Merge pull request #6710 from edolstra/embedded-sandbox-shell
Embed the sandbox shell into the statically linked 'nix' binary
This commit is contained in:
commit
3c57db1a0f
5 changed files with 39 additions and 4 deletions
|
@ -1,4 +1,3 @@
|
||||||
HOST_OS = @host_os@
|
|
||||||
AR = @AR@
|
AR = @AR@
|
||||||
BDW_GC_LIBS = @BDW_GC_LIBS@
|
BDW_GC_LIBS = @BDW_GC_LIBS@
|
||||||
BOOST_LDFLAGS = @BOOST_LDFLAGS@
|
BOOST_LDFLAGS = @BOOST_LDFLAGS@
|
||||||
|
@ -13,13 +12,14 @@ ENABLE_S3 = @ENABLE_S3@
|
||||||
GTEST_LIBS = @GTEST_LIBS@
|
GTEST_LIBS = @GTEST_LIBS@
|
||||||
HAVE_LIBCPUID = @HAVE_LIBCPUID@
|
HAVE_LIBCPUID = @HAVE_LIBCPUID@
|
||||||
HAVE_SECCOMP = @HAVE_SECCOMP@
|
HAVE_SECCOMP = @HAVE_SECCOMP@
|
||||||
|
HOST_OS = @host_os@
|
||||||
LDFLAGS = @LDFLAGS@
|
LDFLAGS = @LDFLAGS@
|
||||||
LIBARCHIVE_LIBS = @LIBARCHIVE_LIBS@
|
LIBARCHIVE_LIBS = @LIBARCHIVE_LIBS@
|
||||||
LIBBROTLI_LIBS = @LIBBROTLI_LIBS@
|
LIBBROTLI_LIBS = @LIBBROTLI_LIBS@
|
||||||
LIBCURL_LIBS = @LIBCURL_LIBS@
|
LIBCURL_LIBS = @LIBCURL_LIBS@
|
||||||
|
LIBSECCOMP_LIBS = @LIBSECCOMP_LIBS@
|
||||||
LOWDOWN_LIBS = @LOWDOWN_LIBS@
|
LOWDOWN_LIBS = @LOWDOWN_LIBS@
|
||||||
OPENSSL_LIBS = @OPENSSL_LIBS@
|
OPENSSL_LIBS = @OPENSSL_LIBS@
|
||||||
LIBSECCOMP_LIBS = @LIBSECCOMP_LIBS@
|
|
||||||
PACKAGE_NAME = @PACKAGE_NAME@
|
PACKAGE_NAME = @PACKAGE_NAME@
|
||||||
PACKAGE_VERSION = @PACKAGE_VERSION@
|
PACKAGE_VERSION = @PACKAGE_VERSION@
|
||||||
SHELL = @bash@
|
SHELL = @bash@
|
||||||
|
@ -31,6 +31,7 @@ datadir = @datadir@
|
||||||
datarootdir = @datarootdir@
|
datarootdir = @datarootdir@
|
||||||
doc_generate = @doc_generate@
|
doc_generate = @doc_generate@
|
||||||
docdir = @docdir@
|
docdir = @docdir@
|
||||||
|
embedded_sandbox_shell = @embedded_sandbox_shell@
|
||||||
exec_prefix = @exec_prefix@
|
exec_prefix = @exec_prefix@
|
||||||
includedir = @includedir@
|
includedir = @includedir@
|
||||||
libdir = @libdir@
|
libdir = @libdir@
|
||||||
|
|
|
@ -320,6 +320,14 @@ if test ${cross_compiling:-no} = no && ! test -z ${sandbox_shell+x}; then
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
AC_ARG_ENABLE(embedded-sandbox-shell, AS_HELP_STRING([--enable-embedded-sandbox-shell],[include the sandbox shell in the Nix binary [default=no]]),
|
||||||
|
embedded_sandbox_shell=$enableval, embedded_sandbox_shell=no)
|
||||||
|
AC_SUBST(embedded_sandbox_shell)
|
||||||
|
if test "$embedded_sandbox_shell" = yes; then
|
||||||
|
AC_DEFINE(HAVE_EMBEDDED_SANDBOX_SHELL, 1, [Include the sandbox shell in the Nix binary.])
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
# Expand all variables in config.status.
|
# Expand all variables in config.status.
|
||||||
test "$prefix" = NONE && prefix=$ac_default_prefix
|
test "$prefix" = NONE && prefix=$ac_default_prefix
|
||||||
test "$exec_prefix" = NONE && exec_prefix='${prefix}'
|
test "$exec_prefix" = NONE && exec_prefix='${prefix}'
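Review bot: The new `if test "$embedded_sandbox_shell" = yes; then` block defines HAVE_EMBEDDED_SANDBOX_SHELL without checking that a sandbox shell was actually configured, although the surrounding code (the `${sandbox_shell+x}` test visible in the hunk header) treats `sandbox_shell` as possibly unset. With the option enabled and `sandbox_shell` empty, the local.mk rule `$(d)/embedded-sandbox-shell.gen.hh: $(sandbox_shell)` added in the same commit would have no prerequisite and its `hexdump ... < $<` recipe would redirect from nothing, so the failure would surface as an opaque shell error at build time rather than at configure time. Adding `test -n "$sandbox_shell" || AC_MSG_ERROR([--enable-embedded-sandbox-shell requires a sandbox shell path])` inside the block gives a clear diagnostic and keeps the generated header rule from ever running without an input; the same guard could alternatively be an `$(error ...)` in the local.mk `ifeq ($(embedded_sandbox_shell),yes)` branch.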
|
||||||
|
|
|
@ -578,7 +578,11 @@
|
||||||
doInstallCheck=1
|
doInstallCheck=1
|
||||||
'';
|
'';
|
||||||
|
|
||||||
configureFlags = [ "--sysconfdir=/etc" ];
|
configureFlags =
|
||||||
|
configureFlags ++
|
||||||
|
[ "--sysconfdir=/etc"
|
||||||
|
"--enable-embedded-sandbox-shell"
|
||||||
|
];
|
||||||
|
|
||||||
enableParallelBuilding = true;
|
enableParallelBuilding = true;
|
||||||
|
|
||||||
|
|
|
@ -1717,7 +1717,19 @@ void LocalDerivationGoal::runChild()
|
||||||
|
|
||||||
for (auto & i : dirsInChroot) {
|
for (auto & i : dirsInChroot) {
|
||||||
if (i.second.source == "/proc") continue; // backwards compatibility
|
if (i.second.source == "/proc") continue; // backwards compatibility
|
||||||
doBind(i.second.source, chrootRootDir + i.first, i.second.optional);
|
|
||||||
|
#if HAVE_EMBEDDED_SANDBOX_SHELL
|
||||||
|
if (i.second.source == "__embedded_sandbox_shell__") {
|
||||||
|
static unsigned char sh[] = {
|
||||||
|
#include "embedded-sandbox-shell.gen.hh"
|
||||||
|
};
|
||||||
|
auto dst = chrootRootDir + i.first;
|
||||||
|
createDirs(dirOf(dst));
|
||||||
|
writeFile(dst, std::string_view((const char *) sh, sizeof(sh)));
|
||||||
|
chmod_(dst, 0555);
|
||||||
|
} else
|
||||||
|
#endif
|
||||||
|
doBind(i.second.source, chrootRootDir + i.first, i.second.optional);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Bind a new instance of procfs on /proc. */
|
/* Bind a new instance of procfs on /proc. */
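Review bot: The embedded shell image at `static unsigned char sh[]` is a writable array even though the code only reads it; declaring it `static const unsigned char sh[] = {` lets the bytes live in read-only storage so the image that becomes the sandbox's shell cannot be modified in-process before it is written out, and pairs naturally with `reinterpret_cast<const char *>(sh)` instead of the C-style cast on the `writeFile` line. The comparison against the literal `"__embedded_sandbox_shell__"` duplicates the sentinel that local.mk passes as `-DSANDBOX_SHELL`; since both are derived from the same configure flag, comparing against the macro (`if (i.second.source == SANDBOX_SHELL) {`) keeps the two from drifting apart silently. The `} else` followed by `#endif` and the bare `doBind(...)` call is correct in both configurations but easy to break when editing, so a one-line comment such as `// falls through to doBind() for every other entry, and always when the shell is not embedded` would help the next reader. `runChild()` starts and ends outside the hunk.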
|
||||||
|
|
|
@ -43,9 +43,19 @@ libstore_CXXFLAGS += \
|
||||||
-DNIX_MAN_DIR=\"$(mandir)\" \
|
-DNIX_MAN_DIR=\"$(mandir)\" \
|
||||||
-DLSOF=\"$(lsof)\"
|
-DLSOF=\"$(lsof)\"
|
||||||
|
|
||||||
|
ifeq ($(embedded_sandbox_shell),yes)
|
||||||
|
libstore_CXXFLAGS += -DSANDBOX_SHELL=\"__embedded_sandbox_shell__\"
|
||||||
|
|
||||||
|
$(d)/build/local-derivation-goal.cc: $(d)/embedded-sandbox-shell.gen.hh
|
||||||
|
|
||||||
|
$(d)/embedded-sandbox-shell.gen.hh: $(sandbox_shell)
|
||||||
|
$(trace-gen) hexdump -v -e '1/1 "0x%x," "\n"' < $< > $@.tmp
|
||||||
|
@mv $@.tmp $@
|
||||||
|
else
|
||||||
ifneq ($(sandbox_shell),)
|
ifneq ($(sandbox_shell),)
|
||||||
libstore_CXXFLAGS += -DSANDBOX_SHELL="\"$(sandbox_shell)\""
|
libstore_CXXFLAGS += -DSANDBOX_SHELL="\"$(sandbox_shell)\""
|
||||||
endif
|
endif
|
||||||
|
endif
|
||||||
|
|
||||||
$(d)/local-store.cc: $(d)/schema.sql.gen.hh $(d)/ca-specific-schema.sql.gen.hh
|
$(d)/local-store.cc: $(d)/schema.sql.gen.hh $(d)/ca-specific-schema.sql.gen.hh
|
||||||
|
|
||||||
|
|