Build sandbox support etc. unconditionally on Linux

Also, use "#if __APPLE__" instead of "#if SANDBOX_ENABLED" to prevent ambiguity.
2015-12-03 16:30:19 +01:00 · 2015-12-03 16:30:19 +01:00 · 8f67325a7c
parent 7431932b29
commit 8f67325a7c
4 changed files with 24 additions and 70 deletions
--- a/configure.ac
+++ b/configure.ac
@ -76,18 +76,7 @@ static char buf[1024];]],
 AC_LANG_POP(C++)
 # Check for chroot support (requires chroot() and bind mounts).
 AC_CHECK_FUNCS([chroot])
 AC_CHECK_FUNCS([unshare])
 AC_CHECK_FUNCS([statvfs])
 AC_CHECK_HEADERS([sched.h])
 AC_CHECK_HEADERS([sys/param.h])
 AC_CHECK_HEADERS([sys/mount.h], [], [],
 [#ifdef HAVE_SYS_PARAM_H
 # include <sys/param.h>
 # endif
 ])
 AC_CHECK_HEADERS([sys/syscall.h])
 # Check for lutimes, optionally used for changing the mtime of
@ -95,10 +84,6 @@ AC_CHECK_HEADERS([sys/syscall.h])
 AC_CHECK_FUNCS([lutimes])
 # Check for sched_setaffinity.
 AC_CHECK_FUNCS([sched_setaffinity])
 # Check whether the store optimiser can optimise symlinks.
 AC_MSG_CHECKING([whether it is possible to create a link to a symlink])
 ln -s bla tmp_link
@ -122,10 +107,6 @@ AC_CHECK_HEADER([err.h], [], [bsddiff_compat_include="-Icompat-include"])
 AC_SUBST([bsddiff_compat_include])
 # Check for <linux/fs.h> (for immutable file support).
 AC_CHECK_HEADERS([linux/fs.h])
 AC_DEFUN([NEED_PROG],
 [
 AC_PATH_PROG($1, $2)
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@ -34,47 +34,27 @@
 #include <bzlib.h>
 /* Includes required for chroot support. */
 #if HAVE_SYS_PARAM_H
 #include <sys/param.h>
 #endif
 #if HAVE_SYS_MOUNT_H
 #include <sys/mount.h>
 #endif
 #if HAVE_SYS_SYSCALL_H
 #include <sys/syscall.h>
 #endif
 #if HAVE_SCHED_H
 #include <sched.h>
 #endif
 /* In GNU libc 2.11, <sys/mount.h> does not define `MS_PRIVATE', but
   <linux/fs.h> does.  */
 #if !defined MS_PRIVATE && defined HAVE_LINUX_FS_H
 #include <linux/fs.h>
 #endif
 #define CHROOT_ENABLED HAVE_CHROOT && HAVE_SYS_MOUNT_H && defined(MS_BIND) && defined(MS_PRIVATE) && defined(CLONE_NEWNS) && defined(SYS_pivot_root)
 /* chroot-like behavior from Apple's sandbox */
 #if __APPLE__
    #define SANDBOX_ENABLED 1
    #define DEFAULT_ALLOWED_IMPURE_PREFIXES "/System/Library /usr/lib /dev /bin/sh"
 #else
    #define SANDBOX_ENABLED 0
    #define DEFAULT_ALLOWED_IMPURE_PREFIXES ""
 #endif
-#if CHROOT_ENABLED
+/* Includes required for chroot support. */
 #if __linux__
 #include <sys/socket.h>
 #include <sys/ioctl.h>
 #include <net/if.h>
 #include <netinet/ip.h>
 #endif
 #if __linux__
 #include <sys/personality.h>
 #include <sys/mman.h>
 #include <sched.h>
 #include <sys/param.h>
 #include <sys/mount.h>
 #include <sys/syscall.h>
 #include <linux/fs.h>
 #define pivot_root(new_root, put_old) (syscall(SYS_pivot_root, new_root, put_old))
 #endif
 #if HAVE_STATVFS
@ -781,10 +761,10 @@ private:
    DirsInChroot dirsInChroot;
    typedef map<string, string> Environment;
    Environment env;
-#if SANDBOX_ENABLED
+
 #if __APPLE__
    typedef string SandboxProfile;
    SandboxProfile additionalSandboxProfile;
    AutoDelete autoDelSandbox;
 #endif
@ -1908,7 +1888,7 @@ void DerivationGoal::startBuilder()
    if (useChroot) {
        string defaultChrootDirs;
-#if CHROOT_ENABLED
+#if __linux__
        if (isInStore(BASH_PATH))
            defaultChrootDirs = "/bin/sh=" BASH_PATH;
 #endif
@ -1943,7 +1923,7 @@ void DerivationGoal::startBuilder()
        for (auto & i : closure)
            dirsInChroot[i] = i;
-#if SANDBOX_ENABLED
+#if __APPLE__
        additionalSandboxProfile = get(drv->env, "__sandboxProfile");
 #endif
        string allowed = settings.get("allowed-impure-host-deps", string(DEFAULT_ALLOWED_IMPURE_PREFIXES));
@ -1972,7 +1952,7 @@ void DerivationGoal::startBuilder()
            dirsInChroot[i] = i;
        }
-#if CHROOT_ENABLED
+#if __linux__
        /* Create a temporary directory in which we set up the chroot
           environment using bind-mounts.  We put it in the Nix store
           to ensure that we can create hard-links to non-directory
@ -2065,7 +2045,7 @@ void DerivationGoal::startBuilder()
        for (auto & i : drv->outputs)
            dirsInChroot.erase(i.second.path);
-#elif SANDBOX_ENABLED
+#elif __APPLE__
        /* We don't really have any parent prep work to do (yet?)
