forked from lix-project/lix
Compare commits
7 commits
f34a895caf
...
368e3cfe82
Author | SHA1 | Date | |
---|---|---|---|
alois31 | 368e3cfe82 | ||
alois31 | 0903a99bad | ||
jade | 312f66b307 | ||
jade | 58ff8960cd | ||
alois31 | eeb7e71810 | ||
alois31 | 914b0febf7 | ||
Pierre Bourdon | e9ca5c92d2 |
8
doc/manual/rclone.conf
Normal file
8
doc/manual/rclone.conf
Normal file
|
@ -0,0 +1,8 @@
|
|||
[lix-docs]
|
||||
type = s3
|
||||
provider = Other
|
||||
env_auth = true
|
||||
endpoint = https://s3.lix.systems
|
||||
location_constraint = garage
|
||||
region = garage
|
||||
acl = private
|
|
@ -24,7 +24,6 @@ const redirects = {
|
|||
"chap-writing-nix-expressions": "language/index.html",
|
||||
"part-command-ref": "command-ref/command-ref.html",
|
||||
"conf-allow-import-from-derivation": "command-ref/conf-file.html#conf-allow-import-from-derivation",
|
||||
"conf-allow-new-privileges": "command-ref/conf-file.html#conf-allow-new-privileges",
|
||||
"conf-allowed-uris": "command-ref/conf-file.html#conf-allowed-uris",
|
||||
"conf-allowed-users": "command-ref/conf-file.html#conf-allowed-users",
|
||||
"conf-auto-optimise-store": "command-ref/conf-file.html#conf-auto-optimise-store",
|
||||
|
|
8
doc/manual/rl-next/linux-sandbox-consistency.md
Normal file
8
doc/manual/rl-next/linux-sandbox-consistency.md
Normal file
|
@ -0,0 +1,8 @@
|
|||
---
|
||||
synopsis: Enforce syscall filtering and no-new-privileges on Linux
|
||||
cls: 1063
|
||||
---
|
||||
|
||||
In order to improve consistency of the build environment, system call filtering and no-new-privileges are now unconditionally enabled on Linux.
|
||||
The `filter-syscalls` and `allow-new-privileges` options which could be used to disable these features under some circumstances have been removed.
|
||||
Furthermore, libseccomp is now a required dependency on Linux, and syscall filtering cannot be disabled at build time any more either.
|
8
doc/manual/rl-next/repl-interrupt.md
Normal file
8
doc/manual/rl-next/repl-interrupt.md
Normal file
|
@ -0,0 +1,8 @@
|
|||
---
|
||||
synopsis: Interrupting builds in the REPL works more than once
|
||||
cls: 1097
|
||||
---
|
||||
|
||||
Builds in the REPL can be interrupted by pressing Ctrl+C.
|
||||
Previously, this only worked once per REPL session; further attempts would be ignored.
|
||||
This issue is now fixed, so that builds can be canceled consistently.
|
|
@ -68,10 +68,7 @@ The most current alternative to this section is to read `package.nix` and see wh
|
|||
may also work, but ancient versions like the ubiquitous 2.5.4a
|
||||
won't.
|
||||
|
||||
- The `libseccomp` is used to provide syscall filtering on Linux. This
|
||||
is an optional dependency and can be disabled passing a
|
||||
`--disable-seccomp-sandboxing` option to the `configure` script (Not
|
||||
recommended unless your system doesn't support `libseccomp`). To get
|
||||
- The `libseccomp` is used to provide syscall filtering on Linux. To get
|
||||
the library, visit <https://github.com/seccomp/libseccomp>.
|
||||
|
||||
- On 64-bit x86 machines only, `libcpuid` library
|
||||
|
|
40
maintainers/upload_manual.sh
Executable file
40
maintainers/upload_manual.sh
Executable file
|
@ -0,0 +1,40 @@
|
|||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
|
||||
cd "$(dirname -- "$0")/.."
