mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-22 23:13:19 +00:00
38771badd3
If a package's meta has `knownVulnerabilities`, like so: stdenv.mkDerivation { name = "foobar-1.2.3"; ... meta.knownVulnerabilities = [ "CVE-0000-00000: remote code execution" "CVE-0000-00001: local privilege escalation" ]; } and a user attempts to install the package, they will be greeted with a warning indicating that maybe they don't want to install it: error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate. Known issues: - CVE-0000-00000: remote code execution - CVE-0000-00001: local privilege escalation You can install it anyway by whitelisting this package, using the following methods: a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to `nixpkgs.config.permittedInsecurePackages` in the configuration.nix, like so: { nixpkgs.config.permittedInsecurePackages = [ "foobar-1.2.3" ]; } b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add ‘foobar-1.2.3’ to `permittedInsecurePackages` in ~/.config/nixpkgs/config.nix, like so: { permittedInsecurePackages = [ "foobar-1.2.3" ]; } Adding either of these configurations will permit this specific version to be installed. A third option also exists: NIXPKGS_ALLOW_INSECURE=1 nix-build ... though I specifically avoided having a global file-based toggle to disable this check. This way, users don't disable it once in order to get a single package, and then don't realize future packages are insecure.
427 lines
17 KiB
Nix
427 lines
17 KiB
Nix
let lib = import ../../../lib; in lib.makeOverridable (
|
||
|
||
{ system, name ? "stdenv", preHook ? "", initialPath, cc, shell
|
||
, allowedRequisites ? null, extraAttrs ? {}, overrides ? (self: super: {}), config
|
||
|
||
, # The `fetchurl' to use for downloading curl and its dependencies
|
||
# (see all-packages.nix).
|
||
fetchurlBoot
|
||
|
||
, setupScript ? ./setup.sh
|
||
|
||
, extraBuildInputs ? []
|
||
, __stdenvImpureHostDeps ? []
|
||
, __extraImpureHostDeps ? []
|
||
, stdenvSandboxProfile ? ""
|
||
, extraSandboxProfile ? ""
|
||
}:
|
||
|
||
let
|
||
|
||
allowUnfree = config.allowUnfree or false || builtins.getEnv "NIXPKGS_ALLOW_UNFREE" == "1";
|
||
|
||
whitelist = config.whitelistedLicenses or [];
|
||
blacklist = config.blacklistedLicenses or [];
|
||
|
||
ifDarwin = attrs: if system == "x86_64-darwin" then attrs else {};
|
||
|
||
onlyLicenses = list:
|
||
lib.lists.all (license:
|
||
let l = lib.licenses.${license.shortName or "BROKEN"} or false; in
|
||
if license == l then true else
|
||
throw ''‘${showLicense license}’ is not an attribute of lib.licenses''
|
||
) list;
|
||
|
||
mutuallyExclusive = a: b:
|
||
(builtins.length a) == 0 ||
|
||
(!(builtins.elem (builtins.head a) b) &&
|
||
mutuallyExclusive (builtins.tail a) b);
|
||
|
||
areLicenseListsValid =
|
||
if mutuallyExclusive whitelist blacklist then
|
||
assert onlyLicenses whitelist; assert onlyLicenses blacklist; true
|
||
else
|
||
throw "whitelistedLicenses and blacklistedLicenses are not mutually exclusive.";
|
||
|
||
hasLicense = attrs:
|
||
attrs ? meta.license;
|
||
|
||
hasWhitelistedLicense = assert areLicenseListsValid; attrs:
|
||
hasLicense attrs && builtins.elem attrs.meta.license whitelist;
|
||
|
||
hasBlacklistedLicense = assert areLicenseListsValid; attrs:
|
||
hasLicense attrs && builtins.elem attrs.meta.license blacklist;
|
||
|
||
allowBroken = config.allowBroken or false || builtins.getEnv "NIXPKGS_ALLOW_BROKEN" == "1";
|
||
|
||
isUnfree = licenses: lib.lists.any (l:
|
||
!l.free or true || l == "unfree" || l == "unfree-redistributable") licenses;
|
||
|
||
# Alow granular checks to allow only some unfree packages
|
||
# Example:
|
||
# {pkgs, ...}:
|
||
# {
|
||
# allowUnfree = false;
|
||
# allowUnfreePredicate = (x: pkgs.lib.hasPrefix "flashplayer-" x.name);
|
||
# }
|
||
allowUnfreePredicate = config.allowUnfreePredicate or (x: false);
