Commit Graph

44 Commits

Author SHA1 Message Date
K900
7014f86947 buildFHSEnv: don't set LD_LIBRARY_PATH
It's a bad hack that was originally put into place for Steam, which doesn't need it anymore,
and it confuses native binaries that run from Steam.
2024-10-08 14:00:17 +03:00
github-actions[bot]
13400dc754
Merge master into staging-next 2024-10-05 06:04:21 +00:00
Philip Taron
05fef7752c
buildFHSEnvBubblewrap: extraPreBwrapCmds after variable initialisation (#344404) 2024-10-04 18:25:49 -07:00
github-actions[bot]
a3340e0fbf
Merge master into staging-next 2024-09-26 06:04:51 +00:00
Artturin
f7ef27a982 {buildFHSEnvBubblewrap,buildFHSEnvChroot}: add nativeBuildInputs
`makeWrapper` is often used in these with `source "${makeWrapper}/nix-support/setup-hook"`
which causes `error: makeWrapper/makeShellWrapper must be in nativeBuildInputs` on cross.
2024-09-25 22:43:00 +03:00
benaryorg
9bc6d23111
buildFHSEnvBubblewrap: extraPreBwrapCmds after variable initialisation
Prior to this commit it was not possible to modify e.g. the list of ignored directories at all, however given that `buildFHSEnvBubblewrap` effectively uses a sandboxing tool (*bwrap*) I feel like this is a missed opportunity.
The code in nixpkgs already covers all the knobs that are required to get *Nix* itself to run inside bubblewrap, so why not allow users to make that additional modification?
While additional `ro_mounts` and such can be *added* to the bubblewrap invocation, the already mounted directories cannot be removed, and even if shadowed by e.g. a tmpfs mount, this would still allow something inside the sandbox to potentially unmount the tmpfs and access the data.

So what this change does is moving the snippet where custom code can be injected down by four lines so that users can actually modify those variables e.g. using `ignored+=( /home /srv /mnt /boot )`.
The only cases in which this would break is:

- someone using those variable names in `extraPreBwrapCmds` already and relying on them being overwritten; I would consider that chance slim, and the fix would be easy enough
- someone using a construct like `false && \` to disable the `ignored` initialisation and effectively working around this limitation; again the chances are slim (even though I know I'd be affected), and the fix would be easy enough (as this change makes the workaround needless anyway so it's an improvement)

Signed-off-by: benaryorg <binary@benary.org>
2024-09-25 09:32:41 +00:00
Artturin
f0e657f3b1 Merge branch 'master' into staging-next 2024-09-25 06:05:01 +03:00
Artturin
e0464e4788 treewide: replace stdenv.is with stdenv.hostPlatform.is
In preparation for the deprecation of `stdenv.isX`.

These shorthands are not conducive to cross-compilation because they
hide the platforms.

Darwin might get cross-compilation for which the continued usage of `stdenv.isDarwin` will get in the way

One example of why this is bad and especially affects compiler packages
https://www.github.com/NixOS/nixpkgs/pull/343059

There are too many files to go through manually but a treewide should
get users thinking when they see a `hostPlatform.isX` in a place where it
doesn't make sense.

```
fd --type f "\.nix" | xargs sd --fixed-strings "stdenv.is" "stdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "stdenv'.is" "stdenv'.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "clangStdenv.is" "clangStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "gccStdenv.is" "gccStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "stdenvNoCC.is" "stdenvNoCC.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "inherit (stdenv) is" "inherit (stdenv.hostPlatform) is"
fd --type f "\.nix" | xargs sd --fixed-strings "buildStdenv.is" "buildStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "effectiveStdenv.is" "effectiveStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "originalStdenv.is" "originalStdenv.hostPlatform.is"
```
2024-09-25 00:04:37 +03:00
K900
db0914534a buildFHSEnv: force overwriting ld-linux.so.2
That can be a problem if we already have it in the inputs.
2024-09-12 15:27:46 +03:00
Artturin
65bf97a942
buildFHSEnv: use relative symlinks (#330712) 2024-08-29 20:57:43 +03:00
Sandro Jäckel
cd11c4bba3
buildFHSEnv: replace all chroot occurences with generic names
Co-authored-by: Atemu <git@atemu.net>
2024-07-28 22:39:35 +02:00
Sandro Jäckel
3bc32efbc8
buildFHSEnv: use relative symlinks
If we would add more commands below which I did for debugging purposes,
the symlinks wouldn't be valid.
2024-07-28 21:18:39 +02:00
Martino Fontana
a196f7741c buildFHSEnv: export GST_PLUGIN_SYSTEM_PATH_1_0
GStreamer searches for plugins relative to its binary's location.

However, since bd97973ce0, it uses its *real* binary location, breaking the FHS.

