Build sandbox support etc. unconditionally on Linux
Also, use "#if __APPLE__" instead of "#if SANDBOX_ENABLED" to prevent ambiguity.
parent
7431932b29
commit
8f67325a7c
4 changed files with 24 additions and 70 deletions
19
configure.ac
19
configure.ac
|
@ -76,18 +76,7 @@ static char buf[1024];]],
|
||||||
AC_LANG_POP(C++)
|
AC_LANG_POP(C++)
|
||||||
|
|
||||||
|
|
||||||
# Check for chroot support (requires chroot() and bind mounts).
|
|
||||||
AC_CHECK_FUNCS([chroot])
|
|
||||||
AC_CHECK_FUNCS([unshare])
|
|
||||||
AC_CHECK_FUNCS([statvfs])
|
AC_CHECK_FUNCS([statvfs])
|
||||||
AC_CHECK_HEADERS([sched.h])
|
|
||||||
AC_CHECK_HEADERS([sys/param.h])
|
|
||||||
AC_CHECK_HEADERS([sys/mount.h], [], [],
|
|
||||||
[#ifdef HAVE_SYS_PARAM_H
|
|
||||||
# include <sys/param.h>
|
|
||||||
# endif
|
|
||||||
])
|
|
||||||
AC_CHECK_HEADERS([sys/syscall.h])
|
|
||||||
|
|
||||||
|
|
||||||
# Check for lutimes, optionally used for changing the mtime of
|
# Check for lutimes, optionally used for changing the mtime of
|
||||||
|
@ -95,10 +84,6 @@ AC_CHECK_HEADERS([sys/syscall.h])
|
||||||
AC_CHECK_FUNCS([lutimes])
|
AC_CHECK_FUNCS([lutimes])
|
||||||
|
|
||||||
|
|
||||||
# Check for sched_setaffinity.
|
|
||||||
AC_CHECK_FUNCS([sched_setaffinity])
|
|
||||||
|
|
||||||
|
|
||||||
# Check whether the store optimiser can optimise symlinks.
|
# Check whether the store optimiser can optimise symlinks.
|
||||||
AC_MSG_CHECKING([whether it is possible to create a link to a symlink])
|
AC_MSG_CHECKING([whether it is possible to create a link to a symlink])
|
||||||
ln -s bla tmp_link
|
ln -s bla tmp_link
|
||||||
|
@ -122,10 +107,6 @@ AC_CHECK_HEADER([err.h], [], [bsddiff_compat_include="-Icompat-include"])
|
||||||
AC_SUBST([bsddiff_compat_include])
|
AC_SUBST([bsddiff_compat_include])
|
||||||
|
|
||||||
|
|
||||||
# Check for <linux/fs.h> (for immutable file support).
|
|
||||||
AC_CHECK_HEADERS([linux/fs.h])
|
|
||||||
|
|
||||||
|
|
||||||
AC_DEFUN([NEED_PROG],
|
AC_DEFUN([NEED_PROG],
|
||||||
[
|
[
|
||||||
AC_PATH_PROG($1, $2)
|
AC_PATH_PROG($1, $2)
|
||||||
|
|
|
@ -34,47 +34,27 @@
|
||||||
|
|
||||||
#include <bzlib.h>
|
#include <bzlib.h>
|
||||||
|
|
||||||
/* Includes required for chroot support. */
|
|
||||||
#if HAVE_SYS_PARAM_H
|
|
||||||
#include <sys/param.h>
|
|
||||||
#endif
|
|
||||||
#if HAVE_SYS_MOUNT_H
|
|
||||||
#include <sys/mount.h>
|
|
||||||
#endif
|
|
||||||
#if HAVE_SYS_SYSCALL_H
|
|
||||||
#include <sys/syscall.h>
|
|
||||||
#endif
|
|
||||||
#if HAVE_SCHED_H
|
|
||||||
#include <sched.h>
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/* In GNU libc 2.11, <sys/mount.h> does not define `MS_PRIVATE', but
|
|
||||||
<linux/fs.h> does. */
|
|
||||||
#if !defined MS_PRIVATE && defined HAVE_LINUX_FS_H
|
|
||||||
#include <linux/fs.h>
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#define CHROOT_ENABLED HAVE_CHROOT && HAVE_SYS_MOUNT_H && defined(MS_BIND) && defined(MS_PRIVATE) && defined(CLONE_NEWNS) && defined(SYS_pivot_root)
|
|
||||||
|
|
||||||
/* chroot-like behavior from Apple's sandbox */
|
/* chroot-like behavior from Apple's sandbox */
|
||||||
#if __APPLE__
|
#if __APPLE__
|
||||||
#define SANDBOX_ENABLED 1
|
|
||||||
#define DEFAULT_ALLOWED_IMPURE_PREFIXES "/System/Library /usr/lib /dev /bin/sh"
|
#define DEFAULT_ALLOWED_IMPURE_PREFIXES "/System/Library /usr/lib /dev /bin/sh"
|
||||||
#else
|
#else
|
||||||
#define SANDBOX_ENABLED 0
|
|
||||||
#define DEFAULT_ALLOWED_IMPURE_PREFIXES ""
|
#define DEFAULT_ALLOWED_IMPURE_PREFIXES ""
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if CHROOT_ENABLED
|
/* Includes required for chroot support. */
|
||||||
|
#if __linux__
|
||||||
#include <sys/socket.h>
|
#include <sys/socket.h>
|
||||||
#include <sys/ioctl.h>
|
#include <sys/ioctl.h>
|
||||||
#include <net/if.h>
|
#include <net/if.h>
|
||||||
#include <netinet/ip.h>
|
#include <netinet/ip.h>
|
||||||
#endif
|
|
||||||
|
|
||||||
#if __linux__
|
|
||||||
#include <sys/personality.h>
|
#include <sys/personality.h>
|
||||||
#include <sys/mman.h>
|
#include <sys/mman.h>
|
||||||
|
#include <sched.h>
|
||||||
|
#include <sys/param.h>
|
||||||
|
#include <sys/mount.h>
|
||||||
|
#include <sys/syscall.h>
|
||||||
|
#include <linux/fs.h>
|
||||||
|
#define pivot_root(new_root, put_old) (syscall(SYS_pivot_root, new_root, put_old))
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if HAVE_STATVFS
|
#if HAVE_STATVFS
|
||||||
|
@ -781,10 +761,10 @@ private:
|
||||||
DirsInChroot dirsInChroot;
|
DirsInChroot dirsInChroot;
|
||||||
typedef map<string, string> Environment;
|
typedef map<string, string> Environment;
|
||||||
Environment env;
|
Environment env;
|
||||||
#if SANDBOX_ENABLED
|
|
||||||
|
#if __APPLE__
|
||||||
typedef string SandboxProfile;
|
typedef string SandboxProfile;
|
||||||
SandboxProfile additionalSandboxProfile;
|
SandboxProfile additionalSandboxProfile;
|
||||||
|
|
||||||
AutoDelete autoDelSandbox;
|
AutoDelete autoDelSandbox;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
@ -1908,7 +1888,7 @@ void DerivationGoal::startBuilder()
|
||||||
if (useChroot) {
|
if (useChroot) {
|
||||||
|
|
||||||
string defaultChrootDirs;
|
string defaultChrootDirs;
|
||||||
#if CHROOT_ENABLED
|
#if __linux__
|
||||||
if (isInStore(BASH_PATH))
|
if (isInStore(BASH_PATH))
|
||||||
defaultChrootDirs = "/bin/sh=" BASH_PATH;
|
defaultChrootDirs = "/bin/sh=" BASH_PATH;
|
||||||
#endif
|
#endif
|
||||||
|
@ -1943,7 +1923,7 @@ void DerivationGoal::startBuilder()
|
||||||
for (auto & i : closure)
|
for (auto & i : closure)
|
||||||
dirsInChroot[i] = i;
|
dirsInChroot[i] = i;
|
||||||
|
|
||||||
#if SANDBOX_ENABLED
|
#if __APPLE__
|
||||||
additionalSandboxProfile = get(drv->env, "__sandboxProfile");
|
additionalSandboxProfile = get(drv->env, "__sandboxProfile");
|
||||||
#endif
|
#endif
|
||||||
string allowed = settings.get("allowed-impure-host-deps", string(DEFAULT_ALLOWED_IMPURE_PREFIXES));
|
string allowed = settings.get("allowed-impure-host-deps", string(DEFAULT_ALLOWED_IMPURE_PREFIXES));
|
||||||
|
@ -1972,7 +1952,7 @@ void DerivationGoal::startBuilder()
|
||||||
dirsInChroot[i] = i;
|
dirsInChroot[i] = i;
|
||||||
}
|
}
|
||||||
|
|
||||||
#if CHROOT_ENABLED
|
#if __linux__
|
||||||
/* Create a temporary directory in which we set up the chroot
|
/* Create a temporary directory in which we set up the chroot
|
||||||
environment using bind-mounts. We put it in the Nix store
|
environment using bind-mounts. We put it in the Nix store
|
||||||
to ensure that we can create hard-links to non-directory
|
to ensure that we can create hard-links to non-directory
|
||||||
|
@ -2065,7 +2045,7 @@ void DerivationGoal::startBuilder()
|
||||||
for (auto & i : drv->outputs)
|
for (auto & i : drv->outputs)
|
||||||
dirsInChroot.erase(i.second.path);
|
dirsInChroot.erase(i.second.path);
|
||||||
|
|
||||||
#elif SANDBOX_ENABLED
|
#elif __APPLE__
|
||||||
/* We don't really have any parent prep work to do (yet?)
|
/* We don't really have any parent prep work to do (yet?)
|
||||||
All work happens in the child, instead. */
|
All work happens in the child, instead. */
|
||||||
#else
|
#else
|
||||||
|
@ -2148,7 +2128,7 @@ void DerivationGoal::startBuilder()
|
||||||
builderOut.create();
|
builderOut.create();
|
||||||
|
|
||||||
/* Fork a child to build the package. */
|
/* Fork a child to build the package. */
|
||||||
#if CHROOT_ENABLED
|
#if __linux__
|
||||||
if (useChroot) {
|
if (useChroot) {
|
||||||
/* Set up private namespaces for the build:
|
/* Set up private namespaces for the build:
|
||||||
|
|
||||||
|
@ -2250,7 +2230,7 @@ void DerivationGoal::runChild()
|
||||||
|
|
||||||
commonChildInit(builderOut);
|
commonChildInit(builderOut);
|
||||||
|
|
||||||
#if CHROOT_ENABLED
|
#if __linux__
|
||||||
if (useChroot) {
|
if (useChroot) {
|
||||||
|
|
||||||
/* Initialise the loopback interface. */
|
/* Initialise the loopback interface. */
|
||||||
|
@ -2383,10 +2363,8 @@ void DerivationGoal::runChild()
|
||||||
if (mkdir("real-root", 0) == -1)
|
if (mkdir("real-root", 0) == -1)
|
||||||
throw SysError("cannot create real-root directory");
|
throw SysError("cannot create real-root directory");
|
||||||
|
|
||||||
#define pivot_root(new_root, put_old) (syscall(SYS_pivot_root, new_root, put_old))
|
|
||||||
if (pivot_root(".", "real-root") == -1)
|
if (pivot_root(".", "real-root") == -1)
|
||||||
throw SysError(format("cannot pivot old root directory onto ‘%1%’") % (chrootRootDir + "/real-root"));
|
throw SysError(format("cannot pivot old root directory onto ‘%1%’") % (chrootRootDir + "/real-root"));
|
||||||
#undef pivot_root
|
|
||||||
|
|
||||||
if (chroot(".") == -1)
|
if (chroot(".") == -1)
|
||||||
throw SysError(format("cannot change root directory to ‘%1%’") % chrootRootDir);
|
throw SysError(format("cannot change root directory to ‘%1%’") % chrootRootDir);
|
||||||
|
@ -2468,7 +2446,7 @@ void DerivationGoal::runChild()
|
||||||
string sandboxProfile;
|
string sandboxProfile;
|
||||||
if (isBuiltin(*drv)) {
|
if (isBuiltin(*drv)) {
|
||||||
;
|
;
|
||||||
#if SANDBOX_ENABLED
|
#if __APPLE__
|
||||||
} else if (useChroot) {
|
} else if (useChroot) {
|
||||||
/* Lots and lots and lots of file functions freak out if they can't stat their full ancestry */
|
/* Lots and lots and lots of file functions freak out if they can't stat their full ancestry */
|
||||||
PathSet ancestry;
|
PathSet ancestry;
|
||||||
|
|
|
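Review bot: The `pivot_root` function-like macro is now defined at file scope inside the `#if __linux__` include block, where it used to be defined and `#undef`'d around its single call in runChild(), so it will rewrite any later use of that identifier in the file, including a declaration pulled in by a header. A typed wrapper avoids this: `static int pivot_root(const char * new_root, const char * put_old) { return syscall(SYS_pivot_root, new_root, put_old); }`. The same block now includes `<linux/fs.h>` unconditionally next to `<sys/mount.h>`, where the old code included it only when `MS_PRIVATE` was missing; some libc and kernel-header combinations define the mount flags in both, so this may need a guard. With the `defined(MS_BIND) && defined(MS_PRIVATE) && defined(CLONE_NEWNS) && defined(SYS_pivot_root)` test gone, a Linux host lacking any of them presumably fails to compile instead of silently building without the chroot path, which is worth recording in a comment such as `/* On Linux the chroot/namespace code is always compiled in; it can no longer be configured out. */`. startBuilder() and runChild() continue outside the hunks shown, so the runtime failure handling of the namespace setup cannot be checked from here.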
@ -23,16 +23,11 @@
|
||||||
#include <time.h>
|
#include <time.h>
|
||||||
#include <grp.h>
|
#include <grp.h>
|
||||||
|
|
||||||
#if HAVE_UNSHARE && HAVE_STATVFS && HAVE_SYS_MOUNT_H
|
#if __linux__
|
||||||
#include <sched.h>
|
#include <sched.h>
|
||||||
#include <sys/statvfs.h>
|
#include <sys/statvfs.h>
|
||||||
#include <sys/mount.h>
|
#include <sys/mount.h>
|
||||||
#endif
|
|
||||||
|
|
||||||
#if HAVE_LINUX_FS_H
|
|
||||||
#include <linux/fs.h>
|
|
||||||
#include <sys/ioctl.h>
|
#include <sys/ioctl.h>
|
||||||
#include <errno.h>
|
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#include <sqlite3.h>
|
#include <sqlite3.h>
|
||||||
|
@ -502,7 +497,7 @@ void LocalStore::openDB(bool create)
|
||||||
bind mount. So make the Nix store writable for this process. */
|
bind mount. So make the Nix store writable for this process. */
|
||||||
void LocalStore::makeStoreWritable()
|
void LocalStore::makeStoreWritable()
|
||||||
{
|
{
|
||||||
#if HAVE_UNSHARE && HAVE_STATVFS && HAVE_SYS_MOUNT_H && defined(MS_BIND) && defined(MS_REMOUNT)
|
#if __linux__
|
||||||
if (getuid() != 0) return;
|
if (getuid() != 0) return;
|
||||||
/* Check if /nix/store is on a read-only mount. */
|
/* Check if /nix/store is on a read-only mount. */
|
||||||
struct statvfs stat;
|
struct statvfs stat;
|
||||||
|
|
|
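Review bot: The include block loses `<errno.h>` along with `<linux/fs.h>` but keeps `<sys/ioctl.h>` under `#if __linux__`. If anything left in this file still reads `errno`, it now relies on another header including it, so an unconditional `#include <errno.h>` next to `<time.h>` would be safer. If the ioctl caller went away with the `<linux/fs.h>` code, `<sys/ioctl.h>` is probably dead and can go too. In makeStoreWritable() the guard no longer tests `defined(MS_BIND) && defined(MS_REMOUNT)`, so a one-line comment such as `/* Linux only: requires unshare(), statvfs() and bind remounts from <sys/mount.h>. */` would document what the `#if __linux__` now assumes. The function body continues outside the hunk, so whether the unshare and remount calls check their return values while running as root is not visible here.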
@ -2,14 +2,14 @@
|
||||||
#include "util.hh"
|
#include "util.hh"
|
||||||
#include "affinity.hh"
|
#include "affinity.hh"
|
||||||
|
|
||||||
#if HAVE_SCHED_H
|
#if __linux__
|
||||||
#include <sched.h>
|
#include <sched.h>
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
namespace nix {
|
namespace nix {
|
||||||
|
|
||||||
|
|
||||||
#if HAVE_SCHED_SETAFFINITY
|
#if __linux__
|
||||||
static bool didSaveAffinity = false;
|
static bool didSaveAffinity = false;
|
||||||
static cpu_set_t savedAffinity;
|
static cpu_set_t savedAffinity;
|
||||||
#endif
|
#endif
|
||||||
|
@ -17,7 +17,7 @@ static cpu_set_t savedAffinity;
|
||||||
|
|
||||||
void setAffinityTo(int cpu)
|
void setAffinityTo(int cpu)
|
||||||
{
|
{
|
||||||
#if HAVE_SCHED_SETAFFINITY
|
#if __linux__
|
||||||
if (sched_getaffinity(0, sizeof(cpu_set_t), &savedAffinity) == -1) return;
|
if (sched_getaffinity(0, sizeof(cpu_set_t), &savedAffinity) == -1) return;
|
||||||
didSaveAffinity = true;
|
didSaveAffinity = true;
|
||||||
printMsg(lvlDebug, format("locking this thread to CPU %1%") % cpu);
|
printMsg(lvlDebug, format("locking this thread to CPU %1%") % cpu);
|
||||||
|
@ -32,7 +32,7 @@ void setAffinityTo(int cpu)
|
||||||
|
|
||||||
int lockToCurrentCPU()
|
int lockToCurrentCPU()
|
||||||
{
|
{
|
||||||
#if HAVE_SCHED_SETAFFINITY
|
#if __linux__
|
||||||
int cpu = sched_getcpu();
|
int cpu = sched_getcpu();
|
||||||
if (cpu != -1) setAffinityTo(cpu);
|
if (cpu != -1) setAffinityTo(cpu);
|
||||||
return cpu;
|
return cpu;
|
||||||
|
@ -44,7 +44,7 @@ int lockToCurrentCPU()
|
||||||
|
|
||||||
void restoreAffinity()
|
void restoreAffinity()
|
||||||
{
|
{
|
||||||
#if HAVE_SCHED_SETAFFINITY
|
#if __linux__
|
||||||
if (!didSaveAffinity) return;
|
if (!didSaveAffinity) return;
|
||||||
if (sched_setaffinity(0, sizeof(cpu_set_t), &savedAffinity) == -1)
|
if (sched_setaffinity(0, sizeof(cpu_set_t), &savedAffinity) == -1)
|
||||||
printMsg(lvlError, "failed to restore affinity %1%");
|
printMsg(lvlError, "failed to restore affinity %1%");
|
||||||
|
|
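Review bot: Replacing `HAVE_SCHED_SETAFFINITY` with `__linux__` makes every Linux build assume `cpu_set_t`, `sched_getaffinity()`, `sched_setaffinity()` and `sched_getcpu()` are declared by `<sched.h>`. These are GNU extensions, so a Linux libc that lacks them, or a build without `_GNU_SOURCE`, would now fail to compile where it used to fall through to the stub path. A comment on the include such as `/* Needs the GNU sched extensions (cpu_set_t, sched_getcpu); g++ defines _GNU_SOURCE by default. */` would make that assumption explicit. Separately, the context line in restoreAffinity(), `printMsg(lvlError, "failed to restore affinity %1%");`, passes a plain string with a `%1%` placeholder and no argument, so the placeholder looks like it is printed literally; `printMsg(lvlError, "failed to restore affinity");` would read correctly. restoreAffinity() continues past the end of the hunk.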