|
||
|
||
# Check whether unfree packages are allowed and if not, whether the
|
||
# package has an unfree license and is not explicitely allowed by the
|
||
# `allowUNfreePredicate` function.
|
||
hasDeniedUnfreeLicense = attrs:
|
||
!allowUnfree &&
|
||
hasLicense attrs &&
|
||
isUnfree (lib.lists.toList attrs.meta.license) &&
|
||
!allowUnfreePredicate attrs;
|
||
|
||
allowInsecureDefaultPredicate = x: builtins.elem x.name (config.permittedInsecurePackages or []);
|
||
allowInsecurePredicate = x: (config.allowUnfreePredicate or allowInsecureDefaultPredicate) x;
|
||
|
||
hasAllowedInsecure = attrs:
|
||
(attrs.meta.knownVulnerabilities or []) == [] ||
|
||
allowInsecurePredicate attrs ||
|
||
builtins.getEnv "NIXPKGS_ALLOW_INSECURE" == "1";
|
||
|
||
showLicense = license: license.shortName or "unknown";
|
||
|
||
defaultNativeBuildInputs = extraBuildInputs ++
|
||
[ ../../build-support/setup-hooks/move-docs.sh
|
||
../../build-support/setup-hooks/compress-man-pages.sh
|
||
../../build-support/setup-hooks/strip.sh
|
||
../../build-support/setup-hooks/patch-shebangs.sh
|
||
../../build-support/setup-hooks/multiple-outputs.sh
|
||
../../build-support/setup-hooks/move-sbin.sh
|
||
../../build-support/setup-hooks/move-lib64.sh
|
||
../../build-support/setup-hooks/set-source-date-epoch-to-latest.sh
|
||
cc
|
||
];
|
||
|
||
# `mkDerivation` wraps the builtin `derivation` function to
|
||
# produce derivations that use this stdenv and its shell.
|
||
#
|
||
# See also:
|
||
#
|
||
# * https://nixos.org/nixpkgs/manual/#sec-using-stdenv
|
||
# Details on how to use this mkDerivation function
|
||
#
|
||
# * https://nixos.org/nix/manual/#ssec-derivation
|
||
# Explanation about derivations in general
|
||
mkDerivation =
|
||
{ buildInputs ? []
|
||
, nativeBuildInputs ? []
|
||
, propagatedBuildInputs ? []
|
||
, propagatedNativeBuildInputs ? []
|
||
, crossConfig ? null
|
||
, meta ? {}
|
||
, passthru ? {}
|
||
, pos ? null # position used in error messages and for meta.position
|
||
, separateDebugInfo ? false
|
||
, outputs ? [ "out" ]
|
||
, __impureHostDeps ? []
|
||
, __propagatedImpureHostDeps ? []
|
||
, sandboxProfile ? ""
|
||
, propagatedSandboxProfile ? ""
|
||
, ... } @ attrs:
|
||
let # Rename argumemnts to avoid cycles
|
||
buildInputs__ = buildInputs;
|
||
nativeBuildInputs__ = nativeBuildInputs;
|
||
propagatedBuildInputs__ = propagatedBuildInputs;
|
||
propagatedNativeBuildInputs__ = propagatedNativeBuildInputs;
|
||
in let
|
||
getNativeDrv = drv: drv.nativeDrv or drv;
|
||
getCrossDrv = drv: drv.crossDrv or drv;
|
||
nativeBuildInputs = map getNativeDrv nativeBuildInputs__;
|
||
buildInputs = map getCrossDrv buildInputs__;
|
||
propagatedBuildInputs = map getCrossDrv propagatedBuildInputs__;
|
||
propagatedNativeBuildInputs = map getNativeDrv propagatedNativeBuildInputs__;
|
||
in let
|
||
pos' =
|
||
if pos != null then
|
||
pos
|
||
else if attrs.meta.description or null != null then
|
||
builtins.unsafeGetAttrPos "description" attrs.meta
|
||
else
|
||
builtins.unsafeGetAttrPos "name" attrs;
|
||
pos'' = if pos' != null then "‘" + pos'.file + ":" + toString pos'.line + "’" else "«unknown-file»";
|
||
|
||
|
||
remediation = {
|
||
unfree = remediate_whitelist "Unfree";
|
||
broken = remediate_whitelist "Broken";
|
||
blacklisted = x: "";
|
||
insecure = remediate_insecure;
|
||
};
|
||
remediate_whitelist = allow_attr: attrs:
|
||
''
|
||
a) For `nixos-rebuild` you can set
|
||
{ nixpkgs.config.allow${allow_attr} = true; }
|
||
in configuration.nix to override this.
