Branch: refs/heads/master
Home: https://github.com/NixOS/nix
Commit: 6cc6c15a2d50d0021d7242e9806ed6d54538de17
https://github.com/NixOS/nix/commit/6cc6c15a2d50d0021d7242e9806ed6d54538de17
Author: Eelco Dolstra <edols...@gmail.com>
Date: 2017-05-29 (Mon, 29 May 2017)
Changed paths:
M configure.ac
M release.nix
M shell.nix
M src/libstore/build.cc
M src/libstore/local.mk
Log Message:
-----------
Add a seccomp filter to prevent creating setuid/setgid binaries
This prevents builders from setting the S_ISUID or S_ISGID bits,
preventing users from using a nixbld* user to create a setuid/setgid
binary to interfere with subsequent builds under the same nixbld* uid.
This is based on aszlig's seccomp code
(47f587700d646f5b03a42f2fa57c28875a31efbe).
Reported by Linus Heckemann.
Commit: cf93397d3f1d2a8165a100482d07b7f4b7e5bf7f
https://github.com/NixOS/nix/commit/cf93397d3f1d2a8165a100482d07b7f4b7e5bf7f
Author: Eelco Dolstra <edols...@gmail.com>
Date: 2017-05-29 (Mon, 29 May 2017)
Changed paths:
M src/libstore/build.cc
Log Message:
-----------
Fix seccomp initialisation on i686-linux
Commit: 1d9ab273bad34b004dfcfd486273d0df5fed1eca
https://github.com/NixOS/nix/commit/1d9ab273bad34b004dfcfd486273d0df5fed1eca
Author: Eelco Dolstra <edols...@gmail.com>
Date: 2017-05-29 (Mon, 29 May 2017)
Changed paths:
M release.nix
A tests/setuid.nix
Log Message:
-----------
Add test for setuid seccomp filter
Commit: ff6becafa8efc2f7e6f2b9b889ba4adf20b8d524
https://github.com/NixOS/nix/commit/ff6becafa8efc2f7e6f2b9b889ba4adf20b8d524
Author: Eelco Dolstra <edols...@gmail.com>
Date: 2017-05-30 (Tue, 30 May 2017)
Changed paths:
M src/libstore/build.cc
Log Message:
-----------
Require seccomp only in multi-user setups
Commit: d798349ede3d6eb6e92a2e4f95f6b2179407ceb9
https://github.com/NixOS/nix/commit/d798349ede3d6eb6e92a2e4f95f6b2179407ceb9
Author: Eelco Dolstra <edols...@gmail.com>
Date: 2017-05-30 (Tue, 30 May 2017)
Changed paths:
M src/libstore/local-store.cc
Log Message:
-----------
canonicalisePathMetaData(): Remove extended attributes / ACLs
EAs/ACLs are not part of the NAR canonicalisation. Worse, setting an
ACL allows a builder to create writable files in the Nix store. So get
rid of them.
Closes #185.
Commit: 2ac99a32dab0d2ea59cb9e926f6d6d5b7ef638c6
https://github.com/NixOS/nix/commit/2ac99a32dab0d2ea59cb9e926f6d6d5b7ef638c6
Author: Eelco Dolstra <edols...@gmail.com>
Date: 2017-05-30 (Tue, 30 May 2017)
Changed paths:
M src/libstore/build.cc
Log Message:
-----------
Add a seccomp rule to disallow setxattr()
Commit: d552d387585840f68fcc7507fca83feb6f937a10
https://github.com/NixOS/nix/commit/d552d387585840f68fcc7507fca83feb6f937a10
Author: Eelco Dolstra <edols...@gmail.com>
Date: 2017-05-30 (Tue, 30 May 2017)
Changed paths:
M src/libstore/build.cc
Log Message:
-----------
Shut up some clang warnings
Commit: fe08d17934e6abe3e8566706f53063166b881f8c
https://github.com/NixOS/nix/commit/fe08d17934e6abe3e8566706f53063166b881f8c
Author: Eelco Dolstra <edols...@gmail.com>
Date: 2017-05-30 (Tue, 30 May 2017)
Changed paths:
M src/libstore/build.cc
Log Message:
-----------
Fix seccomp build failure on clang
Fixes
src/libstore/build.cc:2321:45: error: non-constant-expression cannot be
narrowed from type 'int' to 'scmp_datum_t' (aka 'unsigned long') in initializer
list [-Wc++11-narrowing]
Commit: 9bdb88ea6e833ad61d6833aa09560d32c9bc39df
https://github.com/NixOS/nix/commit/9bdb88ea6e833ad61d6833aa09560d32c9bc39df
Author: Eelco Dolstra <edols...@gmail.com>
Date: 2017-05-30 (Tue, 30 May 2017)
Changed paths:
M release-common.nix
Log Message:
-----------
Only pass --with-sandbox-shell on Linux
Commit: 83eec5a997cd121158b7adb32a688dc5a63d6c9c
https://github.com/NixOS/nix/commit/83eec5a997cd121158b7adb32a688dc5a63d6c9c
Author: Eelco Dolstra <edols...@gmail.com>
Date: 2017-05-30 (Tue, 30 May 2017)
Changed paths:
M src/resolve-system-dependencies/resolve-system-dependencies.cc
Log Message:
-----------
resolve-system-dependencies: Several fixes
This fixes
error: getting attributes of path ‘Versions/Current/CoreFoundation’: No such
file or directory
when /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation is a
symlink.
