lix/src/libstore
Eelco Dolstra 6cf23c3e8f
Add allow-new-privileges option
This allows builds to call setuid binaries. This was previously
possible until we started using seccomp. Turns out that seccomp by
default disallows processes from acquiring new privileges. Generally,
any use of setuid binaries (except those created by the builder
itself) is by definition impure, but some people were relying on this
ability for certain tests.

Example:

  $ nix build '(with import <nixpkgs> {}; runCommand "foo" {} "/run/wrappers/bin/ping -c 1 8.8.8.8; exit 1")' --no-allow-new-privileges
  builder for ‘/nix/store/j0nd8kv85hd6r4kxgnwzvr0k65ykf6fv-foo.drv’ failed with exit code 1; last 2 log lines:
    cannot raise the capability into the Ambient set
    : Operation not permitted

  $ nix build '(with import <nixpkgs> {}; runCommand "foo" {} "/run/wrappers/bin/ping -c 1 8.8.8.8; exit 1")' --allow-new-privileges
  builder for ‘/nix/store/j0nd8kv85hd6r4kxgnwzvr0k65ykf6fv-foo.drv’ failed with exit code 1; last 6 log lines:
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=46 time=15.2 ms

Fixes #1429.
2017-07-04 15:48:25 +02:00
..
binary-cache-store.cc Support base-64 hashes 2017-07-04 15:07:41 +02:00
binary-cache-store.hh Replace a few bool flags with enums 2017-07-03 11:38:08 +02:00
build.cc Add allow-new-privileges option 2017-07-04 15:48:25 +02:00
builtins.cc Improve progress indicator 2017-05-16 16:09:57 +02:00
builtins.hh Support netrc in <nix/fetchurl.nix> 2017-02-16 15:51:50 +01:00
crypto.cc Convert Settings to the new config system 2017-04-13 20:53:23 +02:00
crypto.hh Revert "Get rid of unicode quotes (#1140)" 2016-11-26 00:38:01 +01:00
derivations.cc Support base-64 hashes 2017-07-04 15:07:41 +02:00
derivations.hh Replace a few bool flags with enums 2017-07-03 11:38:08 +02:00
download.cc Support base-64 hashes 2017-07-04 15:07:41 +02:00
download.hh Improve progress indicator 2017-05-16 16:09:57 +02:00
export-import.cc Support base-64 hashes 2017-07-04 15:07:41 +02:00
fs-accessor.hh Add NAR / Store accessor abstraction 2016-02-25 17:43:19 +01:00
gc.cc Support base-64 hashes 2017-07-04 15:07:41 +02:00
globals.cc Provide a builtin default for $NIX_SSL_CERT_FILE 2017-06-12 16:44:43 +02:00
globals.hh Add allow-new-privileges option 2017-07-04 15:48:25 +02:00
http-binary-cache-store.cc Improve progress indicator 2017-05-16 16:09:57 +02:00
legacy-ssh-store.cc Replace a few bool flags with enums 2017-07-03 11:38:08 +02:00
local-binary-cache-store.cc S3BinaryCacheStore: Set Content-Type 2017-03-15 16:50:19 +01:00
local-fs-store.cc LocalStoreAccessor: Fix handling of diverted stores 2017-05-02 15:46:09 +02:00
local-store.cc Support base-64 hashes 2017-07-04 15:07:41 +02:00
local-store.hh Replace a few bool flags with enums 2017-07-03 11:38:08 +02:00
local.mk Always use the Darwin sandbox 2017-06-06 18:44:49 +02:00
machines.cc Make the location of the build directory in the sandbox configurable 2017-05-05 17:45:22 +02:00
machines.hh Replace $NIX_REMOTE_SYSTEMS with an option "builder-files" 2017-05-02 15:46:09 +02:00
misc.cc Revert "Get rid of unicode quotes (#1140)" 2016-11-26 00:38:01 +01:00
nar-accessor.cc nar-accessor.cc: remove unused member NarIndexer::currentName 2017-05-15 19:41:59 +02:00
nar-accessor.hh Add NAR / Store accessor abstraction 2016-02-25 17:43:19 +01:00
nar-info-disk-cache.cc Support base-64 hashes 2017-07-04 15:07:41 +02:00
nar-info-disk-cache.hh HttpBinaryCacheStore: Fix caching of WantMassQuery 2016-06-01 16:24:17 +02:00
nar-info.cc Support base-64 hashes 2017-07-04 15:07:41 +02:00
nar-info.hh Make the store directory a member variable of Store 2016-06-01 16:24:17 +02:00
nix-store.pc.in Install some pkgconfig files 2014-09-18 12:00:40 +02:00
optimise-store.cc Support base-64 hashes 2017-07-04 15:07:41 +02:00
pathlocks.cc Fix assertion failure when a path is locked 2017-01-26 20:40:33 +01:00
pathlocks.hh openLockFile: Return an AutoCloseFD 2017-01-26 20:40:33 +01:00
profiles.cc Revert "Get rid of unicode quotes (#1140)" 2016-11-26 00:38:01 +01:00
profiles.hh Allow setting the state directory as a store parameter 2016-06-02 16:02:48 +02:00
references.cc Revert "Get rid of unicode quotes (#1140)" 2016-11-26 00:38:01 +01:00
references.hh Use "#pragma once" to prevent repeated header file inclusion 2012-07-18 14:59:03 -04:00
remote-fs-accessor.cc Revert "Get rid of unicode quotes (#1140)" 2016-11-26 00:38:01 +01:00
remote-fs-accessor.hh Factor a general remote FS accessor out of BinaryCacheStore 2016-09-02 14:24:34 -04:00
remote-store.cc Support base-64 hashes 2017-07-04 15:07:41 +02:00
remote-store.hh Replace a few bool flags with enums 2017-07-03 11:38:08 +02:00
s3-binary-cache-store.cc Disable use of virtual hosting in aws-sdk-cpp 2017-06-19 18:51:33 +02:00
s3-binary-cache-store.hh Fix getS3Stats() 2016-10-06 17:00:52 +02:00
s3.hh Add aws-region param to S3 store URLs 2017-03-03 16:12:17 -05:00
sandbox-defaults.sb Always use the Darwin sandbox 2017-06-06 18:44:49 +02:00
sandbox-minimal.sb Always use the Darwin sandbox 2017-06-06 18:44:49 +02:00
sandbox-network.sb OS X sandbox: Improve builtin sandbox profile 2017-05-31 17:25:51 +02:00
schema.sql Mark content-addressed paths in the Nix database and in .narinfo 2016-08-10 18:05:35 +02:00
serve-protocol.hh Provide default implementations for a couple of Store methods 2017-02-07 19:29:21 +01:00
sqlite.cc Improve SQLite busy handling 2017-02-28 13:59:11 +01:00
sqlite.hh Improve SQLite busy handling 2017-02-28 13:59:11 +01:00
ssh-store.cc Add a Config class to simplify adding configuration settings 2017-04-13 16:03:31 +02:00
ssh.cc build-remote: Ugly hackery to get build logs to work 2017-05-02 12:02:23 +02:00
ssh.hh build-remote: Ugly hackery to get build logs to work 2017-05-02 12:02:23 +02:00
store-api.cc Support base-64 hashes 2017-07-04 15:07:41 +02:00
store-api.hh Replace a few bool flags with enums 2017-07-03 11:38:08 +02:00
worker-protocol.hh Implement RemoteStore::queryMissing() 2017-04-06 18:40:19 +02:00