Fixes #311004 (tested on Heroic and Lutris too).
2024-06-20 13:30:28 -05:00
Thomas Watson
dd99084843 buildFHSEnvBubblewrap: allow more varied $DISPLAY syntax
The $DISPLAY variable has a format of [host]:num[.screen]. Previously,
the number would only be extracted properly if it had the form :num.
Allow all forms but correctly discard the unused parts.
2024-05-16 10:14:07 -05:00
Peder Bergebakken Sundt
eb02e003b0 buildFHSEnvBubblewrap/buildFHSEnv: permit pname+version instead of name 2024-04-24 15:26:52 +02:00
Peder Bergebakken Sundt
bbb1f25bfb buildFHSEnvBubblewrap: do not infer pname from name 2024-04-24 15:26:52 +02:00
Thomas Watson
9bcd91ba09 build-fhsenv-bubblewrap: reference 32-bit binaries only if multiArch
Fixes issues using bubblewrap'd fhsenvs in scenarios where i686 is not
supported (such as Rosetta 2 emulation in a Linux VM on Apple Silicon).
2024-04-07 10:44:53 -05:00
annalee
7541ec60b6
Merge remote-tracking branch 'upstream/master' into staging-next 2024-03-25 18:04:41 +00:00
Philip Taron
a14127aa64 Avoid top-level with ...; in pkgs/build-support/build-fhsenv-bubblewrap/default.nix 2024-03-19 22:31:19 +01:00
hellwolf
09b82b349a
build-fhsenv-bubblewrap: fix fhsenv etc entries
* added more comments.
* symlink fhsenv etc entries when necessary.
2024-03-10 19:23:45 +02:00
Sandro
f9bc4e1718
Merge pull request #277494 from trofi/buildFHSEnv-fix-eval 2024-02-22 21:00:19 +01:00
Sergei Trofimovich
8ffff1e699 buildFHSEnv: don't export multiPaths attribute
`multiPaths` is defined via invalid operation on `null` value for
non-multilib environments. Noticed on `notesnook` evan failure as:

    nix-repl> notesnook.fhsenv.multiPaths
              253|   passthru = {
              254|     inherit args baseTargetPaths targetPaths baseMultiPaths multiPaths ldconfig;
                 |            ^
              255|   };
           error: attempt to call something which is not a function but null

The change makes `multiPaths` a private variable.
2024-01-23 20:24:17 +00:00
Jeff Huffman
a6671578ff
buildFHSEnv: bind dbus session bus into place when privateTmp enabled (#278917) 2024-01-09 18:29:53 +01:00
Jeff Huffman
aa070a5d9a
buildFHSEnv: fix privateTmp for sddm 2023-12-21 12:11:35 -05:00
K900
5eb4128d60 buildFHSEnv: propagate host /etc if nested
This fixes use cases like launching Lutris/Heroic from Steam.
2023-12-16 10:04:09 +03:00
Jeff Huffman
195248b6c1 buildFHSEnv, steam: isolate steam's /tmp from host
Works around steam's misbehavior: https://github.com/ValveSoftware/steam-for-linux/issues/9121
2023-12-13 23:33:05 -08:00
Jeff Huffman
452b8162ec buildFHSEnv: use symlinks instead of bind mounts for files from host /etc
Closes #247065
2023-12-13 23:33:05 -08:00
Arthur Gautier
233ca3d9ac buildFHSenv: fixup /etc permissions
when bubblewraps tries to link all the required files in etc from the
host to the fhs environment, it will re-create the /etc directory.
It will do so with `0700` permissions. This causes permissions issues
with non-root programs when they need to access configuration in the
environment /etc.

By mounting /etc as a tmpfs early, bwrap will make the directory `0755`
as expected.
2023-11-12 17:02:53 -08:00
Luna Nova
a9600ce894
build-fhsenv-bubblewrap: remove /usr/lib and /usr/lib32 from LD_LIBRARY_PATH
See https://github.com/NixOS/nixpkgs/issues/262775
2023-10-24 07:13:33 -07:00
Bjørn Forsman
55e30da2eb buildFHSEnvBubblewrap: preserve pname, version
It's useful to have access to these attributes from packages built with
buildFHSEnvBubblewrap, and it reduces the difference between FHS and
non-FHS packages.

'name' is already handled by runCommandLocal.
2023-10-06 19:37:39 +02:00
Weijia Wang
f4098e348c
Merge pull request #257122 from bjornfor/fix-buildfhsenv-pname
buildFHSEnvBubblewrap: allow being passed 'pname'
2023-10-01 13:55:09 +02:00
Bjørn Forsman
70b5588b4e buildFHSEnvBubblewrap: allow being passed 'pname'
`buildFHSEnvBubblewrap { pname = ...; }` currently results in eval error
because args.name doesn't exist then. Fix it by only using args.name if
it exists.
2023-09-24 19:57:21 +02:00
Alyssa Ross
00a28d0ed9
buildFHSEnv: add base paths to passthru
It's useful to be able to introspect all packages which are available
in the fhsenv.  I've renamed basePkgs and baseMultiPkgs to be
consistent with the naming scheme used for the bits that were
previously public — names ending in "Pkgs" are for functions, and
names ending in "Paths" are the results of those functions.
2023-09-24 08:43:20 +00:00
rnhmjoj
c945723356
buildFHSEnv: disable security features by default
The implicit contract of buildFHSUserEnv was that it allows to run
software built for a typical GNU/Linux distribution (not NixOS) without
patching it (patchelf, autoPatchelfHook, etc.). Note that this does not
inherently imply running untrusted programs.

buildFHSUserEnv was implemented by using chroot and assembling a
standard-compliant FHS environment in the new root. As expected, this
did not provide any kind of isolation between the system and the
programs.

