6cc6c15a2d
This prevents builders from setting the S_ISUID or S_ISGID bits,
preventing users from using a nixbld* user to create a setuid/setgid
binary to interfere with subsequent builds under the same nixbld* uid.
This is based on aszlig's seccomp code
(47f587700d).
Reported by Linus Heckemann.
42 lines
884 B
Nix
42 lines
884 B
Nix
{ useClang ? false }:
|
|
|
|
with import <nixpkgs> {};
|
|
|
|
with import ./release-common.nix { inherit pkgs; };
|
|
|
|
(if useClang then clangStdenv else stdenv).mkDerivation {
|
|
name = "nix";
|
|
|
|
buildInputs =
|
|
[ curl bison flex libxml2 libxslt
|
|
bzip2 xz brotli
|
|
pkgconfig sqlite libsodium boehmgc
|
|
docbook5 docbook5_xsl
|
|
autoconf-archive
|
|
(aws-sdk-cpp.override {
|
|
apis = ["s3"];
|
|
customMemoryManagement = false;
|
|
})
|
|
autoreconfHook
|
|
|
|
# For nix-perl
|
|
perl
|
|
perlPackages.DBDSQLite
|
|
]
|
|
++ lib.optional stdenv.isLinux libseccomp;
|
|
|
|
inherit configureFlags;
|
|
|
|
enableParallelBuilding = true;
|
|
|
|
installFlags = "sysconfdir=$(out)/etc";
|
|
|
|
shellHook =
|
|
''
|
|
export prefix=$(pwd)/inst
|
|
configureFlags+=" --prefix=$prefix"
|
|
PKG_CONFIG_PATH=$prefix/lib/pkgconfig:$PKG_CONFIG_PATH
|
|
PATH=$prefix/bin:$PATH
|
|
'';
|
|
}
|