|
||||
|
||||
# This script uploads the Lix manual to the Lix s3 store.
|
||||
# It expects credentials to be configured like so:
|
||||
#
|
||||
# ~/.aws/credentials:
|
||||
#
|
||||
# [default]
|
||||
# aws_access_key_id = SOMEACCESSKEY
|
||||
# aws_secret_access_key = SOMESECRETKEY
|
||||
#
|
||||
# default can also be replaced by some other string if AWS_PROFILE is set in
|
||||
# environment.
|
||||
#
|
||||
# See: https://rclone.org/s3/#authentication
|
||||
#
|
||||
# To obtain such a key, log into the garage host and run:
|
||||
# (obtain GARAGE_RPC_SECRET into environment perhaps by systemctl cat garage)
|
||||
# garage key create SOME-KEY-NAME
|
||||
# garage bucket allow --read --write docs --key SOME-KEY-NAME
|
||||
|
||||
if [[ ! -f result-doc/share/doc/nix/manual/index.html ]]; then
|
||||
echo -e "result-doc does not appear to contain a Lix manual. You can build one with:\n nix build '.#default^*'" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# --checksum: https://rclone.org/s3/#avoiding-head-requests-to-read-the-modification-time
|
||||
# By default rclone uses the modification time to determine if something needs
|
||||
# syncing. This is actually very bad for our use case, since we have small
|
||||
# files that have meaningless (Unix epoch) local modification time data. We can
|
||||
# make it go both 16x faster and more correct by using md5s instead.
|
||||
rclone \
|
||||
--config doc/manual/rclone.conf \
|
||||
-vv \
|
||||
sync \
|
||||
--checksum \
|
||||
result-doc/share/doc/nix/manual/ lix-docs:docs/manual/nightly/
|
|
@ -180,11 +180,7 @@ configdata += {
|
|||
deps += cpuid
|
||||
|
||||
# seccomp only makes sense on Linux
|
||||
seccomp_required = is_linux ? get_option('seccomp-sandboxing') : false
|
||||
seccomp = dependency('libseccomp', 'seccomp', required : seccomp_required, version : '>=2.5.5')
|
||||
configdata += {
|
||||
'HAVE_SECCOMP': seccomp.found().to_int(),
|
||||
}
|
||||
seccomp = dependency('libseccomp', 'seccomp', required : is_linux, version : '>=2.5.5')
|
||||
|
||||
libarchive = dependency('libarchive', required : true)
|
||||
deps += libarchive
|
||||
|
|
|
@ -16,10 +16,6 @@ option('cpuid', type : 'feature',
|
|||
description : 'determine microarchitecture levels with libcpuid (only relevant on x86_64)',
|
||||
)
|
||||
|
||||
option('seccomp-sandboxing', type : 'feature',
|
||||
description : 'build support for seccomp sandboxing (recommended unless your arch doesn\'t support libseccomp, only relevant on Linux)',
|
||||
)
|
||||
|
||||
option('sandbox-shell', type : 'string', value : 'busybox',
|
||||
description : 'path to a statically-linked shell to use as /bin/sh in sandboxes (usually busybox)',
|
||||
)
|
||||
|
|
|
@ -262,6 +262,8 @@ ReplExitStatus NixRepl::mainLoop()
|
|||
std::string input;
|
||||
|
||||
while (true) {
|
||||
_isInterrupted = false;
|
||||
|
||||
// When continuing input from previous lines, don't print a prompt, just align to the same
|
||||
// number of chars as the prompt.
|
||||
if (!interacter->getLine(input, input.empty() ? ReplPromptType::ReplPrompt : ReplPromptType::ContinuationPrompt)) {
|
||||
|
@ -424,8 +426,6 @@ ProcessLineResult NixRepl::processLine(std::string line)
|
|||
if (line.empty())
|
||||
return ProcessLineResult::PromptAgain;
|
||||
|
||||
_isInterrupted = false;
|
||||
|
||||
std::string command, arg;
|
||||
|
||||
if (line[0] == ':') {
|
||||
|
|
|
@ -320,16 +320,7 @@ int handleExceptions(const std::string & programName, std::function<void()> fun)
|
|||
|
||||
std::string error = ANSI_RED "error:" ANSI_NORMAL " ";
|
||||
try {
|
||||
try {
|
||||
fun();
|
||||
} catch (...) {
|
||||
/* Subtle: we have to make sure that any `interrupted'
|
||||