However, when it was later reimplemented using bubblewrap
(PR #225748), which *is* a security tool, several isolation features
involving detaches Linux namespaces were turned on by default.
This decision has introduced a number of breakages that are very
difficult to debug and trace back to this change.
For example: `unshareIPC` breaks software audio mixing in programs using
ALSA (dmix) and `unsharePID` breaks gdb,

Since:

  1. the security features were enable without any clear threat model;
  2. `buildFHSEnvBubblewrap` is supposed to be a drop-in replacement of
     `buildFHSEnvChrootenv` (see the release notes for NixOS 23.05);
  3. the change is breaking in several common cases (security does not
     come for free);
  4. the contract was not changed, or at least communicated in a clear
     way to the users;

all security features should be turned off by default.

P.S. It would be useful to create a variant of buildFHSEnv that does
provide some isolation. This could unshare some namespaces and mount
only limited parts of the filesystem.
Note that buildFHSEnv mounts every directory in / under the new root, so
again, very little is gained by unsharing alone.
2023-09-08 09:15:50 +02:00
Sergei Trofimovich
2da0307220 buildFHSEnv: fix NIX_LDFLAGS propagation to ld wrapper
Before the change the following command did not work:

    $ nix develop -i --impure --expr 'with import <nixpkgs> { system = "i686-linux"; }; (buildFHSUserEnv { name = "t"; targetPkgs = ps: with ps; [ libmpc stdenv.cc ]; }).env'
    $ ld -lmpc -o a
    ld: cannot find -lmpc: No such file or directory

It is expected to work as `NIX_LDFLAGS` does contain valid values:

    $ echo $NIX_LDFLAGS
    -L/usr/lib -L/usr/lib32

Note that for `gcc` it does work:

    $ printf "int main(){}" |  gcc -x c - -lmpc -o a

It happens because `HOST` role is enabled for `cc`:

    $ echo $NIX_CC_WRAPPER_TARGET_HOST_i686_unknown_linux_gnu
    1

But not for `BINTOOLS`:

    $ echo $NIX_BINTOOLS_WRAPPER_TARGET_HOST_i686_unknown_linux_gnu
    <empty>

The change adds BINTOOLS role and fixes linking:

    $ nix develop -i --impure --expr 'with import ~/nm { system = "i686-linux"; }; (buildFHSUserEnv { name = "t"; targetPkgs = ps: with ps; [ libmpc stdenv.cc ]; }).env'
    $ printf "int main(){}" |  gcc -x c - -lmpc -o a
    $ ld -lmpc -o a
    ld: warning: cannot find entry symbol _start; not setting start address
2023-08-21 07:50:37 +01:00
Atemu
67ac4b83ec buildFHSEnv: disable multiArch by default
Most FHSEnv-wrapped packages in Nixpkgs wrap a x86_64-linux binary; making
multiArch unnecessary bloat closure size. Saves about 1G in anki-bin.

This makes multiArch FHSEnvs the exception rather than the rule.
2023-07-07 21:33:04 +02:00
Atemu
62b2adc753 buildFHSEnv: add multiArch flag
The intention is to allow the user control over whether 32bit deps are supposed
to be included in the fhsenv
2023-07-01 13:41:14 +02:00
Atemu
167264179b buildFHSEnv: cleanup 2023-07-01 13:41:09 +02:00
Atemu
d5f0da152a Revert "Merge pull request #230693 from Atemu/fix/fhsenv-escape-runScript-path"
This reverts commit 840f2e0ac5, reversing
changes made to d3ed0402e5.

This breaks appimage which puts args into the runScript and we don't provide a
good way to pass thru additional args.

The actual bug was in nix-alien which should escape paths; providing a valid
runScript is the responsibility of the caller.
2023-05-22 11:34:04 -03:00
Atemu
840f2e0ac5
Merge pull request #230693 from Atemu/fix/fhsenv-escape-runScript-path
buildFHSEnvBubblewrap: escape runScript path
2023-05-18 18:02:04 +02:00
Atemu
cd96817b29 buildFHSEnvBubblewrap: escape runScript path
Fixes https://github.com/NixOS/nixpkgs/issues/230651

Co-authored-by: Weijia Wang <9713184+wegank@users.noreply.github.com>
2023-05-11 08:28:05 +02:00
lelgenio
8aafc553ae buildFHSEnv: use default values as fallback for XDG_DATA_DIRS 2023-05-08 18:56:51 -03:00
Weijia Wang
3c6e26b2ee buildFHSEnv: restrict pkgsi686Linux to x86_64-linux 2023-04-22 15:31:27 +03:00
Atemu
f63a12f296 tree-wide: buildFHSUserEnv -> buildFHSEnv 2023-04-16 10:15:13 +02:00