           All work happens in the child, instead. */
 #else
@ -2148,7 +2128,7 @@ void DerivationGoal::startBuilder()
    builderOut.create();
    /* Fork a child to build the package. */
-#if CHROOT_ENABLED
+#if __linux__
    if (useChroot) {
        /* Set up private namespaces for the build:
@ -2250,7 +2230,7 @@ void DerivationGoal::runChild()
        commonChildInit(builderOut);
-#if CHROOT_ENABLED
+#if __linux__
        if (useChroot) {
            /* Initialise the loopback interface. */
@ -2383,10 +2363,8 @@ void DerivationGoal::runChild()
            if (mkdir("real-root", 0) == -1)
                throw SysError("cannot create real-root directory");
 #define pivot_root(new_root, put_old) (syscall(SYS_pivot_root, new_root, put_old))
            if (pivot_root(".", "real-root") == -1)
                throw SysError(format("cannot pivot old root directory onto ‘%1%’") % (chrootRootDir + "/real-root"));
 #undef pivot_root
            if (chroot(".") == -1)
                throw SysError(format("cannot change root directory to ‘%1%’") % chrootRootDir);
@ -2468,7 +2446,7 @@ void DerivationGoal::runChild()
        string sandboxProfile;
        if (isBuiltin(*drv)) {
            ;
-#if SANDBOX_ENABLED
+#if __APPLE__
        } else if (useChroot) {
            /* Lots and lots and lots of file functions freak out if they can't stat their full ancestry */
            PathSet ancestry;
--- a/src/libstore/local-store.cc
+++ b/src/libstore/local-store.cc
@ -23,16 +23,11 @@
 #include <time.h>
 #include <grp.h>
-#if HAVE_UNSHARE && HAVE_STATVFS && HAVE_SYS_MOUNT_H
+#if __linux__
 #include <sched.h>
 #include <sys/statvfs.h>
 #include <sys/mount.h>
 #endif
 #if HAVE_LINUX_FS_H
 #include <linux/fs.h>
 #include <sys/ioctl.h>
 #include <errno.h>
 #endif
 #include <sqlite3.h>
@ -502,7 +497,7 @@ void LocalStore::openDB(bool create)
   bind mount.  So make the Nix store writable for this process. */
 void LocalStore::makeStoreWritable()
 {
-#if HAVE_UNSHARE && HAVE_STATVFS && HAVE_SYS_MOUNT_H && defined(MS_BIND) && defined(MS_REMOUNT)
+#if __linux__
    if (getuid() != 0) return;
    /* Check if /nix/store is on a read-only mount. */
    struct statvfs stat;
--- a/src/libutil/affinity.cc
+++ b/src/libutil/affinity.cc
@ -2,14 +2,14 @@
 #include "util.hh"
 #include "affinity.hh"
-#if HAVE_SCHED_H
+#if __linux__
 #include <sched.h>
 #endif
 namespace nix {
-#if HAVE_SCHED_SETAFFINITY
+#if __linux__
 static bool didSaveAffinity = false;
 static cpu_set_t savedAffinity;
 #endif
@ -17,7 +17,7 @@ static cpu_set_t savedAffinity;
 void setAffinityTo(int cpu)
 {
-#if HAVE_SCHED_SETAFFINITY
+#if __linux__
    if (sched_getaffinity(0, sizeof(cpu_set_t), &savedAffinity) == -1) return;
    didSaveAffinity = true;
    printMsg(lvlDebug, format("locking this thread to CPU %1%") % cpu);
@ -32,7 +32,7 @@ void setAffinityTo(int cpu)
 int lockToCurrentCPU()
 {
-#if HAVE_SCHED_SETAFFINITY
+#if __linux__
    int cpu = sched_getcpu();
    if (cpu != -1) setAffinityTo(cpu);
    return cpu;
@ -44,7 +44,7 @@ int lockToCurrentCPU()
 void restoreAffinity()
 {
-#if HAVE_SCHED_SETAFFINITY
+#if __linux__
    if (!didSaveAffinity) return;
    if (sched_setaffinity(0, sizeof(cpu_set_t), &savedAffinity) == -1)
        printMsg(lvlError, "failed to restore affinity %1%");