheus.exporters.tor` option has been removed, as its upstream implementation was broken and unmaintained.
- The `services.patroni.raft` option has been removed, as Raft has been [deprecated by upstream since 3.0.0](https://github.com/patroni/patroni/blob/master/docs/releases.rst#version-300)
- The `jd-cli` package was removed due to an inactive upstream and a dependency on the shut down
JCenter JAR repository.
Java decompilers already packaged in Nixpkgs include `bytecode-viewer` (GUI), `cfr` (CLI), and `procyon` (CLI).
- The `jd-gui` package was removed due to an inactive upstream and a dependency on the end-of-life Gradle 6.
Java decompilers already packaged in Nixpkgs include `bytecode-viewer` (GUI), `cfr` (CLI), and `procyon` (CLI).
- `services.roundcube.maxAttachmentSize` will multiply the value set with `1.37` to offset overhead introduced by the base64 encoding applied to attachments.
- The `services.mxisd` module has been removed as both [mxisd](https://github.com/kamax-matrix/mxisd) and [ma1sd](https://github.com/ma1uta/ma1sd) are not maintained any longer.
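Review bot: The link for CVE-2021-29429 in the `gradle_6` removal note points at the wrong NVD entry — its URL is `https://nvd.nist.gov/vuln/detail/CVE-2021-32751`, the same target as the last link in the list, so a reader checking that advisory lands on a different vulnerability. Change the href to `https://nvd.nist.gov/vuln/detail/CVE-2021-29429` so each of the four CVEs links to its own record.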


@ -88,7 +88,6 @@ let
"statsd"
"surfboard"
"systemd"
"tor"
"unbound"
"unifi"
"unpoller"
@ -299,6 +298,9 @@ in
The Minio exporter has been removed, as it was broken and unmaintained.
See the 24.11 release notes for more information.
'')
(lib.mkRemovedOptionModule [ "tor" ] ''
The Tor exporter has been removed, as it was broken and unmaintained.
'')
];
};
description = "Prometheus exporter configuration";
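Review bot: The `mkRemovedOptionModule` text for `tor` omits the pointer to the release notes that the sibling `minio` entry carries, so a user who hits the assertion gets no link to the rationale or to the replacement guidance. For consistency, extend it to `The Tor exporter has been removed, as it was broken and unmaintained.` followed by `See the 24.11 release notes for more information.`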


@ -1,43 +0,0 @@
{ config, lib, pkgs, options, ... }:
let
cfg = config.services.prometheus.exporters.tor;
inherit (lib) mkOption types concatStringsSep;
in
{
port = 9130;
extraOpts = {
torControlAddress = mkOption {
type = types.str;
default = "127.0.0.1";
description = ''
Tor control IP address or hostname.
'';
};
torControlPort = mkOption {
type = types.port;
default = 9051;
description = ''
Tor control port.
'';
};
};
serviceOpts = {
serviceConfig = {
ExecStart = ''
${pkgs.prometheus-tor-exporter}/bin/prometheus-tor-exporter \
-b ${cfg.listenAddress} \
-p ${toString cfg.port} \
-a ${cfg.torControlAddress} \
-c ${toString cfg.torControlPort} \
${concatStringsSep " \\\n " cfg.extraFlags}
'';
};
# CPython requires a process to either have $HOME defined or run as a UID
# defined in /etc/passwd. The latter is false with DynamicUser, so define a
# dummy $HOME. https://bugs.python.org/issue10496
environment = { HOME = "/var/empty"; };
};
}


@ -1511,25 +1511,6 @@ let
'';
};
tor = {
exporterConfig = {
enable = true;
};
metricProvider = {
# Note: this does not connect the test environment to the Tor network.
# Client, relay, bridge or exit connectivity are disabled by default.
services.tor.enable = true;
services.tor.settings.ControlPort = 9051;
};
exporterTest = ''
wait_for_unit("tor.service")
wait_for_open_port(9051)
wait_for_unit("prometheus-tor-exporter.service")
wait_for_open_port(9130)
succeed("curl -sSf localhost:9130/metrics | grep 'tor_version{.\\+} 1'")
'';
};
unpoller = {
nodeName = "unpoller";
exporterConfig.enable = true;


@ -34,16 +34,16 @@ assert lib.assertOneOf "withAudioBackend" withAudioBackend [ "" "alsa" "pulseaud
rustPlatform.buildRustPackage rec {
pname = "spotify-player";
version = "0.19.1";
version = "0.20.0";
src = fetchFromGitHub {
owner = "aome510";
repo = pname;
rev = "refs/tags/v${version}";
hash = "sha256-R8F7s8FPnCe+shNUN/u0qcxFy3IbyfVo2xZ5/E/qwaw=";
hash = "sha256-heycCm2Nwyo+DegMKeXZ+dF+ZqiFT/6P08/28buJc6I=";
};
cargoHash = "sha256-7vximGisIIXBrwHXSWQjO08OraaweG7ZT6v+gVdYGVc=";
cargoHash = "sha256-U3a/6uF7vOV3QnxqPnooBdvjyyIPLnQXiXtTwKeHAxA=";
nativeBuildInputs = [
pkg-config


@ -31,21 +31,21 @@ let
archive_fmt = if stdenv.hostPlatform.isDarwin then "zip" else "tar.gz";
sha256 = {
x86_64-linux = "0w452wnzyb4wmr2qqq55dhfb1jd0zqmwf65fbmxdz7jn1jimjjrn";
x86_64-darwin = "1b333snvrw8khryhi5scfhhkg43m3b6ds3nvs24nbvx8k7h69hmm";
aarch64-linux = "12p5cdva14s9sfgyrzg3nylpmgdnmfavwx3xxxmblzq1gcal2g6i";
aarch64-darwin = "1l59fcdvynkl5kyz9bn31mld6pi89nynk1zw645rczjm940pac7p";
armv7l-linux = "07ylija6chg6jc2zcavdr9yw1laniigw57f2gilyjynv1cgjm76r";
x86_64-linux = "12cfks56pz1fljv4zrh4q2k6vai2rpdyw5lbap9y8wa9f5pz0m55";
x86_64-darwin = "0zxmlpilh83grcv6jk2avlxiy2w0a1vbwmv0fjzy6nvdma91j7lj";
aarch64-linux = "1gx5xg54mmkiglwmv8fjppqb8bj0fqn9yg0r5q9kzdhh9702dxsg";
aarch64-darwin = "13wnraa13msz7rxzwk232rwrnbmwx0dpq13aq68zjz80clsf4jgp";
armv7l-linux = "06kngg0scrk8sz3j874iffyci70ng8j8l1v83k572vw847956850";
}.${system} or throwSystem;
in
callPackage ./generic.nix rec {
# Please backport all compatible updates to the stable release.
# This is important for the extension ecosystem.
version = "1.94.2";
version = "1.95.0";
pname = "vscode" + lib.optionalString isInsiders "-insiders";
# This is used for VS Code - Remote SSH test
rev = "384ff7382de624fb94dbaf6da11977bba1ecd427";
rev = "912bb683695358a54ae0c670461738984cbb5b95";
executableName = "code" + lib.optionalString isInsiders "-insiders";
longName = "Visual Studio Code" + lib.optionalString isInsiders " - Insiders";
@ -69,7 +69,7 @@ in
src = fetchurl {
name = "vscode-server-${rev}.tar.gz";
url = "https://update.code.visualstudio.com/commit:${rev}/server-linux-x64/stable";
sha256 = "1mj9fg76b9x9r6ql21hbckpni179vfa9j8fiah9rd6ih7sb72048";
sha256 = "1chk0xwsiw6pm6ihjlp9695n0l1wfipwv4h04v5dmm9dcwlarp1m";
};
stdenv = stdenvNoCC;
};


@ -24,6 +24,7 @@
, openjpegSupport ? !stdenv.hostPlatform.isMinGW, openjpeg
, libwebpSupport ? !stdenv.hostPlatform.isMinGW, libwebp
, libheifSupport ? true, libheif
, fftwSupport ? true, fftw
, potrace
, coreutils
, curl
@ -76,6 +77,7 @@ stdenv.mkDerivation (finalAttrs: {
(lib.withFeature libjxlSupport "jxl")
(lib.withFeatureAs ghostscriptSupport "gs-font-dir" "${ghostscript.fonts}/share/fonts")
(lib.withFeature ghostscriptSupport "gslib")
(lib.withFeature fftwSupport "fftw")
] ++ lib.optionals stdenv.hostPlatform.isMinGW [
# due to libxml2 being without DLLs ATM
"--enable-static" "--disable-shared"
@ -113,7 +115,8 @@ stdenv.mkDerivation (finalAttrs: {
++ lib.optional lcms2Support lcms2
++ lib.optional libX11Support libX11
++ lib.optional libXtSupport libXt
++ lib.optional libwebpSupport libwebp;
++ lib.optional libwebpSupport libwebp
++ lib.optional fftwSupport fftw;
postInstall = ''
(cd "$dev/include" && ln -s ImageMagick* ImageMagick)
@ -146,7 +149,7 @@ stdenv.mkDerivation (finalAttrs: {
description = "Software suite to create, edit, compose, or convert bitmap images";
pkgConfigModules = [ "ImageMagick" "MagickWand" ];
platforms = platforms.linux ++ platforms.darwin;
maintainers = with maintainers; [ dotlambda rhendric ];
maintainers = with maintainers; [ dotlambda rhendric bloxx12 ];
license = licenses.asl20;
mainProgram = "magick";
};
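Review bot: `fftwSupport ? true` links a new library into the default ImageMagick build, but nothing in the hunk says why it is wanted or whether `meta.license = licenses.asl20` is still the right description once FFTW — GPL-licensed in nixpkgs, to my knowledge; confirm against `fftw.meta.license` — is in the binary. If the GPL link is intended, a comment on the option line such as `, fftwSupport ? true, fftw # GPL; presumably for the -fft/-ift operators` makes the trade-off visible to the next maintainer; if it is not, default the option to `false` so only opt-in builds pull it in.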


@ -22,10 +22,7 @@
glib,
glib-networking,
gmp,
gstreamer,
gst-plugins-base,
gst-plugins-bad,
gst-plugins-good,
gst_all_1,
gtest,
gtk3,
hicolor-icon-theme,
@ -36,6 +33,7 @@
nlopt,
opencascade-occt_7_6,
openvdb,
opencv,
pcre,
systemd,
tbb_2021_11,
@ -45,14 +43,20 @@
withSystemd ? stdenv.hostPlatform.isLinux,
}:
let
opencascade-occt = opencascade-occt_7_6;
wxGTK31' = wxGTK31.overrideAttrs (old: {
configureFlags = old.configureFlags ++ [
# Disable noisy debug dialogs
"--enable-debug=no"
];
});
openvdb_tbb_2021_8 = openvdb.overrideAttrs (old: {
wxGTK' =
(wxGTK31.override {
withCurl = true;
withPrivateFonts = true;
withWebKit = true;
}).overrideAttrs
(old: {
configureFlags = old.configureFlags ++ [
# Disable noisy debug dialogs
"--enable-debug=no"
];
});
openvdb' = openvdb.overrideAttrs (old: {
buildInputs = [
openexr
boost179
@ -65,13 +69,13 @@ let
in
stdenv.mkDerivation rec {
pname = "bambu-studio";
version = "01.09.00.70";
version = "01.09.07.52";
src = fetchFromGitHub {
owner = "bambulab";
repo = "BambuStudio";
rev = "v${version}";
hash = "sha256-RBctBhKo7mjxsP7OJhGfoU1eIiGVuMiAqwwSU+gsMds=";
hash = "sha256-fhH4N29P/ysdHHbZt+FnBl3+QtTNhbVE3j4ZnFJyJH0=";
};
nativeBuildInputs = [
@ -95,10 +99,10 @@ stdenv.mkDerivation rec {
glib
glib-networking
gmp
gstreamer
gst-plugins-base
gst-plugins-bad
gst-plugins-good
gst_all_1.gstreamer
gst_all_1.gst-plugins-base
gst_all_1.gst-plugins-bad
gst_all_1.gst-plugins-good
gtk3
hicolor-icon-theme
ilmbase
@ -106,20 +110,23 @@ stdenv.mkDerivation rec {
mesa.osmesa
mpfr
nlopt
opencascade-occt
openvdb_tbb_2021_8
opencascade-occt_7_6
openvdb'
pcre
tbb_2021_11
webkitgtk_4_0
wxGTK31'
wxGTK'
xorg.libX11
opencv
] ++ lib.optionals withSystemd [ systemd ] ++ checkInputs;
patches = [
# Fix for webkitgtk linking
./0001-not-for-upstream-CMakeLists-Link-against-webkit2gtk-.patch
./patches/0001-not-for-upstream-CMakeLists-Link-against-webkit2gtk-.patch
# Fix build with cgal-5.6.1+
./meshboolean-const.patch
./patches/meshboolean-const.patch
# Fix an issue with
./patches/dont-link-opencv-world-bambu.patch
];
doCheck = true;
@ -136,7 +143,10 @@ stdenv.mkDerivation rec {
# Disable compiler warnings that clutter the build log.
# It seems to be a known issue for Eigen:
# http://eigen.tuxfamily.org/bz/show_bug.cgi?id=1221
NIX_CFLAGS_COMPILE = "-Wno-ignored-attributes";
NIX_CFLAGS_COMPILE = toString [
"-Wno-ignored-attributes"
"-I${opencv.out}/include/opencv4"
];
# prusa-slicer uses dlopen on `libudev.so` at runtime
NIX_LDFLAGS = lib.optionalString withSystemd "-ludev";
@ -181,8 +191,12 @@ stdenv.mkDerivation rec {
meta = with lib; {
description = "PC Software for BambuLab's 3D printers";
homepage = "https://github.com/bambulab/BambuStudio";
changelog = "https://github.com/bambulab/BambuStudio/releases/tag/v${version}";
license = licenses.agpl3Plus;
maintainers = with maintainers; [ zhaofengli ];
maintainers = with maintainers; [
zhaofengli
dsluijk
];
mainProgram = "bambu-studio";
platforms = platforms.linux;
};
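Review bot: The comment above `./patches/dont-link-opencv-world-bambu.patch` is cut off at `# Fix an issue with` and says nothing about what is fixed. Going by the patch added in this commit, `# Link against opencv_core/opencv_imgproc instead of the umbrella opencv_world target` would describe it. The `-I${opencv.out}/include/opencv4` appended to `NIX_CFLAGS_COMPILE` also deserves a one-line why-comment, since it presumably works around the build not locating OpenCV's headers through CMake on its own.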


@ -2,7 +2,6 @@
lib,
fetchFromGitHub,
bambu-studio,
opencv,
}:
bambu-studio.overrideAttrs (
finalAttrs: previousAttrs: {
@ -16,20 +15,15 @@ bambu-studio.overrideAttrs (
hash = "sha256-7fusdSYpZb4sYl5L/+81PzMd42Nsejj+kCZsq0f7eIk=";
};
patches =
previousAttrs.patches
++ [
# FIXME: only required for 2.1.1, can be removed in the next version
./0002-fix-build-for-gcc-13.diff
./dont-link-opencv-world.patch
];
buildInputs =
previousAttrs.buildInputs
++ [
opencv
];
patches =[
# FIXME: only required for 2.1.1, can be removed in the next version
./patches/0002-fix-build-for-gcc-13.diff
# Fix for webkitgtk linking
./patches/0001-not-for-upstream-CMakeLists-Link-against-webkit2gtk-.patch
# Fix build with cgal-5.6.1+
./patches/meshboolean-const.patch
./patches/dont-link-opencv-world-orca.patch
];
preFixup = ''
gappsWrapperArgs+=(
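Review bot: `patches` no longer extends `previousAttrs.patches`, so this list is now a hand-maintained copy of bambu-studio's and any patch added to the base package later will silently not apply here; if that decoupling is intended, state it, e.g. `# Not inheriting bambu-studio's patches: orca needs its own opencv patch`. `patches =[` is also missing the space before the bracket, and the `FIXME: only required for 2.1.1` note should be rechecked now that the list is maintained independently.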


@ -0,0 +1,14 @@
diff --git a/src/libslic3r/CMakeLists.txt b/src/libslic3r/CMakeLists.txt
index 2cdc525..44e6602 100644
--- a/src/libslic3r/CMakeLists.txt
+++ b/src/libslic3r/CMakeLists.txt
@@ -533,7 +533,8 @@ target_link_libraries(libslic3r
${OCCT_LIBS}
Clipper2
mcut
- opencv_world
+ opencv_core
+ opencv_imgproc
)
if(NOT WIN32)


@ -10,13 +10,13 @@
buildPythonApplication rec {
pname = "gallery-dl";
version = "1.27.6";
version = "1.27.7";
format = "setuptools";
src = fetchPypi {
inherit version;
pname = "gallery_dl";
hash = "sha256-bxh15aZIupTaHnYM65MAYuYtKx0z2OIQl3WKEU1gO4Q=";
hash = "sha256-9YcxD7AH4U2dOhAiUnknwwGFy9pplFFQ7Rn4cOvDdEc=";
};
propagatedBuildInputs = [
@ -26,6 +26,11 @@ buildPythonApplication rec {
nativeCheckInputs = [ pytestCheckHook ];
disabledTests = [
# requires network access
"test_init"
];
pytestFlagsArray = [
# requires network access
"--ignore=test/test_results.py"


@ -2,10 +2,10 @@
stdenv.mkDerivation rec {
pname = "gremlin-console";
version = "3.7.2";
version = "3.7.3";
src = fetchzip {
url = "https://downloads.apache.org/tinkerpop/${version}/apache-tinkerpop-gremlin-console-${version}-bin.zip";
sha256 = "sha256-lIrqMvI/sYGu36X3jNptoIz7mPVomk8YCIR/6y8mpEc=";
sha256 = "sha256-27S1ukq9rHncFuPBZmwIP/bKuPYm3AxdBK3PliYTGEQ=";
};
nativeBuildInputs = [ makeWrapper ];


@ -1,4 +1,4 @@
{ lib, stdenv, fetchurl, qmake, wrapQtAppsHook, ffmpeg, qtmultimedia, qwt }:
{ lib, stdenv, fetchurl, qmake, wrapQtAppsHook, ffmpeg_6, qtmultimedia, qwt }:
stdenv.mkDerivation rec {
pname = "qctools";
@ -13,7 +13,7 @@ stdenv.mkDerivation rec {
nativeBuildInputs = [ qmake wrapQtAppsHook ];
buildInputs = [ ffmpeg qtmultimedia qwt ];
buildInputs = [ ffmpeg_6 qtmultimedia qwt ];
installPhase = ''
runHook preInstall
@ -30,11 +30,11 @@ stdenv.mkDerivation rec {
runHook postInstall
'';
meta = with lib; {
meta = {
description = "Audiovisual analytics and filtering of video files";
homepage = "https://mediaarea.net/QCTools";
license = licenses.gpl3Only;
maintainers = with maintainers; [ orivej ];
platforms = platforms.linux;
license = lib.licenses.gpl3Only;
maintainers = with lib.maintainers; [ orivej ];
platforms = lib.platforms.linux;
};
}
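Review bot: Pinning `buildInputs` to `ffmpeg_6` instead of the default `ffmpeg` takes qctools off the tracked ffmpeg line, so it will keep that major after the default moves on and stop receiving the default's security fixes once ffmpeg 6 is no longer maintained; the hunk gives no reason for the pin. Add a why-comment next to it, e.g. `ffmpeg_6, # presumably fails against the current default ffmpeg; revisit on next update`, adjusted to whatever the actual failure was, so the pin is not forgotten.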


@ -0,0 +1,28 @@
Upstream PR: https://github.com/r00t0v3rr1d3/armitage/pull/1
diff --git a/armitage/build.gradle b/armitage/build.gradle
index 43a5d08..50ae084 100644
--- a/armitage/build.gradle
+++ b/armitage/build.gradle
@@ -19,7 +19,7 @@ jar {
from {
configurations.compileClasspath.filter { it.exists() }.collect { it.isDirectory() ? it : zipTree(it) }
}
- archiveName 'armitage.jar'
+ archiveFileName.set 'armitage.jar'
}
dependencies {
diff --git a/cortana/build.gradle b/cortana/build.gradle
index c7d08bb..aa54635 100644
--- a/cortana/build.gradle
+++ b/cortana/build.gradle
@@ -19,7 +19,8 @@ jar {
from {
configurations.compileClasspath.filter { it.exists() }.collect { it.isDirectory() ? it : zipTree(it) }
}
- archiveName 'cortana.jar'
+ duplicatesStrategy DuplicatesStrategy.INCLUDE
+ archiveFileName.set 'cortana.jar'
}
dependencies {
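Review bot: `duplicatesStrategy DuplicatesStrategy.INCLUDE` in cortana/build.gradle tells the fat-jar task to write duplicate entries from the merged `compileClasspath` jars instead of failing, so if two dependencies ship the same class or resource both copies land in `cortana.jar` and which one the JVM loads becomes order-dependent. A short comment naming which duplicates were hit and that they are known-equivalent would justify the choice; otherwise `duplicatesStrategy DuplicatesStrategy.EXCLUDE` keeps the first copy deterministically and is the safer default for a shaded jar.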


@ -3,7 +3,7 @@
, fetchurl
, fetchFromGitHub
, jdk11
, gradle_6
, gradle
, metasploit
, makeWrapper
, makeDesktopItem
@ -15,8 +15,6 @@ let
pname = "armitage";
version = "unstable-2022-12-05";
gradle = gradle_6;
src = fetchFromGitHub {
owner = "r00t0v3rr1d3";
repo = "armitage";
@ -45,6 +43,8 @@ let
url = "https://gitlab.com/kalilinux/packages/armitage/-/raw/042beb7494a10227761ecb3ddabf4019bbb78681/debian/patches/fix-meterpreter.patch";
hash = "sha256-p4fs5xFdC2apW0U8x8u9S4p5gq3Eiv+0E4CGccQZYKY=";
})
# Update for Gradle 8 (https://github.com/r00t0v3rr1d3/armitage/pull/1)
./gradle-8.patch
];
in
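Review bot: The build now uses the unversioned `gradle` attribute while the new patch is explicitly an `Update for Gradle 8`, so when the nixpkgs default moves to the next Gradle major this 2022-era checkout will pick it up silently and may break or change its output. Either pin to the major the patch targets — `gradle_8`, if that attribute exists — or record the tested major next to the patch entry, e.g. `# Update for Gradle 8 (verified with the default gradle at the time of writing)`.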


@ -7,13 +7,13 @@
buildGoModule rec {
pname = "atproto-goat";
version = "0-unstable-2024-10-08";
version = "0-unstable-2024-10-29";
src = fetchFromGitHub {
owner = "bluesky-social";
repo = "indigo";
rev = "06bacb465af714feb77609566aba15ab1ed41e24";
hash = "sha256-wWsE3sAGZQmOBVqTgy4RjoU8zmtuvyQIj9DjwSbtmKw=";
rev = "983ce4a481a32a3eb2944c4c76e885d0f6006f83";
hash = "sha256-Jo3pI4uRyKh3yV03ijOcg+Uyu75Spmy/VS116MVgleU=";
};
postPatch = ''


@ -62,22 +62,20 @@ let
in
py.pkgs.buildPythonApplication rec {
pname = "awscli2";
version = "2.17.64"; # N.B: if you change this, check if overrides are still up-to-date
version = "2.18.15"; # N.B: if you change this, check if overrides are still up-to-date
pyproject = true;
src = fetchFromGitHub {
owner = "aws";
repo = "aws-cli";
rev = "refs/tags/${version}";
hash = "sha256-Hq86KhAIATSz3dF1zO6aSdZQAfLs4EcRqWglAOJUVGk=";
hash = "sha256-dm4Z3WsFq5GQN6gvi5OS9J96PqhGx8Qz2OsHwUBrsAs=";
};
patches = [ ];
postPatch = ''
substituteInPlace pyproject.toml \
--replace-fail 'awscrt>=0.19.18,<=0.21.2' 'awscrt>=0.19.18' \
--replace-fail 'cryptography>=40.0.0,<40.0.2' 'cryptography>=43.0.0' \
--replace-fail 'awscrt>=0.19.18,<=0.22.0' 'awscrt>=0.22.0' \
--replace-fail 'cryptography>=40.0.0,<43.0.2' 'cryptography>=43.0.0' \
--replace-fail 'distro>=1.5.0,<1.9.0' 'distro>=1.5.0' \
--replace-fail 'docutils>=0.10,<0.20' 'docutils>=0.10' \
--replace-fail 'prompt-toolkit>=3.0.24,<3.0.39' 'prompt-toolkit>=3.0.24'
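Review bot: The `cryptography` substitution replaces upstream's `>=40.0.0,<43.0.2` with `>=43.0.0`, dropping the upper bound entirely rather than widening it to what nixpkgs ships, and the `awscrt` line goes further by raising the lower bound above upstream's ceiling (`<=0.22.0` becomes `>=0.22.0`). That is presumably needed to build against current nixpkgs, but a one-line comment per override recording the nixpkgs version it was verified against would give the `N.B:` on the version line something concrete to check, e.g. `# awscrt 0.22.x / cryptography 43.x in nixpkgs at time of update`.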


@ -7,14 +7,14 @@
python3.pkgs.buildPythonApplication rec {
pname = "bitbake-language-server";
version = "0.0.14";
version = "0.0.15";
format = "pyproject";
src = fetchFromGitHub {
owner = "Freed-Wu";
repo = pname;
rev = version;
hash = "sha256-aGj9lW420A+iTQWSCdIITAJj3p89VUkPvdhQ/0M6uXo=";
hash = "sha256-NLDQ2P5peweugkoNYskpCyCEgBwVFA7RTs8+NvH8fj8=";
};
nativeBuildInputs = with python3.pkgs; [


@ -0,0 +1,59 @@
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 1a30d61..bea8d7c 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -50,13 +50,6 @@ include(FetchContent)
set(CMAKE_VERBOSE_MAKEFILE ON)
-#========================================== PRE-CHECKS ============================================#
-include(FindGit)
-find_package(Git)
-
-if (NOT Git_FOUND)
- message(FATAL_ERROR "Required package 'Git' not found on system.")
-endif ()
#======================================== LIB IMPORTS =============================================#
# ======= #
@@ -68,28 +61,9 @@ include_directories(${OPENSSL_INCLUDE_DIR})
# ============== #
# JSON-C library #
# ============== #
-set(JSONC_DOWNLOAD_PATH "${TEMP_DIR_PATH}/libjsonc")
-set(JSONC_INSTALL_PATH "${CMAKE_EXTERNAL_OUTPUT_DIRECTORY}")
-
-add_custom_target(make-jsonc-install-dir ALL
- COMMAND ${CMAKE_COMMAND} -E make_directory ${JSONC_INSTALL_PATH}
-)
-
-ExternalProject_Add(libjsonc
- PREFIX "${JSONC_DOWNLOAD_PATH}"
- SOURCE_DIR "${JSONC_DOWNLOAD_PATH}/src/libjsonc-build"
- GIT_REPOSITORY "https://github.com/json-c/json-c.git"
- CMAKE_ARGS "-DBUILD_STATIC_LIBS=ON"
- "-DBUILD_SHARED_LIBS=OFF"
- "-DCMAKE_INSTALL_PREFIX:PATH=${JSONC_INSTALL_PATH}"
- "-DHAVE_ARC4RANDOM=OFF"
- "-DCMAKE_BUILD_TYPE=release"
-)
-
-set(JSONC_LIBRARIES
- ${CMAKE_EXTERNAL_OUTPUT_DIRECTORY}/lib/libjson-c.a
- bsd
-)
+find_package(PkgConfig REQUIRED)
+pkg_check_modules(JSONC REQUIRED json-c)
+include_directories(${JSONC_INCLUDE_DIRS})
# ============ #
# Curl library #
@@ -408,7 +382,7 @@ add_subdirectory(docs)
#endforeach()
add_executable(ctune ${SOURCE_FILES})
-add_dependencies(ctune ctune_logger libjsonc)
+add_dependencies(ctune ctune_logger)
include_directories(${CMAKE_EXTERNAL_OUTPUT_DIRECTORY}/include)
add_dependencies(ctune ${CTUNE_PLUGIN_LIST_AUDIO_PLAYER})
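Review bot: The patch has no header explaining its intent, unlike the armitage patch in this commit, so a reader of `cmake_disable_git_clone.patch` has to work out from the hunks that it replaces the configure-time `git clone` and static build of json-c with the system library found via pkg-config and drops the Git pre-check. Add a line above the first `diff --git`, e.g. `Use the system json-c via pkg-config instead of cloning and building it at configure time; the Nix sandbox has no network and the vendored copy would bypass nixpkgs' updates.`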


@ -0,0 +1,66 @@
{
stdenv,
lib,
fetchFromGitHub,
openssl,
curl,
ffmpeg,
vlc,
SDL2,
lame,
json_c,
cmake,
pkg-config,
ncurses,
libuuid,
pandoc,
}:
stdenv.mkDerivation (finalAttrs: {
pname = "ctune";
version = "1.3.2";
src = fetchFromGitHub {
owner = "An7ar35";
repo = "ctune";
rev = "refs/tags/v${finalAttrs.version}";
hash = "sha256-fy7Wb4R6HDa+cLxI5YWq67gxw1XS/iDDN4M3Rn7GYeI=";
};
nativeBuildInputs = [
cmake
pkg-config
pandoc
];
buildInputs = [
openssl
curl
ffmpeg
vlc
SDL2
lame
json_c
ncurses
libuuid
];
strictDeps = true;
cmakeFlags = [
# Avoid a wrong nested install path location
# Set to "$out" instead of "$out/$out"
"-DCMAKE_INSTALL_PREFIX=''"
];
patches = [ ./cmake_disable_git_clone.patch ];
meta = {
description = "A nice terminal nCurses (tui) internet radio player for Linux, browse and search from api.radio-browser.info";
homepage = " https://github.com/An7ar35/ctune";
changelog = "https://github.com/An7ar35/ctune/blob/master/CHANGELOG.md";
license = lib.licenses.agpl3Plus;
maintainers = with lib.maintainers; [ theobori ];
mainProgram = "ctune";
platforms = lib.platforms.linux;
};
})
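Review bot: `homepage = " https://github.com/An7ar35/ctune";` has a leading space inside the string, which yields a broken link wherever the metadata is rendered; it should be `homepage = "https://github.com/An7ar35/ctune";`. The description also opens with an article (`A nice terminal ...`), which nixpkgs' meta conventions discourage — `Terminal (ncurses) internet radio player for Linux using api.radio-browser.info` reads better. The `-DCMAKE_INSTALL_PREFIX=''` workaround is unusual enough that its comment could name the upstream CMake construct that causes the `$out/$out` nesting, so a future version bump knows when the flag can be dropped.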


@ -1,7 +1,7 @@
GEM
remote: https://rubygems.org/
specs:
facter (4.8.0)
facter (4.10.0)
hocon (~> 1.3)
thor (>= 1.0.1, < 1.3)
hocon (1.4.0)


@ -5,10 +5,10 @@
platforms = [];
source = {
remotes = ["https://rubygems.org"];
sha256 = "1130mzk90pi0y9fnraqqak7gcfg61dhx92axwnhchbpw09akfl09";
sha256 = "17d561xf4s5016fm9jkfkkafn6660g04fz1yp5xfvkb0j4xj32mp";
type = "gem";
};
version = "4.8.0";
version = "4.10.0";
};
hocon = {
groups = ["default"];


@ -1,14 +1,27 @@
{ lib, buildGoModule, fetchFromGitHub, installShellFiles }:
{
lib,
buildGoModule,
fetchFromGitHub,
# required for completion and cross-complilation
installShellFiles,
buildPackages,
stdenv,
# required for testing
testers,
fulcio,
}:
buildGoModule rec {
pname = "fulcio";
version = "1.6.4";
version = "1.6.5";
src = fetchFromGitHub {
owner = "sigstore";
repo = pname;
rev = "v${version}";
hash = "sha256-eRf504i9kYQua/p0SNlDGNeXa9ztoyz6M8nukhRyzIY=";
hash = "sha256-TCWZrTqNXTcTsLqTnwnJPXN+kMYVVwLm2J3Y6gd2CV8=";
# populate values that require us to use git. By doing this in postFetch we
# can delete .git afterwards and maintain better reproducibility of the src.
leaveDotGit = true;
@ -20,7 +33,7 @@ buildGoModule rec {
find "$out" -name .git -print0 | xargs -0 rm -rf
'';
};
vendorHash = "sha256-VTJhQrsqwGHq8211N3pUf4fmU4H90gRWYJTdEufNGg4=";
vendorHash = "sha256-3E2Y0UlJMjTiM4ILEiaNqVmt4fWMvCRAqzm//CvRIl4=";
nativeBuildInputs = [ installShellFiles ];
@ -42,26 +55,32 @@ buildGoModule rec {
preCheck = ''
# test all paths
unset subPackages
# skip test that requires networking
substituteInPlace pkg/config/config_network_test.go \
--replace "TestLoad" "SkipLoad"
'';
postInstall = ''
installShellCompletion --cmd fulcio \
--bash <($out/bin/fulcio completion bash) \
--fish <($out/bin/fulcio completion fish) \
--zsh <($out/bin/fulcio completion zsh)
'';
checkFlags = [
"-skip=TestLoad"
];
doInstallCheck = true;
installCheckPhase = ''
runHook preInstallCheck
$out/bin/fulcio --help
$out/bin/fulcio version 2>&1 | grep "v${version}"
runHook postInstallCheck
'';
postInstall =
let
fulcio =
if stdenv.buildPlatform.canExecute stdenv.hostPlatform then
placeholder "out"
else
buildPackages.fulcio;
in
''
installShellCompletion --cmd fulcio \
--bash <(${fulcio}/bin/fulcio completion bash) \
--fish <(${fulcio}/bin/fulcio completion fish) \
--zsh <(${fulcio}/bin/fulcio completion zsh)
'';
passthru.tests.version = testers.testVersion {
package = fulcio;
command = "fulcio version";
version = "v${version}";
};
meta = with lib; {
homepage = "https://github.com/sigstore/fulcio";
@ -79,6 +98,9 @@ buildGoModule rec {
disconnected instance.
'';
license = licenses.asl20;
maintainers = with maintainers; [ lesuisse jk ];
maintainers = with maintainers; [
lesuisse
jk
];
};
}
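Review bot: `checkFlags = [ "-skip=TestLoad" ]` hands an unanchored regex to `go test -skip`, so it skips every test whose name contains `TestLoad`, not just the networked `TestLoad` in `pkg/config/config_network_test.go` that the old `substituteInPlace` targeted. Anchor it, `"-skip=^TestLoad$"`, and because the flag now applies to every package after `unset subPackages`, add a comment naming the file and the reason (`# TestLoad in pkg/config/config_network_test.go needs network access`) so the skip is not widened further by accident.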


@ -1,19 +1,23 @@
{ lib, rustPlatform, fetchFromGitHub }:
{
lib,
rustPlatform,
fetchFromGitHub,
}:
rustPlatform.buildRustPackage rec {
pname = "hexyl";
version = "0.14.0";
version = "0.15.0";
src = fetchFromGitHub {
owner = "sharkdp";
repo = pname;
rev = "v${version}";
hash = "sha256-di7SBuB4LsnqlP3BdMcsSLj4zpyKA/ninVpRyR9AJaI=";
repo = "hexyl";
rev = "refs/tags/v${version}";
hash = "sha256-v/mB0W/AyoJSoK00pqxpfMGZR/4DkkTCnPU6eorl/GI=";
};
cargoHash = "sha256-fXrdOiCmRgMPJxZIS/SkTkZZkag8ZUhNnMlU4k1m/+0=";
cargoHash = "sha256-QaOp7dCXfkIpxAJ+J+Pt9op3uj+LYoYvR78BmHBgnqE=";
meta = with lib; {
meta = {
description = "Command-line hex viewer";
longDescription = ''
`hexyl` is a simple hex viewer for the terminal. It uses a colored
@ -23,8 +27,15 @@ rustPlatform.buildRustPackage rec {
'';
homepage = "https://github.com/sharkdp/hexyl";
changelog = "https://github.com/sharkdp/hexyl/blob/v${version}/CHANGELOG.md";
license = with licenses; [ asl20 /* or */ mit ];
maintainers = with maintainers; [ dywedir figsoda SuperSandro2000 ];
license = with lib.licenses; [
asl20
mit
];
maintainers = with lib.maintainers; [
dywedir
figsoda
SuperSandro2000
];
mainProgram = "hexyl";
};
}


@ -90,7 +90,7 @@ let
++ lib.optionals mediaSupport [ ffmpeg ]
);
version = "13.5.7";
version = "13.5.9";
sources = {
x86_64-linux = fetchurl {
@ -102,7 +102,7 @@ let
"https://tor.eff.org/dist/mullvadbrowser/${version}/mullvad-browser-linux-x86_64-${version}.tar.xz"
"https://tor.calyxinstitute.org/dist/mullvadbrowser/${version}/mullvad-browser-linux-x86_64-${version}.tar.xz"
];
hash = "sha256-Te6Cw3fUs4XGz07lL54bKUU9HYC5soaKFlbWGujd/oU=";
hash = "sha256-hyFYI42IfFY0vqkqInkLQAWSY8flsmWGN8CaXBwXbGA=";
};
};


@ -4,32 +4,27 @@
buildGoModule rec {
pname = "orbiton";
version = "2.65.12";
version = "2.67.1";
src = fetchFromGitHub {
owner = "xyproto";
repo = "orbiton";
rev = "v${version}";
hash = "sha256-1KVw2dj//6vwUUj1jVWe2J/9F6J8BQsvCAEbJZnW26c=";
hash = "sha256-/5USD588kr3uB/Zs1ASKVgxH4kAWZCNBrZL7qqx49gU=";
};
vendorHash = null;
postPatch = lib.optionalString stdenv.hostPlatform.isDarwin ''
substituteInPlace Makefile \
--replace "-Wl,--as-needed" ""
# Requires impure pbcopy and pbpaste
substituteInPlace v2/pbcopy_test.go \
--replace TestPBcopy SkipTestPBcopy
'';
nativeBuildInputs = [ installShellFiles makeWrapper pkg-config ];
buildInputs = lib.optional withGui vte;
preBuild = "cd v2";
checkFlags = [
"-skip=TestPBcopy" # Requires impure pbcopy and pbpaste
];
postInstall = ''
cd ..
installManPage o.1
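Review bot: The new `checkFlags = [ "-skip=TestPBcopy" ]` is unconditional, whereas the `substituteInPlace` it replaces only disabled `TestPBcopy` on Darwin, so the test is now also skipped on Linux where the old code ran it. Unless it needs clipboard tools there too, keep the platform gate and anchor the regex: `checkFlags = lib.optionals stdenv.hostPlatform.isDarwin [ "-skip=^TestPBcopy$" ];`.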


@ -1,2 +1,2 @@
source 'https://rubygems.org'
gem 'pdk', '3.2.0'
gem 'pdk', '3.3.0'


@ -1,24 +1,26 @@
GEM
remote: https://rubygems.org/
specs:
addressable (2.8.6)
public_suffix (>= 2.0.2, < 6.0)
childprocess (4.1.0)
cri (2.15.11)
addressable (2.8.7)
public_suffix (>= 2.0.2, < 7.0)
childprocess (5.1.0)
logger (~> 1.5)
cri (2.15.12)
deep_merge (1.2.2)
diff-lcs (1.5.1)
ffi (1.17.0)
hitimes (2.0.0)
json-schema (4.3.0)
json-schema (4.3.1)
addressable (>= 2.8)
json_pure (2.6.3)
minitar (0.9)
logger (1.6.1)
minitar (0.12.1)
pastel (0.8.0)
tty-color (~> 0.5)
pathspec (1.1.3)
pdk (3.2.0)
pdk (3.3.0)
bundler (>= 2.1.0, < 3.0.0)
childprocess (~> 4.1.0)
childprocess (~> 5.0)
cri (~> 2.15.11)
deep_merge (~> 1.2.2)
diff-lcs (>= 1.5.0)
@ -28,10 +30,14 @@ GEM
json_pure (~> 2.6.3)
minitar (~> 0.8)
pathspec (~> 1.1)
puppet-modulebuilder (~> 1.0)
tty-prompt (~> 0.23)
tty-spinner (~> 0.9)
tty-which (~> 0.5)
public_suffix (5.0.5)
public_suffix (6.0.1)
puppet-modulebuilder (1.1.0)
minitar (~> 0.9)
pathspec (>= 0.2.1, < 3.0.0)
tty-color (0.6.0)
tty-cursor (0.7.1)
tty-prompt (0.23.1)
@ -51,7 +57,7 @@ PLATFORMS
ruby
DEPENDENCIES
pdk (= 3.2.0)
pdk (= 3.3.0)
BUNDLED WITH
2.5.9
2.5.16


@ -5,30 +5,31 @@
platforms = [];
source = {
remotes = ["https://rubygems.org"];
sha256 = "0irbdwkkjwzajq1ip6ba46q49sxnrl2cw7ddkdhsfhb6aprnm3vr";
sha256 = "0cl2qpvwiffym62z991ynks7imsm87qmgxf0yfsmlwzkgi9qcaa6";
type = "gem";
};
version = "2.8.6";
version = "2.8.7";
};
childprocess = {
dependencies = ["logger"];
groups = ["default"];
platforms = [];
source = {
remotes = ["https://rubygems.org"];
sha256 = "1lvcp8bsd35g57f7wz4jigcw2sryzzwrpcgjwwf3chmjrjcww5in";
sha256 = "1v5nalaarxnfdm6rxb7q6fmc6nx097jd630ax6h9ch7xw95li3cs";
type = "gem";
};
version = "4.1.0";
version = "5.1.0";
};
cri = {
groups = ["default"];
platforms = [];
source = {
remotes = ["https://rubygems.org"];
sha256 = "1bhsgnjav94mz5vf3305gxz1g34gm9kxvnrn1dkz530r8bpj0hr5";
sha256 = "1rank6i9p2drwdcmhan6ifkzrz1v3mwpx47fwjl75rskxwjfkgwa";
type = "gem";
};
version = "2.15.11";
version = "2.15.12";
};
deep_merge = {
groups = ["default"];
@ -76,10 +77,10 @@
platforms = [];
source = {
remotes = ["https://rubygems.org"];
sha256 = "1ljqbpjc5aa8a2cgq8f64iwbx7rr9dqvpk7v8n5jpslyz6mvyddc";
sha256 = "09bq393nrxa7hmphc3li8idgxdnb5hwgj15d0q5qsh4l5g1qvrnm";
type = "gem";
};
version = "4.3.0";
version = "4.3.1";
};
json_pure = {
groups = ["default"];
@ -91,15 +92,25 @@
};
version = "2.6.3";
};
logger = {
groups = ["default"];
platforms = [];
source = {
remotes = ["https://rubygems.org"];
sha256 = "0lwncq2rf8gm79g2rcnnyzs26ma1f4wnfjm6gs4zf2wlsdz5in9s";
type = "gem";
};
version = "1.6.1";
};
minitar = {
groups = ["default"];
platforms = [];
source = {
remotes = ["https://rubygems.org"];
sha256 = "126mq86x67d1p63acrfka4zx0cx2r0vc93884jggxnrmmnzbxh13";
sha256 = "0f307mpj4j0gp7iq77xj4p149f4krcvbll9rismng3jcijpbn79s";
type = "gem";
};
version = "0.9";
version = "0.12.1";
};
pastel = {
dependencies = ["tty-color"];
@ -123,25 +134,36 @@
version = "1.1.3";
};
pdk = {
dependencies = ["childprocess" "cri" "deep_merge" "diff-lcs" "ffi" "hitimes" "json-schema" "json_pure" "minitar" "pathspec" "tty-prompt" "tty-spinner" "tty-which"];
dependencies = ["childprocess" "cri" "deep_merge" "diff-lcs" "ffi" "hitimes" "json-schema" "json_pure" "minitar" "pathspec" "puppet-modulebuilder" "tty-prompt" "tty-spinner" "tty-which"];
groups = ["default"];
platforms = [];
source = {
remotes = ["https://rubygems.org"];
sha256 = "1avc2dgcdi9l6xam9crka790jhpx04536387f1vq2p9yqpr5lw7h";
sha256 = "1gildcnii3ayw585as8d8bqhnfb9diqg7n3vmgaz8c5b9wb8c106";
type = "gem";
};
version = "3.2.0";
version = "3.3.0";
};
public_suffix = {
groups = ["default"];
platforms = [];
source = {
remotes = ["https://rubygems.org"];
sha256 = "14y4vzjwf5gp0mqgs880kis0k7n2biq8i6ci6q2n315kichl1hvj";
sha256 = "0vqcw3iwby3yc6avs1vb3gfd0vcp2v7q310665dvxfswmcf4xm31";
type = "gem";
};
version = "5.0.5";
version = "6.0.1";
};
puppet-modulebuilder = {
dependencies = ["minitar" "pathspec"];
groups = ["default"];
platforms = [];
source = {
remotes = ["https://rubygems.org"];
sha256 = "0rh31hq24nkddd83cx7n9ln5bsib3a052hrmn120sq0937337173";
type = "gem";
};
version = "1.1.0";
};
tty-color = {
groups = ["default"];


@ -0,0 +1,137 @@
{
lib,
_7zz,
alsa-lib,
systemd,
autoPatchelfHook,
blas,
dpkg,
fetchurl,
gtk3,
libglvnd,
libxkbcommon,
makeShellWrapper,
mesa,
musl,
nss,
patchelf,
stdenv,
xorg,
}:
let
pname = "positron-bin";
version = "2024.11.0-116";
in
stdenv.mkDerivation {
inherit version pname;
src =
if stdenv.isDarwin then
fetchurl {
url = "https://github.com/posit-dev/positron/releases/download/${version}/Positron-${version}.dmg";
hash = "sha256-5Ym42InDgFLGdZk0LYV1H0eC5WzmsYToG1KLdiGgTto=";
}
else
fetchurl {
url = "https://github.com/posit-dev/positron/releases/download/${version}/Positron-${version}.deb";
hash = "sha256-pE25XVYFW8WwyQ7zmox2mmXy6ZCSaXk2gSnPimg7xtU=";
};
buildInputs =
[ makeShellWrapper ]
++ lib.optionals stdenv.hostPlatform.isLinux [
alsa-lib
dpkg
gtk3
libglvnd
libxkbcommon
mesa
musl
nss
stdenv.cc.cc
xorg.libX11
xorg.libXcomposite
xorg.libXdamage
xorg.libxkbfile
]
++ lib.optionals stdenv.hostPlatform.isDarwin [
blas
patchelf
];
nativeBuildInputs =
lib.optionals stdenv.hostPlatform.isLinux [
autoPatchelfHook
]
++ lib.optionals stdenv.hostPlatform.isDarwin [
_7zz
];
runtimeDependencies = lib.optionals stdenv.hostPlatform.isLinux [
# Needed to fix the "Zygote could not fork" error.
(lib.getLib systemd)
];
unpackPhase = ''
runHook preUnpack
${lib.optionalString stdenv.hostPlatform.isLinux ''dpkg-deb --fsys-tarfile "$src" | tar -x --no-same-owner''}
runHook postUnpack
'';
installPhase =
if stdenv.hostPlatform.isDarwin then
''
runHook preInstall
mkdir -p "$out/Applications" "$out/bin"
cp -r . "$out/Applications/Positron.app"
# Positron will use the system version of BLAS if we don't provide the nix version.
wrapProgram "$out/Applications/Positron.app/Contents/Resources/app/bin/code" \
--prefix DYLD_INSERT_LIBRARIES : "${lib.makeLibraryPath [ blas ]}/libblas.dylib"
ln -s "$out/Applications/Positron.app/Contents/Resources/app/bin/code" "$out/bin/positron"
runHook postInstall
''
else
''
runHook preInstall
mkdir -p "$out/share"
cp -r usr/share/pixmaps "$out/share/pixmaps"
cp -r usr/share/positron "$out/share/positron"
mkdir -p "$out/share/applications"
install -m 444 -D usr/share/applications/positron.desktop "$out/share/applications/positron.desktop"
substituteInPlace "$out/share/applications/positron.desktop" \
--replace-fail \
"Icon=com.visualstudio.code.oss" \
"Icon=$out/share/pixmaps/com.visualstudio.code.oss.png" \
--replace-fail \
"Exec=/usr/share/positron/positron %F" \
"Exec=$out/share/positron/.positron-wrapped %F" \
--replace-fail \
"/usr/share/positron/positron --new-window %F" \
"$out/share/positron/.positron-wrapped --new-window %F"
# Fix libGL.so not found errors.
wrapProgram "$out/share/positron/positron" \
--prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ libglvnd ]}"
mkdir -p "$out/bin"
ln -s "$out/share/positron/positron" "$out/bin/positron"
runHook postInstall
'';
passthru.updateScript = ./update.sh;
meta = with lib; {
description = "Positron, a next-generation data science IDE";
homepage = "https://github.com/posit-dev/positron";
license = licenses.elastic20;
maintainers = with maintainers; [
b-rodrigues
detroyejr
];
mainProgram = "positron";
platforms = [ "x86_64-linux" ] ++ platforms.darwin;
};
}
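Review bot: Both wrappers export loader environment into the launched process and everything it spawns: `--prefix LD_LIBRARY_PATH` on Linux and `--prefix DYLD_INSERT_LIBRARIES` on Darwin are inherited by the IDE's integrated terminals and by any kernel or toolchain it starts, so those children get the Nix libglvnd/BLAS injected as well. On Linux the derivation already uses autoPatchelfHook with `runtimeDependencies`, so the libGL lookup can be fixed without an environment variable by adding libglvnd there, `runtimeDependencies = lib.optionals stdenv.hostPlatform.isLinux [ (lib.getLib systemd) libglvnd ];`, and dropping the LD_LIBRARY_PATH wrapProgram (the `Exec=` substitutions would then point at `$out/share/positron/positron` instead of `.positron-wrapped`). On Darwin a comment stating that DYLD_INSERT_LIBRARIES is process-wide and inherited would at least record the trade-off, and the `src` branch uses the deprecated alias `stdenv.isDarwin` while the rest of the file uses `stdenv.hostPlatform.isDarwin`. It is also unclear what unpacks the dmg, since the custom `unpackPhase` only runs the hooks when not on Linux; confirm that `cp -r .` in the Darwin installPhase copies an extracted app bundle rather than an empty build directory.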


@ -0,0 +1,54 @@
#!/usr/bin/env nix-shell
#! nix-shell -i bash -p curl jq git
nixpkgs="$(git rev-parse --show-toplevel)"
positron_nix="$nixpkgs/pkgs/by-name/po/positron-bin/package.nix"
current_version=$(grep -oP "version = \"\K.*\d" $positron_nix)
new_version=$(curl -sSfL \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
"https://api.github.com/repos/posit-dev/positron/releases?per_page=1" \
| jq -r '.[0].name')
if [[ "$new_version" == "$current_version" ]]; then
echo 'Positron is already up to date'
exit 0;
fi
# Update Darwin hash.
current_hash=$(nix store prefetch-file --json --hash-type sha256 \
"https://github.com/posit-dev/positron/releases/download/${current_version}/Positron-${current_version}.dmg" \
| jq -r .hash)
new_hash=$(nix store prefetch-file --json --hash-type sha256 \
"https://github.com/posit-dev/positron/releases/download/${new_version}/Positron-${new_version}.dmg" \
| jq -r .hash)
sed -i "s|$current_hash|$new_hash|g" $positron_nix
# Update Linux hash.
current_hash=$(nix store prefetch-file --json --hash-type sha256 \
"https://github.com/posit-dev/positron/releases/download/${current_version}/Positron-${current_version}.deb" \
| jq -r .hash)
new_hash=$(nix store prefetch-file --json --hash-type sha256 \
"https://github.com/posit-dev/positron/releases/download/${new_version}/Positron-${new_version}.deb" \
| jq -r .hash)
sed -i "s|$current_hash|$new_hash|g" $positron_nix
# Update version
sed -i "s|$current_version|$new_version|g" $positron_nix
# Attempt to build.
export NIXPKGS_ALLOW_UNFREE=1
if ! nix-build -A positron-bin "$nixpkgs"; then
echo "The updated positron-bin failed to build."
exit 1
fi
# Commit changes
git add "$positron_nix"
git commit -m "positron-bin: ${current_version} -> ${new_version}"
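Review bot: The script runs without `set -euo pipefail`, so a failed `curl`, `jq` or `nix store prefetch-file` leaves `new_version` or a hash variable empty and execution continues into the `sed -i` lines, where `s|$current_version||g` would strip the version string from package.nix and an empty `current_hash` makes sed fail on an empty pattern (or an empty `new_hash` blanks a hash). Add `set -euo pipefail` after the shebang lines and guard the derived values, e.g. `[[ -n "$new_version" ]] || exit 1`. `new_version` is read from `.[0].name`, the free-form release title, while the download URLs and `package.nix` are built from the tag; `jq -r '.[0].tag_name'` is the field that matches that construction. `$positron_nix` is unquoted in the grep and sed calls; quote it as the other paths are.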


@ -6,16 +6,16 @@
buildGoModule rec {
pname = "simple64-netplay-server";
version = "2024.06.1";
version = "2024.10.1";
src = fetchFromGitHub {
owner = "simple64";
repo = "simple64-netplay-server";
rev = "refs/tags/v${version}";
hash = "sha256-WTEtTzRkXuIusfK6Nbj1aLwXcXyaXQi+j3SsDrvtLKo=";
hash = "sha256-p9hHVf1LD95w280ScUkxHKmBJLJ9eiH3WEYV+kaALgQ=";
};
vendorHash = "sha256-zfLSti368rBHj17HKDZKtOQQrhVGVa2CaieaDGHcZOk=";
vendorHash = "sha256-HeYA/nR0NuP/fPMJXGGuN2eP6vB4yj1yWFfFDyp34QE=";
meta = {
description = "Dedicated server for simple64 netplay";


@ -2458,8 +2458,7 @@ checksum = "61697e0a1c7e512e84a621326239844a24d8207b4669b41bc18b32ea5cbf988b"
[[package]]
name = "sentry"
version = "0.34.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5484316556650182f03b43d4c746ce0e3e48074a21e2f51244b648b6542e1066"
source = "git+https://github.com/getsentry/sentry-rust?rev=1b65b5c#1b65b5c99af975496880e7325218479e0037d097"
dependencies = [
"curl",
"httpdate",
@ -2473,8 +2472,7 @@ dependencies = [
[[package]]
name = "sentry-backtrace"
version = "0.34.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "40aa225bb41e2ec9d7c90886834367f560efc1af028f1c5478a6cce6a59c463a"
source = "git+https://github.com/getsentry/sentry-rust?rev=1b65b5c#1b65b5c99af975496880e7325218479e0037d097"
dependencies = [
"backtrace",
"once_cell",
@ -2485,8 +2483,7 @@ dependencies = [
[[package]]
name = "sentry-contexts"
version = "0.34.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1a8dd746da3d16cb8c39751619cefd4fcdbd6df9610f3310fd646b55f6e39910"
source = "git+https://github.com/getsentry/sentry-rust?rev=1b65b5c#1b65b5c99af975496880e7325218479e0037d097"
dependencies = [
"hostname",
"libc",
@ -2499,8 +2496,7 @@ dependencies = [
[[package]]
name = "sentry-core"
version = "0.34.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "161283cfe8e99c8f6f236a402b9ccf726b201f365988b5bb637ebca0abbd4a30"
source = "git+https://github.com/getsentry/sentry-rust?rev=1b65b5c#1b65b5c99af975496880e7325218479e0037d097"
dependencies = [
"once_cell",
"rand",
@ -2512,8 +2508,7 @@ dependencies = [
[[package]]
name = "sentry-debug-images"
version = "0.34.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8fc6b25e945fcaa5e97c43faee0267eebda9f18d4b09a251775d8fef1086238a"
source = "git+https://github.com/getsentry/sentry-rust?rev=1b65b5c#1b65b5c99af975496880e7325218479e0037d097"
dependencies = [
"findshlibs",
"once_cell",
@ -2523,8 +2518,7 @@ dependencies = [
[[package]]
name = "sentry-tracing"
version = "0.34.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cd3c5faf2103cd01eeda779ea439b68c4ee15adcdb16600836e97feafab362ec"
source = "git+https://github.com/getsentry/sentry-rust?rev=1b65b5c#1b65b5c99af975496880e7325218479e0037d097"
dependencies = [
"sentry-backtrace",
"sentry-core",
@ -2535,8 +2529,7 @@ dependencies = [
[[package]]
name = "sentry-types"
version = "0.34.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5d68cdf6bc41b8ff3ae2a9c4671e97426dcdd154cc1d4b6b72813f285d6b163f"
source = "git+https://github.com/getsentry/sentry-rust?rev=1b65b5c#1b65b5c99af975496880e7325218479e0037d097"
dependencies = [
"debugid",
"hex",
@ -2827,7 +2820,7 @@ checksum = "a7065abeca94b6a8a577f9bd45aa0867a2238b74e8eb67cf10d492bc39351394"
[[package]]
name = "syncserver"
version = "0.17.9"
version = "0.17.12"
dependencies = [
"actix-cors",
"actix-http",
@ -2882,7 +2875,7 @@ dependencies = [
[[package]]
name = "syncserver-common"
version = "0.17.9"
version = "0.17.12"
dependencies = [
"actix-web",
"backtrace",
@ -2902,7 +2895,7 @@ dependencies = [
[[package]]
name = "syncserver-db-common"
version = "0.17.9"
version = "0.17.12"
dependencies = [
"backtrace",
"deadpool",
@ -2916,7 +2909,7 @@ dependencies = [
[[package]]
name = "syncserver-settings"
version = "0.17.9"
version = "0.17.12"
dependencies = [
"config 0.11.0",
"num_cpus",
@ -2930,7 +2923,7 @@ dependencies = [
[[package]]
name = "syncstorage-db"
version = "0.17.9"
version = "0.17.12"
dependencies = [
"async-trait",
"cadence",
@ -2953,7 +2946,7 @@ dependencies = [
[[package]]
name = "syncstorage-db-common"
version = "0.17.9"
version = "0.17.12"
dependencies = [
"async-trait",
"backtrace",
@ -2972,7 +2965,7 @@ dependencies = [
[[package]]
name = "syncstorage-mysql"
version = "0.17.9"
version = "0.17.12"
dependencies = [
"async-trait",
"backtrace",
@ -2995,7 +2988,7 @@ dependencies = [
[[package]]
name = "syncstorage-settings"
version = "0.17.9"
version = "0.17.12"
dependencies = [
"rand",
"serde 1.0.203",
@ -3005,7 +2998,7 @@ dependencies = [
[[package]]
name = "syncstorage-spanner"
version = "0.17.9"
version = "0.17.12"
dependencies = [
"async-trait",
"backtrace",
@ -3149,7 +3142,7 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
[[package]]
name = "tokenserver-auth"
version = "0.17.9"
version = "0.17.12"
dependencies = [
"async-trait",
"base64 0.22.1",
@ -3176,7 +3169,7 @@ dependencies = [
[[package]]
name = "tokenserver-common"
version = "0.17.9"
version = "0.17.12"
dependencies = [
"actix-web",
"backtrace",
@ -3191,7 +3184,7 @@ dependencies = [
[[package]]
name = "tokenserver-db"
version = "0.17.9"
version = "0.17.12"
dependencies = [
"async-trait",
"backtrace",
@ -3216,7 +3209,7 @@ dependencies = [
[[package]]
name = "tokenserver-settings"
version = "0.17.9"
version = "0.17.12"
dependencies = [
"jsonwebtoken",
"serde 1.0.203",


@ -6,6 +6,7 @@
, libmysqlclient
, makeBinaryWrapper
, lib
, nix-update-script
}:
let
@ -20,13 +21,13 @@ in
rustPlatform.buildRustPackage rec {
pname = "syncstorage-rs";
version = "0.17.9";
version = "0.17.12";
src = fetchFromGitHub {
owner = "mozilla-services";
repo = pname;
rev = "refs/tags/${version}";
hash = "sha256-ezTwAAtt0/jKfA6FtvzuQVFYOODMcD4RFiU3x0Umifk=";
hash = "sha256-hvKbKbRa5zk+80xmKWeMRjshaS6uybFzb5KdBY19Sl8=";
};
nativeBuildInputs = [
@ -49,12 +50,15 @@ rustPlatform.buildRustPackage rec {
lockFile = ./Cargo.lock;
outputHashes = {
"deadpool-0.7.0" = "sha256-yQwn45EuzmPBwuT+iLJ/LLWAkBkW2vF+GLswdbpFVAY=";
"sentry-0.34.0" = "sha256-BdWz6EIEm2YU3DG3ODkuXCVCMV6srdyx2gXkOxINjHc=";
};
};
# almost all tests need a DB to test against
doCheck = false;
passthru.updateScript = nix-update-script {};
meta = {
description = "Mozilla Sync Storage built with Rust";
homepage = "https://github.com/mozilla-services/syncstorage-rs";


@ -169,6 +169,7 @@ stdenv.mkDerivation (finalAttrs:
management with incremental garbage collection, making it ideal
for configuration, scripting, and rapid prototyping.
'';
mainProgram = "lua";
license = lib.licenses.mit;
platforms = lib.platforms.unix;
};


@ -0,0 +1,39 @@
{
lib,
bleak,
buildPythonPackage,
fetchFromGitHub,
setuptools,
pytestCheckHook,
pythonOlder,
}:
buildPythonPackage rec {
pname = "automower-ble";
version = "0.2.0";
pyproject = true;
disabled = pythonOlder "3.10";
src = fetchFromGitHub {
owner = "alistair23";
repo = "AutoMower-BLE";
rev = "refs/tags/${version}";
hash = "sha256-BWfRXz78e1Xq0fNOGJ2IFnjNqfH3oD5VIGMxyCPtEUw=";
};
build-system = [ setuptools ];
dependencies = [ bleak ];
nativeCheckInputs = [ pytestCheckHook ];
pythonImportsCheck = [ "automower_ble" ];
meta = {
description = "Module to connect to Husqvarna Automower Connect";
homepage = "https://github.com/alistair23/AutoMower-BLE";
license = lib.licenses.gpl3Only;
maintainers = with lib.maintainers; [ fab ];
};
}
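Review bot: The meta block has no `changelog`; since `src` pins `refs/tags/${version}`, the tag page is a stable pointer, `changelog = "https://github.com/alistair23/AutoMower-BLE/releases/tag/${version}";`, matching what the other new Python packages in this merge do. Confirm upstream publishes release notes there; otherwise point it at a changelog file in the repository if one exists.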


@ -16,7 +16,7 @@
buildPythonPackage rec {
pname = "aw-client";
version = "0.5.13";
version = "0.5.14";
format = "pyproject";
@ -25,7 +25,7 @@ buildPythonPackage rec {
owner = "ActivityWatch";
repo = "aw-client";
rev = "v${version}";
sha256 = "sha256-A9f1Wj4F6qRvCVj3iRQvsnILewJK1L5tfI2MnAXZ4nY=";
sha256 = "sha256-HTyhQz/RaNdCtJIV6YHEd6Yhu9VRJ8E9XdN7NcoO8ao=";
};
disabled = pythonOlder "3.8";


@ -1,11 +1,11 @@
{
lib,
buildPythonPackage,
fetchPypi,
fetchFromGitHub,
pythonOlder,
# build-system
poetry-core,
hatchling,
# dependencies
wcwidth,
@ -17,17 +17,19 @@
buildPythonPackage rec {
pname = "ftfy";
version = "6.2.3";
version = "6.3.1";
pyproject = true;
disabled = pythonOlder "3.7";
disabled = pythonOlder "3.9";
src = fetchPypi {
inherit pname version;
hash = "sha256-ebUFmI8p1XelipBpr+dVU6AqRuQt5gkcBmDNxngSutw=";
src = fetchFromGitHub {
owner = "rspeer";
repo = "python-ftfy";
rev = "refs/tags/v${version}";
hash = "sha256-TmwDJeUDcF+uOB2X5tMmnf9liCI9rP6dYJVmJoaqszo=";
};
build-system = [ poetry-core ];
build-system = [ hatchling ];
dependencies = [ wcwidth ];
@ -42,12 +44,8 @@ buildPythonPackage rec {
export PATH=$out/bin:$PATH
'';
disabledTestPaths = [
# Calls poetry and fails to match output exactly
"tests/test_cli.py"
];
meta = with lib; {
changelog = "https://github.com/rspeer/python-ftfy/blob/${src.rev}/CHANGELOG.md";
description = "Given Unicode text, make its representation consistent and possibly less broken";
mainProgram = "ftfy";
homepage = "https://github.com/LuminosoInsight/python-ftfy";
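Review bot: `homepage` still points at `LuminosoInsight/python-ftfy` while `src` now fetches from `rspeer/python-ftfy` and the `changelog` line is built from that same repository, so the two meta URLs disagree about where the project lives. If the repository has moved, as the new `src` suggests, set `homepage = "https://github.com/rspeer/python-ftfy";`; if LuminosoInsight is still canonical, the fetch should use it instead. The `changelog` also interpolates `${src.rev}`, which now expands to `refs/tags/v6.3.1` rather than a plain tag; `v${version}` is the plainer form.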


@ -0,0 +1,67 @@
{
lib,
aiohttp,
aioresponses,
awesomeversion,
buildPythonPackage,
fetchFromGitHub,
hatchling,
mashumaro,
orjson,
pytest-asyncio,
pytest-cov-stub,
pytestCheckHook,
pythonOlder,
syrupy,
webrtc-models,
}:
buildPythonPackage rec {
pname = "go2rtc-client";
version = "0.0.1b2";
pyproject = true;
disabled = pythonOlder "3.12";
src = fetchFromGitHub {
owner = "home-assistant-libs";
repo = "python-go2rtc-client";
rev = "refs/tags/${version}";
hash = "sha256-q1NDHauYy8C3tlIpt6J0iMj0TNtBv2j9aU/IE5CgBjg=";
};
postPatch = ''
substituteInPlace pyproject.toml \
--replace-fail 'version = "0.0.0"' 'version = "${version}"'
'';
pythonRelaxDeps = [ "orjson" ];
build-system = [ hatchling ];
dependencies = [
aiohttp
awesomeversion
mashumaro
orjson
webrtc-models
];
nativeCheckInputs = [
aioresponses
pytest-asyncio
pytest-cov-stub
pytestCheckHook
syrupy
];
pythonImportsCheck = [ "go2rtc_client" ];
meta = {
description = "Module for interacting with go2rtc";
homepage = "https://github.com/home-assistant-libs/python-go2rtc-client";
changelog = "https://github.com/home-assistant-libs/python-go2rtc-client/releases/tag/${version}";
license = lib.licenses.asl20;
maintainers = with lib.maintainers; [ ];
};
}
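Review bot: `maintainers = with lib.maintainers; [ ];` leaves the new package without a maintainer, so nobody is pinged for breakage or security updates; nixpkgs expects at least one for a new package, as the sibling `webrtc-models` in this merge does with `[ fab ]`. `pythonRelaxDeps = [ "orjson" ]` loosens an upstream pin without saying why; a one-line comment such as `# upstream pins orjson; relaxed for the nixpkgs version — re-check on update` tells the next updater when it can be dropped, and the same applies to the identical line in webrtc-models.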


@ -21,7 +21,7 @@
buildPythonPackage rec {
pname = "jupyterlab-git";
version = "0.50.1";
version = "0.50.2";
pyproject = true;
disabled = pythonOlder "3.8";
@ -29,7 +29,7 @@ buildPythonPackage rec {
src = fetchPypi {
pname = "jupyterlab_git";
inherit version;
hash = "sha256-v08Go/vCsquE6l1SMmqg4LjM9OmjNX+jGKEZVg4cak0=";
hash = "sha256-zu/chWMsr0maBItDRFnQO15iFmWAHp23GXvUhvXTNDM=";
};
nativeBuildInputs = [


@ -10,7 +10,7 @@
buildPythonPackage rec {
pname = "pyexploitdb";
version = "0.2.41";
version = "0.2.53";
pyproject = true;
disabled = pythonOlder "3.7";
@ -18,7 +18,7 @@ buildPythonPackage rec {
src = fetchPypi {
pname = "pyExploitDb";
inherit version;
hash = "sha256-QwMD7V1BSmFBZ7mazo7TnuZijm8MC/M/oKMV4nh1v5A=";
hash = "sha256-NebM8nhIo4Hgf7iwSV2utcrqR1kLh+cpmqV1Gc9r8cw=";
};
build-system = [ setuptools ];
@ -35,8 +35,8 @@ buildPythonPackage rec {
meta = with lib; {
description = "Library to fetch the most recent exploit-database";
homepage = "https://github.com/GoVanguard/pyExploitDb";
changelog = "https://github.com/GoVanguard/pyExploitDb/blob/master/ChangeLog.md";
homepage = "https://github.com/Hackman238/pyExploitDb/pyExploitDb";
changelog = "https://github.com/Hackman238/pyExploitDb/pyExploitDb/blob/master/ChangeLog.md";
license = licenses.gpl3Plus;
maintainers = with maintainers; [ fab ];
};
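Review bot: The new `homepage` and `changelog` URLs carry a duplicated path segment, `Hackman238/pyExploitDb/pyExploitDb`, which is not a valid GitHub URL shape (owner/repo, then `blob/<ref>/<path>` for files), so both links will most likely 404 as written. Presumably intended are `homepage = "https://github.com/Hackman238/pyExploitDb";` and `changelog = "https://github.com/Hackman238/pyExploitDb/blob/master/ChangeLog.md";`; verify against the repository before merging, since the owner change from GoVanguard is only implied by this hunk.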


@ -25,14 +25,14 @@
buildPythonPackage rec {
pname = "sagemaker-core";
version = "1.0.10";
version = "1.0.11";
pyproject = true;
src = fetchFromGitHub {
owner = "aws";
repo = "sagemaker-core";
rev = "refs/tags/v${version}";
hash = "sha256-UloQJ5B10XXPbwsktVZzjcW7BLW8wCAw3wGmAkSl6wc=";
hash = "sha256-6r8roHMJ4s/+mGiPeMVZ9wagdXNJQ3+tUFZ/7T+NQBc=";
};
build-system = [


@ -0,0 +1,33 @@
{
buildPythonPackage,
lib,
fetchFromGitLab,
setuptools,
sphinx,
}:
buildPythonPackage rec {
pname = "sphinx-lv2-theme";
version = "1.4.2";
pyproject = true;
src = fetchFromGitLab {
owner = "LV2";
repo = "sphinx_lv2_theme";
rev = "v${version}";
hash = "sha256-x3h2hOQIyzOmnh58WMHjuOARdML1sDiVAf7m0YghhJ4=";
};
build-system = [ setuptools ];
dependencies = [ sphinx ];
pythonImportsCheck = [ "sphinx_lv2_theme" ];
meta = {
description = "Sphinx theme in the style of the LV2 plugin";
homepage = "https://gitlab.com/lv2/sphinx_lv2_theme";
license = lib.licenses.isc;
maintainers = with lib.maintainers; [ samueltardieu ];
};
}


@ -10,8 +10,8 @@
}:
buildPythonPackage rec {
pname = "pythinqconnect";
version = "0.9.7-unstable-2024-09-09";
pname = "thinqconnect";
version = "0.9.9";
pyproject = true;
disabled = pythonOlder "3.10";
@ -19,9 +19,8 @@ buildPythonPackage rec {
src = fetchFromGitHub {
owner = "thinq-connect";
repo = "pythinqconnect";
# https://github.com/thinq-connect/pythinqconnect/issues/1
rev = "39d535a2a5d1067a110eea37ae92002d0793b7e9";
hash = "sha256-+nQAUqg5rB2eJgPBJJR8NsQ1O2Wb4UsbBQVPir1jyAU=";
rev = "refs/tags/${version}";
hash = "sha256-G6fg+mXrUnSkfpeJAvDXEu57UgkYEObErEnds2PK13Y=";
};
build-system = [ setuptools ];


@ -1,18 +1,18 @@
{
lib,
pkgs,
buildPythonPackage,
fetchFromGitHub,
pkgs,
pythonOlder,
redis,
setuptools,
unittestCheckHook,
fetchpatch,
}:
buildPythonPackage rec {
pname = "walrus";
version = "0.9.3";
format = "setuptools";
version = "0.9.4";
pyproject = true;
disabled = pythonOlder "3.7";
@ -20,20 +20,12 @@ buildPythonPackage rec {
owner = "coleifer";
repo = "walrus";
rev = "refs/tags/${version}";
hash = "sha256-jinYMGSBAY8HTg92qU/iU5vGIrrDr5SeQG0XjsBVfcc=";
hash = "sha256-cvoRiaGGTpZWfSE6DDT6GwDmc/TC/Z/E76Qy9Zzkpsw=";
};
patches = [
# distutils has been deprecated, this wraps its import inside a try-catch
# and fallsback to a fallback import.
# Should not be necessary in future versions.
(fetchpatch {
url = "https://github.com/coleifer/walrus/commit/79e20c89aa4015017ef8a3e0b5c27ca2731dc9b2.patch";
hash = "sha256-hCpvki6SV3KYhicjjUMP4VrKMEerMjq2n1BgozXKDO8=";
})
];
build-system = [ setuptools ];
propagatedBuildInputs = [ redis ];
dependencies = [ redis ];
nativeCheckInputs = [ unittestCheckHook ];


@ -0,0 +1,59 @@
{
lib,
buildPythonPackage,
fetchFromGitHub,
hatchling,
mashumaro,
orjson,
pytest-asyncio,
pytest-cov-stub,
pytestCheckHook,
pythonOlder,
syrupy,
}:
buildPythonPackage rec {
pname = "webrtc-models";
version = "0.1.0";
pyproject = true;
disabled = pythonOlder "3.12";
src = fetchFromGitHub {
owner = "home-assistant-libs";
repo = "python-webrtc-models";
rev = "refs/tags/${version}";
hash = "sha256-Wmz+P4FFJJZujWF0SR6HVERNNO7xSM1iCayg6tmVyso=";
};
postPatch = ''
substituteInPlace pyproject.toml \
--replace-fail 'version = "0.0.0"' 'version = "${version}"'
'';
pythonRelaxDeps = [ "orjson" ];
build-system = [ hatchling ];
dependencies = [
mashumaro
orjson
];
nativeCheckInputs = [
pytest-asyncio
pytest-cov-stub
pytestCheckHook
syrupy
];
pythonImportsCheck = [ "webrtc_models" ];
meta = {
description = "WebRTC models as Python dataclasses with mashumaro";
homepage = "https://github.com/home-assistant-libs/python-webrtc-models";
changelog = "https://github.com/home-assistant-libs/python-webrtc-models/releases/tag/${version}";
license = lib.licenses.asl20;
maintainers = with lib.maintainers; [ fab ];
};
}


@ -195,18 +195,6 @@ rec {
defaultJava = jdk17;
};
gradle_6 = gen {
version = "6.9.4";
hash = "sha256-PiQCKFON6fGHcqV06ZoLqVnoPW7zUQFDgazZYxeBOJo=";
defaultJava = jdk11;
meta.knownVulnerabilities = [
"CVE-2021-29429: '[...]files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle[...]'"
"CVE-2021-29427: '[...]there is a vulnerability which can lead to information disclosure and/or dependency poisoning[...] In some cases, Gradle may ignore content filters and search all repositories for dependencies. This only occurs when repository content filtering is used from within a `pluginManagement` block in a settings file.'"
"CVE-2021-29428: '[...]the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. Gradle builds could be vulnerable to a local privilege escalation from an attacker quickly deleting and recreating files in the system temporary directory.'"
"CVE-2021-32751: '[...]start scripts generated by the `application` plugin and the `gradlew` script are both vulnerable to arbitrary code execution when an attacker is able to change environment variables for the user running the script[...]'"
];
};
wrapGradle = {
lib, callPackage, mitm-cache, substituteAll, symlinkJoin, concatTextFile, makeSetupHook, nix-update-script
}:


@ -5,16 +5,16 @@
buildNpmPackage rec {
pname = "mushroom";
version = "4.0.7";
version = "4.0.8";
src = fetchFromGitHub {
owner = "piitaya";
repo = "lovelace-mushroom";
rev = "v${version}";
hash = "sha256-97FW4kNPaoP501xD0W/PjmykwhLbLz7yHVNZiwl/clE=";
hash = "sha256-jwL/LrnQsjwv9Wt+jmJKE7jJ3YO8K7eBkxkvAvCbg7g=";
};
npmDepsHash = "sha256-Gpt17teEbBMHU8teiH66fjZmgq+6v/XovTVxNfHFTg4=";
npmDepsHash = "sha256-fzmVRmX1lBy+t7gRCUfw2ONYyKDUs6IkSnAstiYJ7qg=";
installPhase = ''
runHook preInstall


@ -0,0 +1,41 @@
{
fetchFromGitHub,
lib,
nix-update-script,
openbsd_snmp3_check,
python3Packages,
testers,
}:
python3Packages.buildPythonApplication rec {
pname = "openbsd_snmp3_check";
version = "0.55";
pyproject = false;
src = fetchFromGitHub {
owner = "alexander-naumov";
repo = "openbsd_snmp3_check";
rev = "v${version}";
hash = "sha256-qDYANMvQU72f9wz8os7S1PfBH08AAqhtWLHVuSmkub4=";
};
postInstall = ''
install -Dm755 openbsd_snmp3.py $out/bin/openbsd_snmp3.py
'';
passthru = {
updateScript = nix-update-script { };
tests.version = testers.testVersion {
package = openbsd_snmp3_check;
};
};
meta = with lib; {
changelog = "https://github.com/alexander-naumov/openbsd_snmp3_check/releases/tag/v${version}";
description = "SNMP v3 check for OpenBSD systems state monitoring";
homepage = "https://github.com/alexander-naumov/openbsd_snmp3_check";
license = with licenses; [ bsd3 ];
platforms = platforms.unix;
maintainers = with maintainers; [ jwillikers ];
mainProgram = "openbsd_snmp3.py";
};
}
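Review bot: No runtime Python dependencies are declared and nothing checks that the imports of `openbsd_snmp3.py` resolve, so if the script relies on a third-party module (an SNMP library, say) the installed `$out/bin/openbsd_snmp3.py` would only fail when run; confirm against the script's imports and add `dependencies = with python3Packages; [ ... ];` if needed. With `pyproject = false;` there is no Python build to post-process, so installing the script from `postInstall` reads oddly; an explicit `installPhase` bracketed by `runHook preInstall` / `runHook postInstall`, as the removed `tor-exporter` expression in this merge does, states the intent more clearly.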


@ -13,4 +13,5 @@
inherit (callPackage ./labs_consol_de { }) check_mssql_health check_nwc_health check_ups_health;
manubulon-snmp-plugins = callPackage ./manubulon-snmp-plugins { };
openbsd_snmp3_check = callPackage ./openbsd_snmp3_check { };
}


@ -1,40 +0,0 @@
{ lib, fetchFromGitHub, python3Packages, nixosTests }:
python3Packages.buildPythonApplication rec {
pname = "tor-exporter";
version = "0.4";
# Just a single .py file to use as the application's main entry point.
format = "other";
src = fetchFromGitHub {
rev = "v${version}";
owner = "atx";
repo = "prometheus-tor_exporter";
sha256 = "1gzf42z0cgdqijbi9cwpjkqzkvnabaxkkfa5ac5h27r3pxx3q4n0";
};
propagatedBuildInputs = with python3Packages; [ prometheus-client stem retrying ];
installPhase = ''
mkdir -p $out/share/
cp prometheus-tor-exporter.py $out/share/
'';
fixupPhase = ''
makeWrapper "${python3Packages.python.interpreter}" "$out/bin/prometheus-tor-exporter" \
--set PYTHONPATH "$PYTHONPATH" \
--add-flags "$out/share/prometheus-tor-exporter.py"
'';
passthru.tests = { inherit (nixosTests.prometheus-exporters) tor; };
meta = with lib; {
description = "Prometheus exporter that exposes metrics from a Tor daemon";
mainProgram = "prometheus-tor-exporter";
homepage = "https://github.com/atx/prometheus-tor_exporter";
license = licenses.mit;
maintainers = with maintainers; [ Scrumplex ];
platforms = platforms.unix;
};
}


@ -1,9 +1,9 @@
{ wasm-bindgen-cli, ... }@args:
import ../generic.nix (args // {
version = "15.4.11";
hash = "sha256-vmJ76aRAsbSGXZ2HcuryOlUYrUOPMP6MaI8OjxxyiZ4=";
vendorHash = "sha256-oJo8Ga6TAUz1xSYiRckzq8zZvgIZFCeEwZbiyyVOdkI=";
yarnHash = "sha256-5ppgBa5CyQ49FSFhdWDbTcCTdt0vsXAzNTeyG4r7crg=";
version = "15.4.21";
hash = "sha256-n5dAJ5ilq5nHo3neQzCUFnDRwLhArwleMSho4/g0MT4=";
vendorHash = "sha256-bW8ztNeSzxUNtbuBtxIya9TeGfktC+/fz9iXB0GL0Mg=";
yarnHash = "sha256-ZaLLrcwAeq6TQ1SaA2few4s0HqktOZEpxCTcNGloGfk=";
cargoLock = {
lockFile = ./Cargo.lock;
outputHashes = {


@ -1,9 +1,9 @@
{ wasm-bindgen-cli, ... }@args:
import ../generic.nix (args // {
version = "16.2.0";
hash = "sha256-3LLoO7SNJfEfDEU7JnAhmAOIdRO+TkgiJKjT8sqzelo=";
version = "16.4.6";
hash = "sha256-TdOCFs6YeqINM8aPryrjYPaXEjc/gIqu7kzVYDnMsjg=";
vendorHash = "sha256-iyYfht0aB9Vv2hsaqrieFHXbDhlotKQYfLn4JFqpve8=";
pnpmHash = "sha256-lcev7VwTcuCuced8uZzLoobREWtNRDFRFdfmabJPLtc=";
pnpmHash = "sha256-NF45Wp4itYud01VzxC8bRHZ3xZ1T1du1QmZTDMS5nOk=";
cargoLock = {
lockFile = ./Cargo.lock;
outputHashes = {


@ -150,7 +150,7 @@ buildGoModule rec {
patches = extPatches ++ [
./0001-fix-add-nix-path-to-exec-env.patch
./rdpclient.patch
(if lib.versionAtLeast version "16" then ./tsh_16.patch else ./tsh.patch)
./tsh.patch
];
# Reduce closure size for client machines


@ -11,7 +11,7 @@ index 5de21c69d0..3995c19e3c 100644
if err != nil {
return trace.Wrap(err)
}
+ cf.executablePath = path.Dir(tempBinaryPath) + "/tsh"
+ cf.executablePath = filepath.Dir(tempBinaryPath) + "/tsh"
// configs
setEnvFlags(&cf)
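Review bot: The replacement line still builds the path by string concatenation, `filepath.Dir(tempBinaryPath) + "/tsh"`; since the hunk already switches to the `filepath` package, `cf.executablePath = filepath.Join(filepath.Dir(tempBinaryPath), "tsh")` is the idiomatic, separator-safe form. The patch file's own `index 5de21c69d0..3995c19e3c` line is left untouched although the hunk body changed; it is informational for `git apply`, but it no longer describes the blob the patch produces. The surrounding `Run` function starts and ends outside this hunk.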


@ -1,17 +0,0 @@
diff --git a/tool/tsh/common/tsh.go b/tool/tsh/common/tsh.go
index 5de21c69d0..3995c19e3c 100644
--- a/tool/tsh/common/tsh.go
+++ b/tool/tsh/common/tsh.go
@@ -1084,10 +1084,11 @@ func Run(ctx context.Context, args []string, opts ...CliOption) error {
var err error
- cf.executablePath, err = os.Executable()
+ tempBinaryPath, err := os.Executable()
if err != nil {
return trace.Wrap(err)
}
+ cf.executablePath = filepath.Dir(tempBinaryPath) + "/tsh"
// configs
setEnvFlags(&cf)


@ -2,11 +2,11 @@
stdenv.mkDerivation rec {
pname = "nifi";
version = "1.27.0";
version = "1.28.0";
src = fetchzip {
url = "mirror://apache/nifi/${version}/nifi-${version}-bin.zip";
hash = "sha256-D3o7MLn8vdDqzk6/AJ7Lmq6Yx2swy8CwOyDTlxFSVME=";
hash = "sha256-EQqosdwNdaSUIcP3QlvzJZhDNu1JbHg08FlnZo6ogmQ=";
};
nativeBuildInputs = [ makeWrapper ];


@ -8,11 +8,11 @@
stdenvNoCC.mkDerivation rec {
pname = "panoply";
version = "5.5.3";
version = "5.5.4";
src = fetchurl {
url = "https://www.giss.nasa.gov/tools/panoply/download/PanoplyJ-${version}.tgz";
hash = "sha256-TCuCLWMVp7t0JpHA6TbwUdURj/aBggzLa9I7llRY0TU=";
hash = "sha256-rC2vQcaanK2nNSDtiXNhyBiV0SN3QqtwU8WNBc7D/Nw=";
};
nativeBuildInputs = [ makeWrapper ];


@ -16,6 +16,7 @@ let
atLeast210 = lib.versionAtLeast version "2.10pre";
atLeast213 = lib.versionAtLeast version "2.13pre";
atLeast214 = lib.versionAtLeast version "2.14pre";
atLeast218 = lib.versionAtLeast version "2.18pre";
atLeast219 = lib.versionAtLeast version "2.19pre";
atLeast220 = lib.versionAtLeast version "2.20pre";
atLeast221 = lib.versionAtLeast version "2.21pre";
@ -42,6 +43,7 @@ in
, callPackage
, coreutils
, curl
, darwin
, docbook_xsl_ns
, docbook5
, editline
@ -158,6 +160,8 @@ self = stdenv.mkDerivation {
libseccomp
] ++ lib.optionals withAWS [
aws-sdk-cpp
] ++ lib.optional (atLeast218 && stdenv.hostPlatform.isDarwin) [
darwin.apple_sdk.libs.sandbox
];
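Review bot: `lib.optional (atLeast218 && stdenv.hostPlatform.isDarwin) [ darwin.apple_sdk.libs.sandbox ]` passes a list to `lib.optional`, which wraps its argument and so yields a nested `[ [ … ] ]` inside `buildInputs`; mkDerivation appears to tolerate nested dependency lists, so it builds, but the idiom for a list operand is `lib.optionals`. Change the added line to `] ++ lib.optionals (atLeast218 && stdenv.hostPlatform.isDarwin) [`. The enclosing `buildInputs` expression starts above the hunk.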


@ -178,42 +178,85 @@ in lib.makeExtensible (self: ({
version = "2.18.8";
hash = "sha256-0rHRifdjzzxMh/im8pRx6XoY62irDTDUes+Pn0CR65I=";
self_attribute_name = "nix_2_18";
patches = [
./patches/2_18/0001-fix-Run-all-derivation-builders-inside-the-sandbox-o.patch
./patches/2_18/0002-local-derivation-goal-Print-sandbox-error-detail-on-.patch
./patches/2_18/0003-local-derivation-goal-Refactor.patch
./patches/2_18/0004-local-derivation-goal-Move-builder-preparation-to-no.patch
];
};
nix_2_19 = common {
version = "2.19.6";
hash = "sha256-XT5xiwOLgXf+TdyOjbJVOl992wu9mBO25WXHoyli/Tk=";
self_attribute_name = "nix_2_19";
patches = [
./patches/2_19/0001-fix-Run-all-derivation-builders-inside-the-sandbox-o.patch
./patches/2_19/0002-local-derivation-goal-Print-sandbox-error-detail-on-.patch
./patches/2_19/0003-local-derivation-goal-Refactor.patch
./patches/2_19/0004-local-derivation-goal-Move-builder-preparation-to-no.patch
];
};
nix_2_20 = common {
version = "2.20.8";
hash = "sha256-M2tkMtjKi8LDdNLsKi3IvD8oY/i3rtarjMpvhybS3WY=";
self_attribute_name = "nix_2_20";
patches = [
./patches/2_20/0001-fix-Run-all-derivation-builders-inside-the-sandbox-o.patch
./patches/2_20/0002-local-derivation-goal-Print-sandbox-error-detail-on-.patch
./patches/2_20/0003-local-derivation-goal-Refactor.patch
./patches/2_20/0004-local-derivation-goal-Move-builder-preparation-to-no.patch
];
};
nix_2_21 = common {
version = "2.21.4";
hash = "sha256-c6nVZ0pSrfhFX3eVKqayS+ioqyAGp3zG9ZPO5rkXFRQ=";
self_attribute_name = "nix_2_21";
patches = [
./patches/2_21/0001-fix-Run-all-derivation-builders-inside-the-sandbox-o.patch
./patches/2_21/0002-local-derivation-goal-Print-sandbox-error-detail-on-.patch
./patches/2_21/0003-local-derivation-goal-Refactor.patch
./patches/2_21/0004-local-derivation-goal-Move-builder-preparation-to-no.patch
];
};
nix_2_22 = common {
version = "2.22.3";
hash = "sha256-l04csH5rTWsK7eXPWVxJBUVRPMZXllFoSkYFTq/i8WU=";
self_attribute_name = "nix_2_22";
patches = [
./patches/2_22/0001-fix-Run-all-derivation-builders-inside-the-sandbox-o.patch
./patches/2_22/0002-local-derivation-goal-Print-sandbox-error-detail-on-.patch
./patches/2_22/0003-local-derivation-goal-Refactor.patch
./patches/2_22/0004-local-derivation-goal-Move-builder-preparation-to-no.patch
];
};
nix_2_23 = common {
version = "2.23.3";
hash = "sha256-lAoLGVIhRFrfgv7wcyduEkyc83QKrtsfsq4of+WrBeg=";
self_attribute_name = "nix_2_23";
patches = [
./patches/2_23/0001-fix-Run-all-derivation-builders-inside-the-sandbox-o.patch
./patches/2_23/0002-local-derivation-goal-Print-sandbox-error-detail-on-.patch
./patches/2_23/0003-local-derivation-goal-Refactor.patch
./patches/2_23/0004-local-derivation-goal-Move-builder-preparation-to-no.patch
];
};
nix_2_24 = (common {
version = "2.24.9";
hash = "sha256-OwJByTdCz1t91ysBqynK+ifszkoIGEXUn6HE2t82+c8=";
self_attribute_name = "nix_2_24";
patches = [
./patches/2_24/0001-fix-Run-all-derivation-builders-inside-the-sandbox-o.patch
./patches/2_24/0002-packaging-Add-darwin-lsandbox-in-meson.patch
./patches/2_24/0003-local-derivation-goal-Print-sandbox-error-detail-on-.patch
./patches/2_24/0004-local-derivation-goal-Refactor.patch
./patches/2_24/0005-local-derivation-goal-Move-builder-preparation-to-no.patch
];
}).override (lib.optionalAttrs (stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isx86_64) {
# Fix the following error with the default x86_64-darwin SDK:
#
@ -234,6 +277,14 @@ in lib.makeExtensible (self: ({
rev = "ca3fc1693b309ab6b8b0c09408a08d0055bf0363";
hash = "sha256-Hp7dkx7zfB9a4l5QusXUob0b1T2qdZ23LFo5dcp3xrU=";
};
patches = [
./patches/git/0001-Fix-meson-build-on-darwin.patch
./patches/git/0002-fix-Run-all-derivation-builders-inside-the-sandbox-o.patch
./patches/git/0003-packaging-Add-darwin-lsandbox-in-meson.patch
./patches/git/0004-local-derivation-goal-Print-sandbox-error-detail-on-.patch
./patches/git/0005-local-derivation-goal-Refactor.patch
./patches/git/0006-local-derivation-goal-Move-builder-preparation-to-no.patch
];
self_attribute_name = "git";
}).override (lib.optionalAttrs (stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isx86_64) {
# Fix the following error with the default x86_64-darwin SDK:


@ -0,0 +1,315 @@
From 3c4bc6929eb13cf648c54931a28797bb1c289052 Mon Sep 17 00:00:00 2001
From: Puck Meerburg <puck@puckipedia.com>
Date: Fri, 1 Mar 2024 11:42:24 -0500
Subject: [PATCH 1/4] fix: Run all derivation builders inside the sandbox on
macOS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
configure.ac | 6 +-
flake.nix | 1 +
src/libstore/build/local-derivation-goal.cc | 221 ++++++++++----------
3 files changed, 114 insertions(+), 114 deletions(-)
diff --git a/configure.ac b/configure.ac
index 4e50d0913..44852ad79 100644
--- a/configure.ac
+++ b/configure.ac
@@ -58,13 +58,17 @@ AC_CHECK_TOOL([AR], [ar])
AC_SYS_LARGEFILE
-# Solaris-specific stuff.
+# OS-specific stuff.
AC_STRUCT_DIRENT_D_TYPE
case "$host_os" in
solaris*)
# Solaris requires -lsocket -lnsl for network functions
LDFLAGS="-lsocket -lnsl $LDFLAGS"
;;
+ darwin*)
+ # Need to link to libsandbox.
+ LDFLAGS="-lsandbox $LDFLAGS"
+ ;;
esac
diff --git a/flake.nix b/flake.nix
index 6c9bef4d8..66ac1bfd8 100644
--- a/flake.nix
+++ b/flake.nix
@@ -173,6 +173,7 @@
boost
lowdown-nix
]
+ ++ lib.optionals stdenv.isDarwin [darwin.apple_sdk.libs.sandbox]
++ lib.optionals stdenv.isLinux [(libseccomp.overrideAttrs (_: rec {
version = "2.5.5";
src = fetchurl {
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index 4d690beaf..fb83cfdc7 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -53,6 +53,10 @@
#if __APPLE__
#include <spawn.h>
#include <sys/sysctl.h>
+#include <sandbox.h>
+
+/* This definition is undocumented but depended upon by all major browsers. */
+extern "C" int sandbox_init_with_parameters(const char *profile, uint64_t flags, const char *const parameters[], char **errorbuf);
#endif
#include <pwd.h>
@@ -2034,141 +2038,132 @@ void LocalDerivationGoal::runChild()
std::string builder = "invalid";
- if (drv->isBuiltin()) {
- ;
- }
#if __APPLE__
- else {
- /* This has to appear before import statements. */
- std::string sandboxProfile = "(version 1)\n";
-
- if (useChroot) {
-
- /* Lots and lots and lots of file functions freak out if they can't stat their full ancestry */
- PathSet ancestry;
-
- /* We build the ancestry before adding all inputPaths to the store because we know they'll
- all have the same parents (the store), and there might be lots of inputs. This isn't
- particularly efficient... I doubt it'll be a bottleneck in practice */
- for (auto & i : dirsInChroot) {
- Path cur = i.first;
- while (cur.compare("/") != 0) {
- cur = dirOf(cur);
- ancestry.insert(cur);
- }
- }
+ /* This has to appear before import statements. */
+ std::string sandboxProfile = "(version 1)\n";
- /* And we want the store in there regardless of how empty dirsInChroot. We include the innermost
- path component this time, since it's typically /nix/store and we care about that. */
- Path cur = worker.store.storeDir;
+ if (useChroot) {
+
+ /* Lots and lots and lots of file functions freak out if they can't stat their full ancestry */
+ PathSet ancestry;
+
+ /* We build the ancestry before adding all inputPaths to the store because we know they'll
+ all have the same parents (the store), and there might be lots of inputs. This isn't
+ particularly efficient... I doubt it'll be a bottleneck in practice */
+ for (auto & i : dirsInChroot) {
+ Path cur = i.first;
while (cur.compare("/") != 0) {
- ancestry.insert(cur);
cur = dirOf(cur);
+ ancestry.insert(cur);
}
+ }
- /* Add all our input paths to the chroot */
- for (auto & i : inputPaths) {
- auto p = worker.store.printStorePath(i);
- dirsInChroot[p] = p;
- }
-
- /* Violations will go to the syslog if you set this. Unfortunately the destination does not appear to be configurable */
- if (settings.darwinLogSandboxViolations) {
- sandboxProfile += "(deny default)\n";
- } else {
- sandboxProfile += "(deny default (with no-log))\n";
- }
+ /* And we want the store in there regardless of how empty dirsInChroot. We include the innermost
+ path component this time, since it's typically /nix/store and we care about that. */
+ Path cur = worker.store.storeDir;
+ while (cur.compare("/") != 0) {
+ ancestry.insert(cur);
+ cur = dirOf(cur);
+ }
- sandboxProfile +=
- #include "sandbox-defaults.sb"
- ;
+ /* Add all our input paths to the chroot */
+ for (auto & i : inputPaths) {
+ auto p = worker.store.printStorePath(i);
+ dirsInChroot[p] = p;
+ }
- if (!derivationType->isSandboxed())
- sandboxProfile +=
- #include "sandbox-network.sb"
- ;
-
- /* Add the output paths we'll use at build-time to the chroot */
- sandboxProfile += "(allow file-read* file-write* process-exec\n";
- for (auto & [_, path] : scratchOutputs)
- sandboxProfile += fmt("\t(subpath \"%s\")\n", worker.store.printStorePath(path));
-
- sandboxProfile += ")\n";
-
- /* Our inputs (transitive dependencies and any impurities computed above)
-
- without file-write* allowed, access() incorrectly returns EPERM
- */
- sandboxProfile += "(allow file-read* file-write* process-exec\n";
- for (auto & i : dirsInChroot) {
- if (i.first != i.second.source)
- throw Error(
- "can't map '%1%' to '%2%': mismatched impure paths not supported on Darwin",
- i.first, i.second.source);
-
- std::string path = i.first;
- struct stat st;
- if (lstat(path.c_str(), &st)) {
- if (i.second.optional && errno == ENOENT)
- continue;
- throw SysError("getting attributes of path '%s", path);
- }
- if (S_ISDIR(st.st_mode))
- sandboxProfile += fmt("\t(subpath \"%s\")\n", path);
- else
- sandboxProfile += fmt("\t(literal \"%s\")\n", path);
- }
- sandboxProfile += ")\n";
+ /* Violations will go to the syslog if you set this. Unfortunately the destination does not appear to be configurable */
+ if (settings.darwinLogSandboxViolations) {
+ sandboxProfile += "(deny default)\n";
+ } else {
+ sandboxProfile += "(deny default (with no-log))\n";
+ }
- /* Allow file-read* on full directory hierarchy to self. Allows realpath() */
- sandboxProfile += "(allow file-read*\n";
- for (auto & i : ancestry) {
- sandboxProfile += fmt("\t(literal \"%s\")\n", i);
- }
- sandboxProfile += ")\n";
+ sandboxProfile +=
+ #include "sandbox-defaults.sb"
+ ;
- sandboxProfile += additionalSandboxProfile;
- } else
+ if (!derivationType->isSandboxed())
sandboxProfile +=
- #include "sandbox-minimal.sb"
+ #include "sandbox-network.sb"
;
- debug("Generated sandbox profile:");
- debug(sandboxProfile);
+ /* Add the output paths we'll use at build-time to the chroot */
+ sandboxProfile += "(allow file-read* file-write* process-exec\n";
+ for (auto & [_, path] : scratchOutputs)
+ sandboxProfile += fmt("\t(subpath \"%s\")\n", worker.store.printStorePath(path));
- Path sandboxFile = tmpDir + "/.sandbox.sb";
+ sandboxProfile += ")\n";
- writeFile(sandboxFile, sandboxProfile);
+ /* Our inputs (transitive dependencies and any impurities computed above)
- bool allowLocalNetworking = parsedDrv->getBoolAttr("__darwinAllowLocalNetworking");
+ without file-write* allowed, access() incorrectly returns EPERM
+ */
+ sandboxProfile += "(allow file-read* file-write* process-exec\n";
+ for (auto & i : dirsInChroot) {
+ if (i.first != i.second.source)
+ throw Error(
+ "can't map '%1%' to '%2%': mismatched impure paths not supported on Darwin",
+ i.first, i.second.source);
- /* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms
- to find temporary directories, so we want to open up a broader place for them to dump their files, if needed. */
- Path globalTmpDir = canonPath(defaultTempDir(), true);
+ std::string path = i.first;
+ struct stat st;
+ if (lstat(path.c_str(), &st)) {
+ if (i.second.optional && errno == ENOENT)
+ continue;
+ throw SysError("getting attributes of path '%s", path);
+ }
+ if (S_ISDIR(st.st_mode))
+ sandboxProfile += fmt("\t(subpath \"%s\")\n", path);
+ else
+ sandboxProfile += fmt("\t(literal \"%s\")\n", path);
+ }
+ sandboxProfile += ")\n";
- /* They don't like trailing slashes on subpath directives */
- while (!globalTmpDir.empty() && globalTmpDir.back() == '/')
- globalTmpDir.pop_back();
+ /* Allow file-read* on full directory hierarchy to self. Allows realpath() */
+ sandboxProfile += "(allow file-read*\n";
+ for (auto & i : ancestry) {
+ sandboxProfile += fmt("\t(literal \"%s\")\n", i);
+ }
+ sandboxProfile += ")\n";
- if (getEnv("_NIX_TEST_NO_SANDBOX") != "1") {
- builder = "/usr/bin/sandbox-exec";
- args.push_back("sandbox-exec");
- args.push_back("-f");
- args.push_back(sandboxFile);
- args.push_back("-D");
- args.push_back("_GLOBAL_TMP_DIR=" + globalTmpDir);
- if (allowLocalNetworking) {
- args.push_back("-D");
- args.push_back(std::string("_ALLOW_LOCAL_NETWORKING=1"));
- }
- args.push_back(drv->builder);
- } else {
- builder = drv->builder;
- args.push_back(std::string(baseNameOf(drv->builder)));
+ sandboxProfile += additionalSandboxProfile;
+ } else
+ sandboxProfile +=
+ #include "sandbox-minimal.sb"
+ ;
+
+ debug("Generated sandbox profile:");
+ debug(sandboxProfile);
+
+ bool allowLocalNetworking = parsedDrv->getBoolAttr("__darwinAllowLocalNetworking");
+
+ /* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms
+ to find temporary directories, so we want to open up a broader place for them to dump their files, if needed. */
+ Path globalTmpDir = canonPath(defaultTempDir(), true);
+
+ /* They don't like trailing slashes on subpath directives */
+ while (!globalTmpDir.empty() && globalTmpDir.back() == '/')
+ globalTmpDir.pop_back();
+
+ if (getEnv("_NIX_TEST_NO_SANDBOX") != "1") {
+ Strings sandboxArgs;
+ sandboxArgs.push_back("_GLOBAL_TMP_DIR");
+ sandboxArgs.push_back(globalTmpDir);
+ if (allowLocalNetworking) {
+ sandboxArgs.push_back("_ALLOW_LOCAL_NETWORKING");
+ sandboxArgs.push_back("1");
+ }
+ if (sandbox_init_with_parameters(sandboxProfile.c_str(), 0, stringsToCharPtrs(sandboxArgs).data(), NULL)) {
+ writeFull(STDERR_FILENO, "failed to configure sandbox\n");
+ _exit(1);
}
}
+
+ builder = drv->builder;
+ args.push_back(std::string(baseNameOf(drv->builder)));
#else
- else {
+ if (!drv->isBuiltin()) {
builder = drv->builder;
args.push_back(std::string(baseNameOf(drv->builder)));
}
--
2.46.1
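Review bot: The `_NIX_TEST_NO_SANDBOX` escape in the runChild hunk now skips `sandbox_init_with_parameters` and then falls through to the same `builder = drv->builder;` exec path as the sandboxed case, so a build that ran unconfined leaves no trace in its output; an `else { debug("darwin sandbox disabled via _NIX_TEST_NO_SANDBOX"); }` on that `if` would make it visible in the log. The extern declaration added near the top of the file says the symbol is undocumented but not how a failure is handled; I would extend that comment to `/* Private API, not declared in <sandbox.h>; a nonzero return is treated as fatal in runChild so the builder never starts unsandboxed. */`. runChild starts and ends outside the hunk. The later `[PATCH 1/4]` sections for the other Nix versions carry the same two points and are not annotated separately.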


@ -0,0 +1,34 @@
From 4ac099d6ab4b6851aeb8b7a1e37f5794716d5138 Mon Sep 17 00:00:00 2001
From: Robert Hensing <robert@roberthensing.nl>
Date: Thu, 3 Oct 2024 12:44:12 +0200
Subject: [PATCH 2/4] local-derivation-goal: Print sandbox error detail on
darwin
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-Authored-By: Théophane Hufschmitt <theophane.hufschmitt@tweag.io>
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
src/libstore/build/local-derivation-goal.cc | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index fb83cfdc7..d41d1c1e5 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -2154,8 +2154,9 @@ void LocalDerivationGoal::runChild()
sandboxArgs.push_back("_ALLOW_LOCAL_NETWORKING");
sandboxArgs.push_back("1");
}
- if (sandbox_init_with_parameters(sandboxProfile.c_str(), 0, stringsToCharPtrs(sandboxArgs).data(), NULL)) {
- writeFull(STDERR_FILENO, "failed to configure sandbox\n");
+ char * sandbox_errbuf = nullptr;
+ if (sandbox_init_with_parameters(sandboxProfile.c_str(), 0, stringsToCharPtrs(sandboxArgs).data(), &sandbox_errbuf)) {
+ writeFull(STDERR_FILENO, fmt("failed to configure sandbox: %s\n", sandbox_errbuf ? sandbox_errbuf : "(null)"));
_exit(1);
}
}
--
2.46.1
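Review bot: `sandbox_errbuf` on the added lines is a buffer allocated by libsandbox and is never released; that is harmless only because `_exit(1)` follows on the next line, and the code should say so with `/* errbuf is owned by libsandbox (sandbox_free_error); not released because we _exit immediately. */` above the `char * sandbox_errbuf = nullptr;` line. The message goes to the child's stderr, which from the visible lines is the only channel back to the build log, so the `"(null)"` fallback is worth keeping. runChild starts and ends outside the hunk. The second `[PATCH 2/4]` section below is identical and shares this note.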


@ -0,0 +1,41 @@
From 6fe3a5e26def808b99856099d74aa3017ecf6d9d Mon Sep 17 00:00:00 2001
From: Robert Hensing <robert@roberthensing.nl>
Date: Thu, 3 Oct 2024 12:50:27 +0200
Subject: [PATCH 3/4] local-derivation-goal: Refactor
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This works because the `builder` and `args` variables are only used
in the non-builtin code path.
Co-Authored-By: Théophane Hufschmitt <theophane.hufschmitt@tweag.io>
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
src/libstore/build/local-derivation-goal.cc | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index d41d1c1e5..faecc403b 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -2160,15 +2160,12 @@ void LocalDerivationGoal::runChild()
_exit(1);
}
}
+#endif
- builder = drv->builder;
- args.push_back(std::string(baseNameOf(drv->builder)));
-#else
if (!drv->isBuiltin()) {
builder = drv->builder;
args.push_back(std::string(baseNameOf(drv->builder)));
}
-#endif
for (auto & i : drv->args)
args.push_back(rewriteStrings(i, inputRewrites));
--
2.46.1
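Review bot: Moving `#endif` above the `if (!drv->isBuiltin())` block means that on Darwin the sandbox block closed just before it has already run for this process, so builtin builders are confined too, but nothing in the hunk records that and a reader may assume the guard below also gates sandboxing. A line such as `/* On Darwin the sandbox profile is already in force here, for builtin and external builders alike. */` before the `if` would make the intent explicit. The commit message's claim that `builder` and `args` are only used on the non-builtin path cannot be checked from the hunk; runChild continues outside it. The second `[PATCH 3/4]` section below is identical and shares this note.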


@ -0,0 +1,75 @@
From d219faa93badcfc8134c81ba0d2b821775eb947c Mon Sep 17 00:00:00 2001
From: Robert Hensing <robert@roberthensing.nl>
Date: Thu, 3 Oct 2024 12:57:00 +0200
Subject: [PATCH 4/4] local-derivation-goal: Move builder preparation to
non-builtin code path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
src/libstore/build/local-derivation-goal.cc | 25 +++++++++------------
1 file changed, 10 insertions(+), 15 deletions(-)
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index faecc403b..23d5d5e3f 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -2033,11 +2033,6 @@ void LocalDerivationGoal::runChild()
throw SysError("setuid failed");
}
- /* Fill in the arguments. */
- Strings args;
-
- std::string builder = "invalid";
-
#if __APPLE__
/* This has to appear before import statements. */
std::string sandboxProfile = "(version 1)\n";
@@ -2162,14 +2157,6 @@ void LocalDerivationGoal::runChild()
}
#endif
- if (!drv->isBuiltin()) {
- builder = drv->builder;
- args.push_back(std::string(baseNameOf(drv->builder)));
- }
-
- for (auto & i : drv->args)
- args.push_back(rewriteStrings(i, inputRewrites));
-
/* Indicate that we managed to set up the build environment. */
writeFull(STDERR_FILENO, std::string("\2\n"));
@@ -2199,6 +2186,14 @@ void LocalDerivationGoal::runChild()
}
}
+ // Now builder is not builtin
+
+ Strings args;
+ args.push_back(std::string(baseNameOf(drv->builder)));
+
+ for (auto & i : drv->args)
+ args.push_back(rewriteStrings(i, inputRewrites));
+
#if __APPLE__
posix_spawnattr_t attrp;
@@ -2220,9 +2215,9 @@ void LocalDerivationGoal::runChild()
posix_spawnattr_setbinpref_np(&attrp, 1, &cpu, NULL);
}
- posix_spawn(NULL, builder.c_str(), NULL, &attrp, stringsToCharPtrs(args).data(), stringsToCharPtrs(envStrs).data());
+ posix_spawn(NULL, drv->builder.c_str(), NULL, &attrp, stringsToCharPtrs(args).data(), stringsToCharPtrs(envStrs).data());
#else
- execve(builder.c_str(), stringsToCharPtrs(args).data(), stringsToCharPtrs(envStrs).data());
+ execve(drv->builder.c_str(), stringsToCharPtrs(args).data(), stringsToCharPtrs(envStrs).data());
#endif
throw SysError("executing '%1%'", drv->builder);
--
2.46.1
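Review bot: The comment `// Now builder is not builtin` on the added lines is the only explanation of why `args` can be built this late, and it does not say what guarantees it; the builtin path that presumably exits before this point is outside the hunk, so I would reword it as `/* Builtin builders have been handled above; only an external drv->builder reaches the spawn below. */`. Dropping the `builder = "invalid"` sentinel in favour of `drv->builder.c_str()` at the posix_spawn and execve calls is consistent with the `SysError("executing '%1%'", drv->builder)` line, which already reported that path. runChild starts and ends outside the hunks. The second `[PATCH 4/4]` section below is identical and shares this note.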


@ -0,0 +1,312 @@
From 172734f47a8062285cec0055133efcc45df03e54 Mon Sep 17 00:00:00 2001
From: Puck Meerburg <puck@puckipedia.com>
Date: Fri, 1 Mar 2024 11:42:24 -0500
Subject: [PATCH 1/4] fix: Run all derivation builders inside the sandbox on
macOS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
configure.ac | 6 +-
flake.nix | 1 +
src/libstore/build/local-derivation-goal.cc | 217 ++++++++++----------
3 files changed, 112 insertions(+), 112 deletions(-)
diff --git a/configure.ac b/configure.ac
index 281ba2c32..6d73804e2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -58,13 +58,17 @@ AC_CHECK_TOOL([AR], [ar])
AC_SYS_LARGEFILE
-# Solaris-specific stuff.
+# OS-specific stuff.
AC_STRUCT_DIRENT_D_TYPE
case "$host_os" in
solaris*)
# Solaris requires -lsocket -lnsl for network functions
LDFLAGS="-lsocket -lnsl $LDFLAGS"
;;
+ darwin*)
+ # Need to link to libsandbox.
+ LDFLAGS="-lsandbox $LDFLAGS"
+ ;;
esac
diff --git a/flake.nix b/flake.nix
index 6deb09f22..98f9cc25f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -202,6 +202,7 @@
libsodium
]
++ lib.optionals stdenv.isLinux [libseccomp]
+ ++ lib.optionals stdenv.isDarwin [darwin.apple_sdk.libs.sandbox]
++ lib.optional stdenv.hostPlatform.isx86_64 libcpuid;
checkDeps = [
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index b6c7666e5..effd9c613 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -55,6 +55,10 @@
#if __APPLE__
#include <spawn.h>
#include <sys/sysctl.h>
+#include <sandbox.h>
+
+/* This definition is undocumented but depended upon by all major browsers. */
+extern "C" int sandbox_init_with_parameters(const char *profile, uint64_t flags, const char *const parameters[], char **errorbuf);
#endif
#include <pwd.h>
@@ -2031,140 +2035,131 @@ void LocalDerivationGoal::runChild()
std::string builder = "invalid";
- if (drv->isBuiltin()) {
- ;
- }
#if __APPLE__
- else {
- /* This has to appear before import statements. */
- std::string sandboxProfile = "(version 1)\n";
-
- if (useChroot) {
-
- /* Lots and lots and lots of file functions freak out if they can't stat their full ancestry */
- PathSet ancestry;
-
- /* We build the ancestry before adding all inputPaths to the store because we know they'll
- all have the same parents (the store), and there might be lots of inputs. This isn't
- particularly efficient... I doubt it'll be a bottleneck in practice */
- for (auto & i : pathsInChroot) {
- Path cur = i.first;
- while (cur.compare("/") != 0) {
- cur = dirOf(cur);
- ancestry.insert(cur);
- }
- }
+ /* This has to appear before import statements. */
+ std::string sandboxProfile = "(version 1)\n";
- /* And we want the store in there regardless of how empty pathsInChroot. We include the innermost
- path component this time, since it's typically /nix/store and we care about that. */
- Path cur = worker.store.storeDir;
+ if (useChroot) {
+
+ /* Lots and lots and lots of file functions freak out if they can't stat their full ancestry */
+ PathSet ancestry;
+
+ /* We build the ancestry before adding all inputPaths to the store because we know they'll
+ all have the same parents (the store), and there might be lots of inputs. This isn't
+ particularly efficient... I doubt it'll be a bottleneck in practice */
+ for (auto & i : pathsInChroot) {
+ Path cur = i.first;
while (cur.compare("/") != 0) {
- ancestry.insert(cur);
cur = dirOf(cur);
+ ancestry.insert(cur);
}
+ }
- /* Add all our input paths to the chroot */
- for (auto & i : inputPaths) {
- auto p = worker.store.printStorePath(i);
- pathsInChroot[p] = p;
- }
+ /* And we want the store in there regardless of how empty pathsInChroot. We include the innermost
+ path component this time, since it's typically /nix/store and we care about that. */
+ Path cur = worker.store.storeDir;
+ while (cur.compare("/") != 0) {
+ ancestry.insert(cur);
+ cur = dirOf(cur);
+ }
- /* Violations will go to the syslog if you set this. Unfortunately the destination does not appear to be configurable */
- if (settings.darwinLogSandboxViolations) {
- sandboxProfile += "(deny default)\n";
- } else {
- sandboxProfile += "(deny default (with no-log))\n";
- }
+ /* Add all our input paths to the chroot */
+ for (auto & i : inputPaths) {
+ auto p = worker.store.printStorePath(i);
+ pathsInChroot[p] = p;
+ }
+
+ /* Violations will go to the syslog if you set this. Unfortunately the destination does not appear to be configurable */
+ if (settings.darwinLogSandboxViolations) {
+ sandboxProfile += "(deny default)\n";
+ } else {
+ sandboxProfile += "(deny default (with no-log))\n";
+ }
+ sandboxProfile +=
+ #include "sandbox-defaults.sb"
+ ;
+
+ if (!derivationType->isSandboxed())
sandboxProfile +=
- #include "sandbox-defaults.sb"
+ #include "sandbox-network.sb"
;
- if (!derivationType->isSandboxed())
- sandboxProfile +=
- #include "sandbox-network.sb"
- ;
-
- /* Add the output paths we'll use at build-time to the chroot */
- sandboxProfile += "(allow file-read* file-write* process-exec\n";
- for (auto & [_, path] : scratchOutputs)
- sandboxProfile += fmt("\t(subpath \"%s\")\n", worker.store.printStorePath(path));
-
- sandboxProfile += ")\n";
-
- /* Our inputs (transitive dependencies and any impurities computed above)
-
- without file-write* allowed, access() incorrectly returns EPERM
- */
- sandboxProfile += "(allow file-read* file-write* process-exec\n";
- for (auto & i : pathsInChroot) {
- if (i.first != i.second.source)
- throw Error(
- "can't map '%1%' to '%2%': mismatched impure paths not supported on Darwin",
- i.first, i.second.source);
-
- std::string path = i.first;
- struct stat st;
- if (lstat(path.c_str(), &st)) {
- if (i.second.optional && errno == ENOENT)
- continue;
- throw SysError("getting attributes of path '%s", path);
- }
- if (S_ISDIR(st.st_mode))
- sandboxProfile += fmt("\t(subpath \"%s\")\n", path);
- else
- sandboxProfile += fmt("\t(literal \"%s\")\n", path);
- }
- sandboxProfile += ")\n";
+ /* Add the output paths we'll use at build-time to the chroot */
+ sandboxProfile += "(allow file-read* file-write* process-exec\n";
+ for (auto & [_, path] : scratchOutputs)
+ sandboxProfile += fmt("\t(subpath \"%s\")\n", worker.store.printStorePath(path));
- /* Allow file-read* on full directory hierarchy to self. Allows realpath() */
- sandboxProfile += "(allow file-read*\n";
- for (auto & i : ancestry) {
- sandboxProfile += fmt("\t(literal \"%s\")\n", i);
- }
- sandboxProfile += ")\n";
+ sandboxProfile += ")\n";
- sandboxProfile += additionalSandboxProfile;
- } else
- sandboxProfile +=
- #include "sandbox-minimal.sb"
- ;
+ /* Our inputs (transitive dependencies and any impurities computed above)
+
+ without file-write* allowed, access() incorrectly returns EPERM
+ */
+ sandboxProfile += "(allow file-read* file-write* process-exec\n";
+ for (auto & i : pathsInChroot) {
+ if (i.first != i.second.source)
+ throw Error(
+ "can't map '%1%' to '%2%': mismatched impure paths not supported on Darwin",
+ i.first, i.second.source);
+
+ std::string path = i.first;
+ struct stat st;
+ if (lstat(path.c_str(), &st)) {
+ if (i.second.optional && errno == ENOENT)
+ continue;
+ throw SysError("getting attributes of path '%s", path);
+ }
+ if (S_ISDIR(st.st_mode))
+ sandboxProfile += fmt("\t(subpath \"%s\")\n", path);
+ else
+ sandboxProfile += fmt("\t(literal \"%s\")\n", path);
+ }
+ sandboxProfile += ")\n";
- debug("Generated sandbox profile:");
- debug(sandboxProfile);
+ /* Allow file-read* on full directory hierarchy to self. Allows realpath() */
+ sandboxProfile += "(allow file-read*\n";
+ for (auto & i : ancestry) {
+ sandboxProfile += fmt("\t(literal \"%s\")\n", i);
+ }
+ sandboxProfile += ")\n";
- Path sandboxFile = tmpDir + "/.sandbox.sb";
+ sandboxProfile += additionalSandboxProfile;
+ } else
+ sandboxProfile +=
+ #include "sandbox-minimal.sb"
+ ;
- writeFile(sandboxFile, sandboxProfile);
+ debug("Generated sandbox profile:");
+ debug(sandboxProfile);
- bool allowLocalNetworking = parsedDrv->getBoolAttr("__darwinAllowLocalNetworking");
+ bool allowLocalNetworking = parsedDrv->getBoolAttr("__darwinAllowLocalNetworking");
- /* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms
- to find temporary directories, so we want to open up a broader place for them to dump their files, if needed. */
- Path globalTmpDir = canonPath(getEnvNonEmpty("TMPDIR").value_or("/tmp"), true);
+ /* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms
+ to find temporary directories, so we want to open up a broader place for them to dump their files, if needed. */
+ Path globalTmpDir = canonPath(getEnvNonEmpty("TMPDIR").value_or("/tmp"), true);
- /* They don't like trailing slashes on subpath directives */
- if (globalTmpDir.back() == '/') globalTmpDir.pop_back();
+ /* They don't like trailing slashes on subpath directives */
+ if (globalTmpDir.back() == '/') globalTmpDir.pop_back();
- if (getEnv("_NIX_TEST_NO_SANDBOX") != "1") {
- builder = "/usr/bin/sandbox-exec";
- args.push_back("sandbox-exec");
- args.push_back("-f");
- args.push_back(sandboxFile);
- args.push_back("-D");
- args.push_back("_GLOBAL_TMP_DIR=" + globalTmpDir);
- if (allowLocalNetworking) {
- args.push_back("-D");
- args.push_back(std::string("_ALLOW_LOCAL_NETWORKING=1"));
- }
- args.push_back(drv->builder);
- } else {
- builder = drv->builder;
- args.push_back(std::string(baseNameOf(drv->builder)));
+ if (getEnv("_NIX_TEST_NO_SANDBOX") != "1") {
+ Strings sandboxArgs;
+ sandboxArgs.push_back("_GLOBAL_TMP_DIR");
+ sandboxArgs.push_back(globalTmpDir);
+ if (allowLocalNetworking) {
+ sandboxArgs.push_back("_ALLOW_LOCAL_NETWORKING");
+ sandboxArgs.push_back("1");
+ }
+ if (sandbox_init_with_parameters(sandboxProfile.c_str(), 0, stringsToCharPtrs(sandboxArgs).data(), NULL)) {
+ writeFull(STDERR_FILENO, "failed to configure sandbox\n");
+ _exit(1);
}
}
+
+ builder = drv->builder;
+ args.push_back(std::string(baseNameOf(drv->builder)));
#else
- else {
+ if (!drv->isBuiltin()) {
builder = drv->builder;
args.push_back(std::string(baseNameOf(drv->builder)));
}
--
2.46.1
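Review bot: The trailing-slash trim `if (globalTmpDir.back() == '/') globalTmpDir.pop_back();` on the new side calls `back()` without an empty check, whereas the first `[PATCH 1/4]` in this commit uses `while (!globalTmpDir.empty() && globalTmpDir.back() == '/') globalTmpDir.pop_back();`; `canonPath(getEnvNonEmpty("TMPDIR").value_or("/tmp"), true)` presumably never yields an empty string, but the guarded form costs nothing and keeps the patch sets consistent. The line is carried over from the removed side, so this is an inconsistency between the series rather than a regression. runChild starts and ends outside the hunk.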


@ -0,0 +1,34 @@
From 4a5018019e969537fdba36314fe5c19fe91828af Mon Sep 17 00:00:00 2001
From: Robert Hensing <robert@roberthensing.nl>
Date: Thu, 3 Oct 2024 12:44:12 +0200
Subject: [PATCH 2/4] local-derivation-goal: Print sandbox error detail on
darwin
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-Authored-By: Théophane Hufschmitt <theophane.hufschmitt@tweag.io>
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
src/libstore/build/local-derivation-goal.cc | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index effd9c613..a67347b59 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -2150,8 +2150,9 @@ void LocalDerivationGoal::runChild()
sandboxArgs.push_back("_ALLOW_LOCAL_NETWORKING");
sandboxArgs.push_back("1");
}
- if (sandbox_init_with_parameters(sandboxProfile.c_str(), 0, stringsToCharPtrs(sandboxArgs).data(), NULL)) {
- writeFull(STDERR_FILENO, "failed to configure sandbox\n");
+ char * sandbox_errbuf = nullptr;
+ if (sandbox_init_with_parameters(sandboxProfile.c_str(), 0, stringsToCharPtrs(sandboxArgs).data(), &sandbox_errbuf)) {
+ writeFull(STDERR_FILENO, fmt("failed to configure sandbox: %s\n", sandbox_errbuf ? sandbox_errbuf : "(null)"));
_exit(1);
}
}
--
2.46.1


@ -0,0 +1,41 @@
From f9e5b3b52323fdcac4e21bfec4d03bd66ea6a503 Mon Sep 17 00:00:00 2001
From: Robert Hensing <robert@roberthensing.nl>
Date: Thu, 3 Oct 2024 12:50:27 +0200
Subject: [PATCH 3/4] local-derivation-goal: Refactor
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This works because the `builder` and `args` variables are only used
in the non-builtin code path.
Co-Authored-By: Théophane Hufschmitt <theophane.hufschmitt@tweag.io>
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
src/libstore/build/local-derivation-goal.cc | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index a67347b59..eeb2635ee 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -2156,15 +2156,12 @@ void LocalDerivationGoal::runChild()
_exit(1);
}
}
+#endif
- builder = drv->builder;
- args.push_back(std::string(baseNameOf(drv->builder)));
-#else
if (!drv->isBuiltin()) {
builder = drv->builder;
args.push_back(std::string(baseNameOf(drv->builder)));
}
-#endif
for (auto & i : drv->args)
args.push_back(rewriteStrings(i, inputRewrites));
--
2.46.1


@ -0,0 +1,75 @@
From 126a1fd3385175ac94ae4000a9798e0cafb3c168 Mon Sep 17 00:00:00 2001
From: Robert Hensing <robert@roberthensing.nl>
Date: Thu, 3 Oct 2024 12:57:00 +0200
Subject: [PATCH 4/4] local-derivation-goal: Move builder preparation to
non-builtin code path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
src/libstore/build/local-derivation-goal.cc | 25 +++++++++------------
1 file changed, 10 insertions(+), 15 deletions(-)
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index eeb2635ee..e29330f0e 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -2030,11 +2030,6 @@ void LocalDerivationGoal::runChild()
throw SysError("setuid failed");
}
- /* Fill in the arguments. */
- Strings args;
-
- std::string builder = "invalid";
-
#if __APPLE__
/* This has to appear before import statements. */
std::string sandboxProfile = "(version 1)\n";
@@ -2158,14 +2153,6 @@ void LocalDerivationGoal::runChild()
}
#endif
- if (!drv->isBuiltin()) {
- builder = drv->builder;
- args.push_back(std::string(baseNameOf(drv->builder)));
- }
-
- for (auto & i : drv->args)
- args.push_back(rewriteStrings(i, inputRewrites));
-
/* Indicate that we managed to set up the build environment. */
writeFull(STDERR_FILENO, std::string("\2\n"));
@@ -2195,6 +2182,14 @@ void LocalDerivationGoal::runChild()
}
}
+ // Now builder is not builtin
+
+ Strings args;
+ args.push_back(std::string(baseNameOf(drv->builder)));
+
+ for (auto & i : drv->args)
+ args.push_back(rewriteStrings(i, inputRewrites));
+
#if __APPLE__
posix_spawnattr_t attrp;
@@ -2216,9 +2211,9 @@ void LocalDerivationGoal::runChild()
posix_spawnattr_setbinpref_np(&attrp, 1, &cpu, NULL);
}
- posix_spawn(NULL, builder.c_str(), NULL, &attrp, stringsToCharPtrs(args).data(), stringsToCharPtrs(envStrs).data());
+ posix_spawn(NULL, drv->builder.c_str(), NULL, &attrp, stringsToCharPtrs(args).data(), stringsToCharPtrs(envStrs).data());
#else
- execve(builder.c_str(), stringsToCharPtrs(args).data(), stringsToCharPtrs(envStrs).data());
+ execve(drv->builder.c_str(), stringsToCharPtrs(args).data(), stringsToCharPtrs(envStrs).data());
#endif
throw SysError("executing '%1%'", drv->builder);
--
2.46.1


@ -0,0 +1,320 @@
From aa54b01af503644a393e4e4055c4ce2a23ce9139 Mon Sep 17 00:00:00 2001
From: Puck Meerburg <puck@puckipedia.com>
Date: Fri, 1 Mar 2024 11:42:24 -0500
Subject: [PATCH 1/4] fix: Run all derivation builders inside the sandbox on
macOS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
configure.ac | 6 +-
package.nix | 2 +
src/libstore/build/local-derivation-goal.cc | 217 ++++++++++----------
3 files changed, 113 insertions(+), 112 deletions(-)
diff --git a/configure.ac b/configure.ac
index 8c29c1e62..8c524fd93 100644
--- a/configure.ac
+++ b/configure.ac
@@ -58,13 +58,17 @@ AC_CHECK_TOOL([AR], [ar])
AC_SYS_LARGEFILE
-# Solaris-specific stuff.
+# OS-specific stuff.
AC_STRUCT_DIRENT_D_TYPE
case "$host_os" in
solaris*)
# Solaris requires -lsocket -lnsl for network functions
LDFLAGS="-lsocket -lnsl $LDFLAGS"
;;
+ darwin*)
+ # Need to link to libsandbox.
+ LDFLAGS="-lsandbox $LDFLAGS"
+ ;;
esac
diff --git a/package.nix b/package.nix
index d1d14d10e..40283ffcf 100644
--- a/package.nix
+++ b/package.nix
@@ -24,6 +24,7 @@
, libgit2
, libseccomp
, libsodium
+, darwin
, lowdown
, mdbook
, mdbook-linkcheck
@@ -233,6 +234,7 @@ in {
gtest
rapidcheck
] ++ lib.optional stdenv.isLinux libseccomp
+ ++ lib.optional stdenv.hostPlatform.isDarwin darwin.apple_sdk.libs.sandbox
++ lib.optional stdenv.hostPlatform.isx86_64 libcpuid
# There have been issues building these dependencies
++ lib.optional (stdenv.hostPlatform == stdenv.buildPlatform && (stdenv.isLinux || stdenv.isDarwin))
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index b8228bc11..9ab676429 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -57,6 +57,10 @@
#if __APPLE__
#include <spawn.h>
#include <sys/sysctl.h>
+#include <sandbox.h>
+
+/* This definition is undocumented but depended upon by all major browsers. */
+extern "C" int sandbox_init_with_parameters(const char *profile, uint64_t flags, const char *const parameters[], char **errorbuf);
#endif
#include <pwd.h>
@@ -2023,140 +2027,131 @@ void LocalDerivationGoal::runChild()
std::string builder = "invalid";
- if (drv->isBuiltin()) {
- ;
- }
#if __APPLE__
- else {
- /* This has to appear before import statements. */
- std::string sandboxProfile = "(version 1)\n";
-
- if (useChroot) {
-
- /* Lots and lots and lots of file functions freak out if they can't stat their full ancestry */
- PathSet ancestry;
-
- /* We build the ancestry before adding all inputPaths to the store because we know they'll
- all have the same parents (the store), and there might be lots of inputs. This isn't
- particularly efficient... I doubt it'll be a bottleneck in practice */
- for (auto & i : pathsInChroot) {
- Path cur = i.first;
- while (cur.compare("/") != 0) {
- cur = dirOf(cur);
- ancestry.insert(cur);
- }
- }
+ /* This has to appear before import statements. */
+ std::string sandboxProfile = "(version 1)\n";
- /* And we want the store in there regardless of how empty pathsInChroot. We include the innermost
- path component this time, since it's typically /nix/store and we care about that. */
- Path cur = worker.store.storeDir;
+ if (useChroot) {
+
+ /* Lots and lots and lots of file functions freak out if they can't stat their full ancestry */
+ PathSet ancestry;
+
+ /* We build the ancestry before adding all inputPaths to the store because we know they'll
+ all have the same parents (the store), and there might be lots of inputs. This isn't
+ particularly efficient... I doubt it'll be a bottleneck in practice */
+ for (auto & i : pathsInChroot) {
+ Path cur = i.first;
while (cur.compare("/") != 0) {
- ancestry.insert(cur);
cur = dirOf(cur);
+ ancestry.insert(cur);
}
+ }
- /* Add all our input paths to the chroot */
- for (auto & i : inputPaths) {
- auto p = worker.store.printStorePath(i);
- pathsInChroot[p] = p;
- }
+ /* And we want the store in there regardless of how empty pathsInChroot. We include the innermost
+ path component this time, since it's typically /nix/store and we care about that. */
+ Path cur = worker.store.storeDir;
+ while (cur.compare("/") != 0) {
+ ancestry.insert(cur);
+ cur = dirOf(cur);
+ }
- /* Violations will go to the syslog if you set this. Unfortunately the destination does not appear to be configurable */
- if (settings.darwinLogSandboxViolations) {
- sandboxProfile += "(deny default)\n";
- } else {
- sandboxProfile += "(deny default (with no-log))\n";
- }
+ /* Add all our input paths to the chroot */
+ for (auto & i : inputPaths) {
+ auto p = worker.store.printStorePath(i);
+ pathsInChroot[p] = p;
+ }
+
+ /* Violations will go to the syslog if you set this. Unfortunately the destination does not appear to be configurable */
+ if (settings.darwinLogSandboxViolations) {
+ sandboxProfile += "(deny default)\n";
+ } else {
+ sandboxProfile += "(deny default (with no-log))\n";
+ }
+ sandboxProfile +=
+ #include "sandbox-defaults.sb"
+ ;
+
+ if (!derivationType->isSandboxed())
sandboxProfile +=
- #include "sandbox-defaults.sb"
+ #include "sandbox-network.sb"
;
- if (!derivationType->isSandboxed())
- sandboxProfile +=
- #include "sandbox-network.sb"
- ;
-
- /* Add the output paths we'll use at build-time to the chroot */
- sandboxProfile += "(allow file-read* file-write* process-exec\n";
- for (auto & [_, path] : scratchOutputs)
- sandboxProfile += fmt("\t(subpath \"%s\")\n", worker.store.printStorePath(path));
-
- sandboxProfile += ")\n";
-
- /* Our inputs (transitive dependencies and any impurities computed above)
-
- without file-write* allowed, access() incorrectly returns EPERM
- */
- sandboxProfile += "(allow file-read* file-write* process-exec\n";
- for (auto & i : pathsInChroot) {
- if (i.first != i.second.source)
- throw Error(
- "can't map '%1%' to '%2%': mismatched impure paths not supported on Darwin",
- i.first, i.second.source);
-
- std::string path = i.first;
- struct stat st;
- if (lstat(path.c_str(), &st)) {
- if (i.second.optional && errno == ENOENT)
- continue;
- throw SysError("getting attributes of path '%s", path);
- }
- if (S_ISDIR(st.st_mode))
- sandboxProfile += fmt("\t(subpath \"%s\")\n", path);
- else
- sandboxProfile += fmt("\t(literal \"%s\")\n", path);
- }
- sandboxProfile += ")\n";
+ /* Add the output paths we'll use at build-time to the chroot */
+ sandboxProfile += "(allow file-read* file-write* process-exec\n";
+ for (auto & [_, path] : scratchOutputs)
+ sandboxProfile += fmt("\t(subpath \"%s\")\n", worker.store.printStorePath(path));
- /* Allow file-read* on full directory hierarchy to self. Allows realpath() */
- sandboxProfile += "(allow file-read*\n";
- for (auto & i : ancestry) {
- sandboxProfile += fmt("\t(literal \"%s\")\n", i);
- }
- sandboxProfile += ")\n";
+ sandboxProfile += ")\n";
- sandboxProfile += additionalSandboxProfile;
- } else
- sandboxProfile +=
- #include "sandbox-minimal.sb"
- ;
+ /* Our inputs (transitive dependencies and any impurities computed above)
+
+ without file-write* allowed, access() incorrectly returns EPERM
+ */
+ sandboxProfile += "(allow file-read* file-write* process-exec\n";
+ for (auto & i : pathsInChroot) {
+ if (i.first != i.second.source)
+ throw Error(
+ "can't map '%1%' to '%2%': mismatched impure paths not supported on Darwin",
+ i.first, i.second.source);
+
+ std::string path = i.first;
+ struct stat st;
+ if (lstat(path.c_str(), &st)) {
+ if (i.second.optional && errno == ENOENT)
+ continue;
+ throw SysError("getting attributes of path '%s", path);
+ }
+ if (S_ISDIR(st.st_mode))
+ sandboxProfile += fmt("\t(subpath \"%s\")\n", path);
+ else
+ sandboxProfile += fmt("\t(literal \"%s\")\n", path);
+ }
+ sandboxProfile += ")\n";
- debug("Generated sandbox profile:");
- debug(sandboxProfile);
+ /* Allow file-read* on full directory hierarchy to self. Allows realpath() */
+ sandboxProfile += "(allow file-read*\n";
+ for (auto & i : ancestry) {
+ sandboxProfile += fmt("\t(literal \"%s\")\n", i);
+ }
+ sandboxProfile += ")\n";
- Path sandboxFile = tmpDir + "/.sandbox.sb";
+ sandboxProfile += additionalSandboxProfile;
+ } else
+ sandboxProfile +=
+ #include "sandbox-minimal.sb"
+ ;
- writeFile(sandboxFile, sandboxProfile);
+ debug("Generated sandbox profile:");
+ debug(sandboxProfile);
- bool allowLocalNetworking = parsedDrv->getBoolAttr("__darwinAllowLocalNetworking");
+ bool allowLocalNetworking = parsedDrv->getBoolAttr("__darwinAllowLocalNetworking");
- /* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms
- to find temporary directories, so we want to open up a broader place for them to dump their files, if needed. */
- Path globalTmpDir = canonPath(getEnvNonEmpty("TMPDIR").value_or("/tmp"), true);
+ /* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms
+ to find temporary directories, so we want to open up a broader place for them to dump their files, if needed. */
+ Path globalTmpDir = canonPath(getEnvNonEmpty("TMPDIR").value_or("/tmp"), true);
- /* They don't like trailing slashes on subpath directives */
- if (globalTmpDir.back() == '/') globalTmpDir.pop_back();
+ /* They don't like trailing slashes on subpath directives */
+ if (globalTmpDir.back() == '/') globalTmpDir.pop_back();
- if (getEnv("_NIX_TEST_NO_SANDBOX") != "1") {
- builder = "/usr/bin/sandbox-exec";
- args.push_back("sandbox-exec");
- args.push_back("-f");
- args.push_back(sandboxFile);
- args.push_back("-D");
- args.push_back("_GLOBAL_TMP_DIR=" + globalTmpDir);
- if (allowLocalNetworking) {
- args.push_back("-D");
- args.push_back(std::string("_ALLOW_LOCAL_NETWORKING=1"));
- }
- args.push_back(drv->builder);
- } else {
- builder = drv->builder;
- args.push_back(std::string(baseNameOf(drv->builder)));
+ if (getEnv("_NIX_TEST_NO_SANDBOX") != "1") {
+ Strings sandboxArgs;
+ sandboxArgs.push_back("_GLOBAL_TMP_DIR");
+ sandboxArgs.push_back(globalTmpDir);
+ if (allowLocalNetworking) {
+ sandboxArgs.push_back("_ALLOW_LOCAL_NETWORKING");
+ sandboxArgs.push_back("1");
+ }
+ if (sandbox_init_with_parameters(sandboxProfile.c_str(), 0, stringsToCharPtrs(sandboxArgs).data(), NULL)) {
+ writeFull(STDERR_FILENO, "failed to configure sandbox\n");
+ _exit(1);
}
}
+
+ builder = drv->builder;
+ args.push_back(std::string(baseNameOf(drv->builder)));
#else
- else {
+ if (!drv->isBuiltin()) {
builder = drv->builder;
args.push_back(std::string(baseNameOf(drv->builder)));
}
--
2.46.1
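Review bot: The SBPL profile is assembled by plain string interpolation — `fmt("\t(subpath \"%s\")\n", path)` for pathsInChroot entries and scratch outputs, `fmt("\t(literal \"%s\")\n", i)` for the ancestry set — with no escaping of `"` or `\`, and the result is now handed straight to `sandbox_init_with_parameters` in the daemon's child process. Store paths cannot contain those characters, but pathsInChroot entries that come from daemon configuration (the sandbox-paths / impure host dependency mechanism) presumably can, and a stray quote would end the string and let the rest of the path be parsed as further SBPL. Since the profile construction is being touched anyway, a guard before the `fmt` calls would close this, e.g. `if (path.find_first_of("\"\\\n") != std::string::npos) throw Error("sandbox path '%s' contains characters not allowed in a sandbox profile", path);`. This is inherited from the moved code rather than introduced here, and runChild continues outside the hunk.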


@ -0,0 +1,34 @@
From b78e489f79165457b59faa2270fd89769d0fc17d Mon Sep 17 00:00:00 2001
From: Robert Hensing <robert@roberthensing.nl>
Date: Thu, 3 Oct 2024 12:44:12 +0200
Subject: [PATCH 2/4] local-derivation-goal: Print sandbox error detail on
darwin
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-Authored-By: Théophane Hufschmitt <theophane.hufschmitt@tweag.io>
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
src/libstore/build/local-derivation-goal.cc | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index 9ab676429..8476e038e 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -2142,8 +2142,9 @@ void LocalDerivationGoal::runChild()
sandboxArgs.push_back("_ALLOW_LOCAL_NETWORKING");
sandboxArgs.push_back("1");
}
- if (sandbox_init_with_parameters(sandboxProfile.c_str(), 0, stringsToCharPtrs(sandboxArgs).data(), NULL)) {
- writeFull(STDERR_FILENO, "failed to configure sandbox\n");
+ char * sandbox_errbuf = nullptr;
+ if (sandbox_init_with_parameters(sandboxProfile.c_str(), 0, stringsToCharPtrs(sandboxArgs).data(), &sandbox_errbuf)) {
+ writeFull(STDERR_FILENO, fmt("failed to configure sandbox: %s\n", sandbox_errbuf ? sandbox_errbuf : "(null)"));
_exit(1);
}
}
--
2.46.1
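Review bot: The string returned through `sandbox_errbuf` is presumably allocated by libsandbox (its public sibling `sandbox_init` pairs the out-parameter with `sandbox_free_error()`), and it is not released here; that is harmless only because the very next statement is `_exit(1)`. A one-line comment would stop a later refactor from turning this into a leak or carrying the pointer into a non-exiting path, e.g. `// errbuf is owned by libsandbox (sandbox_free_error); not freed since we _exit() right after`. The enclosing `if (getEnv("_NIX_TEST_NO_SANDBOX") != "1")` block starts above this hunk.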


@ -0,0 +1,41 @@
From db6bcf3f7714929d5a21b655c5f8ccd2ddbdf7f2 Mon Sep 17 00:00:00 2001
From: Robert Hensing <robert@roberthensing.nl>
Date: Thu, 3 Oct 2024 12:50:27 +0200
Subject: [PATCH 3/4] local-derivation-goal: Refactor
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This works because the `builder` and `args` variables are only used
in the non-builtin code path.
Co-Authored-By: Théophane Hufschmitt <theophane.hufschmitt@tweag.io>
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
src/libstore/build/local-derivation-goal.cc | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index 8476e038e..12b67df69 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -2148,15 +2148,12 @@ void LocalDerivationGoal::runChild()
_exit(1);
}
}
+#endif
- builder = drv->builder;
- args.push_back(std::string(baseNameOf(drv->builder)));
-#else
if (!drv->isBuiltin()) {
builder = drv->builder;
args.push_back(std::string(baseNameOf(drv->builder)));
}
-#endif
for (auto & i : drv->args)
args.push_back(rewriteStrings(i, inputRewrites));
--
2.46.1


@ -0,0 +1,75 @@
From 55be7deee1471e77e3ad408c5e23842df0d5bc28 Mon Sep 17 00:00:00 2001
From: Robert Hensing <robert@roberthensing.nl>
Date: Thu, 3 Oct 2024 12:57:00 +0200
Subject: [PATCH 4/4] local-derivation-goal: Move builder preparation to
non-builtin code path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
src/libstore/build/local-derivation-goal.cc | 25 +++++++++------------
1 file changed, 10 insertions(+), 15 deletions(-)
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index 12b67df69..ada86dbb8 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -2022,11 +2022,6 @@ void LocalDerivationGoal::runChild()
throw SysError("setuid failed");
}
- /* Fill in the arguments. */
- Strings args;
-
- std::string builder = "invalid";
-
#if __APPLE__
/* This has to appear before import statements. */
std::string sandboxProfile = "(version 1)\n";
@@ -2150,14 +2145,6 @@ void LocalDerivationGoal::runChild()
}
#endif
- if (!drv->isBuiltin()) {
- builder = drv->builder;
- args.push_back(std::string(baseNameOf(drv->builder)));
- }
-
- for (auto & i : drv->args)
- args.push_back(rewriteStrings(i, inputRewrites));
-
/* Indicate that we managed to set up the build environment. */
writeFull(STDERR_FILENO, std::string("\2\n"));
@@ -2187,6 +2174,14 @@ void LocalDerivationGoal::runChild()
}
}
+ // Now builder is not builtin
+
+ Strings args;
+ args.push_back(std::string(baseNameOf(drv->builder)));
+
+ for (auto & i : drv->args)
+ args.push_back(rewriteStrings(i, inputRewrites));
+
#if __APPLE__
posix_spawnattr_t attrp;
@@ -2208,9 +2203,9 @@ void LocalDerivationGoal::runChild()
posix_spawnattr_setbinpref_np(&attrp, 1, &cpu, NULL);
}
- posix_spawn(NULL, builder.c_str(), NULL, &attrp, stringsToCharPtrs(args).data(), stringsToCharPtrs(envStrs).data());
+ posix_spawn(NULL, drv->builder.c_str(), NULL, &attrp, stringsToCharPtrs(args).data(), stringsToCharPtrs(envStrs).data());
#else
- execve(builder.c_str(), stringsToCharPtrs(args).data(), stringsToCharPtrs(envStrs).data());
+ execve(drv->builder.c_str(), stringsToCharPtrs(args).data(), stringsToCharPtrs(envStrs).data());
#endif
throw SysError("executing '%1%'", drv->builder);
--
2.46.1
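Review bot: The comment `// Now builder is not builtin` states an invariant the new code depends on — `drv->builder` is now passed to `posix_spawn`/`execve` unconditionally, with the old `"invalid"` default gone — but nothing in the hunk enforces it; it holds only if the builtin branch above the hunk never falls through, which is outside this view and presumably ends in an exit. Replacing the comment with `assert(!drv->isBuiltin());` would make the assumption checked rather than narrated and would fail loudly if that branch is ever restructured. The enclosing runChild starts well before the hunk.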


@ -0,0 +1,320 @@
From ae8a38d29cc0fbd6394acd72fdaaa62b3798f698 Mon Sep 17 00:00:00 2001
From: Puck Meerburg <puck@puckipedia.com>
Date: Fri, 1 Mar 2024 11:42:24 -0500
Subject: [PATCH 1/4] fix: Run all derivation builders inside the sandbox on
macOS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
configure.ac | 6 +-
package.nix | 2 +
src/libstore/build/local-derivation-goal.cc | 217 ++++++++++----------
3 files changed, 113 insertions(+), 112 deletions(-)
diff --git a/configure.ac b/configure.ac
index 676b145a5..f6fa35c81 100644
--- a/configure.ac
+++ b/configure.ac
@@ -62,13 +62,17 @@ AC_CHECK_TOOL([AR], [ar])
AC_SYS_LARGEFILE
-# Solaris-specific stuff.
+# OS-specific stuff.
AC_STRUCT_DIRENT_D_TYPE
case "$host_os" in
solaris*)
# Solaris requires -lsocket -lnsl for network functions
LDFLAGS="-lsocket -lnsl $LDFLAGS"
;;
+ darwin*)
+ # Need to link to libsandbox.
+ LDFLAGS="-lsandbox $LDFLAGS"
+ ;;
esac
diff --git a/package.nix b/package.nix
index 7d9a39771..de2e1aff1 100644
--- a/package.nix
+++ b/package.nix
@@ -25,6 +25,7 @@
, libseccomp
, libsodium
, man
+, darwin
, lowdown
, mdbook
, mdbook-linkcheck
@@ -239,6 +240,7 @@ in {
gtest
rapidcheck
] ++ lib.optional stdenv.isLinux libseccomp
+ ++ lib.optional stdenv.hostPlatform.isDarwin darwin.apple_sdk.libs.sandbox
++ lib.optional stdenv.hostPlatform.isx86_64 libcpuid
# There have been issues building these dependencies
++ lib.optional (stdenv.hostPlatform == stdenv.buildPlatform && (stdenv.isLinux || stdenv.isDarwin))
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index 710304b67..c73b30b80 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -58,6 +58,10 @@
#if __APPLE__
#include <spawn.h>
#include <sys/sysctl.h>
+#include <sandbox.h>
+
+/* This definition is undocumented but depended upon by all major browsers. */
+extern "C" int sandbox_init_with_parameters(const char *profile, uint64_t flags, const char *const parameters[], char **errorbuf);
#endif
#include <pwd.h>
@@ -2018,140 +2022,131 @@ void LocalDerivationGoal::runChild()
std::string builder = "invalid";
- if (drv->isBuiltin()) {
- ;
- }
#if __APPLE__
- else {
- /* This has to appear before import statements. */
- std::string sandboxProfile = "(version 1)\n";
-
- if (useChroot) {
-
- /* Lots and lots and lots of file functions freak out if they can't stat their full ancestry */
- PathSet ancestry;
-
- /* We build the ancestry before adding all inputPaths to the store because we know they'll
- all have the same parents (the store), and there might be lots of inputs. This isn't
- particularly efficient... I doubt it'll be a bottleneck in practice */
- for (auto & i : pathsInChroot) {
- Path cur = i.first;
- while (cur.compare("/") != 0) {
- cur = dirOf(cur);
- ancestry.insert(cur);
- }
- }
+ /* This has to appear before import statements. */
+ std::string sandboxProfile = "(version 1)\n";
- /* And we want the store in there regardless of how empty pathsInChroot. We include the innermost
- path component this time, since it's typically /nix/store and we care about that. */
- Path cur = worker.store.storeDir;
+ if (useChroot) {
+
+ /* Lots and lots and lots of file functions freak out if they can't stat their full ancestry */
+ PathSet ancestry;
+
+ /* We build the ancestry before adding all inputPaths to the store because we know they'll
+ all have the same parents (the store), and there might be lots of inputs. This isn't
+ particularly efficient... I doubt it'll be a bottleneck in practice */
+ for (auto & i : pathsInChroot) {
+ Path cur = i.first;
while (cur.compare("/") != 0) {
- ancestry.insert(cur);
cur = dirOf(cur);
+ ancestry.insert(cur);
}
+ }
- /* Add all our input paths to the chroot */
- for (auto & i : inputPaths) {
- auto p = worker.store.printStorePath(i);
- pathsInChroot[p] = p;
- }
+ /* And we want the store in there regardless of how empty pathsInChroot. We include the innermost
+ path component this time, since it's typically /nix/store and we care about that. */
+ Path cur = worker.store.storeDir;
+ while (cur.compare("/") != 0) {
+ ancestry.insert(cur);
+ cur = dirOf(cur);
+ }
- /* Violations will go to the syslog if you set this. Unfortunately the destination does not appear to be configurable */
- if (settings.darwinLogSandboxViolations) {
- sandboxProfile += "(deny default)\n";
- } else {
- sandboxProfile += "(deny default (with no-log))\n";
- }
+ /* Add all our input paths to the chroot */
+ for (auto & i : inputPaths) {
+ auto p = worker.store.printStorePath(i);
+ pathsInChroot[p] = p;
+ }
+
+ /* Violations will go to the syslog if you set this. Unfortunately the destination does not appear to be configurable */
+ if (settings.darwinLogSandboxViolations) {
+ sandboxProfile += "(deny default)\n";
+ } else {
+ sandboxProfile += "(deny default (with no-log))\n";
+ }
+ sandboxProfile +=
+ #include "sandbox-defaults.sb"
+ ;
+
+ if (!derivationType->isSandboxed())
sandboxProfile +=
- #include "sandbox-defaults.sb"
+ #include "sandbox-network.sb"
;
- if (!derivationType->isSandboxed())
- sandboxProfile +=
- #include "sandbox-network.sb"
- ;
-
- /* Add the output paths we'll use at build-time to the chroot */
- sandboxProfile += "(allow file-read* file-write* process-exec\n";
- for (auto & [_, path] : scratchOutputs)
- sandboxProfile += fmt("\t(subpath \"%s\")\n", worker.store.printStorePath(path));
-
- sandboxProfile += ")\n";
-
- /* Our inputs (transitive dependencies and any impurities computed above)
-
- without file-write* allowed, access() incorrectly returns EPERM
- */
- sandboxProfile += "(allow file-read* file-write* process-exec\n";
- for (auto & i : pathsInChroot) {
- if (i.first != i.second.source)
- throw Error(
- "can't map '%1%' to '%2%': mismatched impure paths not supported on Darwin",
- i.first, i.second.source);
-
- std::string path = i.first;
- struct stat st;
- if (lstat(path.c_str(), &st)) {
- if (i.second.optional && errno == ENOENT)
- continue;
- throw SysError("getting attributes of path '%s", path);
- }
- if (S_ISDIR(st.st_mode))
- sandboxProfile += fmt("\t(subpath \"%s\")\n", path);
- else
- sandboxProfile += fmt("\t(literal \"%s\")\n", path);
- }
- sandboxProfile += ")\n";
+ /* Add the output paths we'll use at build-time to the chroot */
+ sandboxProfile += "(allow file-read* file-write* process-exec\n";
+ for (auto & [_, path] : scratchOutputs)
+ sandboxProfile += fmt("\t(subpath \"%s\")\n", worker.store.printStorePath(path));
- /* Allow file-read* on full directory hierarchy to self. Allows realpath() */
- sandboxProfile += "(allow file-read*\n";
- for (auto & i : ancestry) {
- sandboxProfile += fmt("\t(literal \"%s\")\n", i);
- }
- sandboxProfile += ")\n";
+ sandboxProfile += ")\n";
- sandboxProfile += additionalSandboxProfile;
- } else
- sandboxProfile +=
- #include "sandbox-minimal.sb"
- ;
+ /* Our inputs (transitive dependencies and any impurities computed above)
+
+ without file-write* allowed, access() incorrectly returns EPERM
+ */
+ sandboxProfile += "(allow file-read* file-write* process-exec\n";
+ for (auto & i : pathsInChroot) {
+ if (i.first != i.second.source)
+ throw Error(
+ "can't map '%1%' to '%2%': mismatched impure paths not supported on Darwin",
+ i.first, i.second.source);
+
+ std::string path = i.first;
+ struct stat st;
+ if (lstat(path.c_str(), &st)) {
+ if (i.second.optional && errno == ENOENT)
+ continue;
+ throw SysError("getting attributes of path '%s", path);
+ }
+ if (S_ISDIR(st.st_mode))
+ sandboxProfile += fmt("\t(subpath \"%s\")\n", path);
+ else
+ sandboxProfile += fmt("\t(literal \"%s\")\n", path);
+ }
+ sandboxProfile += ")\n";
- debug("Generated sandbox profile:");
- debug(sandboxProfile);
+ /* Allow file-read* on full directory hierarchy to self. Allows realpath() */
+ sandboxProfile += "(allow file-read*\n";
+ for (auto & i : ancestry) {
+ sandboxProfile += fmt("\t(literal \"%s\")\n", i);
+ }
+ sandboxProfile += ")\n";
- Path sandboxFile = tmpDir + "/.sandbox.sb";
+ sandboxProfile += additionalSandboxProfile;
+ } else
+ sandboxProfile +=
+ #include "sandbox-minimal.sb"
+ ;
- writeFile(sandboxFile, sandboxProfile);
+ debug("Generated sandbox profile:");
+ debug(sandboxProfile);
- bool allowLocalNetworking = parsedDrv->getBoolAttr("__darwinAllowLocalNetworking");
+ bool allowLocalNetworking = parsedDrv->getBoolAttr("__darwinAllowLocalNetworking");
- /* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms
- to find temporary directories, so we want to open up a broader place for them to dump their files, if needed. */
- Path globalTmpDir = canonPath(getEnvNonEmpty("TMPDIR").value_or("/tmp"), true);
+ /* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms
+ to find temporary directories, so we want to open up a broader place for them to dump their files, if needed. */
+ Path globalTmpDir = canonPath(getEnvNonEmpty("TMPDIR").value_or("/tmp"), true);
- /* They don't like trailing slashes on subpath directives */
- if (globalTmpDir.back() == '/') globalTmpDir.pop_back();
+ /* They don't like trailing slashes on subpath directives */
+ if (globalTmpDir.back() == '/') globalTmpDir.pop_back();
- if (getEnv("_NIX_TEST_NO_SANDBOX") != "1") {
- builder = "/usr/bin/sandbox-exec";
- args.push_back("sandbox-exec");
- args.push_back("-f");
- args.push_back(sandboxFile);
- args.push_back("-D");
- args.push_back("_GLOBAL_TMP_DIR=" + globalTmpDir);
- if (allowLocalNetworking) {
- args.push_back("-D");
- args.push_back(std::string("_ALLOW_LOCAL_NETWORKING=1"));
- }
- args.push_back(drv->builder);
- } else {
- builder = drv->builder;
- args.push_back(std::string(baseNameOf(drv->builder)));
+ if (getEnv("_NIX_TEST_NO_SANDBOX") != "1") {
+ Strings sandboxArgs;
+ sandboxArgs.push_back("_GLOBAL_TMP_DIR");
+ sandboxArgs.push_back(globalTmpDir);
+ if (allowLocalNetworking) {
+ sandboxArgs.push_back("_ALLOW_LOCAL_NETWORKING");
+ sandboxArgs.push_back("1");
+ }
+ if (sandbox_init_with_parameters(sandboxProfile.c_str(), 0, stringsToCharPtrs(sandboxArgs).data(), NULL)) {
+ writeFull(STDERR_FILENO, "failed to configure sandbox\n");
+ _exit(1);
}
}
+
+ builder = drv->builder;
+ args.push_back(std::string(baseNameOf(drv->builder)));
#else
- else {
+ if (!drv->isBuiltin()) {
builder = drv->builder;
args.push_back(std::string(baseNameOf(drv->builder)));
}
--
2.46.1
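Review bot: With the sandbox now applied in-process, `getEnv("_NIX_TEST_NO_SANDBOX") != "1"` is the only condition between a build and an unsandboxed exec of `drv->builder`, and taking the bypass leaves no trace in the build log — under the old `sandbox-exec` path the different `args` at least made it visible. A line in the opposite branch such as `warn("_NIX_TEST_NO_SANDBOX is set; running '%s' without a sandbox", drv->builder)` would make an accidental bypass on a production daemon observable. The variable is read from the daemon's own environment, so this is an observability point rather than a new privilege boundary; the surrounding runChild continues outside the hunk.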


@ -0,0 +1,34 @@
From b429e96583e2d005c77df8c82261022397f20648 Mon Sep 17 00:00:00 2001
From: Robert Hensing <robert@roberthensing.nl>
Date: Thu, 3 Oct 2024 12:44:12 +0200
Subject: [PATCH 2/4] local-derivation-goal: Print sandbox error detail on
darwin
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-Authored-By: Théophane Hufschmitt <theophane.hufschmitt@tweag.io>
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
src/libstore/build/local-derivation-goal.cc | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index c73b30b80..e6f4c397d 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -2137,8 +2137,9 @@ void LocalDerivationGoal::runChild()
sandboxArgs.push_back("_ALLOW_LOCAL_NETWORKING");
sandboxArgs.push_back("1");
}
- if (sandbox_init_with_parameters(sandboxProfile.c_str(), 0, stringsToCharPtrs(sandboxArgs).data(), NULL)) {
- writeFull(STDERR_FILENO, "failed to configure sandbox\n");
+ char * sandbox_errbuf = nullptr;
+ if (sandbox_init_with_parameters(sandboxProfile.c_str(), 0, stringsToCharPtrs(sandboxArgs).data(), &sandbox_errbuf)) {
+ writeFull(STDERR_FILENO, fmt("failed to configure sandbox: %s\n", sandbox_errbuf ? sandbox_errbuf : "(null)"));
_exit(1);
}
}
--
2.46.1


@ -0,0 +1,41 @@
From 74b93c1edba00c2601e20b8acdcc78e29bd3f092 Mon Sep 17 00:00:00 2001
From: Robert Hensing <robert@roberthensing.nl>
Date: Thu, 3 Oct 2024 12:50:27 +0200
Subject: [PATCH 3/4] local-derivation-goal: Refactor
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This works because the `builder` and `args` variables are only used
in the non-builtin code path.
Co-Authored-By: Théophane Hufschmitt <theophane.hufschmitt@tweag.io>
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
src/libstore/build/local-derivation-goal.cc | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index e6f4c397d..e81818fa8 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -2143,15 +2143,12 @@ void LocalDerivationGoal::runChild()
_exit(1);
}
}
+#endif
- builder = drv->builder;
- args.push_back(std::string(baseNameOf(drv->builder)));
-#else
if (!drv->isBuiltin()) {
builder = drv->builder;
args.push_back(std::string(baseNameOf(drv->builder)));
}
-#endif
for (auto & i : drv->args)
args.push_back(rewriteStrings(i, inputRewrites));
--
2.46.1


@ -0,0 +1,75 @@
From c8de35f74cbce58651c3b64ba66061040f546b9f Mon Sep 17 00:00:00 2001
From: Robert Hensing <robert@roberthensing.nl>
Date: Thu, 3 Oct 2024 12:57:00 +0200
Subject: [PATCH 4/4] local-derivation-goal: Move builder preparation to
non-builtin code path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
src/libstore/build/local-derivation-goal.cc | 25 +++++++++------------
1 file changed, 10 insertions(+), 15 deletions(-)
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index e81818fa8..078f1a5be 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -2017,11 +2017,6 @@ void LocalDerivationGoal::runChild()
throw SysError("setuid failed");
}
- /* Fill in the arguments. */
- Strings args;
-
- std::string builder = "invalid";
-
#if __APPLE__
/* This has to appear before import statements. */
std::string sandboxProfile = "(version 1)\n";
@@ -2145,14 +2140,6 @@ void LocalDerivationGoal::runChild()
}
#endif
- if (!drv->isBuiltin()) {
- builder = drv->builder;
- args.push_back(std::string(baseNameOf(drv->builder)));
- }
-
- for (auto & i : drv->args)
- args.push_back(rewriteStrings(i, inputRewrites));
-
/* Indicate that we managed to set up the build environment. */
writeFull(STDERR_FILENO, std::string("\2\n"));
@@ -2183,6 +2170,14 @@ void LocalDerivationGoal::runChild()
}
}
+ // Now builder is not builtin
+
+ Strings args;
+ args.push_back(std::string(baseNameOf(drv->builder)));
+
+ for (auto & i : drv->args)
+ args.push_back(rewriteStrings(i, inputRewrites));
+
#if __APPLE__
posix_spawnattr_t attrp;
@@ -2204,9 +2199,9 @@ void LocalDerivationGoal::runChild()
posix_spawnattr_setbinpref_np(&attrp, 1, &cpu, NULL);
}
- posix_spawn(NULL, builder.c_str(), NULL, &attrp, stringsToCharPtrs(args).data(), stringsToCharPtrs(envStrs).data());
+ posix_spawn(NULL, drv->builder.c_str(), NULL, &attrp, stringsToCharPtrs(args).data(), stringsToCharPtrs(envStrs).data());
#else
- execve(builder.c_str(), stringsToCharPtrs(args).data(), stringsToCharPtrs(envStrs).data());
+ execve(drv->builder.c_str(), stringsToCharPtrs(args).data(), stringsToCharPtrs(envStrs).data());
#endif
throw SysError("executing '%1%'", drv->builder);
--
2.46.1
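Review bot: The return value of `posix_spawn(NULL, drv->builder.c_str(), ...)` is discarded before `throw SysError("executing '%1%'", drv->builder)`, yet posix_spawn reports failure through its return value rather than errno, so the SysError that follows may carry a stale or zero errno and misreport why the builder could not be started. Capturing it is a one-line change: `int err = posix_spawn(NULL, drv->builder.c_str(), NULL, &attrp, stringsToCharPtrs(args).data(), stringsToCharPtrs(envStrs).data()); errno = err;` ahead of the throw (or the errno-taking SysError constructor, if this Nix version has one). The `attrp` setup that makes this an exec-style spawn is above the hunk, so this is inferred from the POSIX contract rather than visible flags.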


@ -0,0 +1,327 @@
From 8217054e3554ffd376f42fb0a65087a7af2ddfab Mon Sep 17 00:00:00 2001
From: Puck Meerburg <puck@puckipedia.com>
Date: Fri, 1 Mar 2024 11:42:24 -0500
Subject: [PATCH 1/4] fix: Run all derivation builders inside the sandbox on
macOS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
configure.ac | 6 +-
package.nix | 5 +-
.../unix/build/local-derivation-goal.cc | 223 +++++++++---------
3 files changed, 118 insertions(+), 116 deletions(-)
diff --git a/configure.ac b/configure.ac
index 8f60bf4be..5e67e04be 100644
--- a/configure.ac
+++ b/configure.ac
@@ -62,13 +62,17 @@ AC_CHECK_TOOL([AR], [ar])
AC_SYS_LARGEFILE
-# Solaris-specific stuff.
+# OS-specific stuff.
AC_STRUCT_DIRENT_D_TYPE
case "$host_os" in
solaris*)
# Solaris requires -lsocket -lnsl for network functions
LDFLAGS="-lsocket -lnsl $LDFLAGS"
;;
+ darwin*)
+ # Need to link to libsandbox.
+ LDFLAGS="-lsandbox $LDFLAGS"
+ ;;
esac
diff --git a/package.nix b/package.nix
index 59265f522..28be97400 100644
--- a/package.nix
+++ b/package.nix
@@ -27,6 +27,7 @@
, libseccomp
, libsodium
, man
+, darwin
, lowdown
, mdbook
, mdbook-linkcheck
@@ -249,7 +250,9 @@ in {
] ++ lib.optionals buildUnitTests [
gtest
rapidcheck
- ] ++ lib.optional stdenv.isLinux (libseccomp.overrideAttrs (_: rec {
+ ]
+ ++ lib.optional stdenv.hostPlatform.isDarwin darwin.apple_sdk.libs.sandbox
+ ++ lib.optional stdenv.isLinux (libseccomp.overrideAttrs (_: rec {
version = "2.5.5";
src = fetchurl {
url = "https://github.com/seccomp/libseccomp/releases/download/v${version}/libseccomp-${version}.tar.gz";
diff --git a/src/libstore/unix/build/local-derivation-goal.cc b/src/libstore/unix/build/local-derivation-goal.cc
index b8ccdf834..449d4b07c 100644
--- a/src/libstore/unix/build/local-derivation-goal.cc
+++ b/src/libstore/unix/build/local-derivation-goal.cc
@@ -58,6 +58,10 @@
#if __APPLE__
#include <spawn.h>
#include <sys/sysctl.h>
+#include <sandbox.h>
+
+/* This definition is undocumented but depended upon by all major browsers. */
+extern "C" int sandbox_init_with_parameters(const char *profile, uint64_t flags, const char *const parameters[], char **errorbuf);
#endif
#include <pwd.h>
@@ -2026,141 +2030,132 @@ void LocalDerivationGoal::runChild()
std::string builder = "invalid";
- if (drv->isBuiltin()) {
- ;
- }
#if __APPLE__
- else {
- /* This has to appear before import statements. */
- std::string sandboxProfile = "(version 1)\n";
-
- if (useChroot) {
-
- /* Lots and lots and lots of file functions freak out if they can't stat their full ancestry */
- PathSet ancestry;
-
- /* We build the ancestry before adding all inputPaths to the store because we know they'll
- all have the same parents (the store), and there might be lots of inputs. This isn't
- particularly efficient... I doubt it'll be a bottleneck in practice */
- for (auto & i : pathsInChroot) {
- Path cur = i.first;
- while (cur.compare("/") != 0) {
- cur = dirOf(cur);
- ancestry.insert(cur);
- }
- }
+ /* This has to appear before import statements. */
+ std::string sandboxProfile = "(version 1)\n";
+
+ if (useChroot) {
- /* And we want the store in there regardless of how empty pathsInChroot. We include the innermost
- path component this time, since it's typically /nix/store and we care about that. */
- Path cur = worker.store.storeDir;
+ /* Lots and lots and lots of file functions freak out if they can't stat their full ancestry */
+ PathSet ancestry;
+
+ /* We build the ancestry before adding all inputPaths to the store because we know they'll
+ all have the same parents (the store), and there might be lots of inputs. This isn't
+ particularly efficient... I doubt it'll be a bottleneck in practice */
+ for (auto & i : pathsInChroot) {
+ Path cur = i.first;
while (cur.compare("/") != 0) {
- ancestry.insert(cur);
cur = dirOf(cur);
+ ancestry.insert(cur);
}
+ }
- /* Add all our input paths to the chroot */
- for (auto & i : inputPaths) {
- auto p = worker.store.printStorePath(i);
- pathsInChroot[p] = p;
- }
-
- /* Violations will go to the syslog if you set this. Unfortunately the destination does not appear to be configurable */
- if (settings.darwinLogSandboxViolations) {
- sandboxProfile += "(deny default)\n";
- } else {
- sandboxProfile += "(deny default (with no-log))\n";
- }
+ /* And we want the store in there regardless of how empty pathsInChroot. We include the innermost
+ path component this time, since it's typically /nix/store and we care about that. */
+ Path cur = worker.store.storeDir;
+ while (cur.compare("/") != 0) {
+ ancestry.insert(cur);
+ cur = dirOf(cur);
+ }
- sandboxProfile +=
- #include "sandbox-defaults.sb"
- ;
+ /* Add all our input paths to the chroot */
+ for (auto & i : inputPaths) {
+ auto p = worker.store.printStorePath(i);
+ pathsInChroot[p] = p;
+ }
- if (!derivationType->isSandboxed())
- sandboxProfile +=
- #include "sandbox-network.sb"
- ;
-
- /* Add the output paths we'll use at build-time to the chroot */
- sandboxProfile += "(allow file-read* file-write* process-exec\n";
- for (auto & [_, path] : scratchOutputs)
- sandboxProfile += fmt("\t(subpath \"%s\")\n", worker.store.printStorePath(path));
-
- sandboxProfile += ")\n";
-
- /* Our inputs (transitive dependencies and any impurities computed above)
-
- without file-write* allowed, access() incorrectly returns EPERM
- */
- sandboxProfile += "(allow file-read* file-write* process-exec\n";
- for (auto & i : pathsInChroot) {
- if (i.first != i.second.source)
- throw Error(
- "can't map '%1%' to '%2%': mismatched impure paths not supported on Darwin",
- i.first, i.second.source);
-
- std::string path = i.first;
- auto optSt = maybeLstat(path.c_str());
- if (!optSt) {
- if (i.second.optional)
- continue;
- throw SysError("getting attributes of required path '%s", path);
- }
- if (S_ISDIR(optSt->st_mode))
- sandboxProfile += fmt("\t(subpath \"%s\")\n", path);
- else
- sandboxProfile += fmt("\t(literal \"%s\")\n", path);
- }
- sandboxProfile += ")\n";
+ /* Violations will go to the syslog if you set this. Unfortunately the destination does not appear to be configurable */
+ if (settings.darwinLogSandboxViolations) {
+ sandboxProfile += "(deny default)\n";
+ } else {
+ sandboxProfile += "(deny default (with no-log))\n";
+ }
- /* Allow file-read* on full directory hierarchy to self. Allows realpath() */
- sandboxProfile += "(allow file-read*\n";
- for (auto & i : ancestry) {
- sandboxProfile += fmt("\t(literal \"%s\")\n", i);
- }
- sandboxProfile += ")\n";
+ sandboxProfile +=
+ #include "sandbox-defaults.sb"
+ ;
- sandboxProfile += additionalSandboxProfile;
- } else
+ if (!derivationType->isSandboxed())
sandboxProfile +=
- #include "sandbox-minimal.sb"
+ #include "sandbox-network.sb"
;
- debug("Generated sandbox profile:");
- debug(sandboxProfile);
-
- Path sandboxFile = tmpDir + "/.sandbox.sb";
+ /* Add the output paths we'll use at build-time to the chroot */
+ sandboxProfile += "(allow file-read* file-write* process-exec\n";
+ for (auto & [_, path] : scratchOutputs)
+ sandboxProfile += fmt("\t(subpath \"%s\")\n", worker.store.printStorePath(path));
- writeFile(sandboxFile, sandboxProfile);
+ sandboxProfile += ")\n";
- bool allowLocalNetworking = parsedDrv->getBoolAttr("__darwinAllowLocalNetworking");
+ /* Our inputs (transitive dependencies and any impurities computed above)
- /* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms
- to find temporary directories, so we want to open up a broader place for them to put their files, if needed. */
- Path globalTmpDir = canonPath(defaultTempDir(), true);
+ without file-write* allowed, access() incorrectly returns EPERM
+ */
+ sandboxProfile += "(allow file-read* file-write* process-exec\n";
+ for (auto & i : pathsInChroot) {
+ if (i.first != i.second.source)
+ throw Error(
+ "can't map '%1%' to '%2%': mismatched impure paths not supported on Darwin",
+ i.first, i.second.source);
+
+ std::string path = i.first;
+ auto optSt = maybeLstat(path.c_str());
+ if (!optSt) {
+ if (i.second.optional)
+ continue;
+ throw SysError("getting attributes of required path '%s", path);
+ }
+ if (S_ISDIR(optSt->st_mode))
+ sandboxProfile += fmt("\t(subpath \"%s\")\n", path);
+ else
+ sandboxProfile += fmt("\t(literal \"%s\")\n", path);
+ }
+ sandboxProfile += ")\n";
- /* They don't like trailing slashes on subpath directives */
- while (!globalTmpDir.empty() && globalTmpDir.back() == '/')
- globalTmpDir.pop_back();
+ /* Allow file-read* on full directory hierarchy to self. Allows realpath() */
+ sandboxProfile += "(allow file-read*\n";
+ for (auto & i : ancestry) {
+ sandboxProfile += fmt("\t(literal \"%s\")\n", i);
+ }
+ sandboxProfile += ")\n";
- if (getEnv("_NIX_TEST_NO_SANDBOX") != "1") {
- builder = "/usr/bin/sandbox-exec";
- args.push_back("sandbox-exec");
- args.push_back("-f");
- args.push_back(sandboxFile);
- args.push_back("-D");
- args.push_back("_GLOBAL_TMP_DIR=" + globalTmpDir);
- if (allowLocalNetworking) {
- args.push_back("-D");
- args.push_back(std::string("_ALLOW_LOCAL_NETWORKING=1"));
- }
- args.push_back(drv->builder);
- } else {
- builder = drv->builder;
- args.push_back(std::string(baseNameOf(drv->builder)));
+ sandboxProfile += additionalSandboxProfile;
+ } else
+ sandboxProfile +=
+ #include "sandbox-minimal.sb"
+ ;
+
+ debug("Generated sandbox profile:");
+ debug(sandboxProfile);
+
+ bool allowLocalNetworking = parsedDrv->getBoolAttr("__darwinAllowLocalNetworking");
+
+ /* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms
+ to find temporary directories, so we want to open up a broader place for them to put their files, if needed. */
+ Path globalTmpDir = canonPath(defaultTempDir(), true);
+
+ /* They don't like trailing slashes on subpath directives */
+ while (!globalTmpDir.empty() && globalTmpDir.back() == '/')
+ globalTmpDir.pop_back();
+
+ if (getEnv("_NIX_TEST_NO_SANDBOX") != "1") {
+ Strings sandboxArgs;
+ sandboxArgs.push_back("_GLOBAL_TMP_DIR");
+ sandboxArgs.push_back(globalTmpDir);
+ if (allowLocalNetworking) {
+ sandboxArgs.push_back("_ALLOW_LOCAL_NETWORKING");
+ sandboxArgs.push_back("1");
+ }
+ if (sandbox_init_with_parameters(sandboxProfile.c_str(), 0, stringsToCharPtrs(sandboxArgs).data(), NULL)) {
+ writeFull(STDERR_FILENO, "failed to configure sandbox\n");
+ _exit(1);
}
}
+
+ builder = drv->builder;
+ args.push_back(std::string(baseNameOf(drv->builder)));
#else
- else {
+ if (!drv->isBuiltin()) {
builder = drv->builder;
args.push_back(std::string(baseNameOf(drv->builder)));
}
--
2.46.1
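Review bot: The new `sandbox_init_with_parameters(...)` call in the `_NIX_TEST_NO_SANDBOX` branch confines the Nix child process itself instead of a separately spawned `sandbox-exec` wrapper, so every step runChild still takes after that line up to spawning `drv->builder`, and the builtin builders this patch deliberately stops exempting (which, as far as I can tell, run in this same process), now has to be permitted by the generated profile, and nothing at the call site says so. Suggest a comment directly above the call: `/* From here on this process is confined by sandboxProfile: everything runChild still does (stderr writes, spawning drv->builder) and any in-process builtin builder must be allowed by it. */`. The non-zero return is handled with `_exit(1)`, which correctly fails closed rather than continuing unsandboxed. runChild begins and ends outside this hunk. The same note applies to the copy of this patch for the other Nix version later on this page (`From 05994033...`) and to the partially visible PATCH 1/5.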


@ -0,0 +1,34 @@
From f0677f190d0bd042c3a864508a5307b19a2c2d26 Mon Sep 17 00:00:00 2001
From: Robert Hensing <robert@roberthensing.nl>
Date: Thu, 3 Oct 2024 12:44:12 +0200
Subject: [PATCH 2/4] local-derivation-goal: Print sandbox error detail on
darwin
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-Authored-By: Théophane Hufschmitt <theophane.hufschmitt@tweag.io>
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
src/libstore/unix/build/local-derivation-goal.cc | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/libstore/unix/build/local-derivation-goal.cc b/src/libstore/unix/build/local-derivation-goal.cc
index 449d4b07c..b74bd2e64 100644
--- a/src/libstore/unix/build/local-derivation-goal.cc
+++ b/src/libstore/unix/build/local-derivation-goal.cc
@@ -2146,8 +2146,9 @@ void LocalDerivationGoal::runChild()
sandboxArgs.push_back("_ALLOW_LOCAL_NETWORKING");
sandboxArgs.push_back("1");
}
- if (sandbox_init_with_parameters(sandboxProfile.c_str(), 0, stringsToCharPtrs(sandboxArgs).data(), NULL)) {
- writeFull(STDERR_FILENO, "failed to configure sandbox\n");
+ char * sandbox_errbuf = nullptr;
+ if (sandbox_init_with_parameters(sandboxProfile.c_str(), 0, stringsToCharPtrs(sandboxArgs).data(), &sandbox_errbuf)) {
+ writeFull(STDERR_FILENO, fmt("failed to configure sandbox: %s\n", sandbox_errbuf ? sandbox_errbuf : "(null)"));
_exit(1);
}
}
--
2.46.1
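Review bot: The new local `sandbox_errbuf` uses snake_case while every neighbouring local in this block (`sandboxProfile`, `sandboxArgs`, `allowLocalNetworking`) is camelCase; `char * sandboxErrBuf = nullptr;` would match the file's style. The buffer libsandbox hands back is never released, which is harmless only because `_exit(1)` follows immediately; a one-line comment such as `/* errbuf is intentionally not freed: we _exit right after reporting it */` would keep a future change to the error path from turning this into a leak. The same applies to the copy of this patch further down (`From c43954ff...`).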


@ -0,0 +1,41 @@
From 1b39753f4d63465c709d18482945ce680b6f3f1e Mon Sep 17 00:00:00 2001
From: Robert Hensing <robert@roberthensing.nl>
Date: Thu, 3 Oct 2024 12:50:27 +0200
Subject: [PATCH 3/4] local-derivation-goal: Refactor
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This works because the `builder` and `args` variables are only used
in the non-builtin code path.
Co-Authored-By: Théophane Hufschmitt <theophane.hufschmitt@tweag.io>
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
src/libstore/unix/build/local-derivation-goal.cc | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/src/libstore/unix/build/local-derivation-goal.cc b/src/libstore/unix/build/local-derivation-goal.cc
index b74bd2e64..9b8b3c51b 100644
--- a/src/libstore/unix/build/local-derivation-goal.cc
+++ b/src/libstore/unix/build/local-derivation-goal.cc
@@ -2152,15 +2152,12 @@ void LocalDerivationGoal::runChild()
_exit(1);
}
}
+#endif
- builder = drv->builder;
- args.push_back(std::string(baseNameOf(drv->builder)));
-#else
if (!drv->isBuiltin()) {
builder = drv->builder;
args.push_back(std::string(baseNameOf(drv->builder)));
}
-#endif
for (auto & i : drv->args)
args.push_back(rewriteStrings(i, inputRewrites));
--
2.46.1


@ -0,0 +1,75 @@
From 9e198a75f76ac08f835975d4b2743e156616a219 Mon Sep 17 00:00:00 2001
From: Robert Hensing <robert@roberthensing.nl>
Date: Thu, 3 Oct 2024 12:57:00 +0200
Subject: [PATCH 4/4] local-derivation-goal: Move builder preparation to
non-builtin code path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
.../unix/build/local-derivation-goal.cc | 25 ++++++++-----------
1 file changed, 10 insertions(+), 15 deletions(-)
diff --git a/src/libstore/unix/build/local-derivation-goal.cc b/src/libstore/unix/build/local-derivation-goal.cc
index 9b8b3c51b..08366712c 100644
--- a/src/libstore/unix/build/local-derivation-goal.cc
+++ b/src/libstore/unix/build/local-derivation-goal.cc
@@ -2025,11 +2025,6 @@ void LocalDerivationGoal::runChild()
throw SysError("setuid failed");
}
- /* Fill in the arguments. */
- Strings args;
-
- std::string builder = "invalid";
-
#if __APPLE__
/* This has to appear before import statements. */
std::string sandboxProfile = "(version 1)\n";
@@ -2154,14 +2149,6 @@ void LocalDerivationGoal::runChild()
}
#endif
- if (!drv->isBuiltin()) {
- builder = drv->builder;
- args.push_back(std::string(baseNameOf(drv->builder)));
- }
-
- for (auto & i : drv->args)
- args.push_back(rewriteStrings(i, inputRewrites));
-
/* Indicate that we managed to set up the build environment. */
writeFull(STDERR_FILENO, std::string("\2\n"));
@@ -2192,6 +2179,14 @@ void LocalDerivationGoal::runChild()
}
}
+ // Now builder is not builtin
+
+ Strings args;
+ args.push_back(std::string(baseNameOf(drv->builder)));
+
+ for (auto & i : drv->args)
+ args.push_back(rewriteStrings(i, inputRewrites));
+
#if __APPLE__
posix_spawnattr_t attrp;
@@ -2213,9 +2208,9 @@ void LocalDerivationGoal::runChild()
posix_spawnattr_setbinpref_np(&attrp, 1, &cpu, NULL);
}
- posix_spawn(NULL, builder.c_str(), NULL, &attrp, stringsToCharPtrs(args).data(), stringsToCharPtrs(envStrs).data());
+ posix_spawn(NULL, drv->builder.c_str(), NULL, &attrp, stringsToCharPtrs(args).data(), stringsToCharPtrs(envStrs).data());
#else
- execve(builder.c_str(), stringsToCharPtrs(args).data(), stringsToCharPtrs(envStrs).data());
+ execve(drv->builder.c_str(), stringsToCharPtrs(args).data(), stringsToCharPtrs(envStrs).data());
#endif
throw SysError("executing '%1%'", drv->builder);
--
2.46.1
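Review bot: The comment `// Now builder is not builtin` that heads the relocated `Strings args;` block is too terse: it relies on the builtin branch just above (closed by the two `}` context lines, body outside the hunk) never falling through, and it drops the old `/* Fill in the arguments. */` header that the first hunk removes. Suggest replacing it with `/* Fill in the arguments. Only reached for non-builtin derivations: the builtin branch above leaves the child before this point (presumably by exiting; confirm). */`. runChild's body starts and ends outside these hunks. The same applies to the copy of this patch further down (`From 67b5c700...`).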


@ -0,0 +1,323 @@
From 05994033d58e358ddafe51d1d04626eb76b8a192 Mon Sep 17 00:00:00 2001
From: Puck Meerburg <puck@puckipedia.com>
Date: Fri, 1 Mar 2024 11:42:24 -0500
Subject: [PATCH 1/4] fix: Run all derivation builders inside the sandbox on
macOS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
configure.ac | 6 +-
package.nix | 2 +
.../unix/build/local-derivation-goal.cc | 223 +++++++++---------
3 files changed, 116 insertions(+), 115 deletions(-)
diff --git a/configure.ac b/configure.ac
index 90a6d45d5..f98a0a5ea 100644
--- a/configure.ac
+++ b/configure.ac
@@ -62,12 +62,16 @@ AC_CHECK_TOOL([AR], [ar])
AC_SYS_LARGEFILE
-# Solaris-specific stuff.
+# OS-specific stuff.
case "$host_os" in
solaris*)
# Solaris requires -lsocket -lnsl for network functions
LDFLAGS="-lsocket -lnsl $LDFLAGS"
;;
+ darwin*)
+ # Need to link to libsandbox.
+ LDFLAGS="-lsandbox $LDFLAGS"
+ ;;
esac
diff --git a/package.nix b/package.nix
index cf1654c6a..1dfe7ab31 100644
--- a/package.nix
+++ b/package.nix
@@ -27,6 +27,7 @@
, libseccomp
, libsodium
, man
+, darwin
, lowdown
, mdbook
, mdbook-linkcheck
@@ -250,6 +251,7 @@ in {
gtest
rapidcheck
] ++ lib.optional stdenv.isLinux libseccomp
+ ++ lib.optional stdenv.hostPlatform.isDarwin darwin.apple_sdk.libs.sandbox
++ lib.optional stdenv.hostPlatform.isx86_64 libcpuid
# There have been issues building these dependencies
++ lib.optional (stdenv.hostPlatform == stdenv.buildPlatform && (stdenv.isLinux || stdenv.isDarwin))
diff --git a/src/libstore/unix/build/local-derivation-goal.cc b/src/libstore/unix/build/local-derivation-goal.cc
index ae9c715d6..878644fa5 100644
--- a/src/libstore/unix/build/local-derivation-goal.cc
+++ b/src/libstore/unix/build/local-derivation-goal.cc
@@ -58,6 +58,10 @@
#if __APPLE__
#include <spawn.h>
#include <sys/sysctl.h>
+#include <sandbox.h>
+
+/* This definition is undocumented but depended upon by all major browsers. */
+extern "C" int sandbox_init_with_parameters(const char *profile, uint64_t flags, const char *const parameters[], char **errorbuf);
#endif
#include <pwd.h>
@@ -2017,141 +2021,132 @@ void LocalDerivationGoal::runChild()
std::string builder = "invalid";
- if (drv->isBuiltin()) {
- ;
- }
#if __APPLE__
- else {
- /* This has to appear before import statements. */
- std::string sandboxProfile = "(version 1)\n";
-
- if (useChroot) {
-
- /* Lots and lots and lots of file functions freak out if they can't stat their full ancestry */
- PathSet ancestry;
-
- /* We build the ancestry before adding all inputPaths to the store because we know they'll
- all have the same parents (the store), and there might be lots of inputs. This isn't
- particularly efficient... I doubt it'll be a bottleneck in practice */
- for (auto & i : pathsInChroot) {
- Path cur = i.first;
- while (cur.compare("/") != 0) {
- cur = dirOf(cur);
- ancestry.insert(cur);
- }
- }
+ /* This has to appear before import statements. */
+ std::string sandboxProfile = "(version 1)\n";
+
+ if (useChroot) {
- /* And we want the store in there regardless of how empty pathsInChroot. We include the innermost
- path component this time, since it's typically /nix/store and we care about that. */
- Path cur = worker.store.storeDir;
+ /* Lots and lots and lots of file functions freak out if they can't stat their full ancestry */
+ PathSet ancestry;
+
+ /* We build the ancestry before adding all inputPaths to the store because we know they'll
+ all have the same parents (the store), and there might be lots of inputs. This isn't
+ particularly efficient... I doubt it'll be a bottleneck in practice */
+ for (auto & i : pathsInChroot) {
+ Path cur = i.first;
while (cur.compare("/") != 0) {
- ancestry.insert(cur);
cur = dirOf(cur);
+ ancestry.insert(cur);
}
+ }
- /* Add all our input paths to the chroot */
- for (auto & i : inputPaths) {
- auto p = worker.store.printStorePath(i);
- pathsInChroot[p] = p;
- }
-
- /* Violations will go to the syslog if you set this. Unfortunately the destination does not appear to be configurable */
- if (settings.darwinLogSandboxViolations) {
- sandboxProfile += "(deny default)\n";
- } else {
- sandboxProfile += "(deny default (with no-log))\n";
- }
+ /* And we want the store in there regardless of how empty pathsInChroot. We include the innermost
+ path component this time, since it's typically /nix/store and we care about that. */
+ Path cur = worker.store.storeDir;
+ while (cur.compare("/") != 0) {
+ ancestry.insert(cur);
+ cur = dirOf(cur);
+ }
- sandboxProfile +=
- #include "sandbox-defaults.sb"
- ;
+ /* Add all our input paths to the chroot */
+ for (auto & i : inputPaths) {
+ auto p = worker.store.printStorePath(i);
+ pathsInChroot[p] = p;
+ }
- if (!derivationType->isSandboxed())
- sandboxProfile +=
- #include "sandbox-network.sb"
- ;
-
- /* Add the output paths we'll use at build-time to the chroot */
- sandboxProfile += "(allow file-read* file-write* process-exec\n";
- for (auto & [_, path] : scratchOutputs)
- sandboxProfile += fmt("\t(subpath \"%s\")\n", worker.store.printStorePath(path));
-
- sandboxProfile += ")\n";
-
- /* Our inputs (transitive dependencies and any impurities computed above)
-
- without file-write* allowed, access() incorrectly returns EPERM
- */
- sandboxProfile += "(allow file-read* file-write* process-exec\n";
- for (auto & i : pathsInChroot) {
- if (i.first != i.second.source)
- throw Error(
- "can't map '%1%' to '%2%': mismatched impure paths not supported on Darwin",
- i.first, i.second.source);
-
- std::string path = i.first;
- auto optSt = maybeLstat(path.c_str());
- if (!optSt) {
- if (i.second.optional)
- continue;
- throw SysError("getting attributes of required path '%s", path);
- }
- if (S_ISDIR(optSt->st_mode))
- sandboxProfile += fmt("\t(subpath \"%s\")\n", path);
- else
- sandboxProfile += fmt("\t(literal \"%s\")\n", path);
- }
- sandboxProfile += ")\n";
+ /* Violations will go to the syslog if you set this. Unfortunately the destination does not appear to be configurable */
+ if (settings.darwinLogSandboxViolations) {
+ sandboxProfile += "(deny default)\n";
+ } else {
+ sandboxProfile += "(deny default (with no-log))\n";
+ }
- /* Allow file-read* on full directory hierarchy to self. Allows realpath() */
- sandboxProfile += "(allow file-read*\n";
- for (auto & i : ancestry) {
- sandboxProfile += fmt("\t(literal \"%s\")\n", i);
- }
- sandboxProfile += ")\n";
+ sandboxProfile +=
+ #include "sandbox-defaults.sb"
+ ;
- sandboxProfile += additionalSandboxProfile;
- } else
+ if (!derivationType->isSandboxed())
sandboxProfile +=
- #include "sandbox-minimal.sb"
+ #include "sandbox-network.sb"
;
- debug("Generated sandbox profile:");
- debug(sandboxProfile);
-
- Path sandboxFile = tmpDir + "/.sandbox.sb";
+ /* Add the output paths we'll use at build-time to the chroot */
+ sandboxProfile += "(allow file-read* file-write* process-exec\n";
+ for (auto & [_, path] : scratchOutputs)
+ sandboxProfile += fmt("\t(subpath \"%s\")\n", worker.store.printStorePath(path));
- writeFile(sandboxFile, sandboxProfile);
+ sandboxProfile += ")\n";
- bool allowLocalNetworking = parsedDrv->getBoolAttr("__darwinAllowLocalNetworking");
+ /* Our inputs (transitive dependencies and any impurities computed above)
- /* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms
- to find temporary directories, so we want to open up a broader place for them to put their files, if needed. */
- Path globalTmpDir = canonPath(defaultTempDir(), true);
+ without file-write* allowed, access() incorrectly returns EPERM
+ */
+ sandboxProfile += "(allow file-read* file-write* process-exec\n";
+ for (auto & i : pathsInChroot) {
+ if (i.first != i.second.source)
+ throw Error(
+ "can't map '%1%' to '%2%': mismatched impure paths not supported on Darwin",
+ i.first, i.second.source);
+
+ std::string path = i.first;
+ auto optSt = maybeLstat(path.c_str());
+ if (!optSt) {
+ if (i.second.optional)
+ continue;
+ throw SysError("getting attributes of required path '%s", path);
+ }
+ if (S_ISDIR(optSt->st_mode))
+ sandboxProfile += fmt("\t(subpath \"%s\")\n", path);
+ else
+ sandboxProfile += fmt("\t(literal \"%s\")\n", path);
+ }
+ sandboxProfile += ")\n";
- /* They don't like trailing slashes on subpath directives */
- while (!globalTmpDir.empty() && globalTmpDir.back() == '/')
- globalTmpDir.pop_back();
+ /* Allow file-read* on full directory hierarchy to self. Allows realpath() */
+ sandboxProfile += "(allow file-read*\n";
+ for (auto & i : ancestry) {
+ sandboxProfile += fmt("\t(literal \"%s\")\n", i);
+ }
+ sandboxProfile += ")\n";
- if (getEnv("_NIX_TEST_NO_SANDBOX") != "1") {
- builder = "/usr/bin/sandbox-exec";
- args.push_back("sandbox-exec");
- args.push_back("-f");
- args.push_back(sandboxFile);
- args.push_back("-D");
- args.push_back("_GLOBAL_TMP_DIR=" + globalTmpDir);
- if (allowLocalNetworking) {
- args.push_back("-D");
- args.push_back(std::string("_ALLOW_LOCAL_NETWORKING=1"));
- }
- args.push_back(drv->builder);
- } else {
- builder = drv->builder;
- args.push_back(std::string(baseNameOf(drv->builder)));
+ sandboxProfile += additionalSandboxProfile;
+ } else
+ sandboxProfile +=
+ #include "sandbox-minimal.sb"
+ ;
+
+ debug("Generated sandbox profile:");
+ debug(sandboxProfile);
+
+ bool allowLocalNetworking = parsedDrv->getBoolAttr("__darwinAllowLocalNetworking");
+
+ /* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms
+ to find temporary directories, so we want to open up a broader place for them to put their files, if needed. */
+ Path globalTmpDir = canonPath(defaultTempDir(), true);
+
+ /* They don't like trailing slashes on subpath directives */
+ while (!globalTmpDir.empty() && globalTmpDir.back() == '/')
+ globalTmpDir.pop_back();
+
+ if (getEnv("_NIX_TEST_NO_SANDBOX") != "1") {
+ Strings sandboxArgs;
+ sandboxArgs.push_back("_GLOBAL_TMP_DIR");
+ sandboxArgs.push_back(globalTmpDir);
+ if (allowLocalNetworking) {
+ sandboxArgs.push_back("_ALLOW_LOCAL_NETWORKING");
+ sandboxArgs.push_back("1");
+ }
+ if (sandbox_init_with_parameters(sandboxProfile.c_str(), 0, stringsToCharPtrs(sandboxArgs).data(), NULL)) {
+ writeFull(STDERR_FILENO, "failed to configure sandbox\n");
+ _exit(1);
}
}
+
+ builder = drv->builder;
+ args.push_back(std::string(baseNameOf(drv->builder)));
#else
- else {
+ if (!drv->isBuiltin()) {
builder = drv->builder;
args.push_back(std::string(baseNameOf(drv->builder)));
}
--
2.46.1


@ -0,0 +1,34 @@
From c43954ffac356b4168cbcfe2a67b4bad3f0dff5d Mon Sep 17 00:00:00 2001
From: Robert Hensing <robert@roberthensing.nl>
Date: Thu, 3 Oct 2024 12:44:12 +0200
Subject: [PATCH 2/4] local-derivation-goal: Print sandbox error detail on
darwin
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-Authored-By: Théophane Hufschmitt <theophane.hufschmitt@tweag.io>
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
src/libstore/unix/build/local-derivation-goal.cc | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/libstore/unix/build/local-derivation-goal.cc b/src/libstore/unix/build/local-derivation-goal.cc
index 878644fa5..0df1f0683 100644
--- a/src/libstore/unix/build/local-derivation-goal.cc
+++ b/src/libstore/unix/build/local-derivation-goal.cc
@@ -2137,8 +2137,9 @@ void LocalDerivationGoal::runChild()
sandboxArgs.push_back("_ALLOW_LOCAL_NETWORKING");
sandboxArgs.push_back("1");
}
- if (sandbox_init_with_parameters(sandboxProfile.c_str(), 0, stringsToCharPtrs(sandboxArgs).data(), NULL)) {
- writeFull(STDERR_FILENO, "failed to configure sandbox\n");
+ char * sandbox_errbuf = nullptr;
+ if (sandbox_init_with_parameters(sandboxProfile.c_str(), 0, stringsToCharPtrs(sandboxArgs).data(), &sandbox_errbuf)) {
+ writeFull(STDERR_FILENO, fmt("failed to configure sandbox: %s\n", sandbox_errbuf ? sandbox_errbuf : "(null)"));
_exit(1);
}
}
--
2.46.1


@ -0,0 +1,41 @@
From 53b4bdcb8b0f114bea978cffbea325fd73f779b5 Mon Sep 17 00:00:00 2001
From: Robert Hensing <robert@roberthensing.nl>
Date: Thu, 3 Oct 2024 12:50:27 +0200
Subject: [PATCH 3/4] local-derivation-goal: Refactor
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This works because the `builder` and `args` variables are only used
in the non-builtin code path.
Co-Authored-By: Théophane Hufschmitt <theophane.hufschmitt@tweag.io>
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
src/libstore/unix/build/local-derivation-goal.cc | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/src/libstore/unix/build/local-derivation-goal.cc b/src/libstore/unix/build/local-derivation-goal.cc
index 0df1f0683..9e67283c9 100644
--- a/src/libstore/unix/build/local-derivation-goal.cc
+++ b/src/libstore/unix/build/local-derivation-goal.cc
@@ -2143,15 +2143,12 @@ void LocalDerivationGoal::runChild()
_exit(1);
}
}
+#endif
- builder = drv->builder;
- args.push_back(std::string(baseNameOf(drv->builder)));
-#else
if (!drv->isBuiltin()) {
builder = drv->builder;
args.push_back(std::string(baseNameOf(drv->builder)));
}
-#endif
for (auto & i : drv->args)
args.push_back(rewriteStrings(i, inputRewrites));
--
2.46.1


@ -0,0 +1,75 @@
From 67b5c7004302cbd344f63ccd306673a9adec4520 Mon Sep 17 00:00:00 2001
From: Robert Hensing <robert@roberthensing.nl>
Date: Thu, 3 Oct 2024 12:57:00 +0200
Subject: [PATCH 4/4] local-derivation-goal: Move builder preparation to
non-builtin code path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
.../unix/build/local-derivation-goal.cc | 25 ++++++++-----------
1 file changed, 10 insertions(+), 15 deletions(-)
diff --git a/src/libstore/unix/build/local-derivation-goal.cc b/src/libstore/unix/build/local-derivation-goal.cc
index 9e67283c9..1f4bafb56 100644
--- a/src/libstore/unix/build/local-derivation-goal.cc
+++ b/src/libstore/unix/build/local-derivation-goal.cc
@@ -2016,11 +2016,6 @@ void LocalDerivationGoal::runChild()
throw SysError("setuid failed");
}
- /* Fill in the arguments. */
- Strings args;
-
- std::string builder = "invalid";
-
#if __APPLE__
/* This has to appear before import statements. */
std::string sandboxProfile = "(version 1)\n";
@@ -2145,14 +2140,6 @@ void LocalDerivationGoal::runChild()
}
#endif
- if (!drv->isBuiltin()) {
- builder = drv->builder;
- args.push_back(std::string(baseNameOf(drv->builder)));
- }
-
- for (auto & i : drv->args)
- args.push_back(rewriteStrings(i, inputRewrites));
-
/* Indicate that we managed to set up the build environment. */
writeFull(STDERR_FILENO, std::string("\2\n"));
@@ -2183,6 +2170,14 @@ void LocalDerivationGoal::runChild()
}
}
+ // Now builder is not builtin
+
+ Strings args;
+ args.push_back(std::string(baseNameOf(drv->builder)));
+
+ for (auto & i : drv->args)
+ args.push_back(rewriteStrings(i, inputRewrites));
+
#if __APPLE__
posix_spawnattr_t attrp;
@@ -2204,9 +2199,9 @@ void LocalDerivationGoal::runChild()
posix_spawnattr_setbinpref_np(&attrp, 1, &cpu, NULL);
}
- posix_spawn(NULL, builder.c_str(), NULL, &attrp, stringsToCharPtrs(args).data(), stringsToCharPtrs(envStrs).data());
+ posix_spawn(NULL, drv->builder.c_str(), NULL, &attrp, stringsToCharPtrs(args).data(), stringsToCharPtrs(envStrs).data());
#else
- execve(builder.c_str(), stringsToCharPtrs(args).data(), stringsToCharPtrs(envStrs).data());
+ execve(drv->builder.c_str(), stringsToCharPtrs(args).data(), stringsToCharPtrs(envStrs).data());
#endif
throw SysError("executing '%1%'", drv->builder);
--
2.46.1


@ -0,0 +1,323 @@
From 170242cf0ca3e9fadbad2004126793634d56623e Mon Sep 17 00:00:00 2001
From: Puck Meerburg <puck@puckipedia.com>
Date: Fri, 1 Mar 2024 11:42:24 -0500
Subject: [PATCH 1/5] fix: Run all derivation builders inside the sandbox on
macOS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
configure.ac | 6 +-
package.nix | 2 +
.../unix/build/local-derivation-goal.cc | 223 +++++++++---------
3 files changed, 116 insertions(+), 115 deletions(-)
diff --git a/configure.ac b/configure.ac
index 5c22ed176..dff35981b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -62,12 +62,16 @@ AC_CHECK_TOOL([AR], [ar])
AC_SYS_LARGEFILE
-# Solaris-specific stuff.
+# OS-specific stuff.
case "$host_os" in
solaris*)
# Solaris requires -lsocket -lnsl for network functions
LDFLAGS="-lsocket -lnsl $LDFLAGS"
;;
+ darwin*)
+ # Need to link to libsandbox.
+ LDFLAGS="-lsandbox $LDFLAGS"
+ ;;
esac
diff --git a/package.nix b/package.nix
index a7c8923e8..fcd1e1898 100644
--- a/package.nix
+++ b/package.nix
@@ -23,6 +23,7 @@
, libseccomp
, libsodium
, man
+, darwin
, lowdown
, mdbook
, mdbook-linkcheck
@@ -235,6 +236,7 @@ in {
gtest
rapidcheck
] ++ lib.optional stdenv.isLinux libseccomp
+ ++ lib.optional stdenv.hostPlatform.isDarwin darwin.apple_sdk.libs.sandbox
++ lib.optional stdenv.hostPlatform.isx86_64 libcpuid
# There have been issues building these dependencies
++ lib.optional (stdenv.hostPlatform == stdenv.buildPlatform && (stdenv.isLinux || stdenv.isDarwin))
diff --git a/src/libstore/unix/build/local-derivation-goal.cc b/src/libstore/unix/build/local-derivation-goal.cc
index 54ca69580..7ce266122 100644
--- a/src/libstore/unix/build/local-derivation-goal.cc
+++ b/src/libstore/unix/build/local-derivation-goal.cc
@@ -58,6 +58,10 @@
#if __APPLE__
#include <spawn.h>
#include <sys/sysctl.h>
+#include <sandbox.h>
+
+/* This definition is undocumented but depended upon by all major browsers. */
+extern "C" int sandbox_init_with_parameters(const char *profile, uint64_t flags, const char *const parameters[], char **errorbuf);
#endif
#include <pwd.h>
@@ -2039,141 +2043,132 @@ void LocalDerivationGoal::runChild()
std::string builder = "invalid";
- if (drv->isBuiltin()) {
- ;
- }
#if __APPLE__
- else {
- /* This has to appear before import statements. */
- std::string sandboxProfile = "(version 1)\n";
-
- if (useChroot) {
-
- /* Lots and lots and lots of file functions freak out if they can't stat their full ancestry */
- PathSet ancestry;
-
- /* We build the ancestry before adding all inputPaths to the store because we know they'll
- all have the same parents (the store), and there might be lots of inputs. This isn't
- particularly efficient... I doubt it'll be a bottleneck in practice */
- for (auto & i : pathsInChroot) {
- Path cur = i.first;
- while (cur.compare("/") != 0) {
- cur = dirOf(cur);
- ancestry.insert(cur);
- }
- }
+ /* This has to appear before import statements. */
+ std::string sandboxProfile = "(version 1)\n";
+
+ if (useChroot) {
- /* And we want the store in there regardless of how empty pathsInChroot. We include the innermost
- path component this time, since it's typically /nix/store and we care about that. */
- Path cur = worker.store.storeDir;
+ /* Lots and lots and lots of file functions freak out if they can't stat their full ancestry */
+ PathSet ancestry;
+
+ /* We build the ancestry before adding all inputPaths to the store because we know they'll
+ all have the same parents (the store), and there might be lots of inputs. This isn't
+ particularly efficient... I doubt it'll be a bottleneck in practice */
+ for (auto & i : pathsInChroot) {
+ Path cur = i.first;
while (cur.compare("/") != 0) {
- ancestry.insert(cur);
cur = dirOf(cur);
+ ancestry.insert(cur);
}
+ }
- /* Add all our input paths to the chroot */
- for (auto & i : inputPaths) {
- auto p = worker.store.printStorePath(i);
- pathsInChroot[p] = p;
- }
-
- /* Violations will go to the syslog if you set this. Unfortunately the destination does not appear to be configurable */
- if (settings.darwinLogSandboxViolations) {
- sandboxProfile += "(deny default)\n";
- } else {
- sandboxProfile += "(deny default (with no-log))\n";
- }
+ /* And we want the store in there regardless of how empty pathsInChroot. We include the innermost
+ path component this time, since it's typically /nix/store and we care about that. */
+ Path cur = worker.store.storeDir;
+ while (cur.compare("/") != 0) {
+ ancestry.insert(cur);
+ cur = dirOf(cur);
+ }
- sandboxProfile +=
- #include "sandbox-defaults.sb"
- ;
+ /* Add all our input paths to the chroot */
+ for (auto & i : inputPaths) {
+ auto p = worker.store.printStorePath(i);
+ pathsInChroot[p] = p;
+ }
- if (!derivationType->isSandboxed())
- sandboxProfile +=
- #include "sandbox-network.sb"
- ;
-
- /* Add the output paths we'll use at build-time to the chroot */
- sandboxProfile += "(allow file-read* file-write* process-exec\n";
- for (auto & [_, path] : scratchOutputs)
- sandboxProfile += fmt("\t(subpath \"%s\")\n", worker.store.printStorePath(path));
-
- sandboxProfile += ")\n";
-
- /* Our inputs (transitive dependencies and any impurities computed above)
-
- without file-write* allowed, access() incorrectly returns EPERM
- */
- sandboxProfile += "(allow file-read* file-write* process-exec\n";
- for (auto & i : pathsInChroot) {
- if (i.first != i.second.source)
- throw Error(
- "can't map '%1%' to '%2%': mismatched impure paths not supported on Darwin",
- i.first, i.second.source);
-
- std::string path = i.first;
- auto optSt = maybeLstat(path.c_str());
- if (!optSt) {
- if (i.second.optional)
- continue;
- throw SysError("getting attributes of required path '%s", path);
- }
- if (S_ISDIR(optSt->st_mode))
- sandboxProfile += fmt("\t(subpath \"%s\")\n", path);
- else
- sandboxProfile += fmt("\t(literal \"%s\")\n", path);
- }
- sandboxProfile += ")\n";
+ /* Violations will go to the syslog if you set this. Unfortunately the destination does not appear to be configurable */
+ if (settings.darwinLogSandboxViolations) {
+ sandboxProfile += "(deny default)\n";
+ } else {
+ sandboxProfile += "(deny default (with no-log))\n";
+ }
- /* Allow file-read* on full directory hierarchy to self. Allows realpath() */
- sandboxProfile += "(allow file-read*\n";
- for (auto & i : ancestry) {
- sandboxProfile += fmt("\t(literal \"%s\")\n", i);
- }
- sandboxProfile += ")\n";
+ sandboxProfile +=
+ #include "sandbox-defaults.sb"
+ ;
- sandboxProfile += additionalSandboxProfile;
- } else
+ if (!derivationType->isSandboxed())
sandboxProfile +=
- #include "sandbox-minimal.sb"
+ #include "sandbox-network.sb"
;
- debug("Generated sandbox profile:");
- debug(sandboxProfile);
-
- Path sandboxFile = tmpDir + "/.sandbox.sb";
+ /* Add the output paths we'll use at build-time to the chroot */
+ sandboxProfile += "(allow file-read* file-write* process-exec\n";
+ for (auto & [_, path] : scratchOutputs)
+ sandboxProfile += fmt("\t(subpath \"%s\")\n", worker.store.printStorePath(path));
- writeFile(sandboxFile, sandboxProfile);
+ sandboxProfile += ")\n";
- bool allowLocalNetworking = parsedDrv->getBoolAttr("__darwinAllowLocalNetworking");
+ /* Our inputs (transitive dependencies and any impurities computed above)
- /* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms
- to find temporary directories, so we want to open up a broader place for them to put their files, if needed. */
- Path globalTmpDir = canonPath(defaultTempDir(), true);
+ without file-write* allowed, access() incorrectly returns EPERM
+ */
+ sandboxProfile += "(allow file-read* file-write* process-exec\n";
+ for (auto & i : pathsInChroot) {
+ if (i.first != i.second.source)
+ throw Error(
+ "can't map '%1%' to '%2%': mismatched impure paths not supported on Darwin",
+ i.first, i.second.source);
+
+ std::string path = i.first;
+ auto optSt = maybeLstat(path.c_str());
+ if (!optSt) {
+ if (i.second.optional)
+ continue;
+ throw SysError("getting attributes of required path '%s", path);
+ }
+ if (S_ISDIR(optSt->st_mode))
+ sandboxProfile += fmt("\t(subpath \"%s\")\n", path);
+ else
+ sandboxProfile += fmt("\t(literal \"%s\")\n", path);
+ }
+ sandboxProfile += ")\n";
- /* They don't like trailing slashes on subpath directives */
- while (!globalTmpDir.empty() && globalTmpDir.back() == '/')
- globalTmpDir.pop_back();
+ /* Allow file-read* on full directory hierarchy to self. Allows realpath() */
+ sandboxProfile += "(allow file-read*\n";
+ for (auto & i : ancestry) {
+ sandboxProfile += fmt("\t(literal \"%s\")\n", i);
+ }
+ sandboxProfile += ")\n";
- if (getEnv("_NIX_TEST_NO_SANDBOX") != "1") {
- builder = "/usr/bin/sandbox-exec";
- args.push_back("sandbox-exec");
- args.push_back("-f");
- args.push_back(sandboxFile);
- args.push_back("-D");
- args.push_back("_GLOBAL_TMP_DIR=" + globalTmpDir);
- if (allowLocalNetworking) {
- args.push_back("-D");
- args.push_back(std::string("_ALLOW_LOCAL_NETWORKING=1"));
- }
- args.push_back(drv->builder);
- } else {
- builder = drv->builder;
- args.push_back(std::string(baseNameOf(drv->builder)));
+ sandboxProfile += additionalSandboxProfile;
+ } else
+ sandboxProfile +=
+ #include "sandbox-minimal.sb"
+ ;
+
+ debug("Generated sandbox profile:");
+ debug(sandboxProfile);
+
+ bool allowLocalNetworking = parsedDrv->getBoolAttr("__darwinAllowLocalNetworking");
+
+ /* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms
+ to find temporary directories, so we want to open up a broader place for them to put their files, if needed. */
+ Path globalTmpDir = canonPath(defaultTempDir(), true);
+
+ /* They don't like trailing slashes on subpath directives */
+ while (!globalTmpDir.empty() && globalTmpDir.back() == '/')
+ globalTmpDir.pop_back();
+
+ if (getEnv("_NIX_TEST_NO_SANDBOX") != "1") {
+ Strings sandboxArgs;
+ sandboxArgs.push_back("_GLOBAL_TMP_DIR");
+ sandboxArgs.push_back(globalTmpDir);
+ if (allowLocalNetworking) {
+ sandboxArgs.push_back("_ALLOW_LOCAL_NETWORKING");
+ sandboxArgs.push_back("1");
+ }
+ if (sandbox_init_with_parameters(sandboxProfile.c_str(), 0, stringsToCharPtrs(sandboxArgs).data(), NULL)) {
+ writeFull(STDERR_FILENO, "failed to configure sandbox\n");
+ _exit(1);
}
}
+
+ builder = drv->builder;
+ args.push_back(std::string(baseNameOf(drv->builder)));
#else
- else {
+ if (!drv->isBuiltin()) {
builder = drv->builder;
args.push_back(std::string(baseNameOf(drv->builder)));
}
--
2.46.1
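Review bot: The parameter list handed to `sandbox_init_with_parameters` at the end of the local-derivation-goal.cc hunk is a flat key/value array whose layout and terminator are stated nowhere, and because the function is declared by hand as an undocumented API (the `extern "C"` line added near the top of the file) there is no system header to check the call against. A comment on that declaration would pin the contract, e.g. `/* parameters: NULL-terminated array of alternating key and value strings (stringsToCharPtrs is relied on to append the terminating nullptr, as for the execve argv). */`, with the nullptr part confirmed against stringsToCharPtrs. The hunk also replaces the on-disk `.sandbox.sb` file plus `/usr/bin/sandbox-exec` with an in-process profile, so a failed `sandbox_init_with_parameters` ends the child via `_exit(1)` before it signals a ready build environment; a one-line comment that this is deliberate fail-closed behaviour would keep a future refactor from turning it into a warning. Separately, paths from `pathsInChroot`, `scratchOutputs` and `ancestry` are still spliced into the profile unescaped through `fmt("\t(subpath \"%s\")\n", …)`; this predates the change, but whether any of those paths can contain `"` or `\` is worth confirming, since such a path would alter the generated profile's syntax. `runChild()` starts and ends outside the hunk, and the identical patch appears again further down this commit for the second Nix version, where the same comments apply.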


@ -0,0 +1,53 @@
From f8a1a149c73113e01c44b73ce9e1005575d52a9a Mon Sep 17 00:00:00 2001
From: Robert Hensing <robert@roberthensing.nl>
Date: Thu, 3 Oct 2024 12:23:17 +0200
Subject: [PATCH 2/5] packaging: Add darwin -lsandbox in meson
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
src/libstore/meson.build | 5 +++++
src/libstore/package.nix | 2 ++
2 files changed, 7 insertions(+)
diff --git a/src/libstore/meson.build b/src/libstore/meson.build
index 50b15e15d..b23c85061 100644
--- a/src/libstore/meson.build
+++ b/src/libstore/meson.build
@@ -68,6 +68,11 @@ has_acl_support = cxx.has_header('sys/xattr.h') \
and cxx.has_function('lremovexattr')
configdata.set('HAVE_ACL_SUPPORT', has_acl_support.to_int())
+if host_machine.system() == 'darwin'
+ sandbox = cxx.find_library('sandbox')
+ deps_other += [sandbox]
+endif
+
subdir('build-utils-meson/threads')
boost = dependency(
diff --git a/src/libstore/package.nix b/src/libstore/package.nix
index 4582ba0d2..d98bac16d 100644
--- a/src/libstore/package.nix
+++ b/src/libstore/package.nix
@@ -7,6 +7,7 @@
, ninja
, pkg-config
, unixtools
+, darwin
, nix-util
, boost
@@ -65,6 +66,7 @@ mkMesonDerivation (finalAttrs: {
sqlite
] ++ lib.optional stdenv.hostPlatform.isLinux libseccomp
# There have been issues building these dependencies
+ ++ lib.optional stdenv.hostPlatform.isDarwin darwin.apple_sdk.libs.sandbox
++ lib.optional (stdenv.hostPlatform == stdenv.buildPlatform && (stdenv.isLinux || stdenv.isDarwin))
aws-sdk-cpp
;
--
2.46.1
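Review bot: In the src/libstore/package.nix hunk the new `lib.optional stdenv.hostPlatform.isDarwin darwin.apple_sdk.libs.sandbox` line is inserted between the comment `# There have been issues building these dependencies` and the `aws-sdk-cpp` optional that the comment describes, so the comment now reads as if it were about the sandbox library. Moving the new line above the comment, as the top-level package.nix hunk in the first patch of this series does, keeps the comment attached to the line it explains. The same ordering appears in the second copy of this patch further down the commit.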


@ -0,0 +1,34 @@
From ae7a2ea74136363c2f6ac6e624ea95da7abfafcc Mon Sep 17 00:00:00 2001
From: Robert Hensing <robert@roberthensing.nl>
Date: Thu, 3 Oct 2024 12:44:12 +0200
Subject: [PATCH 3/5] local-derivation-goal: Print sandbox error detail on
darwin
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-Authored-By: Théophane Hufschmitt <theophane.hufschmitt@tweag.io>
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
src/libstore/unix/build/local-derivation-goal.cc | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/libstore/unix/build/local-derivation-goal.cc b/src/libstore/unix/build/local-derivation-goal.cc
index 7ce266122..706771e8e 100644
--- a/src/libstore/unix/build/local-derivation-goal.cc
+++ b/src/libstore/unix/build/local-derivation-goal.cc
@@ -2159,8 +2159,9 @@ void LocalDerivationGoal::runChild()
sandboxArgs.push_back("_ALLOW_LOCAL_NETWORKING");
sandboxArgs.push_back("1");
}
- if (sandbox_init_with_parameters(sandboxProfile.c_str(), 0, stringsToCharPtrs(sandboxArgs).data(), NULL)) {
- writeFull(STDERR_FILENO, "failed to configure sandbox\n");
+ char * sandbox_errbuf = nullptr;
+ if (sandbox_init_with_parameters(sandboxProfile.c_str(), 0, stringsToCharPtrs(sandboxArgs).data(), &sandbox_errbuf)) {
+ writeFull(STDERR_FILENO, fmt("failed to configure sandbox: %s\n", sandbox_errbuf ? sandbox_errbuf : "(null)"));
_exit(1);
}
}
--
2.46.1
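Review bot: `sandbox_errbuf` is filled in by libsandbox, whose header pairs it with `sandbox_free_error()`; the new code never frees it, which is harmless only because `_exit(1)` follows on the next line. A comment makes that dependency explicit so a later change that reports the error and continues does not leak the buffer, e.g. `/* errbuf is owned by libsandbox (sandbox_free_error); not released because we _exit right away */`. The enclosing `runChild()` body is outside the hunk, and the same change is repeated in the second copy of this patch later in the commit.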


@ -0,0 +1,41 @@
From 047ee50db2f660eb3f50fab8f7543ce95e814b7c Mon Sep 17 00:00:00 2001
From: Robert Hensing <robert@roberthensing.nl>
Date: Thu, 3 Oct 2024 12:50:27 +0200
Subject: [PATCH 4/5] local-derivation-goal: Refactor
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This works because the `builder` and `args` variables are only used
in the non-builtin code path.
Co-Authored-By: Théophane Hufschmitt <theophane.hufschmitt@tweag.io>
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
src/libstore/unix/build/local-derivation-goal.cc | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/src/libstore/unix/build/local-derivation-goal.cc b/src/libstore/unix/build/local-derivation-goal.cc
index 706771e8e..d9738a1ea 100644
--- a/src/libstore/unix/build/local-derivation-goal.cc
+++ b/src/libstore/unix/build/local-derivation-goal.cc
@@ -2165,15 +2165,12 @@ void LocalDerivationGoal::runChild()
_exit(1);
}
}
+#endif
- builder = drv->builder;
- args.push_back(std::string(baseNameOf(drv->builder)));
-#else
if (!drv->isBuiltin()) {
builder = drv->builder;
args.push_back(std::string(baseNameOf(drv->builder)));
}
-#endif
for (auto & i : drv->args)
args.push_back(rewriteStrings(i, inputRewrites));
--
2.46.1


@ -0,0 +1,75 @@
From 50f83e4bbd9107576399f94449ac9cb4e80d575e Mon Sep 17 00:00:00 2001
From: Robert Hensing <robert@roberthensing.nl>
Date: Thu, 3 Oct 2024 12:57:00 +0200
Subject: [PATCH 5/5] local-derivation-goal: Move builder preparation to
non-builtin code path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
.../unix/build/local-derivation-goal.cc | 25 ++++++++-----------
1 file changed, 10 insertions(+), 15 deletions(-)
diff --git a/src/libstore/unix/build/local-derivation-goal.cc b/src/libstore/unix/build/local-derivation-goal.cc
index d9738a1ea..2a09e3dd4 100644
--- a/src/libstore/unix/build/local-derivation-goal.cc
+++ b/src/libstore/unix/build/local-derivation-goal.cc
@@ -2038,11 +2038,6 @@ void LocalDerivationGoal::runChild()
throw SysError("setuid failed");
}
- /* Fill in the arguments. */
- Strings args;
-
- std::string builder = "invalid";
-
#if __APPLE__
/* This has to appear before import statements. */
std::string sandboxProfile = "(version 1)\n";
@@ -2167,14 +2162,6 @@ void LocalDerivationGoal::runChild()
}
#endif
- if (!drv->isBuiltin()) {
- builder = drv->builder;
- args.push_back(std::string(baseNameOf(drv->builder)));
- }
-
- for (auto & i : drv->args)
- args.push_back(rewriteStrings(i, inputRewrites));
-
/* Indicate that we managed to set up the build environment. */
writeFull(STDERR_FILENO, std::string("\2\n"));
@@ -2205,6 +2192,14 @@ void LocalDerivationGoal::runChild()
}
}
+ // Now builder is not builtin
+
+ Strings args;
+ args.push_back(std::string(baseNameOf(drv->builder)));
+
+ for (auto & i : drv->args)
+ args.push_back(rewriteStrings(i, inputRewrites));
+
#if __APPLE__
posix_spawnattr_t attrp;
@@ -2226,9 +2221,9 @@ void LocalDerivationGoal::runChild()
posix_spawnattr_setbinpref_np(&attrp, 1, &cpu, NULL);
}
- posix_spawn(NULL, builder.c_str(), NULL, &attrp, stringsToCharPtrs(args).data(), stringsToCharPtrs(envStrs).data());
+ posix_spawn(NULL, drv->builder.c_str(), NULL, &attrp, stringsToCharPtrs(args).data(), stringsToCharPtrs(envStrs).data());
#else
- execve(builder.c_str(), stringsToCharPtrs(args).data(), stringsToCharPtrs(envStrs).data());
+ execve(drv->builder.c_str(), stringsToCharPtrs(args).data(), stringsToCharPtrs(envStrs).data());
#endif
throw SysError("executing '%1%'", drv->builder);
--
2.46.1
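Review bot: The comment `// Now builder is not builtin` added before the new `Strings args;` block says what is true at that point but not why, and the builtin branch it relies on is outside the hunk. Spelling the reason out would help readers of this long function, e.g. `/* The builtin-builder path above has already finished; from here on drv->builder is an executable path. */`, with the "already finished" part checked against the code preceding this hunk. It is also worth saying in the same comment that `posix_spawn`/`execve` now receive `drv->builder` directly because the sandbox is applied in-process earlier in `runChild()`, which starts and ends outside the hunk.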


@ -0,0 +1,28 @@
From 766263d53ae69d70c5915426e6e8f58abd988226 Mon Sep 17 00:00:00 2001
From: Robert Hensing <robert@roberthensing.nl>
Date: Tue, 22 Oct 2024 15:28:04 +0200
Subject: [PATCH 1/6] Fix meson build on darwin
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
std::stringbuf is defined in <sstream>
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
src/libutil/strings.cc | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/libutil/strings.cc b/src/libutil/strings.cc
index d1c9f700c..c221a43c6 100644
--- a/src/libutil/strings.cc
+++ b/src/libutil/strings.cc
@@ -1,5 +1,6 @@
#include <filesystem>
#include <string>
+#include <sstream>
#include "strings-inline.hh"
#include "os-string.hh"
--
2.46.1


@ -0,0 +1,323 @@
From d2c880b03f58eb4fdd6d19eb3ffa4345a0477419 Mon Sep 17 00:00:00 2001
From: Puck Meerburg <puck@puckipedia.com>
Date: Fri, 1 Mar 2024 11:42:24 -0500
Subject: [PATCH 2/6] fix: Run all derivation builders inside the sandbox on
macOS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
configure.ac | 6 +-
package.nix | 2 +
.../unix/build/local-derivation-goal.cc | 223 +++++++++---------
3 files changed, 116 insertions(+), 115 deletions(-)
diff --git a/configure.ac b/configure.ac
index 198198dea..c7c9b3f4b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -62,12 +62,16 @@ AC_CHECK_TOOL([AR], [ar])
AC_SYS_LARGEFILE
-# Solaris-specific stuff.
+# OS-specific stuff.
case "$host_os" in
solaris*)
# Solaris requires -lsocket -lnsl for network functions
LDFLAGS="-lsocket -lnsl $LDFLAGS"
;;
+ darwin*)
+ # Need to link to libsandbox.
+ LDFLAGS="-lsandbox $LDFLAGS"
+ ;;
esac
diff --git a/package.nix b/package.nix
index 00621d475..77f1de58c 100644
--- a/package.nix
+++ b/package.nix
@@ -23,6 +23,7 @@
, libseccomp
, libsodium
, man
+, darwin
, lowdown
, mdbook
, mdbook-linkcheck
@@ -232,6 +233,7 @@ in {
gtest
rapidcheck
] ++ lib.optional stdenv.isLinux libseccomp
+ ++ lib.optional stdenv.hostPlatform.isDarwin darwin.apple_sdk.libs.sandbox
++ lib.optional stdenv.hostPlatform.isx86_64 libcpuid
# There have been issues building these dependencies
++ lib.optional (stdenv.hostPlatform == stdenv.buildPlatform && (stdenv.isLinux || stdenv.isDarwin))
diff --git a/src/libstore/unix/build/local-derivation-goal.cc b/src/libstore/unix/build/local-derivation-goal.cc
index b4685b3a7..067755c0d 100644
--- a/src/libstore/unix/build/local-derivation-goal.cc
+++ b/src/libstore/unix/build/local-derivation-goal.cc
@@ -58,6 +58,10 @@
#if __APPLE__
#include <spawn.h>
#include <sys/sysctl.h>
+#include <sandbox.h>
+
+/* This definition is undocumented but depended upon by all major browsers. */
+extern "C" int sandbox_init_with_parameters(const char *profile, uint64_t flags, const char *const parameters[], char **errorbuf);
#endif
#include <pwd.h>
@@ -2088,141 +2092,132 @@ void LocalDerivationGoal::runChild()
std::string builder = "invalid";
- if (drv->isBuiltin()) {
- ;
- }
#if __APPLE__
- else {
- /* This has to appear before import statements. */
- std::string sandboxProfile = "(version 1)\n";
-
- if (useChroot) {
-
- /* Lots and lots and lots of file functions freak out if they can't stat their full ancestry */
- PathSet ancestry;
-
- /* We build the ancestry before adding all inputPaths to the store because we know they'll
- all have the same parents (the store), and there might be lots of inputs. This isn't
- particularly efficient... I doubt it'll be a bottleneck in practice */
- for (auto & i : pathsInChroot) {
- Path cur = i.first;
- while (cur.compare("/") != 0) {
- cur = dirOf(cur);
- ancestry.insert(cur);
- }
- }
+ /* This has to appear before import statements. */
+ std::string sandboxProfile = "(version 1)\n";
+
+ if (useChroot) {
- /* And we want the store in there regardless of how empty pathsInChroot. We include the innermost
- path component this time, since it's typically /nix/store and we care about that. */
- Path cur = worker.store.storeDir;
+ /* Lots and lots and lots of file functions freak out if they can't stat their full ancestry */
+ PathSet ancestry;
+
+ /* We build the ancestry before adding all inputPaths to the store because we know they'll
+ all have the same parents (the store), and there might be lots of inputs. This isn't
+ particularly efficient... I doubt it'll be a bottleneck in practice */
+ for (auto & i : pathsInChroot) {
+ Path cur = i.first;
while (cur.compare("/") != 0) {
- ancestry.insert(cur);
cur = dirOf(cur);
+ ancestry.insert(cur);
}
+ }
- /* Add all our input paths to the chroot */
- for (auto & i : inputPaths) {
- auto p = worker.store.printStorePath(i);
- pathsInChroot[p] = p;
- }
-
- /* Violations will go to the syslog if you set this. Unfortunately the destination does not appear to be configurable */
- if (settings.darwinLogSandboxViolations) {
- sandboxProfile += "(deny default)\n";
- } else {
- sandboxProfile += "(deny default (with no-log))\n";
- }
+ /* And we want the store in there regardless of how empty pathsInChroot. We include the innermost
+ path component this time, since it's typically /nix/store and we care about that. */
+ Path cur = worker.store.storeDir;
+ while (cur.compare("/") != 0) {
+ ancestry.insert(cur);
+ cur = dirOf(cur);
+ }
- sandboxProfile +=
- #include "sandbox-defaults.sb"
- ;
+ /* Add all our input paths to the chroot */
+ for (auto & i : inputPaths) {
+ auto p = worker.store.printStorePath(i);
+ pathsInChroot[p] = p;
+ }
- if (!derivationType->isSandboxed())
- sandboxProfile +=
- #include "sandbox-network.sb"
- ;
-
- /* Add the output paths we'll use at build-time to the chroot */
- sandboxProfile += "(allow file-read* file-write* process-exec\n";
- for (auto & [_, path] : scratchOutputs)
- sandboxProfile += fmt("\t(subpath \"%s\")\n", worker.store.printStorePath(path));
-
- sandboxProfile += ")\n";
-
- /* Our inputs (transitive dependencies and any impurities computed above)
-
- without file-write* allowed, access() incorrectly returns EPERM
- */
- sandboxProfile += "(allow file-read* file-write* process-exec\n";
- for (auto & i : pathsInChroot) {
- if (i.first != i.second.source)
- throw Error(
- "can't map '%1%' to '%2%': mismatched impure paths not supported on Darwin",
- i.first, i.second.source);
-
- std::string path = i.first;
- auto optSt = maybeLstat(path.c_str());
- if (!optSt) {
- if (i.second.optional)
- continue;
- throw SysError("getting attributes of required path '%s", path);
- }
- if (S_ISDIR(optSt->st_mode))
- sandboxProfile += fmt("\t(subpath \"%s\")\n", path);
- else
- sandboxProfile += fmt("\t(literal \"%s\")\n", path);
- }
- sandboxProfile += ")\n";
+ /* Violations will go to the syslog if you set this. Unfortunately the destination does not appear to be configurable */
+ if (settings.darwinLogSandboxViolations) {
+ sandboxProfile += "(deny default)\n";
+ } else {
+ sandboxProfile += "(deny default (with no-log))\n";
+ }
- /* Allow file-read* on full directory hierarchy to self. Allows realpath() */
- sandboxProfile += "(allow file-read*\n";
- for (auto & i : ancestry) {
- sandboxProfile += fmt("\t(literal \"%s\")\n", i);
- }
- sandboxProfile += ")\n";
+ sandboxProfile +=
+ #include "sandbox-defaults.sb"
+ ;
- sandboxProfile += additionalSandboxProfile;
- } else
+ if (!derivationType->isSandboxed())
sandboxProfile +=
- #include "sandbox-minimal.sb"
+ #include "sandbox-network.sb"
;
- debug("Generated sandbox profile:");
- debug(sandboxProfile);
-
- Path sandboxFile = tmpDir + "/.sandbox.sb";
+ /* Add the output paths we'll use at build-time to the chroot */
+ sandboxProfile += "(allow file-read* file-write* process-exec\n";
+ for (auto & [_, path] : scratchOutputs)
+ sandboxProfile += fmt("\t(subpath \"%s\")\n", worker.store.printStorePath(path));
- writeFile(sandboxFile, sandboxProfile);
+ sandboxProfile += ")\n";
- bool allowLocalNetworking = parsedDrv->getBoolAttr("__darwinAllowLocalNetworking");
+ /* Our inputs (transitive dependencies and any impurities computed above)
- /* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms
- to find temporary directories, so we want to open up a broader place for them to put their files, if needed. */
- Path globalTmpDir = canonPath(defaultTempDir(), true);
+ without file-write* allowed, access() incorrectly returns EPERM
+ */
+ sandboxProfile += "(allow file-read* file-write* process-exec\n";
+ for (auto & i : pathsInChroot) {
+ if (i.first != i.second.source)
+ throw Error(
+ "can't map '%1%' to '%2%': mismatched impure paths not supported on Darwin",
+ i.first, i.second.source);
+
+ std::string path = i.first;
+ auto optSt = maybeLstat(path.c_str());
+ if (!optSt) {
+ if (i.second.optional)
+ continue;
+ throw SysError("getting attributes of required path '%s", path);
+ }
+ if (S_ISDIR(optSt->st_mode))
+ sandboxProfile += fmt("\t(subpath \"%s\")\n", path);
+ else
+ sandboxProfile += fmt("\t(literal \"%s\")\n", path);
+ }
+ sandboxProfile += ")\n";
- /* They don't like trailing slashes on subpath directives */
- while (!globalTmpDir.empty() && globalTmpDir.back() == '/')
- globalTmpDir.pop_back();
+ /* Allow file-read* on full directory hierarchy to self. Allows realpath() */
+ sandboxProfile += "(allow file-read*\n";
+ for (auto & i : ancestry) {
+ sandboxProfile += fmt("\t(literal \"%s\")\n", i);
+ }
+ sandboxProfile += ")\n";
- if (getEnv("_NIX_TEST_NO_SANDBOX") != "1") {
- builder = "/usr/bin/sandbox-exec";
- args.push_back("sandbox-exec");
- args.push_back("-f");
- args.push_back(sandboxFile);
- args.push_back("-D");
- args.push_back("_GLOBAL_TMP_DIR=" + globalTmpDir);
- if (allowLocalNetworking) {
- args.push_back("-D");
- args.push_back(std::string("_ALLOW_LOCAL_NETWORKING=1"));
- }
- args.push_back(drv->builder);
- } else {
- builder = drv->builder;
- args.push_back(std::string(baseNameOf(drv->builder)));
+ sandboxProfile += additionalSandboxProfile;
+ } else
+ sandboxProfile +=
+ #include "sandbox-minimal.sb"
+ ;
+
+ debug("Generated sandbox profile:");
+ debug(sandboxProfile);
+
+ bool allowLocalNetworking = parsedDrv->getBoolAttr("__darwinAllowLocalNetworking");
+
+ /* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms
+ to find temporary directories, so we want to open up a broader place for them to put their files, if needed. */
+ Path globalTmpDir = canonPath(defaultTempDir(), true);
+
+ /* They don't like trailing slashes on subpath directives */
+ while (!globalTmpDir.empty() && globalTmpDir.back() == '/')
+ globalTmpDir.pop_back();
+
+ if (getEnv("_NIX_TEST_NO_SANDBOX") != "1") {
+ Strings sandboxArgs;
+ sandboxArgs.push_back("_GLOBAL_TMP_DIR");
+ sandboxArgs.push_back(globalTmpDir);
+ if (allowLocalNetworking) {
+ sandboxArgs.push_back("_ALLOW_LOCAL_NETWORKING");
+ sandboxArgs.push_back("1");
+ }
+ if (sandbox_init_with_parameters(sandboxProfile.c_str(), 0, stringsToCharPtrs(sandboxArgs).data(), NULL)) {
+ writeFull(STDERR_FILENO, "failed to configure sandbox\n");
+ _exit(1);
}
}
+
+ builder = drv->builder;
+ args.push_back(std::string(baseNameOf(drv->builder)));
#else
- else {
+ if (!drv->isBuiltin()) {
builder = drv->builder;
args.push_back(std::string(baseNameOf(drv->builder)));
}
--
2.46.1


@ -0,0 +1,53 @@
From f7335530619f9b18d6cc249a297e4dca369101a5 Mon Sep 17 00:00:00 2001
From: Robert Hensing <robert@roberthensing.nl>
Date: Thu, 3 Oct 2024 12:23:17 +0200
Subject: [PATCH 3/6] packaging: Add darwin -lsandbox in meson
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
src/libstore/meson.build | 5 +++++
src/libstore/package.nix | 2 ++
2 files changed, 7 insertions(+)
diff --git a/src/libstore/meson.build b/src/libstore/meson.build
index 6a6aabf97..c2aa5bff3 100644
--- a/src/libstore/meson.build
+++ b/src/libstore/meson.build
@@ -69,6 +69,11 @@ has_acl_support = cxx.has_header('sys/xattr.h') \
and cxx.has_function('lremovexattr')
configdata.set('HAVE_ACL_SUPPORT', has_acl_support.to_int())
+if host_machine.system() == 'darwin'
+ sandbox = cxx.find_library('sandbox')
+ deps_other += [sandbox]
+endif
+
subdir('build-utils-meson/threads')
boost = dependency(
diff --git a/src/libstore/package.nix b/src/libstore/package.nix
index 9568462b5..f04e3b95f 100644
--- a/src/libstore/package.nix
+++ b/src/libstore/package.nix
@@ -3,6 +3,7 @@
, mkMesonLibrary
, unixtools
+, darwin
, nix-util
, boost
@@ -56,6 +57,7 @@ mkMesonLibrary (finalAttrs: {
sqlite
] ++ lib.optional stdenv.hostPlatform.isLinux libseccomp
# There have been issues building these dependencies
+ ++ lib.optional stdenv.hostPlatform.isDarwin darwin.apple_sdk.libs.sandbox
++ lib.optional (stdenv.hostPlatform == stdenv.buildPlatform && (stdenv.isLinux || stdenv.isDarwin))
aws-sdk-cpp
;
--
2.46.1


@ -0,0 +1,34 @@
From 14d09e0b55898ac22d4cdeade3bf6c4174052ffd Mon Sep 17 00:00:00 2001
From: Robert Hensing <robert@roberthensing.nl>
Date: Thu, 3 Oct 2024 12:44:12 +0200
Subject: [PATCH 4/6] local-derivation-goal: Print sandbox error detail on
darwin
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-Authored-By: Théophane Hufschmitt <theophane.hufschmitt@tweag.io>
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
src/libstore/unix/build/local-derivation-goal.cc | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/libstore/unix/build/local-derivation-goal.cc b/src/libstore/unix/build/local-derivation-goal.cc
index 067755c0d..f34d68403 100644
--- a/src/libstore/unix/build/local-derivation-goal.cc
+++ b/src/libstore/unix/build/local-derivation-goal.cc
@@ -2208,8 +2208,9 @@ void LocalDerivationGoal::runChild()
sandboxArgs.push_back("_ALLOW_LOCAL_NETWORKING");
sandboxArgs.push_back("1");
}
- if (sandbox_init_with_parameters(sandboxProfile.c_str(), 0, stringsToCharPtrs(sandboxArgs).data(), NULL)) {
- writeFull(STDERR_FILENO, "failed to configure sandbox\n");
+ char * sandbox_errbuf = nullptr;
+ if (sandbox_init_with_parameters(sandboxProfile.c_str(), 0, stringsToCharPtrs(sandboxArgs).data(), &sandbox_errbuf)) {
+ writeFull(STDERR_FILENO, fmt("failed to configure sandbox: %s\n", sandbox_errbuf ? sandbox_errbuf : "(null)"));
_exit(1);
}
}
--
2.46.1
