Puck Meerburg 6f36a8834c Copy the output of fixed-output derivations before registering them
It is possible to exfiltrate a file descriptor out of the build sandbox
of FODs, and use it to modify the store path after it has been
registered. To avoid that issue, don't register the output of the build,
but a copy of it (that will be free of any leaked file descriptor).

Test that we can't leverage abstract Unix domain sockets to leak file
descriptors out of the sandbox and modify the path after it has been
registered.

(cherry picked from commit 2dadfeb690e7f4b8f97298e29791d202fdba5ca6)
(tests cherry picked from commit c854ae5b3078ac5d99fa75fe148005044809e18c)

Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
Co-authored-by: Theophane Hufschmitt <theophane.hufschmitt@tweag.io>
Co-authored-by: Tom Bereknyei <tomberek@gmail.com>

Change-Id: I87cd58f1c0a4f7b7a610d354206b33301e47b1a4
2024-03-07 01:44:58 +00:00
.github Put functional tests in tests/functional 2023-12-01 12:06:43 -05:00
config Run autoupdate 2021-06-01 11:42:38 +02:00
contrib function-trace: always show the trace 2019-09-18 23:23:21 +02:00
doc Merge pull request #5145 from fedepell/local_doc_build_5140 2024-03-05 23:01:05 +01:00
m4 Merge pull request #6258 from obsidiansystems/gcc-bug-ergonomics 2024-03-04 05:24:33 +01:00
maintainers Merge pull request #9393 from hercules-ci/changelog-d 2024-03-04 07:11:19 +01:00
misc Merge pull request #9573 from hercules-ci/rl-next-md-frontmatter 2024-03-04 07:12:09 +01:00
mk Merge pull request #5145 from fedepell/local_doc_build_5140 2024-03-05 23:01:05 +01:00
perl Merge pull request #9152 from obsidiansystems/split-out-perl-nix 2024-03-04 04:37:44 +01:00
scripts Merge pull request #10001 from abathur/fix_macos_daemon_perms 2024-03-04 09:25:17 +01:00
src Copy the output of fixed-output derivations before registering them 2024-03-07 01:44:58 +00:00
tests Copy the output of fixed-output derivations before registering them 2024-03-07 01:44:58 +00:00
unit-test-data/libstore Merge pull request #9247 from obsidiansystems/derivation-test-with-files 2024-03-04 05:21:10 +01:00
.dir-locals.el .dir-locals.el: Set c-block-comment-prefix 2020-07-10 11:21:06 +02:00
.editorconfig Add .editorconfig 2017-06-05 22:57:28 +01:00
.gitignore Merge pull request #10085 from ShamrockLee/ignore-obsolete-testdir 2024-03-05 23:36:31 -07:00
.version Bump version 2023-09-20 15:20:52 +02:00
boehmgc-coroutine-sp-fallback.diff Merge pull request #8887 from obsidiansystems/bsd-cross-ci 2024-03-04 04:36:04 +01:00
boehmgc-traceable_allocator-public.diff Merge pull request #9430 from hercules-ci/remove-vlas 2024-03-04 07:11:25 +01:00
configure.ac Merge pull request #9844 from NixOS/pkg-config-gmock 2024-03-04 08:47:39 +01:00
CONTRIBUTING.md Put functional tests in tests/functional 2023-12-01 12:06:43 -05:00
COPYING * Change this to LGPL to keep the government happy. 2006-04-25 16:41:06 +00:00
default.nix add flake-compat to flake.nix and use sha256 in default.nix 2023-03-06 21:11:24 +01:00
docker.nix fix "add an option to include flake-registry..." 2023-05-16 14:35:31 +02:00
flake.lock Merge pull request #9608 from NixOS/default-lowdown 2024-03-05 23:36:11 -07:00
flake.nix Merge pull request #9608 from NixOS/default-lowdown 2024-03-05 23:36:11 -07:00
local.mk Merge pull request #9106 from Ericson2314/positive-source-filtering 2024-03-04 04:36:42 +01:00
Makefile Merge pull request #5145 from fedepell/local_doc_build_5140 2024-03-05 23:01:05 +01:00
Makefile.config.in Merge pull request #9106 from Ericson2314/positive-source-filtering 2024-03-04 04:36:42 +01:00
precompiled-headers.h Config: Use nlohmann/json 2020-08-20 11:02:16 +02:00
README.md Improve hacking.md 2023-02-13 12:00:00 +04:00
shell.nix Remove url literals 2022-01-24 13:28:21 +01:00

Nix


Nix is a powerful package manager for Linux and other Unix systems that makes package management reliable and reproducible. Please refer to the Nix manual for more details.

Installation

On Linux and macOS the easiest way to install Nix is to run the following shell command (as a user other than root):

$ curl -L https://nixos.org/nix/install | sh

Information on additional installation methods is available on the Nix download page.

Building And Developing

See the Hacking guide in our manual for instructions on how to set up a development environment and build Nix from source.

Additional Resources

License

Nix is released under the LGPL v2.1.