condition is discharged before we reach printMsg()
|
||||
below, since otherwise it will throw an (uncaught)
|
||||
exception. */
|
||||
setInterruptThrown();
|
||||
throw;
|
||||
}
|
||||
fun();
|
||||
} catch (Exit & e) {
|
||||
return e.status;
|
||||
} catch (UsageError & e) {
|
||||
|
|
|
@ -45,9 +45,6 @@
|
|||
#include <sys/param.h>
|
||||
#include <sys/mount.h>
|
||||
#include <sys/syscall.h>
|
||||
#if HAVE_SECCOMP
|
||||
#include <seccomp.h>
|
||||
#endif
|
||||
#define pivot_root(new_root, put_old) (syscall(SYS_pivot_root, new_root, put_old))
|
||||
#endif
|
||||
|
||||
|
|
|
@ -43,9 +43,7 @@
|
|||
#include <sys/mount.h>
|
||||
#include <sys/prctl.h>
|
||||
#include <sys/syscall.h>
|
||||
#if HAVE_SECCOMP
|
||||
#include <seccomp.h>
|
||||
#endif
|
||||
#define pivot_root(new_root, put_old) (syscall(SYS_pivot_root, new_root, put_old))
|
||||
#endif
|
||||
|
||||
|
@ -1618,8 +1616,6 @@ void LocalDerivationGoal::chownToBuilder(const Path & path)
|
|||
void setupSeccomp()
|
||||
{
|
||||
#if __linux__
|
||||
if (!settings.filterSyscalls) return;
|
||||
#if HAVE_SECCOMP
|
||||
scmp_filter_ctx ctx;
|
||||
|
||||
if (!(ctx = seccomp_init(SCMP_ACT_ALLOW)))
|
||||
|
@ -1684,16 +1680,14 @@ void setupSeccomp()
|
|||
seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOTSUP), SCMP_SYS(fsetxattr), 0) != 0)
|
||||
throw SysError("unable to add seccomp rule");
|
||||
|
||||
if (seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, settings.allowNewPrivileges ? 0 : 1) != 0)
|
||||
// Set the NO_NEW_PRIVS prctl flag.
|
||||
// This both makes loading seccomp filters work for unprivileged users,
|
||||
// and is an additional security measure in its own right.
|
||||
if (seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 1) != 0)
|
||||
throw SysError("unable to set 'no new privileges' seccomp attribute");
|
||||
|
||||
if (seccomp_load(ctx) != 0)
|
||||
throw SysError("unable to load seccomp BPF program");
|
||||
#else
|
||||
throw Error(
|
||||
"seccomp is not supported on this platform; "
|
||||
"you can bypass this error by setting the option 'filter-syscalls' to false, but note that untrusted builds can then create setuid binaries!");
|
||||
#endif
|
||||
#endif
|
||||
}
|
||||
|
||||
|
@ -1960,10 +1954,6 @@ void LocalDerivationGoal::runChild()
|
|||
throw SysError("setuid failed");
|
||||
|
||||
setUser = false;
|
||||
|
||||
// Make sure we can't possibly gain new privileges in the sandbox
|
||||
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
|
||||
throw SysError("PR_SET_NO_NEW_PRIVS failed");
|
||||
}
|
||||
#endif
|
||||
|
||||
|
|
|
@ -903,29 +903,6 @@ public:
|
|||
)"};
|
||||
|
||||
#if __linux__
|
||||
Setting<bool> filterSyscalls{
|
||||
this, true, "filter-syscalls",
|
||||
R"(
|
||||
Whether to prevent certain dangerous system calls, such as
|
||||
creation of setuid/setgid files or adding ACLs or extended
|
||||
attributes. Only disable this if you're aware of the
|
||||
security implications.
|
||||
)"};
|
||||
|
||||
Setting<bool> allowNewPrivileges{
|
||||
this, false, "allow-new-privileges",
|
||||
R"(
|
||||
(Linux-specific.) By default, builders on Linux cannot acquire new
|
||||
privileges by calling setuid/setgid programs or programs that have
|
||||
file capabilities. For example, programs such as `sudo` or `ping`
|
||||
will fail. (Note that in sandbox builds, no such programs are
|
||||
available unless you bind-mount them into the sandbox via the
|
||||
`sandbox-paths` option.) You can allow the use of such programs by
|
||||
enabling this option. This is impure and usually undesirable, but
|
||||
may be useful in certain scenarios (e.g. to spin up containers or
|
||||
set up userspace network interfaces in tests).
