Commit Graph

28 Commits

Author SHA1 Message Date
Jonathan Ringer
1af1228c47 buildFHSUserEnv: append graphics share to XDG_DATA_DIR 2022-03-24 12:53:39 -07:00
David McFarland
d5bf6bac5c buildFHSUserEnv{Chroot,Bubblewrap}: fix handling of glib schema
An error would occur if share/glib-2.0/schema was a symlink.
2022-03-20 20:38:53 -03:00
Artturi
b54e7571e2
Merge pull request #161739 from Artturin/gsettingsfhsenv 2022-03-15 00:03:56 +02:00
Artturin
3e7e6ab84a buildFHSUserEnv{Chroot,Bubblewrap}: link gsettings-schemas to the FHS location
We shouldn't need to use wrapGAppsHook in expressions
that use this builder.
2022-03-03 01:22:09 +02:00
Daniel Fullmer
0a8007498f bash: use default PATH in FHS environments
If bash is executed within an environment where PATH is not set, it uses
the DEFAULT_PATH_VALUE compiled into bash to set PATH. In nixpkgs we set
this to /no-such-path by default. This makes sense in a nixpkgs/NixOS
environment since paths like /bin or /usr/bin should not be used.
However, when bash is used inside an FHS environment, this produces
results that differ from distributions which follow the FHS standard.

Before this change:
$ steam-run env -i /bin/bash -c 'echo $PATH'
/no-such-path

After this change:
$ steam-run env -i /bin/bash -c 'echo $PATH'
/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:.
2022-02-27 15:59:39 -08:00
Artturi
d9e8a587e1
Merge pull request #128126 from wentasah/chrootenv-opt 2021-11-19 04:40:34 +02:00
Jörg Thalheim
c145ac7eab build-fhs-userenv: fix defaults on aarch64 2021-07-30 11:23:37 +02:00
Michal Sojka
b681ad3254 buildFHSUserEnv: Allow having custom /opt in the FHS environment
buildFHSUserEnv is meant primarily for running 3rd-party software
which is difficult to patch for NixOS. Such software is often built to
run from /opt. Currently, running such a software from FHS environment
is difficult for two reasons:

1. If the 3rd-party software is put into the Nix store via a simple
   derivation (with e.g. installPhase = "dpkg-deb -x $src $out"), the
   content of /opt directory of that derivation does not appear in the
   FHSEnv even if the derivation is specified in targetPkgs. This is
   why we change env.nix.

2. If using buildFHSUserEnvChroot and the host system has the /opt
   directory, it always gets bind-mounted to the FHSEnv even if some
   targetPkgs contain /opt (NB buildFHSUserEnvBubblewrap does not have
   this problem). If that directory is not accessible for non-root
   users (which is what docker's containerd does with /opt :-(), the
   user running the FHSEnv cannot use it.

   With the change in chrootenv.c, /opt is not bind-mounted to the
   container, but instead created as user-modifiable symlink to
   /host/opt (see the init attribute in
   build-fhs-userenv/default.nix). If needed, the user can remove this
   symlink and create an empty /opt directory which is under his/her
   control.
2021-06-27 08:33:51 +02:00
Maciej Krüger
e41249e466
buildFHSUserEnv: symlink /etc/nix
this fixes experimental-features option not being available in fhs
and breaking the flakes feature
2021-02-26 20:13:28 +01:00
André Silva
fe49d856b0
build-fhs-userenv: bind /etc/profiles 2021-01-26 00:41:50 +00:00
John Ericson
1ac5398589 *-wrapper; Switch from infixSalt to suffixSalt
I hate the thing too even though I made it, and rather just get rid of
it. But we can't do that yet. In the meantime, this brings us more
inline with autoconf and will make it slightly easier for me to write a
pkg-config wrapper, which we need.
2020-05-12 00:44:44 -04:00
Anders Kaseorg
3cd8ce3bce treewide: Fix unsafe concatenation of $LD_LIBRARY_PATH
Naive concatenation of $LD_LIBRARY_PATH can result in an empty
colon-delimited segment; this tells glibc to load libraries from the
current directory, which is definitely wrong, and may be a security
vulnerability if the current directory is untrusted.  (See #67234, for
example.)  Fix this throughout the tree.

