Commit Graph

20 Commits

Author SHA1 Message Date
K900
5eb4128d60 buildFHSEnv: propagate host /etc if nested
This fixes use cases like launching Lutris/Heroic from Steam.
2023-12-16 10:04:09 +03:00
Jeff Huffman
195248b6c1 buildFHSEnv, steam: isolate steam's /tmp from host
Works around steam's misbehavior: https://github.com/ValveSoftware/steam-for-linux/issues/9121
2023-12-13 23:33:05 -08:00
Jeff Huffman
452b8162ec buildFHSEnv: use symlinks instead of bind mounts for files from host /etc
Closes #247065
2023-12-13 23:33:05 -08:00
Arthur Gautier
233ca3d9ac buildFHSenv: fixup /etc permissions
when bubblewraps tries to link all the required files in etc from the
host to the fhs environment, it will re-create the /etc directory.
It will do so with `0700` permissions. This causes permissions issues
with non-root programs when they need to access configuration in the
environment /etc.

By mounting /etc as a tmpfs early, bwrap will make the directory `0755`
as expected.
2023-11-12 17:02:53 -08:00
Luna Nova
a9600ce894
build-fhsenv-bubblewrap: remove /usr/lib and /usr/lib32 from LD_LIBRARY_PATH
See https://github.com/NixOS/nixpkgs/issues/262775
2023-10-24 07:13:33 -07:00
Bjørn Forsman
55e30da2eb buildFHSEnvBubblewrap: preserve pname, version
It's useful to have access to these attributes from packages built with
buildFHSEnvBubblewrap, and it reduces the difference between FHS and
non-FHS packages.

'name' is already handled by runCommandLocal.
2023-10-06 19:37:39 +02:00
Weijia Wang
f4098e348c
Merge pull request #257122 from bjornfor/fix-buildfhsenv-pname
buildFHSEnvBubblewrap: allow being passed 'pname'
2023-10-01 13:55:09 +02:00
Bjørn Forsman
70b5588b4e buildFHSEnvBubblewrap: allow being passed 'pname'
`buildFHSEnvBubblewrap { pname = ...; }` currently results in eval error
because args.name doesn't exist then. Fix it by only using args.name if
it exists.
2023-09-24 19:57:21 +02:00
Alyssa Ross
00a28d0ed9
buildFHSEnv: add base paths to passthru
It's useful to be able to introspect all packages which are available
in the fhsenv.  I've renamed basePkgs and baseMultiPkgs to be
consistent with the naming scheme used for the bits that were
previously public — names ending in "Pkgs" are for functions, and
names ending in "Paths" are the results of those functions.
2023-09-24 08:43:20 +00:00
rnhmjoj
c945723356
buildFHSEnv: disable security features by default
The implicit contract of buildFHSUserEnv was that it allows to run
software built for a typical GNU/Linux distribution (not NixOS) without
patching it (patchelf, autoPatchelfHook, etc.). Note that this does not
inherently imply running untrusted programs.

buildFHSUserEnv was implemented by using chroot and assembling a
standard-compliant FHS environment in the new root. As expected, this
did not provide any kind of isolation between the system and the
programs.

However, when it was later reimplemented using bubblewrap
(PR #225748), which *is* a security tool, several isolation features
involving detaches Linux namespaces were turned on by default.
This decision has introduced a number of breakages that are very
difficult to debug and trace back to this change.
For example: `unshareIPC` breaks software audio mixing in programs using
ALSA (dmix) and `unsharePID` breaks gdb,

Since:

  1. the security features were enable without any clear threat model;
  2. `buildFHSEnvBubblewrap` is supposed to be a drop-in replacement of
     `buildFHSEnvChrootenv` (see the release notes for NixOS 23.05);
  3. the change is breaking in several common cases (security does not
     come for free);
  4. the contract was not changed, or at least communicated in a clear
     way to the users;

all security features should be turned off by default.