|
||||
)"};
|
||||
|
||||
Setting<StringSet> ignoredAcls{
|
||||
this, {"security.selinux", "system.nfs4_acl", "security.csm"}, "ignored-acls",
|
||||
R"(
|
||||
|
|
|
@ -20,18 +20,16 @@
|
|||
#pragma once
|
||||
///@file
|
||||
|
||||
#if HAVE_SECCOMP
|
||||
# if defined(__alpha__)
|
||||
# define NIX_SYSCALL_FCHMODAT2 562
|
||||
# elif defined(__x86_64__) && SIZE_MAX == 0xFFFFFFFF // x32
|
||||
# define NIX_SYSCALL_FCHMODAT2 1073742276
|
||||
# elif defined(__mips__) && defined(__mips64) && defined(_ABIN64) // mips64/n64
|
||||
# define NIX_SYSCALL_FCHMODAT2 5452
|
||||
# elif defined(__mips__) && defined(__mips64) && defined(_ABIN32) // mips64/n32
|
||||
# define NIX_SYSCALL_FCHMODAT2 6452
|
||||
# elif defined(__mips__) && defined(_ABIO32) // mips32
|
||||
# define NIX_SYSCALL_FCHMODAT2 4452
|
||||
# else
|
||||
# define NIX_SYSCALL_FCHMODAT2 452
|
||||
# endif
|
||||
#endif // HAVE_SECCOMP
|
||||
#if defined(__alpha__)
|
||||
# define NIX_SYSCALL_FCHMODAT2 562
|
||||
#elif defined(__x86_64__) && SIZE_MAX == 0xFFFFFFFF // x32
|
||||
# define NIX_SYSCALL_FCHMODAT2 1073742276
|
||||
#elif defined(__mips__) && defined(__mips64) && defined(_ABIN64) // mips64/n64
|
||||
# define NIX_SYSCALL_FCHMODAT2 5452
|
||||
#elif defined(__mips__) && defined(__mips64) && defined(_ABIN32) // mips64/n32
|
||||
# define NIX_SYSCALL_FCHMODAT2 6452
|
||||
#elif defined(__mips__) && defined(_ABIO32) // mips32
|
||||
# define NIX_SYSCALL_FCHMODAT2 4452
|
||||
#else
|
||||
# define NIX_SYSCALL_FCHMODAT2 452
|
||||
#endif
|
||||
|
|
|
@ -210,7 +210,6 @@ libstore = library(
|
|||
seccomp,
|
||||
sqlite,
|
||||
sodium,
|
||||
seccomp,
|
||||
curl,
|
||||
openssl,
|
||||
aws_sdk,
|
||||
|
|
|
@ -9,21 +9,14 @@ namespace nix {
|
|||
|
||||
std::atomic<bool> _isInterrupted = false;
|
||||
|
||||
static thread_local bool interruptThrown = false;
|
||||
thread_local std::function<bool()> interruptCheck;
|
||||
|
||||
void setInterruptThrown()
|
||||
{
|
||||
interruptThrown = true;
|
||||
}
|
||||
|
||||
void _interrupted()
|
||||
{
|
||||
/* Block user interrupts while an exception is being handled.
|
||||
Throwing an exception while another exception is being handled
|
||||
kills the program! */
|
||||
if (!interruptThrown && !std::uncaught_exceptions()) {
|
||||
interruptThrown = true;
|
||||
if (!std::uncaught_exceptions()) {
|
||||
throw Interrupted("interrupted by the user");
|
||||
}
|
||||
}
|
||||
|
|
|
@ -22,8 +22,6 @@ extern std::atomic<bool> _isInterrupted;
|
|||
|
||||
extern thread_local std::function<bool()> interruptCheck;
|
||||
|
||||
void setInterruptThrown();
|
||||
|
||||
void _interrupted();
|
||||
|
||||
void inline checkInterrupt()
|
||||
|
|
|
@ -54,8 +54,6 @@ export busybox="@sandbox_shell@"
|
|||
export version=@PACKAGE_VERSION@
|
||||
export system=@system@
|
||||
|
||||
export BUILD_SHARED_LIBS=@BUILD_SHARED_LIBS@
|
||||
|
||||
export IMPURE_VAR1=foo
|
||||
export IMPURE_VAR2=bar
|
||||
|
||||
|
|
|
@ -7,7 +7,6 @@ test_confdata = {
|
|||
'sandbox_shell': busybox.found() ? busybox.full_path() : '',
|
||||
'PACKAGE_VERSION': meson.project_version(),
|
||||
'system': host_system,
|
||||
'BUILD_SHARED_LIBS': '1', # XXX(Qyriad): detect this!
