2024-03-05 20:11:59 +00:00
|
|
|
{ lib, nixpkgs, nixpkgsFor }:
|
|
|
|
|
|
|
|
let
|
|
|
|
|
|
|
|
nixos-lib = import (nixpkgs + "/nixos/lib") { };
|
|
|
|
|
|
|
|
# https://nixos.org/manual/nixos/unstable/index.html#sec-calling-nixos-tests
|
2024-03-07 09:25:03 +00:00
|
|
|
runNixOSTestFor = system: test:
|
|
|
|
(nixos-lib.runTest {
|
|
|
|
imports = [ test ];
|
|
|
|
hostPkgs = nixpkgsFor.${system}.native;
|
|
|
|
defaults = {
|
|
|
|
nixpkgs.pkgs = nixpkgsFor.${system}.native;
|
|
|
|
nix.checkAllErrors = false;
|
|
|
|
};
|
|
|
|
_module.args.nixpkgs = nixpkgs;
|
|
|
|
_module.args.system = system;
|
|
|
|
})
|
|
|
|
// {
|
|
|
|
# allow running tests against older nix versions via `nix eval --apply`
|
|
|
|
# Example:
|
|
|
|
# nix build "$(nix eval --raw --impure .#hydraJobs.tests.fetch-git --apply 't: (t.forNix "2.19.2").drvPath')^*"
|
|
|
|
forNix = nixVersion: runNixOSTestFor system {
|
|
|
|
imports = [test];
|
|
|
|
defaults.nixpkgs.overlays = [(curr: prev: {
|
|
|
|
nix = (builtins.getFlake "nix/${nixVersion}").packages.${system}.nix;
|
|
|
|
})];
|
|
|
|
};
|
2024-03-05 20:11:59 +00:00
|
|
|
};
|
|
|
|
|
2024-03-07 01:58:26 +00:00
|
|
|
# Checks that a NixOS configuration does not contain any references to our
|
|
|
|
# locally defined Nix version.
|
|
|
|
checkOverrideNixVersion = { pkgs, lib, ... }: {
|
|
|
|
# pkgs.nix: The new Nix in this repo
|
|
|
|
# We disallow it, to make sure we don't accidentally use it.
|
[resubmit] flake: update nixpkgs pin 23.11->24.05 (+ boehmgc compat changes)
-- message from cl/1418 --
The boehmgc changes are bundled into this commit because doing otherwise
would require an annoying dance of "adding compatibility for < 8.2.6 and
>= 8.2.6" then updating the pin then removing the (now unneeded)
compatibility. It doesn't seem worth the trouble to me given the low
complexity of said changes.
Rebased coroutine-sp-fallback.diff patch taken from https://github.com/NixOS/nixpkgs/pull/317227
-- jade resubmit changes --
This is a resubmission of https://gerrit.lix.systems/c/lix/+/1418, which
was reverted in https://gerrit.lix.systems/c/lix/+/1432 for breaking CI
evaluation without being detected.
I have run `nix flake check -Lv` on this one before submission and it
passes on my machine and crucially without eval errors, so the CI result
should be accurate.
It seems like someone renamed forbiddenDependenciesRegex to
forbiddenDependenciesRegexes in nixpkgs and also changed the type
incompatibly. That's pretty silly, but at least it's just an eval error.
Also, `xonsh` regressed the availability of `xonsh-unwrapped`, but it
was fixed by us in https://github.com/NixOS/nixpkgs/pull/317636, which
is now in our channel, so we update nixpkgs compared to the original
iteration of this to simply get that.
We originally had a regression related to some reorganization of the
nixpkgs lib test suite in which there was broken parameter passing.
