Merge remote-tracking branch 'origin/master' into flakes
commit
7abe3bde8a
5 changed files with 19 additions and 15 deletions
|
@ -567,7 +567,7 @@ install_from_extracted_nix() {
|
||||||
cd "$EXTRACTED_NIX_PATH"
|
cd "$EXTRACTED_NIX_PATH"
|
||||||
|
|
||||||
_sudo "to copy the basic Nix files to the new store at $NIX_ROOT/store" \
|
_sudo "to copy the basic Nix files to the new store at $NIX_ROOT/store" \
|
||||||
rsync -rlpt ./store/* "$NIX_ROOT/store/"
|
rsync -rlpt --chmod=-w ./store/* "$NIX_ROOT/store/"
|
||||||
|
|
||||||
if [ -d "$NIX_INSTALLED_NIX" ]; then
|
if [ -d "$NIX_INSTALLED_NIX" ]; then
|
||||||
echo " Alright! We have our first nix at $NIX_INSTALLED_NIX"
|
echo " Alright! We have our first nix at $NIX_INSTALLED_NIX"
|
||||||
|
|
|
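Review bot: The source argument `./store/*` on the rsync line relies on shell globbing, which skips dot-entries, can exceed ARG_MAX on a large closure, and would hand rsync an entry whose name starts with `-` as an option; pointing rsync at the directory itself avoids all three: `rsync -rlpt --chmod=-w ./store/ "$NIX_ROOT/store/"`. The new `--chmod=-w` strips write bits from both files and directories as they are copied in, which matches the read-only store convention, but a one-line comment would make that intent durable, e.g. `# store paths are immutable: drop write bits on everything copied into the store`. install_from_extracted_nix begins and ends outside this hunk.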
@ -36,6 +36,7 @@ tarball="$tmpDir/$(basename "$tmpDir/nix-@nixVersion@-$system.tar.xz")"
|
||||||
|
|
||||||
require_util curl "download the binary tarball"
|
require_util curl "download the binary tarball"
|
||||||
require_util tar "unpack the binary tarball"
|
require_util tar "unpack the binary tarball"
|
||||||
|
require_util xz "unpack the binary tarball"
|
||||||
|
|
||||||
echo "downloading Nix @nixVersion@ binary tarball for $system from '$url' to '$tmpDir'..."
|
echo "downloading Nix @nixVersion@ binary tarball for $system from '$url' to '$tmpDir'..."
|
||||||
curl -L "$url" -o "$tarball" || oops "failed to download '$url'"
|
curl -L "$url" -o "$tarball" || oops "failed to download '$url'"
|
||||||
|
|
|
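Review bot: The new `require_util xz` check runs before anything is downloaded, which is the right place for it, but the fetch on the hunk's last line (`curl -L "$url" -o "$tarball"`) follows redirects with no protocol restriction, so a redirect to plain http would be accepted silently; `curl -L --proto '=https' --tlsv1.2 "$url" -o "$tarball"` keeps the transfer on TLS. Whether the downloaded tarball's hash is compared afterwards happens outside this hunk, so I cannot tell from here; if it is, the tool that comparison uses (`sha256sum` or similar) deserves a `require_util` line next to these so a missing utility fails early rather than after the download.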
@ -20,13 +20,6 @@ namespace nix {
|
||||||
must be deleted and recreated on startup.) */
|
must be deleted and recreated on startup.) */
|
||||||
#define DEFAULT_SOCKET_PATH "/daemon-socket/socket"
|
#define DEFAULT_SOCKET_PATH "/daemon-socket/socket"
|
||||||
|
|
||||||
/* chroot-like behavior from Apple's sandbox */
|
|
||||||
#if __APPLE__
|
|
||||||
#define DEFAULT_ALLOWED_IMPURE_PREFIXES "/System/Library /usr/lib /dev /bin/sh"
|
|
||||||
#else
|
|
||||||
#define DEFAULT_ALLOWED_IMPURE_PREFIXES ""
|
|
||||||
#endif
|
|
||||||
|
|
||||||
Settings settings;
|
Settings settings;
|
||||||
|
|
||||||
static GlobalConfig::Register r1(&settings);
|
static GlobalConfig::Register r1(&settings);
|
||||||
|
@ -68,7 +61,12 @@ Settings::Settings()
|
||||||
sandboxPaths = tokenizeString<StringSet>("/bin/sh=" SANDBOX_SHELL);
|
sandboxPaths = tokenizeString<StringSet>("/bin/sh=" SANDBOX_SHELL);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
allowedImpureHostPrefixes = tokenizeString<StringSet>(DEFAULT_ALLOWED_IMPURE_PREFIXES);
|
|
||||||
|
/* chroot-like behavior from Apple's sandbox */
|
||||||
|
#if __APPLE__
|
||||||
|
sandboxPaths = tokenizeString<StringSet>("/System/Library/Frameworks /System/Library/PrivateFrameworks /bin/sh /bin/bash /private/tmp /private/var/tmp /usr/lib");
|
||||||
|
allowedImpureHostPrefixes = tokenizeString<StringSet>("/System/Library /usr/lib /dev /bin/sh");
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
void loadConfFile()
|
void loadConfFile()
|
||||||
|
|
|
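Review bot: The Apple branch now adds `/private/tmp` and `/private/var/tmp` to every build's `sandboxPaths`; those are host-wide, shared, writable directories, so if `sandboxPaths` exposes them read/write inside the sandbox (as bind mounts do on Linux — I cannot confirm the Darwin mechanism from this hunk), a build can read or alter other processes' temporary files and exchange data with concurrent builds, which widens the sandbox well beyond the read-only system locations listed on the same line. If they are genuinely required, a comment stating why would stop a later reader from tightening or loosening it blindly, e.g. `/* /private/tmp and /private/var/tmp are exposed because ...; narrow to a per-build directory if possible */`. Note also that `sandboxPaths` is assigned twice in this constructor (the `SANDBOX_SHELL` line under the earlier `#if`, then again here); whether those two guards are mutually exclusive is not visible in the hunk.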
@ -311,12 +311,7 @@ public:
|
||||||
Setting<bool> printMissing{this, true, "print-missing",
|
Setting<bool> printMissing{this, true, "print-missing",
|
||||||
"Whether to print what paths need to be built or downloaded."};
|
"Whether to print what paths need to be built or downloaded."};
|
||||||
|
|
||||||
Setting<std::string> preBuildHook{this,
|
Setting<std::string> preBuildHook{this, "",
|
||||||
#if __APPLE__
|
|
||||||
nixLibexecDir + "/nix/resolve-system-dependencies",
|
|
||||||
#else
|
|
||||||
"",
|
|
||||||
#endif
|
|
||||||
"pre-build-hook",
|
"pre-build-hook",
|
||||||
"A program to run just before a build to set derivation-specific build settings."};
|
"A program to run just before a build to set derivation-specific build settings."};
|
||||||
|
|
||||||
|
|
|
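Review bot: The description string at the end of the hunk no longer matches the new default: `preBuildHook` is now `""` on every platform, including macOS where it previously pointed at `resolve-system-dependencies`, so macOS users upgrading silently lose that hook unless they configure it themselves. Say so in the doc string, e.g. `"A program to run just before a build to set derivation-specific build settings. Empty (the default) disables the hook."`. Since this setting names an executable that is run for every build, presumably by the daemon process, it would also be worth stating in the description who may set it (trusted users / nix.conf only, if that is the policy) so the privilege implication is explicit; that policy is not visible from this hunk.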
@ -71,6 +71,12 @@
|
||||||
(literal "/dev/zero")
|
(literal "/dev/zero")
|
||||||
(subpath "/dev/fd"))
|
(subpath "/dev/fd"))
|
||||||
|
|
||||||
|
; Allow pseudo-terminals.
|
||||||
|
(allow file*
|
||||||
|
(literal "/dev/ptmx")
|
||||||
|
(regex #"^/dev/pty[a-z]+")
|
||||||
|
(regex #"^/dev/ttys[0-9]+"))
|
||||||
|
|
||||||
; Does nothing, but reduces build noise.
|
; Does nothing, but reduces build noise.
|
||||||
(allow file* (literal "/dev/dtracehelper"))
|
(allow file* (literal "/dev/dtracehelper"))
|
||||||
|
|
||||||
|
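Review bot: The new `(allow file* ...)` block grants read and write on every `/dev/ttys[0-9]+` and `/dev/pty[a-z]+` node on the host, not just the pseudo-terminal a build allocates through `/dev/ptmx`, so the build's isolation from an interactive user's terminal now rests on DAC ownership of those nodes rather than on the profile. If a pty is only needed for openpty-style use by test suites, document that reliance in the comment, e.g. `; Allow pseudo-terminals (builds can open any pty node; DAC still gates access to other users' terminals).`, and end-anchor the patterns so they do not match longer names, e.g. `(regex #"^/dev/ttys[0-9]+$")`, if the profile language accepts `$`. The `[a-z]+` on the `/dev/pty` rule is looser than the actual device naming, which is worth tightening if it matters here.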
@ -85,3 +91,7 @@
|
||||||
(literal "/etc")
|
(literal "/etc")
|
||||||
(literal "/var")
|
(literal "/var")
|
||||||
(literal "/private/var/tmp"))
|
(literal "/private/var/tmp"))
|
||||||
|
|
||||||
|
; This is used by /bin/sh on macOS 10.15 and later.
|
||||||
|
(allow file*
|
||||||
|
(literal "/private/var/select/sh"))
|
||||||
|
|
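Review bot: `file*` on `/private/var/select/sh` grants write as well as read, but the comment says it is only consulted by `/bin/sh` on 10.15+ to choose the shell implementation, so the least-privilege form is `(allow file-read* (literal "/private/var/select/sh"))`. If a build could write that path (DAC presumably blocks the build users, but the profile should not be the weaker layer), it could redirect every subsequent `/bin/sh` invocation on the host. The enclosing `(allow ...)` form that `(literal "/private/var/tmp"))` closes begins before this hunk.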