|
||
|
||
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
|
||
{ allow${allow_attr} = true; }
|
||
to ~/.config/nixpkgs/config.nix.
|
||
'';
|
||
|
||
remediate_insecure = attrs:
|
||
''
|
||
|
||
Known issues:
|
||
|
||
'' + (lib.fold (issue: default: "${default} - ${issue}\n") "" attrs.meta.knownVulnerabilities) + ''
|
||
|
||
You can install it anyway by whitelisting this package, using the
|
||
following methods:
|
||
|
||
a) for `nixos-rebuild` you can add ‘${attrs.name or "«name-missing»"}’ to
|
||
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
|
||
like so:
|
||
|
||
{
|
||
nixpkgs.config.permittedInsecurePackages = [
|
||
"${attrs.name or "«name-missing»"}"
|
||
];
|
||
}
|
||
|
||
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
|
||
‘${attrs.name or "«name-missing»"}’ to `permittedInsecurePackages` in
|
||
~/.config/nixpkgs/config.nix, like so:
|
||
|
||
{
|
||
permittedInsecurePackages = [
|
||
"${attrs.name or "«name-missing»"}"
|
||
];
|
||
}
|
||
|
||
'';
|
||
|
||
|
||
throwEvalHelp = { reason , errormsg ? "" }:
|
||
throw (''
|
||
Package ‘${attrs.name or "«name-missing»"}’ in ${pos''} ${errormsg}, refusing to evaluate.
|
||
|
||
'' + ((builtins.getAttr reason remediation) attrs));
|
||
|
||
# Check if a derivation is valid, that is whether it passes checks for
|
||
# e.g brokenness or license.
|
||
#
|
||
# Return { valid: Bool } and additionally
|
||
# { reason: String; errormsg: String } if it is not valid, where
|
||
# reason is one of "unfree", "blacklisted" or "broken".
|
||
checkValidity = attrs:
|
||
if hasDeniedUnfreeLicense attrs && !(hasWhitelistedLicense attrs) then
|
||
{ valid = false; reason = "unfree"; errormsg = "has an unfree license (‘${showLicense attrs.meta.license}’)"; }
|
||
else if hasBlacklistedLicense attrs then
|
||
{ valid = false; reason = "blacklisted"; errormsg = "has a blacklisted license (‘${showLicense attrs.meta.license}’)"; }
|
||
else if !allowBroken && attrs.meta.broken or false then
|
||
{ valid = false; reason = "broken"; errormsg = "is marked as broken"; }
|
||
else if !allowBroken && attrs.meta.platforms or null != null && !lib.lists.elem result.system attrs.meta.platforms then
|
||
{ valid = false; reason = "broken"; errormsg = "is not supported on ‘${result.system}’"; }
|
||
else if !(hasAllowedInsecure attrs) then
|
||
{ valid = false; reason = "insecure"; errormsg = "is marked as insecure"; }
|
||
else { valid = true; };
|
||
|
||
outputs' =
|
||
outputs ++
|
||
(if separateDebugInfo then assert result.isLinux; [ "debug" ] else []);
|
||
|
||
buildInputs' = lib.chooseDevOutputs buildInputs ++
|
||
(if separateDebugInfo then [ ../../build-support/setup-hooks/separate-debug-info.sh ] else []);
|
||
|
||
nativeBuildInputs' = lib.chooseDevOutputs nativeBuildInputs;
|
||
propagatedBuildInputs' = lib.chooseDevOutputs propagatedBuildInputs;
|
||
propagatedNativeBuildInputs' = lib.chooseDevOutputs propagatedNativeBuildInputs;
|
||
|
||
in
|
||
|
||
# Throw an error if trying to evaluate an non-valid derivation
|
||
assert let v = checkValidity attrs;
|
||
in if !v.valid
|
||
then throwEvalHelp (removeAttrs v ["valid"])
|
||
else true;
|
||
|
||
lib.addPassthru (derivation (
|
||
(removeAttrs attrs
|
||
["meta" "passthru" "crossAttrs" "pos"
|
||
"__impureHostDeps" "__propagatedImpureHostDeps"
|
||
"sandboxProfile" "propagatedSandboxProfile"])
|
||
// (let
|
||
computedSandboxProfile =
|
||
lib.concatMap (input: input.__propagatedSandboxProfile or []) (extraBuildInputs ++ buildInputs' ++ nativeBuildInputs');
|
||
computedPropagatedSandboxProfile =
|
||
lib.concatMap (input: input.__propagatedSandboxProfile or []) (propagatedBuildInputs' ++ propagatedNativeBuildInputs');
|
||
computedImpureHostDeps =
|
||
lib.unique (lib.concatMap (input: input.__propagatedImpureHostDeps or []) (extraBuildInputs ++ buildInputs' ++ nativeBuildInputs'));
|
||
computedPropagatedImpureHostDeps =
|
||
lib.unique (lib.concatMap (input: input.__propagatedImpureHostDeps or []) (propagatedBuildInputs' ++ propagatedNativeBuildInputs'));
|
||
in
|
||
{
|
||
builder = attrs.realBuilder or shell;
|
||
args = attrs.args or ["-e" (attrs.builder or ./default-builder.sh)];
|
||
stdenv = result;
|
||
system = result.system;
|
||
userHook = config.stdenv.userHook or null;