This, too, we got quickfixed in nixpkgs, so we don't need any changes
for it: https://github.com/NixOS/nixpkgs/pull/317772
Related: https://gerrit.lix.systems/c/lix/+/1428
Fixes: https://git.lix.systems/lix-project/lix/issues/385
Change-Id: I26d41ea826fec900ebcad0f82a727feb6bcd28f3
2024-06-08 14:57:08 +00:00
|
|
|
system.forbiddenDependenciesRegexes = [ (lib.strings.escapeRegex "nix-${pkgs.nix.version}") ];
|
2024-03-07 01:58:26 +00:00
|
|
|
};
|
2024-03-05 20:11:59 +00:00
|
|
|
in
|
|
|
|
|
|
|
|
{
|
|
|
|
authorization = runNixOSTestFor "x86_64-linux" ./authorization.nix;
|
|
|
|
|
|
|
|
remoteBuilds = runNixOSTestFor "x86_64-linux" ./remote-builds.nix;
|
|
|
|
|
2024-03-07 01:58:26 +00:00
|
|
|
# Test our Nix as a client against remotes that are older
|
|
|
|
|
|
|
|
remoteBuilds_remote_2_3 = runNixOSTestFor "x86_64-linux" {
|
|
|
|
name = "remoteBuilds_remote_2_3";
|
|
|
|
imports = [ ./remote-builds.nix ];
|
|
|
|
builders.config = { lib, pkgs, ... }: {
|
|
|
|
imports = [ checkOverrideNixVersion ];
|
|
|
|
nix.package = lib.mkForce pkgs.nixVersions.nix_2_3;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2024-05-23 19:16:40 +00:00
|
|
|
remoteBuilds_remote_2_18 = runNixOSTestFor "x86_64-linux" ({ lib, pkgs, ... }: {
|
|
|
|
name = "remoteBuilds_remote_2_18";
|
|
|
|
imports = [ ./remote-builds.nix ];
|
|
|
|
builders.config = { lib, pkgs, ... }: {
|
|
|
|
imports = [ checkOverrideNixVersion ];
|
|
|
|
nix.package = lib.mkForce pkgs.nixVersions.nix_2_18;
|
|
|
|
};
|
|
|
|
});
|
2024-03-07 01:58:26 +00:00
|
|
|
|
|
|
|
# Test our Nix as a builder for clients that are older
|
|
|
|
|
|
|
|
remoteBuilds_local_2_3 = runNixOSTestFor "x86_64-linux" ({ lib, pkgs, ... }: {
|
|
|
|
name = "remoteBuilds_local_2_3";
|
|
|
|
imports = [ ./remote-builds.nix ];
|
|
|
|
nodes.client = { lib, pkgs, ... }: {
|
|
|
|
imports = [ checkOverrideNixVersion ];
|
|
|
|
nix.package = lib.mkForce pkgs.nixVersions.nix_2_3;
|
|
|
|
};
|
|
|
|
});
|
|
|
|
|
2024-05-23 19:16:40 +00:00
|
|
|
remoteBuilds_local_2_18 = runNixOSTestFor "x86_64-linux" ({ lib, pkgs, ... }: {
|
|
|
|
name = "remoteBuilds_local_2_18";
|
|
|
|
imports = [ ./remote-builds.nix ];
|
|
|
|
nodes.client = { lib, pkgs, ... }: {
|
|
|
|
imports = [ checkOverrideNixVersion ];
|
|
|
|
nix.package = lib.mkForce pkgs.nixVersions.nix_2_18;
|
|
|
|
};
|
|
|
|
});
|
2024-03-07 01:58:26 +00:00
|
|
|
|
|
|
|
# End remoteBuilds tests
|
|
|
|
|
2024-03-07 01:31:59 +00:00
|
|
|
remoteBuildsSshNg = runNixOSTestFor "x86_64-linux" ./remote-builds-ssh-ng.nix;
|
|
|
|
|
2024-03-07 01:58:26 +00:00
|
|
|
# Test our Nix as a client against remotes that are older
|
|
|
|
|
|
|
|
remoteBuildsSshNg_remote_2_3 = runNixOSTestFor "x86_64-linux" {
|
|
|
|
name = "remoteBuildsSshNg_remote_2_3";
|
|
|
|
imports = [ ./remote-builds-ssh-ng.nix ];
|
|
|
|
builders.config = { lib, pkgs, ... }: {
