Eelco Dolstra
ede95b1fc1
Put the chroot inside a directory that isn't group/world-accessible
...
Previously, the .chroot directory had permission 750 or 755 (depending
on the uid-range system feature) and was owned by root/nixbld. This
makes it possible for any nixbld user (if uid-range is disabled) or
any user (if uid-range is enabled) to inspect the contents of the
chroot of an active build and maybe interfere with it (e.g. via /tmp
in the chroot, which has 1777 permission).
To prevent this, the root is now a subdirectory of .chroot, which has
permission 700 and is owned by root/root.
2024-06-21 17:06:19 +02:00
Théophane Hufschmitt
d99c868b04
Add a release note for the build-dir hardening
2024-06-21 17:06:19 +02:00
Théophane Hufschmitt
1d3696f0fb
Run the builds in a daemon-controlled directory
...
Instead of running the builds under
`$TMPDIR/{unique-build-directory-owned-by-the-build-user}`, run them
under `$TMPDIR/{unique-build-directory-owned-by-the-daemon}/{subdir-owned-by-the-build-user}`
where the build directory is only readable and traversable by the daemon user.
This achieves two things:
1. It prevents builders from making their build directory world-readable
(or even writeable), which would allow the outside world to interact
with them.
2. It prevents external processes running as the build user (either
because that somehow leaked, maybe as a consequence of 1., or because
`build-users` isn't in use) from gaining access to the build
directory.
2024-06-21 17:06:19 +02:00
Théophane Hufschmitt
717f3eea39
Add a test for the user sandboxing
2024-06-21 17:06:18 +02:00
Eelco Dolstra
d4a70b67a0
Move flake-regressions repos to the NixOS org
2024-06-21 15:38:03 +02:00
Eelco Dolstra
6f3d2daee6
Fix spellcheck
2024-06-21 15:37:08 +02:00
Eelco Dolstra
0eec60968a
flake-regressions.sh: Make the sort order deterministic
2024-06-21 15:37:08 +02:00
Eelco Dolstra
36cc8d5f4b
Run the flake-regressions test suite
2024-06-21 15:37:08 +02:00
Robert Hensing
d9684664c8
Revert "tests/functional/common/init.sh: Use parentheses around negation"
...
ShellCheck doesn't want us to add extra parentheses for show.
This reverts commit 7c9f3eeef8.
2024-06-20 22:31:32 +02:00
siddhantCodes
85b7989764
fix: handle errors in nix::createDirs
...
the `std::filesystem::create_directories` can fail due to insufficient
permissions. We convert this error into a `SysError` and catch it
wherever required.
2024-06-20 19:53:25 +05:30
siddhantCodes
857e380c7d
Merge branch 'rm-createdirs' of github.com:siddhantk232/nix into rm-createdirs
2024-06-20 18:47:51 +05:30
Robert Hensing
dcee46a0ef
Apply suggestions from code review
...
Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
2024-06-20 14:54:11 +02:00
Robert Hensing
7c9f3eeef8
tests/functional/common/init.sh: Use parentheses around negation
...
roberth: Not strictly necessary, but probably a good habit
Co-authored-by: Eelco Dolstra <edolstra@gmail.com>
2024-06-20 14:54:11 +02:00
Robert Hensing
648302b833
tests/functional: Enable more tests in NixOS VM
2024-06-20 14:54:11 +02:00
Robert Hensing
f0abe4d8f0
ci: Build tests.functional_user for PRs
2024-06-20 14:54:11 +02:00
Robert Hensing
fca160fbcd
doc/contributing/testing: Describe functional VM tests and quickBuild
2024-06-20 14:54:11 +02:00
Robert Hensing
d208e9dd9f
tests: Add quickBuild to all VM tests
2024-06-20 14:54:11 +02:00
Robert Hensing
8557d79650
tests/functional: Skip tests that don't work in NixOS environment yet
2024-06-20 14:54:11 +02:00
Robert Hensing
211aec473e
tests/functional/timeout.sh: Find missing test case
...
This reproduces an instance of
https://github.com/NixOS/nix/issues/4813
2024-06-20 14:54:11 +02:00
Robert Hensing
439022c5ac
tests: Add hydraJobs.tests.functional_*
2024-06-20 14:54:11 +02:00
Robert Hensing
dc720f89f2
flake.nix: Factor pkgs.nix_noTests out of buildNoTests
...
This is useful when iterating on the functional tests when trying
to run them in a VM test, for example.
2024-06-20 14:54:10 +02:00
Valentin Gagarin
1c131ec2b7
Port C API docs to Meson (#10936)
...
