From a2d92bb20e82a0957067ede60e91fab256948b41 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Mon, 15 May 2017 17:30:33 +0200 Subject: [PATCH] Add --with-sandbox-shell configure flag And add a 116 KiB ash shell from busybox to the release build. This helps to make sandbox builds work out of the box on non-NixOS systems and with diverted stores. --- Makefile.config.in | 1 + configure.ac | 6 ++++++ release-common.nix | 21 +++++++++++++++++++++ release.nix | 9 ++++----- shell.nix | 7 +++---- src/libstore/globals.cc | 4 ++-- src/libstore/local.mk | 2 +- 7 files changed, 38 insertions(+), 12 deletions(-) create mode 100644 release-common.nix diff --git a/Makefile.config.in b/Makefile.config.in index 3cae30d4..45a70cd6 100644 --- a/Makefile.config.in +++ b/Makefile.config.in @@ -28,6 +28,7 @@ localstatedir = @localstatedir@ mandir = @mandir@ pkglibdir = $(libdir)/$(PACKAGE_NAME) prefix = @prefix@ +sandbox_shell = @sandbox_shell@ storedir = @storedir@ sysconfdir = @sysconfdir@ doc_generate = @doc_generate@ diff --git a/configure.ac b/configure.ac index c7026cf9..24a95ce5 100644 --- a/configure.ac +++ b/configure.ac @@ -240,6 +240,12 @@ fi AC_SUBST(tarFlags) +AC_ARG_WITH(sandbox-shell, AC_HELP_STRING([--with-sandbox-shell=PATH], + [path of a statically-linked shell to use as /bin/sh in sandboxes]), + sandbox_shell=$withval) +AC_SUBST(sandbox_shell) + + # Expand all variables in config.status. test "$prefix" = NONE && prefix=$ac_default_prefix test "$exec_prefix" = NONE && exec_prefix='${prefix}' diff --git a/release-common.nix b/release-common.nix new file mode 100644 index 00000000..8047c75b --- /dev/null +++ b/release-common.nix 
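Review bot: `sandbox_shell=$withval` in the new `AC_ARG_WITH` block of configure.ac accepts the value unchecked, so a bare `--with-sandbox-shell` stores `yes` and `--without-sandbox-shell` stores `no` as the shell path. That string is substituted into Makefile.config and compiled into the default `/bin/sh` entry of `sandboxPaths`, so a wrong value would only show up later, when a sandboxed build runs. I would reject `yes` and any non-absolute path at configure time and treat `no` the same as not passing the flag. Nothing checks that the binary is statically linked as the help text requires, which is worth a comment next to the option.

```m4
AC_ARG_WITH(sandbox-shell, AC_HELP_STRING([--with-sandbox-shell=PATH],
  [path of a statically-linked shell to use as /bin/sh in sandboxes]),
  [case "$withval" in
     no)  sandbox_shell= ;;
     yes) AC_MSG_ERROR([--with-sandbox-shell requires a PATH argument]) ;;
     /*)  sandbox_shell=$withval ;;
     *)   AC_MSG_ERROR([--with-sandbox-shell must be an absolute path, got: $withval]) ;;
   esac])
```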
@@ -0,0 +1,21 @@ +{ pkgs }: + +rec { + sh = pkgs.busybox.override { + useMusl = true; + enableStatic = true; + enableMinimal = true; + extraConfig = '' + CONFIG_ASH y + CONFIG_ASH_BUILTIN_ECHO y + CONFIG_ASH_BUILTIN_TEST y + CONFIG_ASH_OPTIMIZE_FOR_SIZE y + ''; + }; + + configureFlags = + [ "--disable-init-state" + "--enable-gc" + "--with-sandbox-shell=${sh}/bin/busybox" + ]; +} diff --git a/release.nix b/release.nix index 54d20c86..f1a553d0 100644 --- a/release.nix +++ b/release.nix @@ -66,6 +66,8 @@ let with import { inherit system; }; + with import ./release-common.nix { inherit pkgs; }; + releaseTools.nixBuild { name = "nix"; src = tarball; @@ -83,11 +85,8 @@ let customMemoryManagement = false; }); - configureFlags = '' - --disable-init-state - --enable-gc - --sysconfdir=/etc - ''; + configureFlags = configureFlags ++ + [ "--sysconfdir=/etc" ]; enableParallelBuilding = true; diff --git a/shell.nix b/shell.nix index 8645d360..c4e2a20f 100644 --- a/shell.nix +++ b/shell.nix @@ -2,6 +2,8 @@ with import {}; +with import ./release-common.nix { inherit pkgs; }; + (if useClang then clangStdenv else stdenv).mkDerivation { name = "nix"; @@ -22,10 +24,7 @@ with import {}; perlPackages.DBDSQLite ]; - configureFlags = - [ "--disable-init-state" - "--enable-gc" - ]; + inherit configureFlags; enableParallelBuilding = true; diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc index 4bdbde98..3dd2508a 100644 --- a/src/libstore/globals.cc +++ b/src/libstore/globals.cc @@ -47,8 +47,8 @@ Settings::Settings() auto s = getEnv("NIX_REMOTE_SYSTEMS"); if (s != "") builderFiles = tokenizeString(s, ":"); -#if __linux__ - sandboxPaths = tokenizeString("/bin/sh=" BASH_PATH); +#if defined(__linux__) && defined(SANDBOX_SHELL) + sandboxPaths = tokenizeString("/bin/sh=" SANDBOX_SHELL); #endif allowedImpureHostPrefixes = tokenizeString(DEFAULT_ALLOWED_IMPURE_PREFIXES); diff --git a/src/libstore/local.mk b/src/libstore/local.mk index 4da20330..e0600258 100644 
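Review bot: The `sh` override in release-common.nix has no comment explaining why busybox is built with `useMusl`, `enableStatic` and `enableMinimal`, and those are the settings a later maintainer is most likely to relax. The result is passed to configure as `--with-sandbox-shell` and becomes the default `/bin/sh` entry of `sandboxPaths`, so presumably only this one file is exposed inside the sandbox and it cannot rely on shared libraries or other store paths. I would add above `sh =`: `# Static, minimal busybox ash used as /bin/sh inside build sandboxes; it must have no runtime dependencies.` It would also help to note beside the flag that `bin/busybox` is a multi-call binary, so it relies on being invoked under the name `sh`.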
--- a/src/libstore/local.mk +++ b/src/libstore/local.mk @@ -27,7 +27,7 @@ libstore_CXXFLAGS = \ -DNIX_CONF_DIR=\"$(sysconfdir)/nix\" \ -DNIX_LIBEXEC_DIR=\"$(libexecdir)\" \ -DNIX_BIN_DIR=\"$(bindir)\" \ - -DBASH_PATH="\"$(bash)\"" \ + -DSANDBOX_SHELL="\"$(sandbox_shell)\"" \ -DLSOF=\"$(lsof)\" $(d)/local-store.cc: $(d)/schema.sql.hh