|
||||
}
|
||||
|
||||
# Just configures `common/vars-and-functions.sh.in`.
|
||||
|
@ -180,11 +179,15 @@ functional_tests_scripts = [
|
|||
'read-only-store.sh',
|
||||
'nested-sandboxing.sh',
|
||||
'debugger.sh',
|
||||
'plugins.sh',
|
||||
'test-libstoreconsumer.sh',
|
||||
'extra-sandbox-profile.sh',
|
||||
]
|
||||
|
||||
# Plugin tests require shared libraries support.
|
||||
if get_option('default_library') != 'static'
|
||||
functional_tests_scripts += ['plugins.sh']
|
||||
endif
|
||||
|
||||
# TODO(Qyriad): this will hopefully be able to be removed when we remove the autoconf+Make
|
||||
# buildsystem. See the comments at the top of setup-functional-tests.py for why this is here.
|
||||
meson.add_install_script(
|
||||
|
|
|
@ -1,9 +1,5 @@
|
|||
source common.sh
|
||||
|
||||
if [[ $BUILD_SHARED_LIBS != 1 ]]; then
|
||||
skipTest "Plugins are not supported"
|
||||
fi
|
||||
|
||||
# FIXME(Qyriad): this is working around Meson putting `libplugintest.so.p` in the same place
|
||||
# as `libplugintest.so`, so `libplugintest.*` grabs both.
|
||||
libext=so
|
||||
|
|
|
@ -1,11 +1,16 @@
|
|||
{ lib, nixpkgs, nixpkgsFor }:
|
||||
{
|
||||
lib,
|
||||
nixpkgs,
|
||||
nixpkgsFor,
|
||||
}:
|
||||
|
||||
let
|
||||
|
||||
nixos-lib = import (nixpkgs + "/nixos/lib") { };
|
||||
|
||||
# https://nixos.org/manual/nixos/unstable/index.html#sec-calling-nixos-tests
|
||||
runNixOSTestFor = system: test:
|
||||
runNixOSTestFor =
|
||||
system: test:
|
||||
(nixos-lib.runTest {
|
||||
imports = [ test ];
|
||||
hostPkgs = nixpkgsFor.${system}.native;
|
||||
|
@ -20,21 +25,25 @@ let
|
|||
# allow running tests against older nix versions via `nix eval --apply`
|
||||
# Example:
|
||||
# nix build "$(nix eval --raw --impure .#hydraJobs.tests.fetch-git --apply 't: (t.forNix "2.19.2").drvPath')^*"
|
||||
forNix = nixVersion: runNixOSTestFor system {
|
||||
imports = [test];
|
||||
defaults.nixpkgs.overlays = [(curr: prev: {
|
||||
nix = (builtins.getFlake "nix/${nixVersion}").packages.${system}.nix;
|
||||
})];
|
||||
};
|
||||
forNix =
|
||||
nixVersion:
|
||||
runNixOSTestFor system {
|
||||
imports = [ test ];
|
||||
defaults.nixpkgs.overlays = [
|
||||
(curr: prev: { nix = (builtins.getFlake "nix/${nixVersion}").packages.${system}.nix; })
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
# Checks that a NixOS configuration does not contain any references to our
|
||||
# locally defined Nix version.
|
||||
checkOverrideNixVersion = { pkgs, lib, ... }: {
|
||||
# pkgs.nix: The new Nix in this repo
|
||||
# We disallow it, to make sure we don't accidentally use it.
|
||||
system.forbiddenDependenciesRegex = lib.strings.escapeRegex "nix-${pkgs.nix.version}";
|
||||
};
|
||||
checkOverrideNixVersion =
|
||||
{ pkgs, lib, ... }:
|
||||
{
|
||||
# pkgs.nix: The new Nix in this repo
|
||||
# We disallow it, to make sure we don't accidentally use it.
|
||||
system.forbiddenDependenciesRegex = lib.strings.escapeRegex "nix-${pkgs.nix.version}";
|
||||
};
|
||||
in
|
||||
|
||||
{
|
||||
|
@ -47,42 +56,59 @@ in
|
|||
remoteBuilds_remote_2_3 = runNixOSTestFor "x86_64-linux" {
|
||||
name = "remoteBuilds_remote_2_3";
|
||||
imports = [ ./remote-builds.nix ];
|
||||
builders.config = { lib, pkgs, ... }: {
|
||||
imports = [ checkOverrideNixVersion ];
|
||||
nix.package = lib.mkForce pkgs.nixVersions.nix_2_3;
|
||||
};
|
||||
builders.config =
|
||||
{ lib, pkgs, ... }:
|
||||
{
|
||||
imports = [ checkOverrideNixVersion ];
|
||||
nix.package = lib.mkForce pkgs.nixVersions.nix_2_3;
|
||||
};
|
||||
};
|
||||
|
||||
remoteBuilds_remote_2_13 = runNixOSTestFor "x86_64-linux" ({ lib, pkgs, ... }: {
|
||||
name = "remoteBuilds_remote_2_13";
|
||||
imports = [ ./remote-builds.nix ];
|
||||
builders.config = { lib, pkgs, ... }: {
|
||||
imports = [ checkOverrideNixVersion ];
|
||||
nix.package = lib.mkForce pkgs.nixVersions.nix_2_13;
|
||||
};
|
||||
});
|
||||
remoteBuilds_remote_2_13 = runNixOSTestFor "x86_64-linux" (
|
||||
{ lib, pkgs, ... }:
|
||||
{
|
||||
name = "remoteBuilds_remote_2_13";
|
||||
imports = [ ./remote-builds.nix ];
|
||||
builders.config =
|
||||
{ lib, pkgs, ... }:
|
||||
{
|
||||
imports = [ checkOverrideNixVersion ];
|
||||
nix.package = lib.mkForce pkgs.nixVersions.nix_2_13;
|
||||
};
|
||||
}
|
||||
);
|
||||
|
||||
# TODO: (nixpkgs update) remoteBuilds_remote_2_18 = ...
|
||||
|
||||
# Test our Nix as a builder for clients that are older
|
||||
|
||||
remoteBuilds_local_2_3 = runNixOSTestFor "x86_64-linux" ({ lib, pkgs, ... }: {
|
||||
name = "remoteBuilds_local_2_3";
|
||||
imports = [ ./remote-builds.nix ];
|
||||
nodes.client = { lib, pkgs, ... }: {
|
||||
imports = [ checkOverrideNixVersion ];
|
||||
nix.package = lib.mkForce pkgs.nixVersions.nix_2_3;
|
||||
};
|
||||
});
|
||||
remoteBuilds_local_2_3 = runNixOSTestFor "x86_64-linux" (
|
||||
{ lib, pkgs, ... }:
|
||||
{
|
||||
name = "remoteBuilds_local_2_3";
|
||||
imports = [ ./remote-builds.nix ];
|
||||
nodes.client =
|
||||
{ lib, pkgs, ... }:
|
||||
{
|
||||
imports = [ checkOverrideNixVersion ];
|
||||
nix.package = lib.mkForce pkgs.nixVersions.nix_2_3;
|
||||
};
|
||||
}
|
||||
);
|
||||
|
||||
remoteBuilds_local_2_13 = runNixOSTestFor "x86_64-linux" ({ lib, pkgs, ... }: {
|
||||
name = "remoteBuilds_local_2_13";
|
||||
imports = [ ./remote-builds.nix ];
|
||||
nodes.client = { lib, pkgs, ... }: {
|
||||
imports = [ checkOverrideNixVersion ];
|
||||
nix.package = lib.mkForce pkgs.nixVersions.nix_2_13;
|
||||
};
|
||||
});
|
||||
remoteBuilds_local_2_13 = runNixOSTestFor "x86_64-linux" (
|
||||
{ lib, pkgs, ... }:
|
||||
{
|
||||
name = "remoteBuilds_local_2_13";
|
||||
imports = [ ./remote-builds.nix ];
|
||||
nodes.client =
|
||||
{ lib, pkgs, ... }:
|
||||
{
|
||||
imports = [ checkOverrideNixVersion ];
|
||||
nix.package = lib.mkForce pkgs.nixVersions.nix_2_13;
|
||||
};
|
||||
}
|
||||
);
|
||||
|
||||
# TODO: (nixpkgs update) remoteBuilds_local_2_18 = ...
|
||||
|
||||
|
@ -95,19 +121,23 @@ in
|
|||
remoteBuildsSshNg_remote_2_3 = runNixOSTestFor "x86_64-linux" {
|
||||
name = "remoteBuildsSshNg_remote_2_3";
|
||||
imports = [ ./remote-builds-ssh-ng.nix ];
|
||||
builders.config = { lib, pkgs, ... }: {
|
||||
imports = [ checkOverrideNixVersion ];
|
||||
nix.package = lib.mkForce pkgs.nixVersions.nix_2_3;
|
||||
};
|
||||
builders.config =
|
||||
{ lib, pkgs, ... }:
|
||||
{
|
||||
imports = [ checkOverrideNixVersion ];
|
||||
nix.package = lib.mkForce pkgs.nixVersions.nix_2_3;
|
||||
};
|
||||
};
|
||||
|
||||
remoteBuildsSshNg_remote_2_13 = runNixOSTestFor "x86_64-linux" {
|
||||
name = "remoteBuildsSshNg_remote_2_13";
|
||||
imports = [ ./remote-builds-ssh-ng.nix ];
|
||||
builders.config = { lib, pkgs, ... }: {
|
||||
imports = [ checkOverrideNixVersion ];
|
||||
nix.package = lib.mkForce pkgs.nixVersions.nix_2_13;
|
||||
};
|
||||
builders.config =
|
||||
{ lib, pkgs, ... }:
|
||||
{
|
||||
imports = [ checkOverrideNixVersion ];
|
||||
nix.package = lib.mkForce pkgs.nixVersions.nix_2_13;
|
||||
};
|
||||
};
|
||||
|
||||
# TODO: (nixpkgs update) remoteBuildsSshNg_remote_2_18 = ...
|
||||
|
@ -116,25 +146,25 @@ in
|
|||
|
||||
# FIXME: these tests don't work yet
|
||||
/*
|
||||
remoteBuildsSshNg_local_2_3 = runNixOSTestFor "x86_64-linux" ({ lib, pkgs, ... }: {
|
||||
name = "remoteBuildsSshNg_local_2_3";
|
||||
imports = [ ./remote-builds-ssh-ng.nix ];
|
||||
nodes.client = { lib, pkgs, ... }: {
|
||||
imports = [ checkOverrideNixVersion ];
|
||||
nix.package = lib.mkForce pkgs.nixVersions.nix_2_3;
|
||||
};
|
||||
});
|
||||
remoteBuildsSshNg_local_2_3 = runNixOSTestFor "x86_64-linux" ({ lib, pkgs, ... }: {
|
||||
name = "remoteBuildsSshNg_local_2_3";
|
||||
imports = [ ./remote-builds-ssh-ng.nix ];
|
||||
nodes.client = { lib, pkgs, ... }: {
|
||||
imports = [ checkOverrideNixVersion ];
|
||||
nix.package = lib.mkForce pkgs.nixVersions.nix_2_3;
|
||||
};
|
||||
});
|
||||
|
||||
remoteBuildsSshNg_local_2_13 = runNixOSTestFor "x86_64-linux" ({ lib, pkgs, ... }: {
|
||||
name = "remoteBuildsSshNg_local_2_13";
|
||||
imports = [ ./remote-builds-ssh-ng.nix ];
|
||||
nodes.client = { lib, pkgs, ... }: {
|
||||
imports = [ checkOverrideNixVersion ];
|
||||
nix.package = lib.mkForce pkgs.nixVersions.nix_2_13;
|
||||
};
|
||||
});
|
||||
remoteBuildsSshNg_local_2_13 = runNixOSTestFor "x86_64-linux" ({ lib, pkgs, ... }: {
|
||||
name = "remoteBuildsSshNg_local_2_13";
|
||||
imports = [ ./remote-builds-ssh-ng.nix ];
|
||||
nodes.client = { lib, pkgs, ... }: {
|
||||
imports = [ checkOverrideNixVersion ];
|
||||
nix.package = lib.mkForce pkgs.nixVersions.nix_2_13;
|
||||
};
|
||||
});