|
|
|
|
imports = [ checkOverrideNixVersion ];
|
|
|
|
nix.package = lib.mkForce pkgs.nixVersions.nix_2_3;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2024-05-23 19:16:40 +00:00
|
|
|
remoteBuildsSshNg_remote_2_18 = runNixOSTestFor "x86_64-linux" {
|
|
|
|
name = "remoteBuildsSshNg_remote_2_18";
|
|
|
|
imports = [ ./remote-builds-ssh-ng.nix ];
|
|
|
|
builders.config = { lib, pkgs, ... }: {
|
|
|
|
imports = [ checkOverrideNixVersion ];
|
|
|
|
nix.package = lib.mkForce pkgs.nixVersions.nix_2_18;
|
|
|
|
};
|
|
|
|
};
|
2024-03-07 01:58:26 +00:00
|
|
|
|
|
|
|
# Test our Nix as a builder for clients that are older
|
|
|
|
|
|
|
|
# FIXME: these tests don't work yet
|
|
|
|
/*
|
|
|
|
remoteBuildsSshNg_local_2_3 = runNixOSTestFor "x86_64-linux" ({ lib, pkgs, ... }: {
|
|
|
|
name = "remoteBuildsSshNg_local_2_3";
|
|
|
|
imports = [ ./remote-builds-ssh-ng.nix ];
|
|
|
|
nodes.client = { lib, pkgs, ... }: {
|
|
|
|
imports = [ checkOverrideNixVersion ];
|
|
|
|
nix.package = lib.mkForce pkgs.nixVersions.nix_2_3;
|
|
|
|
};
|
|
|
|
});
|
|
|
|
|
|
|
|
# TODO: (nixpkgs update) remoteBuildsSshNg_local_2_18 = ...
|
|
|
|
*/
|
|
|
|
|
2024-03-05 20:11:59 +00:00
|
|
|
nix-copy-closure = runNixOSTestFor "x86_64-linux" ./nix-copy-closure.nix;
|
|
|
|
|
|
|
|
nix-copy = runNixOSTestFor "x86_64-linux" ./nix-copy.nix;
|
|
|
|
|
2024-04-28 23:23:31 +00:00
|
|
|
nix-upgrade-nix = runNixOSTestFor "x86_64-linux" ./nix-upgrade-nix.nix;
|
|
|
|
|
2024-03-05 20:11:59 +00:00
|
|
|
nssPreload = runNixOSTestFor "x86_64-linux" ./nss-preload.nix;
|
|
|
|
|
|
|
|
githubFlakes = runNixOSTestFor "x86_64-linux" ./github-flakes.nix;
|
|
|
|
|
|
|
|
sourcehutFlakes = runNixOSTestFor "x86_64-linux" ./sourcehut-flakes.nix;
|
|
|
|
|
|
|
|
tarballFlakes = runNixOSTestFor "x86_64-linux" ./tarball-flakes.nix;
|
|
|
|
|
|
|
|
containers = runNixOSTestFor "x86_64-linux" ./containers/containers.nix;
|
|
|
|
|
|
|
|
setuid = lib.genAttrs
|
|
|
|
["i686-linux" "x86_64-linux"]
|
libstore/local-derivation-goal: prohibit creating setuid/setgid binaries
With Linux kernel >=6.6 & glibc 2.39 a `fchmodat2(2)` is available that
isn't filtered away by the libseccomp sandbox.
Being able to use this to bypass that restriction has surprising results
for some builds such as lxc[1]:
> With kernel ≥6.6 and glibc 2.39, lxc's install phase uses fchmodat2,
> which slips through https://github.com/NixOS/nix/blob/9b88e5284608116b7db0dbd3d5dd7a33b90d52d7/src/libstore/build/local-derivation-goal.cc#L1650-L1663.
> The fixupPhase then uses fchmodat, which fails.
> With older kernel or glibc, setting the suid bit fails in the
> install phase, which is not treated as fatal, and then the
> fixup phase does not try to set it again.
Please note that there are still ways to bypass this sandbox[2] and this is
mostly a fix for the breaking builds.