P.S. It would be useful to create a variant of buildFHSEnv that does
provide some isolation. This could unshare some namespaces and mount
only limited parts of the filesystem.
Note that buildFHSEnv mounts every directory in / under the new root, so
again, very little is gained by unsharing alone.
2023-09-08 09:15:50 +02:00
Sergei Trofimovich
2da0307220 buildFHSEnv: fix NIX_LDFLAGS propagation to ld wrapper
Before the change the following command did not work:

    $ nix develop -i --impure --expr 'with import <nixpkgs> { system = "i686-linux"; }; (buildFHSUserEnv { name = "t"; targetPkgs = ps: with ps; [ libmpc stdenv.cc ]; }).env'
    $ ld -lmpc -o a
    ld: cannot find -lmpc: No such file or directory

It is expected to work as `NIX_LDFLAGS` does contain valid values:

    $ echo $NIX_LDFLAGS
    -L/usr/lib -L/usr/lib32

Note that for `gcc` it does work:

    $ printf "int main(){}" |  gcc -x c - -lmpc -o a

It happens because `HOST` role is enabled for `cc`:

    $ echo $NIX_CC_WRAPPER_TARGET_HOST_i686_unknown_linux_gnu
    1

But not for `BINTOOLS`:

    $ echo $NIX_BINTOOLS_WRAPPER_TARGET_HOST_i686_unknown_linux_gnu
    <empty>

The change adds BINTOOLS role and fixes linking:

    $ nix develop -i --impure --expr 'with import ~/nm { system = "i686-linux"; }; (buildFHSUserEnv { name = "t"; targetPkgs = ps: with ps; [ libmpc stdenv.cc ]; }).env'
    $ printf "int main(){}" |  gcc -x c - -lmpc -o a
    $ ld -lmpc -o a
    ld: warning: cannot find entry symbol _start; not setting start address
2023-08-21 07:50:37 +01:00
Atemu
67ac4b83ec buildFHSEnv: disable multiArch by default
Most FHSEnv-wrapped packages in Nixpkgs wrap a x86_64-linux binary; making
multiArch unnecessary bloat closure size. Saves about 1G in anki-bin.

This makes multiArch FHSEnvs the exception rather than the rule.
2023-07-07 21:33:04 +02:00
Atemu
62b2adc753 buildFHSEnv: add multiArch flag
The intention is to allow the user control over whether 32bit deps are supposed
to be included in the fhsenv
2023-07-01 13:41:14 +02:00
Atemu
167264179b buildFHSEnv: cleanup 2023-07-01 13:41:09 +02:00
Atemu
d5f0da152a Revert "Merge pull request #230693 from Atemu/fix/fhsenv-escape-runScript-path"
This reverts commit 840f2e0ac5, reversing
changes made to d3ed0402e5.

This breaks appimage which puts args into the runScript and we don't provide a
good way to pass thru additional args.

The actual bug was in nix-alien which should escape paths; providing a valid
runScript is the responsibility of the caller.
2023-05-22 11:34:04 -03:00
Atemu
840f2e0ac5
Merge pull request #230693 from Atemu/fix/fhsenv-escape-runScript-path
buildFHSEnvBubblewrap: escape runScript path
2023-05-18 18:02:04 +02:00
Atemu
cd96817b29 buildFHSEnvBubblewrap: escape runScript path
Fixes https://github.com/NixOS/nixpkgs/issues/230651

Co-authored-by: Weijia Wang <9713184+wegank@users.noreply.github.com>
2023-05-11 08:28:05 +02:00
lelgenio
8aafc553ae buildFHSEnv: use default values as fallback for XDG_DATA_DIRS 2023-05-08 18:56:51 -03:00
Weijia Wang
3c6e26b2ee buildFHSEnv: restrict pkgsi686Linux to x86_64-linux 2023-04-22 15:31:27 +03:00
Atemu
f63a12f296 tree-wide: buildFHSUserEnv -> buildFHSEnv 2023-04-16 10:15:13 +02:00