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
2020-01-15 09:47:03 +01:00
Nikolay Amiantov
668f8a12f7 buildFHSUserEnv: extend PATH and LD_LIBRARY_PATH
This allows one to run applications from PATH and override libraries for
applications inside chrootenv. Useful for development environments.
2019-05-25 11:37:01 +03:00
Pascal Bach
977d1d8413 nixos/fhsUserenv: make all locales available 2019-04-02 22:45:50 +02:00
volth
c706233f2e
buildFHSEnv: allowSubstitutes = false
trivial builder
2019-02-08 00:27:40 +00:00
John Ericson
2c2f1e37d4 reewide: Purge all uses stdenv.system and top-level system
It is deprecated and will be removed after 18.09.
2018-08-30 17:20:32 -04:00
Nikolay Amiantov
9db2a3e638 buildFHSEnv: export TZDIR
This is needed since NixOS keeps tzdata in non-standard /etc/zoneinfo path.
2018-03-11 02:14:49 +03:00
Nikolay Amiantov
94f0ef6628 buildFHSEnv: fix compiler search paths
Fixes OpenWrt compilation.
2018-03-10 23:57:12 +03:00
Nikolay Amiantov
2a036ca1a5 buildFHSEnv: fix NIX_* compiler flags
This is needed now after #27672.
2017-10-17 00:39:39 +03:00
Nikolay Amiantov
54bbf91479 buildFHSEnv: add ACLOCAL_PATH
Fixes #24620.
2017-04-12 14:43:08 +03:00
Parnell Springmeyer
4aa0923009
Getting rid of the var indirection and using a bin path instead 2017-01-29 04:11:01 -06:00
Parnell Springmeyer
e92b8402b0
Addressing PR feedback 2017-01-28 20:48:03 -08:00
Parnell Springmeyer
bae00e8aa8
setcap-wrapper: Merging with upstream master and resolving conflicts 2017-01-25 11:08:05 -08:00
Nikolay Amiantov
7a73ecc18e buildFHSEnv: link /etc/zoneinfo
This is needed because now /etc/localtime symlink points there.
2016-10-11 16:56:11 +03:00
Parnell Springmeyer
98c058a1ee Adapting everything for the merged permissions wrappers work. 2016-09-01 19:21:06 -05:00
Nikolay Amiantov
3e90b00c10 buildFHSEnv: link 'bin' output 2016-06-07 04:06:35 +03:00
Nikolay Amiantov
8d9e5d297d buildFHSEnv: don't link GCC compiler part 2016-06-07 04:06:35 +03:00
Nikolay Amiantov
74107a7867 buildFHSEnv: refactor and simplify, drop buildFHSChrootEnv
This takes another approach at binding FHS directory structure. We
now bind-mount all the root filesystem to directory "/host" in the target tree.
From that we symlink all the directories into the tree if they do not already
exist in FHS structure.

This probably makes `CHROOTENV_EXTRA_BINDS` unnecessary -- its main usecase was
to add bound directories from the host to the sandbox, and we not just symlink
all of them. I plan to get some feedback on its usage and maybe deprecate it.

This also drops old `buildFHSChrootEnv` infrastructure. The main problem with it
is it's very difficult to unmount a recursive-bound directory when mount is not
sandboxed. This problem is a bug even without these changes -- if
you have for example `/home/alice` mounted to somewhere, you wouldn't see
it in `buildFHSChrootEnv` now. With the new directory structure, it's
impossible to use regular bind at all. After some tackling with this I realized
that the fix would be brittle and dangerous (if you don't unmount everything
clearly and proceed to removing the temporary directory, bye-bye fs!). It also
probably doesn't worth it because I haven't heard that someone actually uses it
for a long time, and `buildFHSUserEnv` should cover most cases while being much
more maintainable and safe for the end-user.
2016-06-07 04:06:35 +03:00