* Port C API docs to Meson
* don't cross-compile the docs
2024-06-19 22:43:54 +02:00
John Ericson
0c6029669d
Merge pull request #10935 from fricklerhandwerk/cli-docs-formatting
...
use separate paragraphs inside list items
2024-06-18 15:24:44 -04:00
John Ericson
613d598daa
Merge pull request #10934 from Artoria2e5/patch-1
...
optimize-store.cc: Update macos exclusion comments
2024-06-18 15:15:45 -04:00
Valentin Gagarin
b975151c09
dedent lists
...
this indentation is unnecessary and probably an artefact from the
migration off XML.
2024-06-18 11:26:09 +02:00
PoweredByPie
8b81d083a7
Remove lookupPathForProgram and implement initial runProgram test
...
Apparently, CreateProcessW already searches path, so manual path search
isn't really necessary.
2024-06-18 01:01:52 -07:00
PoweredByPie
fcb92b4fa4
Fix DWORD vs. int comparison warning
2024-06-17 22:14:38 -07:00
Mingye Wang
ff1fc780d2
optimize-store.cc: Update macos exclusion comments
...
#2230 broadened the scope of macOS hardlink exclusion but did not change the comments. This was a little confusing for me, so I figured the comments should be updated.
2024-06-18 12:05:59 +08:00
PoweredByPie
4f6e3b9402
Implement tests for lookupPathForProgram and fix bugs caught by tests
2024-06-17 18:46:08 -07:00
PoweredByPie
d7537f6955
Implement initial spawn tests (just testing windowsEscape for now)
2024-06-17 14:58:17 -07:00
PoweredByPie
4662e7d856
Implement windowsEscape
2024-06-17 14:57:57 -07:00
John Ericson
daf1b6b23a
Merge pull request #10933 from NixOS/meson-libfetchers
...
Meson for libfetchers
2024-06-17 17:56:11 -04:00
Tom Bereknyei
706edf26eb
build: meson for libfetchers
2024-06-17 17:25:56 -04:00
John Ericson
93218dc62a
Merge pull request #10930 from fricklerhandwerk/meson-docs
...
migrate internal API docs to Meson
2024-06-17 16:25:03 -04:00
PoweredByPie
b11cf8166f
Format runProgram declaration
2024-06-17 13:12:28 -07:00
Valentin Gagarin
6e34c68327
Convert the internal API doc build to Meson
2024-06-17 15:51:58 -04:00
John Ericson
69d404edad
Merge pull request #10914 from NixOS/combo-shell-perl
...
Integrate perl with the other meson builds
2024-06-17 15:15:05 -04:00
John Ericson
a83d95e26e
Integrate perl with the other meson builds
...
One big dev shell!
2024-06-17 14:48:20 -04:00
PoweredByPie
a58ca342ca
Initial runProgram implementation for Windows
...
This is incomplete; proper shell escaping needs to be done
2024-06-17 11:13:22 -07:00
John Ericson
a1bb668ccb
Merge remote-tracking branch 'upstream/master' into rm-createdirs
2024-06-17 12:57:54 -04:00
Valentin Gagarin
4f340213bb
use separate paragraphs inside list items
2024-06-17 17:55:29 +02:00
Robert Hensing
316b58dd5f
tests/shell.sh: Check that env is mostly unmodified
2024-06-17 17:03:58 +02:00
Robert Hensing
68b8a28bc4
tests/run.sh: Check that env is mostly unmodified
2024-06-17 17:03:58 +02:00
John Ericson
e0b4691754
Merge pull request #10929 from NixOS/avoid-building-too-many-jobs-at-once
...
Avoid building too many jobs at once
2024-06-17 09:53:43 -04:00
John Ericson
c9cdc2423a
Temporarily remove the Meson builds from packages in the flake
...
This will avoid some out-of-memory issues in GitHub actions that result
from num jobs > 1 and num cores = 4. Once we only have the Meson build
system, this problem should go away, and we can reenable these jobs.
2024-06-17 09:16:18 -04:00
John Ericson
5e806673c3
Make hydraJobs.build include the constituent packages
...
We were only doing that for the more exotic builds, just forgot.
2024-06-17 08:33:09 -04:00
Robert Hensing
e48abec567
Merge pull request #10916 from jmbaur/read-only-no-chown
...
Don't chown when local-store is read-only
2024-06-17 13:49:19 +02:00
Eelco Dolstra
48d38b32d2
Merge pull request #10918 from andir/restrict-tarfile-formats
...
Restrict supported tarball formats to actual Tarballs
2024-06-17 13:20:23 +02:00
Robert Hensing
83d1bc95b3
Merge pull request #10925 from hercules-ci/junit-report
...
`testresults` output
2024-06-17 10:54:29 +02:00
Robert Hensing
5e0e0ec2d3
Merge pull request #10927 from poweredbypie/windows-fix
...
Fix a compile error on windows
2024-06-17 10:52:09 +02:00