Also fixes a segfault when encounting a file that is not a MACH binary (such
as /dev/null, which is included in __impureHostDeps in Nixpkgs).
Possibly fixes #786.
Commit: 53a16441878ebd4a5ac6ef8a95a649bfd521da3d
https://github.com/NixOS/nix/commit/53a16441878ebd4a5ac6ef8a95a649bfd521da3d
Author: Eelco Dolstra <edols...@gmail.com>
Date: 2017-05-30 (Tue, 30 May 2017)
Changed paths:
M src/libstore/build.cc
Log Message:
-----------
Darwin sandbox: Disallow creating setuid/setgid binaries
Suggested by Daiderd Jordan.
Commit: acc889c82179e96537ebe1494ec13b9536d579ca
https://github.com/NixOS/nix/commit/acc889c82179e96537ebe1494ec13b9536d579ca
Author: Eelco Dolstra <edols...@gmail.com>
Date: 2017-05-30 (Tue, 30 May 2017)
Changed paths:
M .gitignore
M src/libstore/build.cc
M src/libstore/local-store.cc
M src/libstore/local.mk
A src/libstore/sandbox-defaults.sb
R src/libstore/sandbox-defaults.sb.in
Log Message:
-----------
Darwin sandbox: Use sandbox-defaults.sb
Issue #759.
Also, remove nix.conf from the sandbox since I don't really see a
legitimate reason for builders to access the Nix configuration.
Commit: 683a499ebbb3d5e8803feeab9097930a9ce91d3f
https://github.com/NixOS/nix/commit/683a499ebbb3d5e8803feeab9097930a9ce91d3f
Author: Eelco Dolstra <edols...@gmail.com>
Date: 2017-05-30 (Tue, 30 May 2017)
Changed paths:
M src/resolve-system-dependencies/resolve-system-dependencies.cc
Log Message:
-----------
resolve-system-dependencies: Fix another segfault
runResolver() was barfing on directories like
/System/Library/Frameworks/Security.framework/Versions/Current/PlugIns. It
should probably do something sophisticated for frameworks, but let's
ignore them for now.
Commit: c740c3ce500af2b7eb34651b5eeec01288d79dca
https://github.com/NixOS/nix/commit/c740c3ce500af2b7eb34651b5eeec01288d79dca
Author: Eelco Dolstra <edols...@gmail.com>
Date: 2017-05-31 (Wed, 31 May 2017)
Changed paths:
M src/libstore/build.cc
Log Message:
-----------
OS X sandbox: Store .sb file in $TMPDIR rather than the Nix store
The filename used was not unique and owned by the build user, so
builds could fail with
error: while setting up the build environment: cannot unlink
‘/nix/store/99i210ihnsjacajaw8r33fmgjvzpg6nr-bison-3.0.4.drv.sb’: Permission
denied
Commit: 44f3f8048fdc2564f25389ec2c613880763bbd03
https://github.com/NixOS/nix/commit/44f3f8048fdc2564f25389ec2c613880763bbd03
Author: Eelco Dolstra <edols...@gmail.com>
Date: 2017-05-31 (Wed, 31 May 2017)
Changed paths:
M src/libstore/build.cc
Log Message:
-----------
OS X sandbox: Don't use a deterministic $TMPDIR
This doesn't work because the OS X sandbox cannot bind-mount
path to a different location.
Commit: c368e079ca27195aa7dbed1e834479ab17ccae73
https://github.com/NixOS/nix/commit/c368e079ca27195aa7dbed1e834479ab17ccae73
Author: Eelco Dolstra <edols...@gmail.com>
Date: 2017-05-31 (Wed, 31 May 2017)
Changed paths:
M src/resolve-system-dependencies/resolve-system-dependencies.cc
Log Message:
-----------
resolve-system-dependencies: Simplify
Commit: 5ea8161b552ad79b7caf9b68b3c7d6daab203266
https://github.com/NixOS/nix/commit/5ea8161b552ad79b7caf9b68b3c7d6daab203266
Author: Eelco Dolstra <edols...@gmail.com>
Date: 2017-05-31 (Wed, 31 May 2017)
Changed paths:
M src/resolve-system-dependencies/resolve-system-dependencies.cc
Log Message:
-----------
resolve-system-dependencies: Misc fixes
This fixes
Could not find any mach64 blobs in file ‘/usr/lib/libSystem.B.dylib’,
continuing...
Commit: c96e8cd097ce0d181467fddd92acad4341ca566a
https://github.com/NixOS/nix/commit/c96e8cd097ce0d181467fddd92acad4341ca566a
Author: Eelco Dolstra <edols...@gmail.com>
Date: 2017-05-31 (Wed, 31 May 2017)
Changed paths:
M .gitignore
M src/libstore/build.cc
M src/libstore/local.mk
M src/libstore/sandbox-defaults.sb
A src/libstore/sandbox-network.sb
Log Message:
-----------
OS X sandbox: Improve builtin sandbox profile
Also, add rules to allow fixed-output derivations to access the
network.
These rules are sufficient to build stdenvDarwin without any
__sandboxProfile magic.
Compare: https://github.com/NixOS/nix/compare/6e01ecd112dc...c96e8cd097ce_______________________________________________
nix-commits mailing list
nix-comm...@lists.science.uu.nl
https://mailman.science.uu.nl/mailman/listinfo/nix-commits