|
||
__ignoreNulls = true;
|
||
|
||
# Inputs built by the cross compiler.
|
||
buildInputs = if crossConfig != null then buildInputs' else [];
|
||
propagatedBuildInputs = if crossConfig != null then propagatedBuildInputs' else [];
|
||
# Inputs built by the usual native compiler.
|
||
nativeBuildInputs = nativeBuildInputs'
|
||
++ lib.optionals (crossConfig == null) buildInputs'
|
||
++ lib.optional
|
||
(result.isCygwin
|
||
|| (crossConfig != null && lib.hasSuffix "mingw32" crossConfig))
|
||
../../build-support/setup-hooks/win-dll-link.sh
|
||
;
|
||
propagatedNativeBuildInputs = propagatedNativeBuildInputs' ++
|
||
(if crossConfig == null then propagatedBuildInputs' else []);
|
||
} // ifDarwin {
|
||
# TODO: remove lib.unique once nix has a list canonicalization primitive
|
||
__sandboxProfile =
|
||
let profiles = [ extraSandboxProfile ] ++ computedSandboxProfile ++ computedPropagatedSandboxProfile ++ [ propagatedSandboxProfile sandboxProfile ];
|
||
final = lib.concatStringsSep "\n" (lib.filter (x: x != "") (lib.unique profiles));
|
||
in final;
|
||
__propagatedSandboxProfile = lib.unique (computedPropagatedSandboxProfile ++ [ propagatedSandboxProfile ]);
|
||
__impureHostDeps = computedImpureHostDeps ++ computedPropagatedImpureHostDeps ++ __propagatedImpureHostDeps ++ __impureHostDeps ++ __extraImpureHostDeps ++ [
|
||
"/dev/zero"
|
||
"/dev/random"
|
||
"/dev/urandom"
|
||
"/bin/sh"
|
||
];
|
||
__propagatedImpureHostDeps = computedPropagatedImpureHostDeps ++ __propagatedImpureHostDeps;
|
||
} // (if outputs' != [ "out" ] then {
|
||
outputs = outputs';
|
||
} else { })))) (
|
||
{
|
||
overrideAttrs = f: mkDerivation (attrs // (f attrs));
|
||
# The meta attribute is passed in the resulting attribute set,
|
||
# but it's not part of the actual derivation, i.e., it's not
|
||
# passed to the builder and is not a dependency. But since we
|
||
# include it in the result, it *is* available to nix-env for queries.
|
||
meta = { }
|
||
# If the packager hasn't specified `outputsToInstall`, choose a default,
|
||
# which is the name of `p.bin or p.out or p`;
|
||
# if he has specified it, it will be overridden below in `// meta`.
|
||
# Note: This default probably shouldn't be globally configurable.
|
||
# Services and users should specify outputs explicitly,
|
||
# unless they are comfortable with this default.
|
||
// { outputsToInstall =
|
||
let
|
||
outs = outputs'; # the value passed to derivation primitive
|
||
hasOutput = out: builtins.elem out outs;
|
||
in [( lib.findFirst hasOutput null (["bin" "out"] ++ outs) )];
