Staging environment for Lix release engineering scripts
Find a file
Eelco Dolstra 6cf23c3e8f
Add allow-new-privileges option
This allows builds to call setuid binaries. This was previously
possible until we started using seccomp. Turns out that seccomp by
default disallows processes from acquiring new privileges. Generally,
any use of setuid binaries (except those created by the builder
itself) is by definition impure, but some people were relying on this
ability for certain tests.

Example:

  $ nix build '(with import <nixpkgs> {}; runCommand "foo" {} "/run/wrappers/bin/ping -c 1 8.8.8.8; exit 1")' --no-allow-new-privileges
  builder for ‘/nix/store/j0nd8kv85hd6r4kxgnwzvr0k65ykf6fv-foo.drv’ failed with exit code 1; last 2 log lines:
    cannot raise the capability into the Ambient set
    : Operation not permitted

  $ nix build '(with import <nixpkgs> {}; runCommand "foo" {} "/run/wrappers/bin/ping -c 1 8.8.8.8; exit 1")' --allow-new-privileges
  builder for ‘/nix/store/j0nd8kv85hd6r4kxgnwzvr0k65ykf6fv-foo.drv’ failed with exit code 1; last 6 log lines:
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=46 time=15.2 ms

Fixes #1429.
2017-07-04 15:48:25 +02:00
config Add config.guess, config.sub and install-sh 2013-11-25 11:26:02 +00:00
corepkgs <nix/fetchurl.nix>: Support sha512 argument 2017-07-04 14:45:50 +02:00
doc/manual Add allow-new-privileges option 2017-07-04 15:48:25 +02:00
maintainers Update upload-release script 2017-01-03 11:42:56 +01:00
misc Provide a builtin default for $NIX_SSL_CERT_FILE 2017-06-12 16:44:43 +02:00
mk set _GNU_SOURCE on cygwin 2017-04-21 11:27:27 -03:00
perl Support base-64 hashes 2017-07-04 15:07:41 +02:00
scripts nix-profile.sh: remove sbin from PATH 2017-05-07 07:41:19 +01:00
src Add allow-new-privileges option 2017-07-04 15:48:25 +02:00
tests Support base-64 hashes 2017-07-04 15:07:41 +02:00
.dir-locals.el Add .dir-locals.el for Emacs 2016-01-28 11:12:04 +01:00
.editorconfig Add .editorconfig 2017-06-05 22:57:28 +01:00
.gitignore Always use the Darwin sandbox 2017-06-06 18:44:49 +02:00
bootstrap.sh bootstrap: Simplify & make more robust. 2011-09-06 12:11:05 +00:00
configure.ac Add a seccomp filter to prevent creating setuid/setgid binaries 2017-05-29 16:14:10 +02:00
COPYING * Change this to LGPL to keep the government happy. 2006-04-25 16:41:06 +00:00
local.mk Shut up some warnings 2017-04-14 14:42:20 +02:00
Makefile Merge branch 'remove-perl' of https://github.com/shlevy/nix 2017-03-31 14:13:32 +02:00
Makefile.config.in Add --with-sandbox-shell configure flag 2017-05-15 17:36:32 +02:00
nix.spec.in RPM, Deb: Add dependency on libseccomp 2017-06-01 14:28:21 +02:00
README.md Fix minor grammatical nitpick ("it's" vs. "its") in README.md. 2017-03-22 10:11:23 -04:00
release-common.nix Only pass --with-sandbox-shell on Linux 2017-05-30 15:56:15 +02:00
release.nix Let hydra choose an alternate list of systems 2017-06-19 14:21:06 -04:00
shell.nix Add a seccomp filter to prevent creating setuid/setgid binaries 2017-05-29 16:14:10 +02:00
version Bump 2016-01-20 16:34:37 +01:00

Nix, the purely functional package manager

Nix is a new take on package management that is fairly unique. Because of its purity aspects, a lot of issues found in traditional package managers don't appear with Nix.

To find out more about the tool, usage and installation instructions, please read the manual, which is available on the Nix website at http://nixos.org/nix/manual.

Contributing

Take a look at the Hacking Section of the manual. It helps you to get started with building Nix from source.

License

Nix is released under the LGPL v2.1

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit.