2024-03-01 20:15:44 +00:00
|
|
|
{
|
|
|
|
pkgs,
|
|
|
|
lib,
|
|
|
|
stdenv,
|
|
|
|
autoconf-archive,
|
|
|
|
autoreconfHook,
|
|
|
|
aws-sdk-cpp,
|
2024-04-06 21:44:27 +00:00
|
|
|
# If the patched version of Boehm isn't passed, then patch it based off of
|
|
|
|
# pkgs.boehmgc. This allows `callPackage`ing this file without needing to
|
|
|
|
# to implement behavior that this package flat out doesn't build without
|
|
|
|
# anyway, but also allows easily overriding the patch logic.
|
|
|
|
boehmgc-nix ? __forDefaults.boehmgc-nix,
|
2024-03-01 20:15:44 +00:00
|
|
|
boehmgc,
|
|
|
|
nlohmann_json,
|
|
|
|
bison,
|
2024-03-26 17:32:25 +00:00
|
|
|
build-release-notes,
|
2024-03-01 20:15:44 +00:00
|
|
|
boost,
|
|
|
|
brotli,
|
|
|
|
bzip2,
|
2024-03-27 02:36:17 +00:00
|
|
|
cmake,
|
2024-03-01 20:15:44 +00:00
|
|
|
curl,
|
2024-03-09 04:09:11 +00:00
|
|
|
doxygen,
|
2024-03-01 20:15:44 +00:00
|
|
|
editline,
|
libstore/local-derivation-goal: prohibit creating setuid/setgid binaries
With Linux kernel >=6.6 & glibc 2.39 a `fchmodat2(2)` is available that
isn't filtered away by the libseccomp sandbox.
Being able to use this to bypass that restriction has surprising results
for some builds such as lxc[1]:
> With kernel ≥6.6 and glibc 2.39, lxc's install phase uses fchmodat2,
> which slips through https://github.com/NixOS/nix/blob/9b88e5284608116b7db0dbd3d5dd7a33b90d52d7/src/libstore/build/local-derivation-goal.cc#L1650-L1663.
> The fixupPhase then uses fchmodat, which fails.
> With older kernel or glibc, setting the suid bit fails in the
> install phase, which is not treated as fatal, and then the
> fixup phase does not try to set it again.
Please note that there are still ways to bypass this sandbox[2] and this is
mostly a fix for the breaking builds.
This change works by creating a syscall filter for the `fchmodat2`
syscall (number 452 on most systems). The problem is that glibc 2.39
is needed to have the correct syscall number available via
`__NR_fchmodat2` / `__SNR_fchmodat2`, but this flake is still on
nixpkgs 23.11. To have this change everywhere and not dependent on the
glibc this package is built against, I added a header
"fchmodat2-compat.hh" that sets the syscall number based on the
architecture. On most platforms its 452 according to glibc with a few
exceptions:
$ rg --pcre2 'define __NR_fchmodat2 (?!452)'
sysdeps/unix/sysv/linux/x86_64/x32/arch-syscall.h
58:#define __NR_fchmodat2 1073742276
sysdeps/unix/sysv/linux/mips/mips64/n32/arch-syscall.h
67:#define __NR_fchmodat2 6452
sysdeps/unix/sysv/linux/mips/mips64/n64/arch-syscall.h
62:#define __NR_fchmodat2 5452
sysdeps/unix/sysv/linux/mips/mips32/arch-syscall.h
70:#define __NR_fchmodat2 4452
sysdeps/unix/sysv/linux/alpha/arch-syscall.h
59:#define __NR_fchmodat2 562
I added a small regression-test to the setuid integration-test that
attempts to set the suid bit on a file using the fchmodat2 syscall.
I confirmed that the test fails without the change in
local-derivation-goal.
Additionally, we require libseccomp 2.5.5 or greater now: as it turns
out, libseccomp maintains an internal syscall table and
validates each rule against it. This means that when using libseccomp
2.5.4 or older, one may pass `452` as syscall number against it, but
since it doesn't exist in the internal structure, `libseccomp` will refuse
to create a filter for that. This happens with nixpkgs-23.11, i.e. on
stable NixOS and when building Lix against the project's flake.
To work around that
* a backport of libseccomp 2.5.5 on upstream nixpkgs has been
scheduled[3].
* the package now uses libseccomp 2.5.5 on its own already. This is to
provide a quick fix since the correct fix for 23.11 is still a staging cycle
away.
We still need the compat header though since `SCMP_SYS(fchmodat2)`
internally transforms this into `__SNR_fchmodat2` which points to
`__NR_fchmodat2` from glibc 2.39, so it wouldn't build on glibc 2.38.
The updated syscall table from libseccomp 2.5.5 is NOT used for that
step, but used later, so we need both, our compat header and their
syscall table 🤷
Relevant PRs in CppNix:
* https://github.com/NixOS/nix/pull/10591
* https://github.com/NixOS/nix/pull/10501
[1] https://github.com/NixOS/nixpkgs/issues/300635#issuecomment-2031073804
[2] https://github.com/NixOS/nixpkgs/issues/300635#issuecomment-2030844251
[3] https://github.com/NixOS/nixpkgs/pull/306070
(cherry picked from commit ba6804518772e6afb403dd55478365d4b863c854)
Change-Id: I6921ab5a363188c6bff617750d00bb517276b7fe
2024-04-14 12:10:23 +00:00
|
|
|
fetchurl,
|
2024-03-01 20:15:44 +00:00
|
|
|
flex,
|
|
|
|
git,
|
|
|
|
gtest,
|
|
|
|
jq,
|
|
|
|
libarchive,
|
|
|
|
libcpuid,
|
libstore/local-derivation-goal: prohibit creating setuid/setgid binaries
With Linux kernel >=6.6 & glibc 2.39 a `fchmodat2(2)` is available that
isn't filtered away by the libseccomp sandbox.
Being able to use this to bypass that restriction has surprising results
for some builds such as lxc[1]:
> With kernel ≥6.6 and glibc 2.39, lxc's install phase uses fchmodat2,
> which slips through https://github.com/NixOS/nix/blob/9b88e5284608116b7db0dbd3d5dd7a33b90d52d7/src/libstore/build/local-derivation-goal.cc#L1650-L1663.
> The fixupPhase then uses fchmodat, which fails.
> With older kernel or glibc, setting the suid bit fails in the
> install phase, which is not treated as fatal, and then the
> fixup phase does not try to set it again.
Please note that there are still ways to bypass this sandbox[2] and this is
mostly a fix for the breaking builds.
This change works by creating a syscall filter for the `fchmodat2`
syscall (number 452 on most systems). The problem is that glibc 2.39
is needed to have the correct syscall number available via
`__NR_fchmodat2` / `__SNR_fchmodat2`, but this flake is still on
nixpkgs 23.11. To have this change everywhere and not dependent on the
glibc this package is built against, I added a header
"fchmodat2-compat.hh" that sets the syscall number based on the
architecture. On most platforms its 452 according to glibc with a few
exceptions:
$ rg --pcre2 'define __NR_fchmodat2 (?!452)'
sysdeps/unix/sysv/linux/x86_64/x32/arch-syscall.h
58:#define __NR_fchmodat2 1073742276
sysdeps/unix/sysv/linux/mips/mips64/n32/arch-syscall.h
67:#define __NR_fchmodat2 6452
sysdeps/unix/sysv/linux/mips/mips64/n64/arch-syscall.h
62:#define __NR_fchmodat2 5452
sysdeps/unix/sysv/linux/mips/mips32/arch-syscall.h
70:#define __NR_fchmodat2 4452
sysdeps/unix/sysv/linux/alpha/arch-syscall.h
59:#define __NR_fchmodat2 562
I added a small regression-test to the setuid integration-test that
attempts to set the suid bit on a file using the fchmodat2 syscall.
I confirmed that the test fails without the change in
local-derivation-goal.
Additionally, we require libseccomp 2.5.5 or greater now: as it turns
out, libseccomp maintains an internal syscall table and
validates each rule against it. This means that when using libseccomp
2.5.4 or older, one may pass `452` as syscall number against it, but
since it doesn't exist in the internal structure, `libseccomp` will refuse
to create a filter for that. This happens with nixpkgs-23.11, i.e. on
stable NixOS and when building Lix against the project's flake.
To work around that
* a backport of libseccomp 2.5.5 on upstream nixpkgs has been
scheduled[3].
* the package now uses libseccomp 2.5.5 on its own already. This is to
provide a quick fix since the correct fix for 23.11 is still a staging cycle
away.
We still need the compat header though since `SCMP_SYS(fchmodat2)`
internally transforms this into `__SNR_fchmodat2` which points to
`__NR_fchmodat2` from glibc 2.39, so it wouldn't build on glibc 2.38.
The updated syscall table from libseccomp 2.5.5 is NOT used for that
step, but used later, so we need both, our compat header and their
syscall table 🤷
Relevant PRs in CppNix:
* https://github.com/NixOS/nix/pull/10591
* https://github.com/NixOS/nix/pull/10501
[1] https://github.com/NixOS/nixpkgs/issues/300635#issuecomment-2031073804
[2] https://github.com/NixOS/nixpkgs/issues/300635#issuecomment-2030844251
[3] https://github.com/NixOS/nixpkgs/pull/306070
(cherry picked from commit ba6804518772e6afb403dd55478365d4b863c854)
Change-Id: I6921ab5a363188c6bff617750d00bb517276b7fe
2024-04-14 12:10:23 +00:00
|
|
|
libseccomp-nix ? __forDefaults.libseccomp-nix,
|
2024-03-01 20:15:44 +00:00
|
|
|
libseccomp,
|
|
|
|
libsodium,
|
build: optionally build and install with meson
This commit adds several meson.build, which successfully build and
install Lix executables, libraries, and headers. Meson does not yet
build docs, Perl bindings, or run tests, which will be added in
following commits. As such, this commit does not remove the existing
build system, or make it the default, and also as such, this commit has
several FIXMEs and TODOs as notes for what should be done before the
existing autoconf + make buildsystem can be removed and Meson made the
default. This commit does not modify any source files.
A Meson-enabled build is also added as a Hydra job, and to
`nix flake check`.
Change-Id: I667c8685b13b7bab91e281053f807a11616ae3d4
2024-03-21 19:41:23 +00:00
|
|
|
lsof,
|
2024-03-01 20:15:44 +00:00
|
|
|
lowdown,
|
|
|
|
mdbook,
|
|
|
|
mdbook-linkcheck,
|
|
|
|
mercurial,
|
build: optionally build and install with meson
This commit adds several meson.build, which successfully build and
install Lix executables, libraries, and headers. Meson does not yet
build docs, Perl bindings, or run tests, which will be added in
following commits. As such, this commit does not remove the existing
build system, or make it the default, and also as such, this commit has
several FIXMEs and TODOs as notes for what should be done before the
existing autoconf + make buildsystem can be removed and Meson made the
default. This commit does not modify any source files.
A Meson-enabled build is also added as a Hydra job, and to
`nix flake check`.
Change-Id: I667c8685b13b7bab91e281053f807a11616ae3d4
2024-03-21 19:41:23 +00:00
|
|
|
meson,
|
|
|
|
ninja,
|
2024-03-01 20:15:44 +00:00
|
|
|
openssl,
|
|
|
|
pkg-config,
|
2024-04-06 04:28:27 +00:00
|
|
|
python3,
|
2024-03-01 20:15:44 +00:00
|
|
|
rapidcheck,
|
|
|
|
sqlite,
|
2024-03-27 02:36:17 +00:00
|
|
|
toml11,
|
2024-03-01 20:15:44 +00:00
|
|
|
util-linuxMinimal ? utillinuxMinimal,
|
|
|
|
utillinuxMinimal ? null,
|
|
|
|
xz,
|
|
|
|
|
2024-03-09 08:22:06 +00:00
|
|
|
busybox-sandbox-shell,
|
2024-03-01 20:15:44 +00:00
|
|
|
|
2024-04-07 23:16:21 +00:00
|
|
|
# internal fork of nix-doc providing :doc in the repl
|
|
|
|
lix-doc ? __forDefaults.lix-doc,
|
2024-03-18 00:01:05 +00:00
|
|
|
|
2024-03-01 20:15:44 +00:00
|
|
|
pname ? "nix",
|
|
|
|
versionSuffix ? "",
|
|
|
|
officialRelease ? true,
|
|
|
|
# Set to true to build the release notes for the next release.
|
|
|
|
buildUnreleasedNotes ? false,
|
2024-03-09 04:09:11 +00:00
|
|
|
internalApiDocs ? false,
|
2023-12-18 20:59:58 +00:00
|
|
|
# Avoid setting things that would interfere with a functioning devShell
|
|
|
|
forDevShell ? false,
|
2024-03-01 20:15:44 +00:00
|
|
|
|
build: optionally build and install with meson
This commit adds several meson.build, which successfully build and
install Lix executables, libraries, and headers. Meson does not yet
build docs, Perl bindings, or run tests, which will be added in
following commits. As such, this commit does not remove the existing
build system, or make it the default, and also as such, this commit has
several FIXMEs and TODOs as notes for what should be done before the
existing autoconf + make buildsystem can be removed and Meson made the
default. This commit does not modify any source files.
A Meson-enabled build is also added as a Hydra job, and to
`nix flake check`.
Change-Id: I667c8685b13b7bab91e281053f807a11616ae3d4
2024-03-21 19:41:23 +00:00
|
|
|
# FIXME(Qyriad): build Lix using Meson instead of autoconf and make.
|
|
|
|
# This flag will be removed when the migration to Meson is complete.
|
meson: flip the switch!!
This commit makes Meson the default buildsystem for Lix.
The Make buildsystem is now deprecated and will be removed soon, but has
not yet, which will be done in a later commit when all seems good. The
mesonBuild jobs have been removed, and have not been replaced with
equivalent jobs to ensure the Make buildsystem still works.
The full, new commands in a development shell are:
$ meson setup ./build "--prefix=$out" $mesonFlags
(A simple `meson setup ./build` will also build, but will do a different
thing, not having the settings from package.nix applied.)
$ meson compile -C build
$ meson test -C build --suite=check
$ meson install -C build
$ meson test -C build --suite=installcheck
(Check and installcheck may both be done after install, allowing you to
omit the --suite argument entirely, but this is the order package.nix
runs them in.)
If tests fail and Meson helpfully has no output for why, use the
`--print-error-logs` option to `meson test`. Why this is not the default
I cannot explain.
If you change a setting in the buildsystem, most cases will
automatically regenerate the Meson configuration, but some cases, like
trying to build a specific target whose name is new to the buildsystem
(e.g. `meson compile -C build src/libmelt/libmelt.dylib`, when
`libmelt.dylib` did not exist as a target the last time the buildsystem
was generated), then you can reconfigure using new settings but
existing options, and only recompiling stuff affected by the changes:
$ meson setup --reconfigure build
Note that changes to the default values in `meson.options` or in the
`default_options :` argument to project() are NOT propagated with
`--reconfigure`.
If you want a totally clean build, you can use:
$ meson setup --wipe build
That will work regardless of if `./build` exists or not.
Specific, named targets may be addressed in
`meson build -C build <target>` with the "target ID" if there is one,
which is the first string argument passed to target functions that
have one, and unrelated to the variable name, e.g.:
libexpr_dylib = library('nixexpr', …)
can be addressed with:
$ meson compile -C build nixexpr
All targets may be addressed as their output, relative to the build
directory, e.g.:
$ meson compile -C build src/libexpr/libnixexpr.so
But Meson does not consider intermediate files like object files
targets. To build a specific object file, use Ninja directly and
specify the output file relative to the build directory:
$ ninja -C build src/libexpr/libnixexpr.so.p/nixexpr.cc.o
To inspect the canonical source of truth on what the state of the
buildsystem configuration is, use:
$ meson introspect
Have fun!
Change-Id: Ia3e7b1e6fae26daf3162e655b4ded611a5cd57ad
2024-04-18 02:07:38 +00:00
|
|
|
buildWithMeson ? true,
|
build: optionally build and install with meson
This commit adds several meson.build, which successfully build and
install Lix executables, libraries, and headers. Meson does not yet
build docs, Perl bindings, or run tests, which will be added in
following commits. As such, this commit does not remove the existing
build system, or make it the default, and also as such, this commit has
several FIXMEs and TODOs as notes for what should be done before the
existing autoconf + make buildsystem can be removed and Meson made the
default. This commit does not modify any source files.
A Meson-enabled build is also added as a Hydra job, and to
`nix flake check`.
Change-Id: I667c8685b13b7bab91e281053f807a11616ae3d4
2024-03-21 19:41:23 +00:00
|
|
|
|
2024-03-01 20:15:44 +00:00
|
|
|
# Not a real argument, just the only way to approximate let-binding some
|
|
|
|
# stuff for argument defaults.
|
|
|
|
__forDefaults ? {
|
|
|
|
canRunInstalled = stdenv.buildPlatform.canExecute stdenv.hostPlatform;
|
2024-04-06 21:44:27 +00:00
|
|
|
|
2024-04-04 23:07:44 +00:00
|
|
|
boehmgc-nix = (boehmgc.override { enableLargeConfig = true; }).overrideAttrs {
|
2024-04-06 21:44:27 +00:00
|
|
|
patches = [
|
|
|
|
# We do *not* include prev.patches (which doesn't exist in normal pkgs.boehmgc anyway)
|
|
|
|
# because if the caller of this package passed a patched boehm as `boehmgc` instead of
|
|
|
|
# `boehmgc-nix` then this will almost certainly have duplicate patches, which means
|
|
|
|
# the patches won't apply and we'll get a build failure.
|
|
|
|
./boehmgc-coroutine-sp-fallback.diff
|
|
|
|
# https://github.com/ivmai/bdwgc/pull/586
|
|
|
|
./boehmgc-traceable_allocator-public.diff
|
|
|
|
];
|
|
|
|
};
|
2024-04-07 23:16:21 +00:00
|
|
|
|
|
|
|
lix-doc = pkgs.callPackage ./lix-doc/package.nix { };
|
libstore/local-derivation-goal: prohibit creating setuid/setgid binaries
With Linux kernel >=6.6 & glibc 2.39 a `fchmodat2(2)` is available that
isn't filtered away by the libseccomp sandbox.
Being able to use this to bypass that restriction has surprising results
for some builds such as lxc[1]:
> With kernel ≥6.6 and glibc 2.39, lxc's install phase uses fchmodat2,
> which slips through https://github.com/NixOS/nix/blob/9b88e5284608116b7db0dbd3d5dd7a33b90d52d7/src/libstore/build/local-derivation-goal.cc#L1650-L1663.
> The fixupPhase then uses fchmodat, which fails.
> With older kernel or glibc, setting the suid bit fails in the
> install phase, which is not treated as fatal, and then the
> fixup phase does not try to set it again.
Please note that there are still ways to bypass this sandbox[2] and this is
mostly a fix for the breaking builds.
This change works by creating a syscall filter for the `fchmodat2`
syscall (number 452 on most systems). The problem is that glibc 2.39
is needed to have the correct syscall number available via
`__NR_fchmodat2` / `__SNR_fchmodat2`, but this flake is still on
nixpkgs 23.11. To have this change everywhere and not dependent on the
glibc this package is built against, I added a header
"fchmodat2-compat.hh" that sets the syscall number based on the
architecture. On most platforms its 452 according to glibc with a few
exceptions:
$ rg --pcre2 'define __NR_fchmodat2 (?!452)'
sysdeps/unix/sysv/linux/x86_64/x32/arch-syscall.h
58:#define __NR_fchmodat2 1073742276
sysdeps/unix/sysv/linux/mips/mips64/n32/arch-syscall.h
67:#define __NR_fchmodat2 6452
sysdeps/unix/sysv/linux/mips/mips64/n64/arch-syscall.h
62:#define __NR_fchmodat2 5452
sysdeps/unix/sysv/linux/mips/mips32/arch-syscall.h
70:#define __NR_fchmodat2 4452
sysdeps/unix/sysv/linux/alpha/arch-syscall.h
59:#define __NR_fchmodat2 562
I added a small regression-test to the setuid integration-test that
attempts to set the suid bit on a file using the fchmodat2 syscall.
I confirmed that the test fails without the change in
local-derivation-goal.
Additionally, we require libseccomp 2.5.5 or greater now: as it turns
out, libseccomp maintains an internal syscall table and
validates each rule against it. This means that when using libseccomp
2.5.4 or older, one may pass `452` as syscall number against it, but
since it doesn't exist in the internal structure, `libseccomp` will refuse
to create a filter for that. This happens with nixpkgs-23.11, i.e. on
stable NixOS and when building Lix against the project's flake.
To work around that
* a backport of libseccomp 2.5.5 on upstream nixpkgs has been
scheduled[3].
* the package now uses libseccomp 2.5.5 on its own already. This is to
provide a quick fix since the correct fix for 23.11 is still a staging cycle
away.
We still need the compat header though since `SCMP_SYS(fchmodat2)`
internally transforms this into `__SNR_fchmodat2` which points to
`__NR_fchmodat2` from glibc 2.39, so it wouldn't build on glibc 2.38.
The updated syscall table from libseccomp 2.5.5 is NOT used for that
step, but used later, so we need both, our compat header and their
syscall table 🤷
Relevant PRs in CppNix:
* https://github.com/NixOS/nix/pull/10591
* https://github.com/NixOS/nix/pull/10501
[1] https://github.com/NixOS/nixpkgs/issues/300635#issuecomment-2031073804
[2] https://github.com/NixOS/nixpkgs/issues/300635#issuecomment-2030844251
[3] https://github.com/NixOS/nixpkgs/pull/306070
(cherry picked from commit ba6804518772e6afb403dd55478365d4b863c854)
Change-Id: I6921ab5a363188c6bff617750d00bb517276b7fe
2024-04-14 12:10:23 +00:00
|
|
|
|
2024-05-04 08:33:26 +00:00
|
|
|
# FIXME remove when we have libsecomp 2.5.5 (currently in staging-23.11)
|
|
|
|
libseccomp-nix = libseccomp.overrideAttrs (_: rec {
|
|
|
|
version = "2.5.5";
|
|
|
|
src = fetchurl {
|
|
|
|
url = "https://github.com/seccomp/libseccomp/releases/download/v${version}/libseccomp-${version}.tar.gz";
|
|
|
|
hash = "sha256-JIosik2bmFiqa69ScSw0r+/PnJ6Ut23OAsHJqiX7M3U=";
|
|
|
|
};
|
|
|
|
});
|
2024-03-01 20:15:44 +00:00
|
|
|
},
|
2024-04-04 23:07:44 +00:00
|
|
|
}:
|
|
|
|
let
|
2024-03-01 20:15:44 +00:00
|
|
|
inherit (__forDefaults) canRunInstalled;
|
2024-04-07 00:12:35 +00:00
|
|
|
inherit (lib) fileset;
|
2024-03-01 20:15:44 +00:00
|
|
|
|
|
|
|
version = lib.fileContents ./.version + versionSuffix;
|
|
|
|
|
2024-03-05 20:51:49 +00:00
|
|
|
aws-sdk-cpp-nix = aws-sdk-cpp.override {
|
2024-04-04 23:07:44 +00:00
|
|
|
apis = [
|
|
|
|
"s3"
|
|
|
|
"transfer"
|
|
|
|
];
|
2024-03-05 20:51:49 +00:00
|
|
|
customMemoryManagement = false;
|
|
|
|
};
|
|
|
|
|
2024-04-04 23:07:44 +00:00
|
|
|
testConfigureFlags = [ "RAPIDCHECK_HEADERS=${lib.getDev rapidcheck}/extras/gtest/include" ];
|
2024-03-05 20:51:49 +00:00
|
|
|
|
2024-04-22 21:39:22 +00:00
|
|
|
# Reimplementation of Nixpkgs' Meson cross file, with some additions to make
|
|
|
|
# it actually work.
|
|
|
|
mesonCrossFile =
|
|
|
|
let
|
|
|
|
cpuFamily =
|
|
|
|
platform:
|
|
|
|
with platform;
|
|
|
|
if isAarch32 then
|
|
|
|
"arm"
|
|
|
|
else if isx86_32 then
|
|
|
|
"x86"
|
|
|
|
else
|
|
|
|
platform.uname.processor;
|
|
|
|
in
|
|
|
|
builtins.toFile "lix-cross-file.conf" ''
|
|
|
|
[properties]
|
|
|
|
# Meson is convinced that if !buildPlatform.canExecute hostPlatform then we cannot
|
|
|
|
# build anything at all, which is not at all correct. If we can't execute the host
|
|
|
|
# platform, we'll just disable tests and doc gen.
|
|
|
|
needs_exe_wrapper = false
|
|
|
|
|
|
|
|
[binaries]
|
|
|
|
# Meson refuses to consider any CMake binary during cross compilation if it's
|
|
|
|
# not explicitly specified here, in the cross file.
|
|
|
|
# https://github.com/mesonbuild/meson/blob/0ed78cf6fa6d87c0738f67ae43525e661b50a8a2/mesonbuild/cmake/executor.py#L72
|
|
|
|
cmake = 'cmake'
|
|
|
|
'';
|
|
|
|
|
2024-03-09 04:09:11 +00:00
|
|
|
# The internal API docs need these for the build, but if we're not building
|
|
|
|
# Nix itself, then these don't need to be propagated.
|
|
|
|
maybePropagatedInputs = [
|
2024-04-06 21:44:27 +00:00
|
|
|
boehmgc-nix
|
2024-03-09 04:09:11 +00:00
|
|
|
nlohmann_json
|
|
|
|
];
|
|
|
|
|
2024-03-01 20:15:44 +00:00
|
|
|
# .gitignore has already been processed, so any changes in it are irrelevant
|
|
|
|
# at this point. It is not represented verbatim for test purposes because
|
|
|
|
# that would interfere with repo semantics.
|
|
|
|
baseFiles = fileset.fileFilter (f: f.name != ".gitignore") ./.;
|
2024-03-05 20:51:49 +00:00
|
|
|
|
|
|
|
configureFiles = fileset.unions [
|
|
|
|
./.version
|
|
|
|
./configure.ac
|
|
|
|
./m4
|
|
|
|
# TODO: do we really need README.md? It doesn't seem used in the build.
|
|
|
|
./README.md
|
|
|
|
];
|
|
|
|
|
2024-04-04 23:07:44 +00:00
|
|
|
topLevelBuildFiles = fileset.unions (
|
|
|
|
[
|
|
|
|
./local.mk
|
|
|
|
./Makefile
|
|
|
|
./Makefile.config.in
|
|
|
|
./mk
|
|
|
|
]
|
|
|
|
++ lib.optionals buildWithMeson [
|
|
|
|
./meson.build
|
|
|
|
./meson.options
|
|
|
|
./meson
|
|
|
|
./scripts/meson.build
|
|
|
|
]
|
|
|
|
);
|
|
|
|
|
|
|
|
functionalTestFiles = fileset.unions [
|
2024-03-05 20:51:49 +00:00
|
|
|
./tests/functional
|
|
|
|
./tests/unit
|
|
|
|
(fileset.fileFilter (f: lib.strings.hasPrefix "nix-profile" f.name) ./scripts)
|
2024-04-04 23:07:44 +00:00
|
|
|
];
|
|
|
|
in
|
|
|
|
stdenv.mkDerivation (finalAttrs: {
|
2024-03-05 20:51:49 +00:00
|
|
|
inherit pname version;
|
|
|
|
|
2024-03-01 20:15:44 +00:00
|
|
|
src = fileset.toSource {
|
|
|
|
root = ./.;
|
2024-04-04 23:07:44 +00:00
|
|
|
fileset = fileset.intersection baseFiles (
|
|
|
|
fileset.unions (
|
|
|
|
[
|
|
|
|
configureFiles
|
|
|
|
topLevelBuildFiles
|
|
|
|
functionalTestFiles
|
|
|
|
]
|
|
|
|
++ lib.optionals (!finalAttrs.dontBuild || internalApiDocs) [
|
|
|
|
./boehmgc-coroutine-sp-fallback.diff
|
|
|
|
./doc
|
|
|
|
./misc
|
|
|
|
./precompiled-headers.h
|
|
|
|
./src
|
|
|
|
./COPYING
|
|
|
|
./scripts/local.mk
|
|
|
|
]
|
|
|
|
)
|
|
|
|
);
|
2024-03-01 20:15:44 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
VERSION_SUFFIX = versionSuffix;
|
|
|
|
|
2024-04-04 23:07:44 +00:00
|
|
|
outputs =
|
|
|
|
[ "out" ]
|
|
|
|
++ lib.optionals (!finalAttrs.dontBuild) [
|
|
|
|
"dev"
|
|
|
|
"doc"
|
|
|
|
];
|
2024-03-05 20:51:49 +00:00
|
|
|
|
|
|
|
dontBuild = false;
|
2024-03-01 20:15:44 +00:00
|
|
|
|
build: optionally build and install with meson
This commit adds several meson.build, which successfully build and
install Lix executables, libraries, and headers. Meson does not yet
build docs, Perl bindings, or run tests, which will be added in
following commits. As such, this commit does not remove the existing
build system, or make it the default, and also as such, this commit has
several FIXMEs and TODOs as notes for what should be done before the
existing autoconf + make buildsystem can be removed and Meson made the
default. This commit does not modify any source files.
A Meson-enabled build is also added as a Hydra job, and to
`nix flake check`.
Change-Id: I667c8685b13b7bab91e281053f807a11616ae3d4
2024-03-21 19:41:23 +00:00
|
|
|
# FIXME(Qyriad): see if this is still needed once the migration to Meson is completed.
|
2024-04-11 18:17:19 +00:00
|
|
|
mesonFlags =
|
|
|
|
lib.optionals (buildWithMeson && stdenv.hostPlatform.isLinux) [
|
|
|
|
"-Dsandbox-shell=${lib.getBin busybox-sandbox-shell}/bin/busybox"
|
|
|
|
]
|
2024-04-18 22:15:24 +00:00
|
|
|
++ lib.optional stdenv.hostPlatform.isStatic "-Denable-embedded-sandbox-shell=true"
|
2024-04-11 18:17:19 +00:00
|
|
|
++ lib.optional (finalAttrs.dontBuild) "-Denable-build=false"
|
2024-04-22 21:39:22 +00:00
|
|
|
++ [
|
|
|
|
# mesonConfigurePhase automatically passes -Dauto_features=enabled,
|
|
|
|
# so we must explicitly enable or disable features that we are not passing
|
|
|
|
# dependencies for.
|
|
|
|
(lib.mesonEnable "internal-api-docs" internalApiDocs)
|
|
|
|
(lib.mesonBool "enable-tests" finalAttrs.doCheck)
|
|
|
|
(lib.mesonBool "enable-docs" canRunInstalled)
|
|
|
|
]
|
|
|
|
++ lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) "--cross-file=${mesonCrossFile}";
|
build: optionally build and install with meson
This commit adds several meson.build, which successfully build and
install Lix executables, libraries, and headers. Meson does not yet
build docs, Perl bindings, or run tests, which will be added in
following commits. As such, this commit does not remove the existing
build system, or make it the default, and also as such, this commit has
several FIXMEs and TODOs as notes for what should be done before the
existing autoconf + make buildsystem can be removed and Meson made the
default. This commit does not modify any source files.
A Meson-enabled build is also added as a Hydra job, and to
`nix flake check`.
Change-Id: I667c8685b13b7bab91e281053f807a11616ae3d4
2024-03-21 19:41:23 +00:00
|
|
|
|
2024-03-27 02:36:17 +00:00
|
|
|
# We only include CMake so that Meson can locate toml11, which only ships CMake dependency metadata.
|
|
|
|
dontUseCmakeConfigure = true;
|
|
|
|
|
2024-04-04 23:07:44 +00:00
|
|
|
nativeBuildInputs =
|
|
|
|
[
|
|
|
|
bison
|
|
|
|
flex
|
|
|
|
python3
|
|
|
|
]
|
|
|
|
++ [
|
|
|
|
(lib.getBin lowdown)
|
|
|
|
mdbook
|
|
|
|
mdbook-linkcheck
|
|
|
|
autoconf-archive
|
|
|
|
]
|
|
|
|
++ lib.optional (!buildWithMeson) autoreconfHook
|
|
|
|
++ [
|
|
|
|
pkg-config
|
|
|
|
|
|
|
|
# Tests
|
|
|
|
git
|
|
|
|
mercurial
|
|
|
|
jq
|
|
|
|
lsof
|
|
|
|
]
|
|
|
|
++ lib.optional stdenv.hostPlatform.isLinux util-linuxMinimal
|
2024-03-26 17:32:25 +00:00
|
|
|
++ lib.optional (!officialRelease && buildUnreleasedNotes) build-release-notes
|
2024-04-11 18:17:19 +00:00
|
|
|
++ lib.optional (internalApiDocs || forDevShell) doxygen
|
build: optionally build and install with meson
This commit adds several meson.build, which successfully build and
install Lix executables, libraries, and headers. Meson does not yet
build docs, Perl bindings, or run tests, which will be added in
following commits. As such, this commit does not remove the existing
build system, or make it the default, and also as such, this commit has
several FIXMEs and TODOs as notes for what should be done before the
existing autoconf + make buildsystem can be removed and Meson made the
default. This commit does not modify any source files.
A Meson-enabled build is also added as a Hydra job, and to
`nix flake check`.
Change-Id: I667c8685b13b7bab91e281053f807a11616ae3d4
2024-03-21 19:41:23 +00:00
|
|
|
++ lib.optionals buildWithMeson [
|
|
|
|
meson
|
|
|
|
ninja
|
2024-03-27 02:36:17 +00:00
|
|
|
cmake
|
2024-04-04 23:07:44 +00:00
|
|
|
];
|
2024-03-01 20:15:44 +00:00
|
|
|
|
2024-04-04 23:07:44 +00:00
|
|
|
buildInputs =
|
|
|
|
[
|
|
|
|
curl
|
|
|
|
bzip2
|
|
|
|
xz
|
|
|
|
brotli
|
|
|
|
editline
|
|
|
|
openssl
|
|
|
|
sqlite
|
|
|
|
libarchive
|
|
|
|
boost
|
|
|
|
lowdown
|
|
|
|
libsodium
|
|
|
|
toml11
|
|
|
|
lix-doc
|
|
|
|
]
|
|
|
|
++ lib.optionals stdenv.hostPlatform.isLinux [
|
libstore/local-derivation-goal: prohibit creating setuid/setgid binaries
With Linux kernel >=6.6 & glibc 2.39 a `fchmodat2(2)` is available that
isn't filtered away by the libseccomp sandbox.
Being able to use this to bypass that restriction has surprising results
for some builds such as lxc[1]:
> With kernel ≥6.6 and glibc 2.39, lxc's install phase uses fchmodat2,
> which slips through https://github.com/NixOS/nix/blob/9b88e5284608116b7db0dbd3d5dd7a33b90d52d7/src/libstore/build/local-derivation-goal.cc#L1650-L1663.
> The fixupPhase then uses fchmodat, which fails.
> With older kernel or glibc, setting the suid bit fails in the
> install phase, which is not treated as fatal, and then the
> fixup phase does not try to set it again.
Please note that there are still ways to bypass this sandbox[2] and this is
mostly a fix for the breaking builds.
This change works by creating a syscall filter for the `fchmodat2`
syscall (number 452 on most systems). The problem is that glibc 2.39
is needed to have the correct syscall number available via
`__NR_fchmodat2` / `__SNR_fchmodat2`, but this flake is still on
nixpkgs 23.11. To have this change everywhere and not dependent on the
glibc this package is built against, I added a header
"fchmodat2-compat.hh" that sets the syscall number based on the
architecture. On most platforms its 452 according to glibc with a few
exceptions:
$ rg --pcre2 'define __NR_fchmodat2 (?!452)'
sysdeps/unix/sysv/linux/x86_64/x32/arch-syscall.h
58:#define __NR_fchmodat2 1073742276
sysdeps/unix/sysv/linux/mips/mips64/n32/arch-syscall.h
67:#define __NR_fchmodat2 6452
sysdeps/unix/sysv/linux/mips/mips64/n64/arch-syscall.h
62:#define __NR_fchmodat2 5452
sysdeps/unix/sysv/linux/mips/mips32/arch-syscall.h
70:#define __NR_fchmodat2 4452
sysdeps/unix/sysv/linux/alpha/arch-syscall.h
59:#define __NR_fchmodat2 562
I added a small regression-test to the setuid integration-test that
attempts to set the suid bit on a file using the fchmodat2 syscall.
I confirmed that the test fails without the change in
local-derivation-goal.
Additionally, we require libseccomp 2.5.5 or greater now: as it turns
out, libseccomp maintains an internal syscall table and
validates each rule against it. This means that when using libseccomp
2.5.4 or older, one may pass `452` as syscall number against it, but
since it doesn't exist in the internal structure, `libseccomp` will refuse
to create a filter for that. This happens with nixpkgs-23.11, i.e. on
stable NixOS and when building Lix against the project's flake.
To work around that
* a backport of libseccomp 2.5.5 on upstream nixpkgs has been
scheduled[3].
* the package now uses libseccomp 2.5.5 on its own already. This is to
provide a quick fix since the correct fix for 23.11 is still a staging cycle
away.
We still need the compat header though since `SCMP_SYS(fchmodat2)`
internally transforms this into `__SNR_fchmodat2` which points to
`__NR_fchmodat2` from glibc 2.39, so it wouldn't build on glibc 2.38.
The updated syscall table from libseccomp 2.5.5 is NOT used for that
step, but used later, so we need both, our compat header and their
syscall table 🤷
Relevant PRs in CppNix:
* https://github.com/NixOS/nix/pull/10591
* https://github.com/NixOS/nix/pull/10501
[1] https://github.com/NixOS/nixpkgs/issues/300635#issuecomment-2031073804
[2] https://github.com/NixOS/nixpkgs/issues/300635#issuecomment-2030844251
[3] https://github.com/NixOS/nixpkgs/pull/306070
(cherry picked from commit ba6804518772e6afb403dd55478365d4b863c854)
Change-Id: I6921ab5a363188c6bff617750d00bb517276b7fe
2024-04-14 12:10:23 +00:00
|
|
|
libseccomp-nix
|
2024-04-04 23:07:44 +00:00
|
|
|
busybox-sandbox-shell
|
|
|
|
]
|
2024-04-11 18:17:19 +00:00
|
|
|
++ lib.optional internalApiDocs rapidcheck
|
2024-03-01 20:15:44 +00:00
|
|
|
++ lib.optional stdenv.hostPlatform.isx86_64 libcpuid
|
|
|
|
# There have been issues building these dependencies
|
|
|
|
++ lib.optional (stdenv.hostPlatform == stdenv.buildPlatform) aws-sdk-cpp-nix
|
2024-04-04 23:07:44 +00:00
|
|
|
++ lib.optionals (finalAttrs.dontBuild) maybePropagatedInputs;
|
2024-03-01 20:15:44 +00:00
|
|
|
|
2024-03-09 08:22:06 +00:00
|
|
|
checkInputs = [
|
2024-03-01 20:15:44 +00:00
|
|
|
gtest
|
|
|
|
rapidcheck
|
|
|
|
];
|
|
|
|
|
2024-03-09 04:09:11 +00:00
|
|
|
propagatedBuildInputs = lib.optionals (!finalAttrs.dontBuild) maybePropagatedInputs;
|
2024-03-01 20:15:44 +00:00
|
|
|
|
2024-04-04 23:07:44 +00:00
|
|
|
disallowedReferences = [ boost ];
|
2024-03-01 20:15:44 +00:00
|
|
|
|
build: optionally build and install with meson
This commit adds several meson.build, which successfully build and
install Lix executables, libraries, and headers. Meson does not yet
build docs, Perl bindings, or run tests, which will be added in
following commits. As such, this commit does not remove the existing
build system, or make it the default, and also as such, this commit has
several FIXMEs and TODOs as notes for what should be done before the
existing autoconf + make buildsystem can be removed and Meson made the
default. This commit does not modify any source files.
A Meson-enabled build is also added as a Hydra job, and to
`nix flake check`.
Change-Id: I667c8685b13b7bab91e281053f807a11616ae3d4
2024-03-21 19:41:23 +00:00
|
|
|
# Needed for Meson to find Boost.
|
|
|
|
# https://github.com/NixOS/nixpkgs/issues/86131.
|
|
|
|
env = lib.optionalAttrs (buildWithMeson || forDevShell) {
|
|
|
|
BOOST_INCLUDEDIR = "${lib.getDev boost}/include";
|
|
|
|
BOOST_LIBRARYDIR = "${lib.getLib boost}/lib";
|
|
|
|
};
|
|
|
|
|
2024-04-04 23:07:44 +00:00
|
|
|
preConfigure =
|
|
|
|
lib.optionalString (!finalAttrs.dontBuild && !stdenv.hostPlatform.isStatic) ''
|
|
|
|
# Copy libboost_context so we don't get all of Boost in our closure.
|
|
|
|
# https://github.com/NixOS/nixpkgs/issues/45462
|
|
|
|
mkdir -p $out/lib
|
|
|
|
cp -pd ${boost}/lib/{libboost_context*,libboost_thread*,libboost_system*} $out/lib
|
|
|
|
rm -f $out/lib/*.a
|
|
|
|
''
|
|
|
|
+ lib.optionalString (!finalAttrs.dontBuild && stdenv.hostPlatform.isLinux) ''
|
|
|
|
chmod u+w $out/lib/*.so.*
|
|
|
|
patchelf --set-rpath $out/lib:${stdenv.cc.cc.lib}/lib $out/lib/libboost_thread.so.*
|
|
|
|
''
|
|
|
|
+ lib.optionalString (!finalAttrs.dontBuild && stdenv.hostPlatform.isDarwin) ''
|
|
|
|
for LIB in $out/lib/*.dylib; do
|
|
|
|
chmod u+w $LIB
|
|
|
|
install_name_tool -id $LIB $LIB
|
|
|
|
install_name_tool -delete_rpath ${boost}/lib/ $LIB || true
|
|
|
|
done
|
|
|
|
install_name_tool -change ${boost}/lib/libboost_system.dylib $out/lib/libboost_system.dylib $out/lib/libboost_thread.dylib
|
|
|
|
''
|
|
|
|
+ ''
|
|
|
|
# Workaround https://github.com/NixOS/nixpkgs/issues/294890.
|
|
|
|
if [[ -n "''${doCheck:-}" ]]; then
|
|
|
|
appendToVar configureFlags "--enable-tests"
|
|
|
|
else
|
|
|
|
appendToVar configureFlags "--disable-tests"
|
|
|
|
fi
|
|
|
|
'';
|
|
|
|
|
|
|
|
configureFlags =
|
|
|
|
[ "--with-boost=${boost}/lib" ]
|
|
|
|
++ lib.optionals stdenv.isLinux [ "--with-sandbox-shell=${busybox-sandbox-shell}/bin/busybox" ]
|
|
|
|
++ lib.optionals (
|
|
|
|
stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux")
|
|
|
|
) [ "LDFLAGS=-fuse-ld=gold" ]
|
2024-03-01 20:15:44 +00:00
|
|
|
++ lib.optional stdenv.hostPlatform.isStatic "--enable-embedded-sandbox-shell"
|
2024-03-09 04:09:11 +00:00
|
|
|
++ lib.optionals (finalAttrs.doCheck || internalApiDocs) testConfigureFlags
|
2024-03-01 20:15:44 +00:00
|
|
|
++ lib.optional (!canRunInstalled) "--disable-doc-gen"
|
2024-03-09 04:09:11 +00:00
|
|
|
++ [ (lib.enableFeature internalApiDocs "internal-api-docs") ]
|
2024-03-27 02:36:17 +00:00
|
|
|
++ lib.optional (!forDevShell) "--sysconfdir=/etc"
|
2024-04-04 23:07:44 +00:00
|
|
|
++ [ "TOML11_HEADERS=${lib.getDev toml11}/include" ];
|
2024-03-01 20:15:44 +00:00
|
|
|
|
build: optionally build and install with meson
This commit adds several meson.build, which successfully build and
install Lix executables, libraries, and headers. Meson does not yet
build docs, Perl bindings, or run tests, which will be added in
following commits. As such, this commit does not remove the existing
build system, or make it the default, and also as such, this commit has
several FIXMEs and TODOs as notes for what should be done before the
existing autoconf + make buildsystem can be removed and Meson made the
default. This commit does not modify any source files.
A Meson-enabled build is also added as a Hydra job, and to
`nix flake check`.
Change-Id: I667c8685b13b7bab91e281053f807a11616ae3d4
2024-03-21 19:41:23 +00:00
|
|
|
mesonBuildType = lib.optional (buildWithMeson || forDevShell) "debugoptimized";
|
|
|
|
|
2024-03-09 04:09:11 +00:00
|
|
|
installTargets = lib.optional internalApiDocs "internal-api-html";
|
|
|
|
|
2024-03-01 20:15:44 +00:00
|
|
|
enableParallelBuilding = true;
|
|
|
|
|
|
|
|
makeFlags = "profiledir=$(out)/etc/profile.d PRECOMPILE_HEADERS=1";
|
|
|
|
|
2024-04-22 21:39:22 +00:00
|
|
|
doCheck = canRunInstalled;
|
2024-03-01 20:15:44 +00:00
|
|
|
|
2024-04-04 23:07:44 +00:00
|
|
|
mesonCheckFlags = lib.optionals (buildWithMeson || forDevShell) [ "--suite=check" ];
|
2024-03-21 21:38:11 +00:00
|
|
|
|
2024-03-01 20:15:44 +00:00
|
|
|
installFlags = "sysconfdir=$(out)/etc";
|
|
|
|
|
2024-04-11 18:17:19 +00:00
|
|
|
# Make sure the internal API docs are already built, because mesonInstallPhase
|
|
|
|
# won't let us build them there. They would normally be built in buildPhase,
|
|
|
|
# but the internal API docs are conventionally built with doBuild = false.
|
|
|
|
preInstall = lib.optional (buildWithMeson && internalApiDocs) ''
|
|
|
|
meson ''${mesonBuildFlags:-} compile "$installTargets"
|
|
|
|
'';
|
|
|
|
|
2024-04-04 23:07:44 +00:00
|
|
|
postInstall =
|
|
|
|
lib.optionalString (!finalAttrs.dontBuild) ''
|
|
|
|
mkdir -p $doc/nix-support
|
|
|
|
echo "doc manual $doc/share/doc/nix/manual" >> $doc/nix-support/hydra-build-products
|
|
|
|
''
|
|
|
|
+ lib.optionalString stdenv.hostPlatform.isStatic ''
|
|
|
|
mkdir -p $out/nix-support
|
|
|
|
echo "file binary-dist $out/bin/nix" >> $out/nix-support/hydra-build-products
|
|
|
|
''
|
|
|
|
+ lib.optionalString stdenv.isDarwin ''
|
|
|
|
for lib in libnixutil.dylib libnixexpr.dylib; do
|
|
|
|
install_name_tool \
|
|
|
|
-change "${lib.getLib boost}/lib/libboost_context.dylib" \
|
|
|
|
"$out/lib/libboost_context.dylib" \
|
|
|
|
"$out/lib/$lib"
|
|
|
|
done
|
|
|
|
''
|
|
|
|
+ lib.optionalString internalApiDocs ''
|
|
|
|
mkdir -p $out/nix-support
|
|
|
|
echo "doc internal-api-docs $out/share/doc/nix/internal-api/html" >> "$out/nix-support/hydra-build-products"
|
|
|
|
'';
|
2024-03-01 20:15:44 +00:00
|
|
|
|
|
|
|
doInstallCheck = finalAttrs.doCheck;
|
|
|
|
installCheckFlags = "sysconfdir=$(out)/etc";
|
|
|
|
installCheckTarget = "installcheck"; # work around buggy detection in stdenv
|
|
|
|
|
2024-04-04 23:07:44 +00:00
|
|
|
mesonInstallCheckFlags = [ "--suite=installcheck" ];
|
2024-03-25 18:12:56 +00:00
|
|
|
|
|
|
|
installCheckPhase = lib.optionalString buildWithMeson ''
|
|
|
|
runHook preInstallCheck
|
|
|
|
flagsArray=($mesonInstallCheckFlags "''${mesonInstallCheckFlagsArray[@]}")
|
|
|
|
meson test --no-rebuild "''${flagsArray[@]}"
|
|
|
|
runHook postInstallCheck
|
|
|
|
'';
|
|
|
|
|
2024-03-05 20:51:49 +00:00
|
|
|
separateDebugInfo = !stdenv.hostPlatform.isStatic && !finalAttrs.dontBuild;
|
2024-03-01 20:15:44 +00:00
|
|
|
|
|
|
|
strictDeps = true;
|
|
|
|
|
2024-03-25 06:45:25 +00:00
|
|
|
# strictoverflow is disabled because we trap on signed overflow instead
|
2024-04-04 23:07:44 +00:00
|
|
|
hardeningDisable = [ "strictoverflow" ] ++ lib.optional stdenv.hostPlatform.isStatic "pie";
|
2024-03-01 20:15:44 +00:00
|
|
|
|
|
|
|
meta.platforms = lib.platforms.unix;
|
|
|
|
|
2024-04-04 23:07:44 +00:00
|
|
|
passthru.perl-bindings = pkgs.callPackage ./perl { inherit fileset stdenv buildWithMeson; };
|
2024-04-06 21:44:27 +00:00
|
|
|
|
libstore/local-derivation-goal: prohibit creating setuid/setgid binaries
With Linux kernel >=6.6 & glibc 2.39 a `fchmodat2(2)` is available that
isn't filtered away by the libseccomp sandbox.
Being able to use this to bypass that restriction has surprising results
for some builds such as lxc[1]:
> With kernel ≥6.6 and glibc 2.39, lxc's install phase uses fchmodat2,
> which slips through https://github.com/NixOS/nix/blob/9b88e5284608116b7db0dbd3d5dd7a33b90d52d7/src/libstore/build/local-derivation-goal.cc#L1650-L1663.
> The fixupPhase then uses fchmodat, which fails.
> With older kernel or glibc, setting the suid bit fails in the
> install phase, which is not treated as fatal, and then the
> fixup phase does not try to set it again.
Please note that there are still ways to bypass this sandbox[2] and this is
mostly a fix for the breaking builds.
This change works by creating a syscall filter for the `fchmodat2`
syscall (number 452 on most systems). The problem is that glibc 2.39
is needed to have the correct syscall number available via
`__NR_fchmodat2` / `__SNR_fchmodat2`, but this flake is still on
nixpkgs 23.11. To have this change everywhere and not dependent on the
glibc this package is built against, I added a header
"fchmodat2-compat.hh" that sets the syscall number based on the
architecture. On most platforms its 452 according to glibc with a few
exceptions:
$ rg --pcre2 'define __NR_fchmodat2 (?!452)'
sysdeps/unix/sysv/linux/x86_64/x32/arch-syscall.h
58:#define __NR_fchmodat2 1073742276
sysdeps/unix/sysv/linux/mips/mips64/n32/arch-syscall.h
67:#define __NR_fchmodat2 6452
sysdeps/unix/sysv/linux/mips/mips64/n64/arch-syscall.h
62:#define __NR_fchmodat2 5452
sysdeps/unix/sysv/linux/mips/mips32/arch-syscall.h
70:#define __NR_fchmodat2 4452
sysdeps/unix/sysv/linux/alpha/arch-syscall.h
59:#define __NR_fchmodat2 562
I added a small regression-test to the setuid integration-test that
attempts to set the suid bit on a file using the fchmodat2 syscall.
I confirmed that the test fails without the change in
local-derivation-goal.
Additionally, we require libseccomp 2.5.5 or greater now: as it turns
out, libseccomp maintains an internal syscall table and
validates each rule against it. This means that when using libseccomp
2.5.4 or older, one may pass `452` as syscall number against it, but
since it doesn't exist in the internal structure, `libseccomp` will refuse
to create a filter for that. This happens with nixpkgs-23.11, i.e. on
stable NixOS and when building Lix against the project's flake.
To work around that
* a backport of libseccomp 2.5.5 on upstream nixpkgs has been
scheduled[3].
* the package now uses libseccomp 2.5.5 on its own already. This is to
provide a quick fix since the correct fix for 23.11 is still a staging cycle
away.
We still need the compat header though since `SCMP_SYS(fchmodat2)`
internally transforms this into `__SNR_fchmodat2` which points to
`__NR_fchmodat2` from glibc 2.39, so it wouldn't build on glibc 2.38.
The updated syscall table from libseccomp 2.5.5 is NOT used for that
step, but used later, so we need both, our compat header and their
syscall table 🤷
Relevant PRs in CppNix:
* https://github.com/NixOS/nix/pull/10591
* https://github.com/NixOS/nix/pull/10501
[1] https://github.com/NixOS/nixpkgs/issues/300635#issuecomment-2031073804
[2] https://github.com/NixOS/nixpkgs/issues/300635#issuecomment-2030844251
[3] https://github.com/NixOS/nixpkgs/pull/306070
(cherry picked from commit ba6804518772e6afb403dd55478365d4b863c854)
Change-Id: I6921ab5a363188c6bff617750d00bb517276b7fe
2024-04-14 12:10:23 +00:00
|
|
|
# Export the patched version of boehmgc & libseccomp.
|
2024-04-06 21:44:27 +00:00
|
|
|
# flake.nix exports that into its overlay.
|
libstore/local-derivation-goal: prohibit creating setuid/setgid binaries
With Linux kernel >=6.6 & glibc 2.39 a `fchmodat2(2)` is available that
isn't filtered away by the libseccomp sandbox.
Being able to use this to bypass that restriction has surprising results
for some builds such as lxc[1]:
> With kernel ≥6.6 and glibc 2.39, lxc's install phase uses fchmodat2,
> which slips through https://github.com/NixOS/nix/blob/9b88e5284608116b7db0dbd3d5dd7a33b90d52d7/src/libstore/build/local-derivation-goal.cc#L1650-L1663.
> The fixupPhase then uses fchmodat, which fails.
> With older kernel or glibc, setting the suid bit fails in the
> install phase, which is not treated as fatal, and then the
> fixup phase does not try to set it again.
Please note that there are still ways to bypass this sandbox[2] and this is
mostly a fix for the breaking builds.
This change works by creating a syscall filter for the `fchmodat2`
syscall (number 452 on most systems). The problem is that glibc 2.39
is needed to have the correct syscall number available via
`__NR_fchmodat2` / `__SNR_fchmodat2`, but this flake is still on
nixpkgs 23.11. To have this change everywhere and not dependent on the
glibc this package is built against, I added a header
"fchmodat2-compat.hh" that sets the syscall number based on the
architecture. On most platforms its 452 according to glibc with a few
exceptions:
$ rg --pcre2 'define __NR_fchmodat2 (?!452)'
sysdeps/unix/sysv/linux/x86_64/x32/arch-syscall.h
58:#define __NR_fchmodat2 1073742276
sysdeps/unix/sysv/linux/mips/mips64/n32/arch-syscall.h
67:#define __NR_fchmodat2 6452
sysdeps/unix/sysv/linux/mips/mips64/n64/arch-syscall.h
62:#define __NR_fchmodat2 5452
sysdeps/unix/sysv/linux/mips/mips32/arch-syscall.h
70:#define __NR_fchmodat2 4452
sysdeps/unix/sysv/linux/alpha/arch-syscall.h
59:#define __NR_fchmodat2 562
I added a small regression-test to the setuid integration-test that
attempts to set the suid bit on a file using the fchmodat2 syscall.
I confirmed that the test fails without the change in
local-derivation-goal.
Additionally, we require libseccomp 2.5.5 or greater now: as it turns
out, libseccomp maintains an internal syscall table and
validates each rule against it. This means that when using libseccomp
2.5.4 or older, one may pass `452` as syscall number against it, but
since it doesn't exist in the internal structure, `libseccomp` will refuse
to create a filter for that. This happens with nixpkgs-23.11, i.e. on
stable NixOS and when building Lix against the project's flake.
To work around that
* a backport of libseccomp 2.5.5 on upstream nixpkgs has been
scheduled[3].
* the package now uses libseccomp 2.5.5 on its own already. This is to
provide a quick fix since the correct fix for 23.11 is still a staging cycle
away.
We still need the compat header though since `SCMP_SYS(fchmodat2)`
internally transforms this into `__SNR_fchmodat2` which points to
`__NR_fchmodat2` from glibc 2.39, so it wouldn't build on glibc 2.38.
The updated syscall table from libseccomp 2.5.5 is NOT used for that
step, but used later, so we need both, our compat header and their
syscall table 🤷
Relevant PRs in CppNix:
* https://github.com/NixOS/nix/pull/10591
* https://github.com/NixOS/nix/pull/10501
[1] https://github.com/NixOS/nixpkgs/issues/300635#issuecomment-2031073804
[2] https://github.com/NixOS/nixpkgs/issues/300635#issuecomment-2030844251
[3] https://github.com/NixOS/nixpkgs/pull/306070
(cherry picked from commit ba6804518772e6afb403dd55478365d4b863c854)
Change-Id: I6921ab5a363188c6bff617750d00bb517276b7fe
2024-04-14 12:10:23 +00:00
|
|
|
passthru = {
|
|
|
|
inherit (__forDefaults) boehmgc-nix libseccomp-nix;
|
|
|
|
};
|
2024-03-01 20:15:44 +00:00
|
|
|
})
|