This change works by creating a syscall filter for the `fchmodat2`
syscall (number 452 on most systems). The problem is that glibc 2.39
is needed to have the correct syscall number available via
`__NR_fchmodat2` / `__SNR_fchmodat2`, but this flake is still on
nixpkgs 23.11. To have this change everywhere and not dependent on the
glibc this package is built against, I added a header
"fchmodat2-compat.hh" that sets the syscall number based on the
architecture. On most platforms its 452 according to glibc with a few
exceptions:
$ rg --pcre2 'define __NR_fchmodat2 (?!452)'
sysdeps/unix/sysv/linux/x86_64/x32/arch-syscall.h
58:#define __NR_fchmodat2 1073742276
sysdeps/unix/sysv/linux/mips/mips64/n32/arch-syscall.h
67:#define __NR_fchmodat2 6452
sysdeps/unix/sysv/linux/mips/mips64/n64/arch-syscall.h
62:#define __NR_fchmodat2 5452
sysdeps/unix/sysv/linux/mips/mips32/arch-syscall.h
70:#define __NR_fchmodat2 4452
sysdeps/unix/sysv/linux/alpha/arch-syscall.h
59:#define __NR_fchmodat2 562
I added a small regression-test to the setuid integration-test that
attempts to set the suid bit on a file using the fchmodat2 syscall.
I confirmed that the test fails without the change in
local-derivation-goal.
Additionally, we require libseccomp 2.5.5 or greater now: as it turns
out, libseccomp maintains an internal syscall table and
validates each rule against it. This means that when using libseccomp
2.5.4 or older, one may pass `452` as syscall number against it, but
since it doesn't exist in the internal structure, `libseccomp` will refuse
to create a filter for that. This happens with nixpkgs-23.11, i.e. on
stable NixOS and when building Lix against the project's flake.
To work around that
* a backport of libseccomp 2.5.5 on upstream nixpkgs has been
scheduled[3].
* the package now uses libseccomp 2.5.5 on its own already. This is to
provide a quick fix since the correct fix for 23.11 is still a staging cycle
away.
We still need the compat header though since `SCMP_SYS(fchmodat2)`
internally transforms this into `__SNR_fchmodat2` which points to
`__NR_fchmodat2` from glibc 2.39, so it wouldn't build on glibc 2.38.
The updated syscall table from libseccomp 2.5.5 is NOT used for that
step, but used later, so we need both, our compat header and their
syscall table 🤷
Relevant PRs in CppNix:
* https://github.com/NixOS/nix/pull/10591
* https://github.com/NixOS/nix/pull/10501
[1] https://github.com/NixOS/nixpkgs/issues/300635#issuecomment-2031073804
[2] https://github.com/NixOS/nixpkgs/issues/300635#issuecomment-2030844251
[3] https://github.com/NixOS/nixpkgs/pull/306070
(cherry picked from commit ba6804518772e6afb403dd55478365d4b863c854)
Change-Id: I6921ab5a363188c6bff617750d00bb517276b7fe
2024-04-14 12:10:23 +00:00
|
|
|
(system: runNixOSTestFor system ./setuid/setuid.nix);
|
2024-03-06 23:26:40 +00:00
|
|
|
|
|
|
|
ca-fd-leak = runNixOSTestFor "x86_64-linux" ./ca-fd-leak;
|
2024-03-07 09:25:03 +00:00
|
|
|
|
|
|
|
fetch-git = runNixOSTestFor "x86_64-linux" ./fetch-git;
|
2024-04-12 09:29:10 +00:00
|
|
|
|
|
|
|
symlinkResolvconf = runNixOSTestFor "x86_64-linux" ./symlink-resolvconf.nix;
|
2024-04-14 13:41:06 +00:00
|
|
|
|
2024-05-08 17:15:00 +00:00
|
|
|
noNewPrivilegesInSandbox = runNixOSTestFor "x86_64-linux" ./no-new-privileges/sandbox.nix;
|
|
|
|
|
|
|
|
noNewPrivilegesOutsideSandbox = runNixOSTestFor "x86_64-linux" ./no-new-privileges/no-sandbox.nix;
|
2024-05-04 07:55:15 +00:00
|
|
|
|
|
|
|
broken-userns = runNixOSTestFor "x86_64-linux" ./broken-userns.nix;
|
2024-05-10 05:25:12 +00:00
|
|
|
|
|
|
|
coredumps = runNixOSTestFor "x86_64-linux" ./coredumps;
|
2024-03-05 20:11:59 +00:00
|
|
|
}
|