|
||||
|
||||
# TODO: (nixpkgs update) remoteBuildsSshNg_local_2_18 = ...
|
||||
# TODO: (nixpkgs update) remoteBuildsSshNg_local_2_18 = ...
|
||||
*/
|
||||
|
||||
nix-copy-closure = runNixOSTestFor "x86_64-linux" ./nix-copy-closure.nix;
|
||||
|
@ -153,9 +183,10 @@ in
|
|||
|
||||
containers = runNixOSTestFor "x86_64-linux" ./containers/containers.nix;
|
||||
|
||||
setuid = lib.genAttrs
|
||||
["i686-linux" "x86_64-linux"]
|
||||
(system: runNixOSTestFor system ./setuid/setuid.nix);
|
||||
setuid = lib.genAttrs [
|
||||
"i686-linux"
|
||||
"x86_64-linux"
|
||||
] (system: runNixOSTestFor system ./setuid/setuid.nix);
|
||||
|
||||
ca-fd-leak = runNixOSTestFor "x86_64-linux" ./ca-fd-leak;
|
||||
|
||||
|
@ -163,7 +194,9 @@ in
|
|||
|
||||
symlinkResolvconf = runNixOSTestFor "x86_64-linux" ./symlink-resolvconf.nix;
|
||||
|
||||
rootInSandbox = runNixOSTestFor "x86_64-linux" ./root-in-sandbox;
|
||||
noNewPrivilegesInSandbox = runNixOSTestFor "x86_64-linux" ./no-new-privileges/sandbox.nix;
|
||||
|
||||
noNewPrivilegesOutsideSandbox = runNixOSTestFor "x86_64-linux" ./no-new-privileges/no-sandbox.nix;
|
||||
|
||||
broken-userns = runNixOSTestFor "x86_64-linux" ./broken-userns.nix;
|
||||
}
|
||||
|
|
21
tests/nixos/no-new-privileges/no-sandbox.nix
Normal file
21
tests/nixos/no-new-privileges/no-sandbox.nix
Normal file
|
@ -0,0 +1,21 @@
|
|||
let
|
||||
inherit (import ../util.nix) mkNixBuildTest;
|
||||
in
|
||||
mkNixBuildTest {
|
||||
name = "no-new-privileges-outside-sandbox";
|
||||
extraMachineConfig =
|
||||
{ pkgs, ... }:
|
||||
{
|
||||
security.wrappers.ohno = {
|
||||
owner = "root";
|
||||
group = "root";
|
||||
capabilities = "cap_sys_nice=eip";
|
||||
source = "${pkgs.libcap}/bin/getpcaps";
|
||||
};
|
||||
nix.settings = {
|
||||
extra-sandbox-paths = [ "/run/wrappers/bin/ohno" ];
|
||||
sandbox = false;
|
||||
};
|
||||
};
|
||||
expressionFile = ./package.nix;
|
||||
}
|
8
tests/nixos/no-new-privileges/package.nix
Normal file
8
tests/nixos/no-new-privileges/package.nix
Normal file
|
@ -0,0 +1,8 @@
|
|||
{ runCommand, libcap }:
|
||||
runCommand "cant-get-capabilities" { nativeBuildInputs = [ libcap.out ]; } ''
|
||||
if /run/wrappers/bin/ohno; then
|
||||
echo "Oh no! We gained capabilities!"
|
||||
exit 1
|
||||
fi
|
||||
touch $out
|
||||
''
|
18
tests/nixos/no-new-privileges/sandbox.nix
Normal file
18
tests/nixos/no-new-privileges/sandbox.nix
Normal file
|
@ -0,0 +1,18 @@
|
|||
let
|
||||
inherit (import ../util.nix) mkNixBuildTest;
|
||||
in
|
||||
mkNixBuildTest {
|
||||
name = "no-new-privileges-in-sandbox";
|
||||
extraMachineConfig =
|
||||
{ pkgs, ... }:
|
||||
{
|
||||
security.wrappers.ohno = {
|
||||
owner = "root";
|
||||
group = "root";
|
||||
capabilities = "cap_sys_nice=eip";
|
||||
source = "${pkgs.libcap}/bin/getpcaps";
|
||||
};
|
||||
nix.settings.extra-sandbox-paths = [ "/run/wrappers/bin/ohno" ];
|
||||
};
|
||||
expressionFile = ./package.nix;
|
||||
}
|
|
@ -1,15 +0,0 @@
|
|||
let
|
||||
inherit (import ../util.nix) mkNixBuildTest;
|
||||
in mkNixBuildTest {
|
||||
name = "root-in-sandbox";
|
||||
extraMachineConfig = { pkgs, ... }: {
|
||||
security.wrappers.ohno = {
|
||||
owner = "root";
|
||||
group = "root";
|
||||
setuid = true;
|
||||
source = "${pkgs.coreutils}/bin/whoami";
|
||||
};
|
||||
nix.settings.extra-sandbox-paths = ["/run/wrappers/bin"];
|
||||
};
|
||||
expressionFile = ./package.nix;
|
||||
}
|
|
@ -1,8 +0,0 @@
|
|||
{ runCommand }:
|
||||
runCommand "cant-get-root-in-sandbox" {} ''
|
||||
if /run/wrappers/bin/ohno; then
|
||||
echo "Oh no! We're root in the sandbox!"
|
||||
exit 1
|
||||
fi
|
||||
touch $out
|
||||
''
|
Loading…
Reference in a new issue