|
||
}
|
||
// meta
|
||
# Fill `meta.position` to identify the source location of the package.
|
||
// lib.optionalAttrs (pos' != null)
|
||
{ position = pos'.file + ":" + toString pos'.line; }
|
||
;
|
||
inherit passthru;
|
||
} //
|
||
# Pass through extra attributes that are not inputs, but
|
||
# should be made available to Nix expressions using the
|
||
# derivation (e.g., in assertions).
|
||
passthru);
|
||
|
||
# The stdenv that we are producing.
|
||
result =
|
||
derivation (
|
||
(if isNull allowedRequisites then {} else { allowedRequisites = allowedRequisites ++ defaultNativeBuildInputs; }) //
|
||
{
|
||
inherit system name;
|
||
|
||
builder = shell;
|
||
|
||
args = ["-e" ./builder.sh];
|
||
|
||
setup = setupScript;
|
||
|
||
inherit preHook initialPath shell defaultNativeBuildInputs;
|
||
}
|
||
// ifDarwin {
|
||
__sandboxProfile = stdenvSandboxProfile;
|
||
__impureHostDeps = __stdenvImpureHostDeps;
|
||
})
|
||
|
||
// rec {
|
||
|
||
meta = {
|
||
description = "The default build environment for Unix packages in Nixpkgs";
|
||
platforms = lib.platforms.all;
|
||
};
|
||
|
||
# Utility flags to test the type of platform.
|
||
isDarwin = system == "x86_64-darwin";
|
||
isLinux = system == "i686-linux"
|
||
|| system == "x86_64-linux"
|
||
|| system == "powerpc-linux"
|
||
|| system == "armv5tel-linux"
|
||
|| system == "armv6l-linux"
|
||
|| system == "armv7l-linux"
|
||
|| system == "aarch64-linux"
|
||
|| system == "mips64el-linux";
|
||
isGNU = system == "i686-gnu"; # GNU/Hurd
|
||
isGlibc = isGNU # useful for `stdenvNative'
|
||
|| isLinux
|
||
|| system == "x86_64-kfreebsd-gnu";
|
||
isSunOS = system == "i686-solaris"
|
||
|| system == "x86_64-solaris";
|
||
isCygwin = system == "i686-cygwin"
|
||
|| system == "x86_64-cygwin";
|
||
isFreeBSD = system == "i686-freebsd"
|
||
|| system == "x86_64-freebsd";
|
||
isOpenBSD = system == "i686-openbsd"
|
||
|| system == "x86_64-openbsd";
|
||
isi686 = system == "i686-linux"
|
||
|| system == "i686-gnu"
|
||
|| system == "i686-freebsd"
|
||
|| system == "i686-openbsd"
|
||
|| system == "i686-cygwin"
|
||
|| system == "i386-sunos";
|
||
isx86_64 = system == "x86_64-linux"
|
||
|| system == "x86_64-darwin"
|
||
|| system == "x86_64-freebsd"
|
||
|| system == "x86_64-openbsd"
|
||
|| system == "x86_64-cygwin"
|
||
|| system == "x86_64-solaris";
|
||
is64bit = system == "x86_64-linux"
|
||
|| system == "x86_64-darwin"
|
||
|| system == "x86_64-freebsd"
|
||
|| system == "x86_64-openbsd"
|
||
|| system == "x86_64-cygwin"
|
||
|| system == "x86_64-solaris"
|
||
|| system == "aarch64-linux"
|
||
|| system == "mips64el-linux";
|
||
isMips = system == "mips-linux"
|
||
|| system == "mips64el-linux";
|
||
isArm = system == "armv5tel-linux"
|
||
|| system == "armv6l-linux"
|
||
|| system == "armv7l-linux";
|
||
isAarch64 = system == "aarch64-linux";
|
||
isBigEndian = system == "powerpc-linux";
|
||
|
||
# Whether we should run paxctl to pax-mark binaries.
|
||
needsPax = isLinux;
|
||
|
||
inherit mkDerivation;
|
||
|
||
# For convenience, bring in the library functions in lib/ so
|
||
# packages don't have to do that themselves.
|
||
inherit lib;
|
||
|
||
inherit fetchurlBoot;
|
||
|
||
inherit overrides;
|
||
|
||
inherit cc;
|
||
}
|
||
|
||
# Propagate any extra attributes. For instance, we use this to
|
||
# "lift" packages like curl from the final stdenv for Linux to
|
||
# all-packages.nix for that platform (meaning that it has a line
|
||
# like curl = if stdenv ? curl then stdenv.curl else ...).
|
||
// extraAttrs;
|
||
|
||
in result)
|