{
pkgs,
lib,
stdenv,
aws-sdk-cpp,
# If the patched version of Boehm isn't passed, then patch it based off of
# pkgs.boehmgc. This allows `callPackage`ing this file without needing to
# implement behavior that this package flat out doesn't build without
# anyway, but also allows easily overriding the patch logic.
boehmgc-nix ? __forDefaults.boehmgc-nix,
boehmgc,
nlohmann_json,
build-release-notes ? __forDefaults.build-release-notes,
boost,
brotli,
bzip2,
callPackage,
capnproto-lix ? __forDefaults.capnproto-lix,
capnproto,
cmake,
curl,
doxygen,
editline-lix ? __forDefaults.editline-lix,
editline,
git,
gtest,
jq,
libarchive,
libcpuid,
libseccomp,
libsodium,
lix-clang-tidy ? null,
llvmPackages,
build: optionally build and install with meson
This commit adds several meson.build, which successfully build and
install Lix executables, libraries, and headers. Meson does not yet
build docs, Perl bindings, or run tests, which will be added in
following commits. As such, this commit does not remove the existing
build system, or make it the default, and also as such, this commit has
several FIXMEs and TODOs as notes for what should be done before the
existing autoconf + make buildsystem can be removed and Meson made the
default. This commit does not modify any source files.
A Meson-enabled build is also added as a Hydra job, and to
`nix flake check`.
Change-Id: I667c8685b13b7bab91e281053f807a11616ae3d4
lsof,
lowdown,
mdbook,
mdbook-linkcheck,
mercurial,
build: optionally build and install with meson
This commit adds several meson.build, which successfully build and
install Lix executables, libraries, and headers. Meson does not yet
build docs, Perl bindings, or run tests, which will be added in
following commits. As such, this commit does not remove the existing
build system, or make it the default, and also as such, this commit has
several FIXMEs and TODOs as notes for what should be done before the
existing autoconf + make buildsystem can be removed and Meson made the
default. This commit does not modify any source files.
A Meson-enabled build is also added as a Hydra job, and to
`nix flake check`.
Change-Id: I667c8685b13b7bab91e281053f807a11616ae3d4
meson,
ninja,
ncurses,
openssl,
pegtl,
pkg-config,
python3,
rapidcheck,
rustPlatform,
rustc,
sqlite,
toml11,
util-linuxMinimal ? utillinuxMinimal,
utillinuxMinimal ? null,
xz,
busybox-sandbox-shell,
pname ? "lix",
versionSuffix ? "",
officialRelease ? __forDefaults.versionJson.official_release,
# Set to true to build the release notes for the next release.
buildUnreleasedNotes ? true,
internalApiDocs ? false,
# Support garbage collection in the evaluator.
enableGC ? sanitize == null || !builtins.elem "address" sanitize,
# List of Meson sanitize options. Accepts values of b_sanitize, e.g.
# "address", "undefined", "thread".
# Enabling the "address" sanitizer will disable garbage collection in the evaluator.
sanitize ? null,
# Turn compiler warnings into errors.
werror ? false,
lintInsteadOfBuild ? false,
# Not a real argument, just the only way to approximate let-binding some
# stuff for argument defaults.
__forDefaults ? {
canRunInstalled = stdenv.buildPlatform.canExecute stdenv.hostPlatform;
versionJson = builtins.fromJSON (builtins.readFile ./version.json);
boehmgc-nix = boehmgc.override { enableLargeConfig = true; };
editline-lix = editline.overrideAttrs (prev: {
patches = (prev.patches or [ ]) ++ [
# Recognize `Alt-Left` and `Alt-Right` for navigating by words in more
# terminals/shells/platforms.
#
# See: https://github.com/troglobit/editline/pull/70
./nix-support/editline.patch
];
configureFlags = (prev.configureFlags or [ ]) ++ [
# Enable SIGSTOP (Ctrl-Z) behavior.
(lib.enableFeature true "sigstop")
# Enable ANSI arrow keys.
(lib.enableFeature true "arrow-keys")
# Use termcap library to query terminal size.
(lib.enableFeature (ncurses != null) "termcap")
];
buildInputs = (prev.buildInputs or [ ]) ++ [ ncurses ];
});
build-release-notes = callPackage ./maintainers/build-release-notes.nix { };
# needs explicit c++20 to enable coroutine support
capnproto-lix = capnproto.overrideAttrs { CXXFLAGS = "-std=c++20"; };
},
}:
# gcc miscompiles coroutines at least until 13.2, possibly longer
assert stdenv.cc.isClang || lintInsteadOfBuild || internalApiDocs;
let
inherit (__forDefaults) canRunInstalled;
inherit (lib) fileset;
inherit (stdenv) hostPlatform buildPlatform;
version = __forDefaults.versionJson.version + versionSuffix;
aws-sdk-cpp-nix =
if aws-sdk-cpp == null then
null
else
aws-sdk-cpp.override {
apis = [
"s3"
"transfer"
];
customMemoryManagement = false;
};
# Reimplementation of Nixpkgs' Meson cross file, with some additions to make
# it actually work.
mesonCrossFile = builtins.toFile "lix-cross-file.conf" ''
[properties]
# Meson is convinced that if !buildPlatform.canExecute hostPlatform then we cannot
# build anything at all, which is not at all correct. If we can't execute the host
# platform, we'll just disable tests and doc gen.
needs_exe_wrapper = false
[binaries]
# Meson refuses to consider any CMake binary during cross compilation if it's
# not explicitly specified here, in the cross file.
# https://github.com/mesonbuild/meson/blob/0ed78cf6fa6d87c0738f67ae43525e661b50a8a2/mesonbuild/cmake/executor.py#L72
cmake = 'cmake'
'';
# The internal API docs need these for the build, but if we're not building
# Nix itself, then these don't need to be propagated.
maybePropagatedInputs = lib.optional enableGC boehmgc-nix ++ [ nlohmann_json ];
# .gitignore has already been processed, so any changes in it are irrelevant
# at this point. It is not represented verbatim for test purposes because
# that would interfere with repo semantics.
baseFiles = fileset.fileFilter (f: f.name != ".gitignore") ./.;
configureFiles = fileset.unions [ ./version.json ];
topLevelBuildFiles = fileset.unions ([
./meson.build
./meson.options
./meson
./scripts/meson.build
./subprojects
# Required for meson to generate Cargo wraps
./Cargo.lock
]);
functionalTestFiles = fileset.unions [
./tests/functional
./tests/functional2
./tests/unit
(fileset.fileFilter (f: lib.strings.hasPrefix "nix-profile" f.name) ./scripts)
];
in
assert (lintInsteadOfBuild -> lix-clang-tidy != null);
stdenv.mkDerivation (finalAttrs: {
inherit pname version;
src = fileset.toSource {
root = ./.;
fileset = fileset.intersection baseFiles (
fileset.unions (
[
configureFiles
topLevelBuildFiles
functionalTestFiles
]
++ lib.optionals (!finalAttrs.dontBuild || internalApiDocs || lintInsteadOfBuild) [
./doc
./misc
./src
./COPYING
]
++ lib.optionals lintInsteadOfBuild [ ./.clang-tidy ]
)
);
};
VERSION_SUFFIX = versionSuffix;
outputs =
[ "out" ]
++ lib.optionals (!finalAttrs.dontBuild) [
"dev"
"doc"
];
dontBuild = lintInsteadOfBuild;
mesonFlags =
let
sanitizeOpts = lib.optional (
sanitize != null
) "-Db_sanitize=${builtins.concatStringsSep "," sanitize}";
in
lib.optionals hostPlatform.isLinux [
# You'd think meson could just find this in PATH, but busybox is in buildInputs,
# which don't actually get added to PATH. And buildInputs is correct over
# nativeBuildInputs since this should be a busybox executable on the host.
"-Dsandbox-shell=${lib.getExe' busybox-sandbox-shell "busybox"}"
]
++ lib.optional hostPlatform.isStatic "-Denable-embedded-sandbox-shell=true"
++ lib.optional (finalAttrs.dontBuild && !lintInsteadOfBuild) "-Denable-build=false"
++ lib.optional lintInsteadOfBuild "-Dlix-clang-tidy-checks-path=${lix-clang-tidy}/lib/liblix-clang-tidy.so"
++ [
# mesonConfigurePhase automatically passes -Dauto_features=enabled,
# so we must explicitly enable or disable features that we are not passing
# dependencies for.
(lib.mesonEnable "gc" enableGC)
(lib.mesonEnable "internal-api-docs" internalApiDocs)
(lib.mesonBool "enable-tests" (finalAttrs.finalPackage.doCheck || lintInsteadOfBuild))
(lib.mesonBool "enable-docs" canRunInstalled)
(lib.mesonBool "werror" werror)
]
++ lib.optional (hostPlatform != buildPlatform) "--cross-file=${mesonCrossFile}"
++ sanitizeOpts;
build: optionally build and install with meson
This commit adds several meson.build, which successfully build and
install Lix executables, libraries, and headers. Meson does not yet
build docs, Perl bindings, or run tests, which will be added in
following commits. As such, this commit does not remove the existing
build system, or make it the default, and also as such, this commit has
several FIXMEs and TODOs as notes for what should be done before the
existing autoconf + make buildsystem can be removed and Meson made the
default. This commit does not modify any source files.
A Meson-enabled build is also added as a Hydra job, and to
`nix flake check`.
Change-Id: I667c8685b13b7bab91e281053f807a11616ae3d4
# We only include CMake so that Meson can locate toml11, which only ships CMake dependency metadata.
dontUseCmakeConfigure = true;
nativeBuildInputs =
[
python3
python3.pkgs.pytest
meson
ninja
cmake
rustc
capnproto-lix
]
++ [
(lib.getBin lowdown)
mdbook
mdbook-linkcheck
]
++ [
pkg-config
# Tests
git
mercurial
jq
lsof
]
++ lib.optional hostPlatform.isLinux util-linuxMinimal
++ lib.optional (!officialRelease && buildUnreleasedNotes) build-release-notes
++ lib.optional internalApiDocs doxygen
++ lib.optionals lintInsteadOfBuild [
# required for a wrapped clang-tidy
llvmPackages.clang-tools
# required for run-clang-tidy
llvmPackages.clang-unwrapped
];
buildInputs =
[
curl
bzip2
xz
brotli
editline-lix
openssl
sqlite
libarchive
boost
lowdown
libsodium
toml11
pegtl
capnproto-lix
]
++ lib.optionals hostPlatform.isLinux [
libseccomp
busybox-sandbox-shell
]
++ lib.optional internalApiDocs rapidcheck
++ lib.optional hostPlatform.isx86_64 libcpuid
# There have been issues building these dependencies
++ lib.optional (hostPlatform.canExecute buildPlatform) aws-sdk-cpp-nix
++ lib.optionals (finalAttrs.dontBuild) maybePropagatedInputs
# I am so sorry. This is because checkInputs are required to pass
# configure, but we don't actually want to *run* the checks here.
++ lib.optionals lintInsteadOfBuild finalAttrs.checkInputs;
checkInputs = [
gtest
rapidcheck
];
propagatedBuildInputs = lib.optionals (!finalAttrs.dontBuild) maybePropagatedInputs;
disallowedReferences = [ boost ];
build: optionally build and install with meson
This commit adds several meson.build, which successfully build and
install Lix executables, libraries, and headers. Meson does not yet
build docs, Perl bindings, or run tests, which will be added in
following commits. As such, this commit does not remove the existing
build system, or make it the default, and also as such, this commit has
several FIXMEs and TODOs as notes for what should be done before the
existing autoconf + make buildsystem can be removed and Meson made the
default. This commit does not modify any source files.
A Meson-enabled build is also added as a Hydra job, and to
`nix flake check`.
Change-Id: I667c8685b13b7bab91e281053f807a11616ae3d4
# Needed for Meson to find Boost.
# https://github.com/NixOS/nixpkgs/issues/86131.
env = {
build: optionally build and install with meson
This commit adds several meson.build, which successfully build and
install Lix executables, libraries, and headers. Meson does not yet
build docs, Perl bindings, or run tests, which will be added in
following commits. As such, this commit does not remove the existing
build system, or make it the default, and also as such, this commit has
several FIXMEs and TODOs as notes for what should be done before the
existing autoconf + make buildsystem can be removed and Meson made the
default. This commit does not modify any source files.
A Meson-enabled build is also added as a Hydra job, and to
`nix flake check`.
Change-Id: I667c8685b13b7bab91e281053f807a11616ae3d4
BOOST_INCLUDEDIR = "${lib.getDev boost}/include";
BOOST_LIBRARYDIR = "${lib.getLib boost}/lib";
# Meson allows referencing a /usr/share/cargo/registry shaped thing for subproject sources.
# Turns out the Nix-generated Cargo dependencies are named the same as they
# would be in a Cargo registry cache.
MESON_PACKAGE_CACHE_DIR = finalAttrs.cargoDeps;
build: optionally build and install with meson
This commit adds several meson.build, which successfully build and
install Lix executables, libraries, and headers. Meson does not yet
build docs, Perl bindings, or run tests, which will be added in
following commits. As such, this commit does not remove the existing
build system, or make it the default, and also as such, this commit has
several FIXMEs and TODOs as notes for what should be done before the
existing autoconf + make buildsystem can be removed and Meson made the
default. This commit does not modify any source files.
A Meson-enabled build is also added as a Hydra job, and to
`nix flake check`.
Change-Id: I667c8685b13b7bab91e281053f807a11616ae3d4
};
cargoDeps = rustPlatform.importCargoLock { lockFile = ./Cargo.lock; };
preConfigure =
lib.optionalString (!finalAttrs.dontBuild && !hostPlatform.isStatic) ''
# Copy libboost_context so we don't get all of Boost in our closure.
# https://github.com/NixOS/nixpkgs/issues/45462
mkdir -p $out/lib
cp -pd ${boost}/lib/{libboost_context*,libboost_thread*,libboost_system*} $out/lib
rm -f $out/lib/*.a
''
+ lib.optionalString (!finalAttrs.dontBuild && hostPlatform.isLinux && !hostPlatform.isStatic) ''
chmod u+w $out/lib/*.so.*
patchelf --set-rpath $out/lib:${stdenv.cc.cc.lib}/lib $out/lib/libboost_thread.so.*
''
+ lib.optionalString (!finalAttrs.dontBuild && hostPlatform.isDarwin) ''
for LIB in $out/lib/*.dylib; do
chmod u+w $LIB
install_name_tool -id $LIB $LIB
install_name_tool -delete_rpath ${boost}/lib/ $LIB || true
done
install_name_tool -change ${boost}/lib/libboost_system.dylib $out/lib/libboost_system.dylib $out/lib/libboost_thread.dylib
''
+ ''
# Fix up /usr/bin/env shebangs relied on by the build
patchShebangs --build tests/ doc/manual/
'';
mesonBuildType = "debugoptimized";
build: optionally build and install with meson
This commit adds several meson.build, which successfully build and
install Lix executables, libraries, and headers. Meson does not yet
build docs, Perl bindings, or run tests, which will be added in
following commits. As such, this commit does not remove the existing
build system, or make it the default, and also as such, this commit has
several FIXMEs and TODOs as notes for what should be done before the
existing autoconf + make buildsystem can be removed and Meson made the
default. This commit does not modify any source files.
A Meson-enabled build is also added as a Hydra job, and to
`nix flake check`.
Change-Id: I667c8685b13b7bab91e281053f807a11616ae3d4
installTargets = lib.optional internalApiDocs "internal-api-html";
enableParallelBuilding = true;
doCheck = canRunInstalled && !lintInsteadOfBuild;
mesonCheckFlags = [
"--suite=check"
"--print-errorlogs"
];
# the tests access localhost.
__darwinAllowLocalNetworking = true;
# Make sure the internal API docs are already built, because mesonInstallPhase
# won't let us build them there. They would normally be built in buildPhase,
# but the internal API docs are conventionally built with doBuild = false.
preInstall =
(lib.optionalString internalApiDocs ''
meson ''${mesonBuildFlags:-} compile "$installTargets"
'')
# evil, but like above, we do not want to run an actual build phase
+ lib.optionalString lintInsteadOfBuild ''
ninja clang-tidy
'';
installPhase = lib.optionalString lintInsteadOfBuild ''
runHook preInstall
touch $out
runHook postInstall
'';
postInstall =
lib.optionalString (!finalAttrs.dontBuild) ''
mkdir -p $doc/nix-support
echo "doc manual $doc/share/doc/nix/manual" >> $doc/nix-support/hydra-build-products
''
+ lib.optionalString hostPlatform.isStatic ''
mkdir -p $out/nix-support
echo "file binary-dist $out/bin/nix" >> $out/nix-support/hydra-build-products
''
+ lib.optionalString stdenv.isDarwin ''
for lib in liblixutil.dylib liblixexpr.dylib; do
install_name_tool \
-change "${lib.getLib boost}/lib/libboost_context.dylib" \
"$out/lib/libboost_context.dylib" \
"$out/lib/$lib"
done
''
+ lib.optionalString internalApiDocs ''
mkdir -p $out/nix-support
echo "doc internal-api-docs $out/share/doc/nix/internal-api/html" >> "$out/nix-support/hydra-build-products"
'';
doInstallCheck = finalAttrs.doCheck;
mesonInstallCheckFlags = [
"--suite=installcheck"
"--print-errorlogs"
];
installCheckPhase = ''
runHook preInstallCheck
flagsArray=($mesonInstallCheckFlags "''${mesonInstallCheckFlagsArray[@]}")
meson test --no-rebuild "''${flagsArray[@]}"
runHook postInstallCheck
'';
separateDebugInfo = !hostPlatform.isStatic && !finalAttrs.dontBuild;
strictDeps = true;
# strictoverflow is disabled because we trap on signed overflow instead
hardeningDisable = [ "strictoverflow" ] ++ lib.optional hostPlatform.isStatic "pie";
meta = {
mainProgram = "nix";
platforms = lib.platforms.unix;
};
# Export the patched version of boehmgc.
# flake.nix exports that into its overlay.
libstore/local-derivation-goal: prohibit creating setuid/setgid binaries
With Linux kernel >=6.6 & glibc 2.39 a `fchmodat2(2)` is available that
isn't filtered away by the libseccomp sandbox.
Being able to use this to bypass that restriction has surprising results
for some builds such as lxc[1]:
> With kernel ≥6.6 and glibc 2.39, lxc's install phase uses fchmodat2,
> which slips through https://github.com/NixOS/nix/blob/9b88e5284608116b7db0dbd3d5dd7a33b90d52d7/src/libstore/build/local-derivation-goal.cc#L1650-L1663.
> The fixupPhase then uses fchmodat, which fails.
> With older kernel or glibc, setting the suid bit fails in the
> install phase, which is not treated as fatal, and then the
> fixup phase does not try to set it again.
Please note that there are still ways to bypass this sandbox[2] and this is
mostly a fix for the breaking builds.
This change works by creating a syscall filter for the `fchmodat2`
syscall (number 452 on most systems). The problem is that glibc 2.39
is needed to have the correct syscall number available via
`__NR_fchmodat2` / `__SNR_fchmodat2`, but this flake is still on
nixpkgs 23.11. To have this change everywhere and not dependent on the
glibc this package is built against, I added a header
"fchmodat2-compat.hh" that sets the syscall number based on the
architecture. On most platforms it's 452 according to glibc with a few
exceptions:
$ rg --pcre2 'define __NR_fchmodat2 (?!452)'
sysdeps/unix/sysv/linux/x86_64/x32/arch-syscall.h
58:#define __NR_fchmodat2 1073742276
sysdeps/unix/sysv/linux/mips/mips64/n32/arch-syscall.h
67:#define __NR_fchmodat2 6452
sysdeps/unix/sysv/linux/mips/mips64/n64/arch-syscall.h
62:#define __NR_fchmodat2 5452
sysdeps/unix/sysv/linux/mips/mips32/arch-syscall.h
70:#define __NR_fchmodat2 4452
sysdeps/unix/sysv/linux/alpha/arch-syscall.h
59:#define __NR_fchmodat2 562
I added a small regression-test to the setuid integration-test that
attempts to set the suid bit on a file using the fchmodat2 syscall.
I confirmed that the test fails without the change in
local-derivation-goal.
Additionally, we require libseccomp 2.5.5 or greater now: as it turns
out, libseccomp maintains an internal syscall table and
validates each rule against it. This means that when using libseccomp
2.5.4 or older, one may pass `452` as syscall number against it, but
since it doesn't exist in the internal structure, `libseccomp` will refuse
to create a filter for that. This happens with nixpkgs-23.11, i.e. on
stable NixOS and when building Lix against the project's flake.
To work around that
* a backport of libseccomp 2.5.5 on upstream nixpkgs has been
scheduled[3].
* the package now uses libseccomp 2.5.5 on its own already. This is to
provide a quick fix since the correct fix for 23.11 is still a staging cycle
away.
We still need the compat header though since `SCMP_SYS(fchmodat2)`
internally transforms this into `__SNR_fchmodat2` which points to
`__NR_fchmodat2` from glibc 2.39, so it wouldn't build on glibc 2.38.
The updated syscall table from libseccomp 2.5.5 is NOT used for that
step, but used later, so we need both, our compat header and their
syscall table 🤷
Relevant PRs in CppNix:
* https://github.com/NixOS/nix/pull/10591
* https://github.com/NixOS/nix/pull/10501
[1] https://github.com/NixOS/nixpkgs/issues/300635#issuecomment-2031073804
[2] https://github.com/NixOS/nixpkgs/issues/300635#issuecomment-2030844251
[3] https://github.com/NixOS/nixpkgs/pull/306070
(cherry picked from commit ba6804518772e6afb403dd55478365d4b863c854)
Change-Id: I6921ab5a363188c6bff617750d00bb517276b7fe
passthru = {
inherit (__forDefaults)
boehmgc-nix
editline-lix
build-release-notes
pegtl
;
# The collection of dependency logic for this derivation is complicated enough that
# it's easier to parameterize the devShell off an already called package.nix.
mkDevShell =
{
mkShell,
bashInteractive,
clangbuildanalyzer,
doxygen,
glibcLocales,
just,
nixfmt-rfc-style,
[resubmit] flake: update nixpkgs pin 23.11->24.05 (+ boehmgc compat changes)
-- message from cl/1418 --
The boehmgc changes are bundled into this commit because doing otherwise
would require an annoying dance of "adding compatibility for < 8.2.6 and
>= 8.2.6" then updating the pin then removing the (now unneeded)
compatibility. It doesn't seem worth the trouble to me given the low
complexity of said changes.
Rebased coroutine-sp-fallback.diff patch taken from https://github.com/NixOS/nixpkgs/pull/317227
-- jade resubmit changes --
This is a resubmission of https://gerrit.lix.systems/c/lix/+/1418, which
was reverted in https://gerrit.lix.systems/c/lix/+/1432 for breaking CI
evaluation without being detected.
I have run `nix flake check -Lv` on this one before submission and it
passes on my machine and crucially without eval errors, so the CI result
should be accurate.
It seems like someone renamed forbiddenDependenciesRegex to
forbiddenDependenciesRegexes in nixpkgs and also changed the type
incompatibly. That's pretty silly, but at least it's just an eval error.
Also, `xonsh` regressed the availability of `xonsh-unwrapped`, but it
was fixed by us in https://github.com/NixOS/nixpkgs/pull/317636, which
is now in our channel, so we update nixpkgs compared to the original
iteration of this to simply get that.
We originally had a regression related to some reorganization of the
nixpkgs lib test suite in which there was broken parameter passing.
This, too, we got quickfixed in nixpkgs, so we don't need any changes
for it: https://github.com/NixOS/nixpkgs/pull/317772
Related: https://gerrit.lix.systems/c/lix/+/1428
Fixes: https://git.lix.systems/lix-project/lix/issues/385
Change-Id: I26d41ea826fec900ebcad0f82a727feb6bcd28f3
skopeo,
xonsh,
# Lix specific packages
pre-commit-checks,
contribNotice,
libstore/build: use an allowlist approach to syscall filtering
Previously, system call filtering (to prevent builders from storing files with
setuid/setgid permission bits or extended attributes) was performed using a
blocklist. While this looks simple at first, it actually carries significant
security and maintainability risks: after all, the kernel may add new syscalls
to achieve the same functionality one is trying to block, and it can even be
hard to actually add the syscall to the blocklist when building against a C
library that doesn't know about it yet. For a recent demonstration of this
happening in practice to Nix, see the introduction of fchmodat2 [0] [1].
The allowlist approach does not share the same drawback. While it does require
a rather large list of harmless syscalls to be maintained in the codebase,
failing to update this list (and roll out the update to all users) in time has
rather benign effects; at worst, very recent programs that already rely on new
syscalls will fail with an error the same way they would on a slightly older
kernel that doesn't support them yet. Most importantly, no unintended new ways
of performing dangerous operations will be silently allowed.
Another possible drawback is reduced system call performance due to the larger
filter created by the allowlist requiring more computation [2]. However, this
issue has not convincingly been demonstrated yet in practice, for example in
systemd or various browsers. To the contrary, it has been measured that the
actual filter constructed here has approximately the same overhead as a very
simple filter blocking only one system call.
This commit tries to keep the behavior as close to unchanged as possible. The
system call list is in line with libseccomp 2.5.5 and glibc 2.39, which are the
latest versions at the point of writing. Since libseccomp 2.5.5 is already a
requirement and the distributions shipping this together with older versions of
glibc are mostly not a thing any more, this should not cause additional build
failures.
[0] https://github.com/NixOS/nixpkgs/issues/300635
[1] https://github.com/NixOS/nix/issues/10424
[2] https://github.com/flatpak/flatpak/pull/4462#issuecomment-1061690607
Change-Id: I541be3ea9b249bcceddfed6a5a13ac10b11e16ad
check-syscalls,
# debuggers
gdb,
rr,
}:
let
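glibcFix = lib.optionalAttrs (buildPlatform.isLinux && glibcLocales != null) {
  # Required to make non-NixOS Linux not complain about missing locale files during
  # configure in a dev shell.
  #
  # The guard above checks the `glibcLocales` *argument*, so the path must be derived
  # from that same argument rather than from `pkgs.glibcLocales`; otherwise passing an
  # overridden locale package would pass the guard but still point at the default one.
  LOCALE_ARCHIVE = "${lib.getLib glibcLocales}/lib/locale/locale-archive";
};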
pythonPackages = (
  p:
  # FIXME: these have to be added twice due to the nix shell using a
  # wrapped python instead of build inputs for its python inputs
  (map (attr: p.${attr}) [
    "pytest"
    "yapf"
    "python-frontmatter"
    "requests"
    "xdg-base-dirs"
    "packaging"
  ])
  # xonsh ships wrapped; the unwrapped variant is what goes into the environment.
  ++ [ (p.toPythonModule xonsh.passthru.unwrapped) ]
);
# Python environment carrying the dev-shell tooling listed in `pythonPackages`.
pythonEnv = python3.withPackages (p: pythonPackages p);

# pkgs.mkShell uses pkgs.stdenv by default, regardless of inputsFrom, so build a
# mkShell bound to the same stdenv this package is compiled with.
actualMkShell = mkShell.override { stdenv = stdenv; };
in
actualMkShell (
glibcFix
// {
# The shell hook below keys on this exact name (and the `-env` suffixed form
# `nix develop` derives from it), so keep the two in sync.
name = "lix-shell-env";

# finalPackage is necessary to propagate stuff that is set by mkDerivation itself,
# like doCheck.
inputsFrom = [ finalAttrs.finalPackage ];

# For Meson to find Boost: reuse the package's own environment verbatim.
inherit (finalAttrs) env;
mesonFlags =
  let
    # Clangd breaks when GCC is using precompiled headers, so for the devshell specifically
    # we make precompiled C++ stdlib conditional on using Clang.
    # https://git.lix.systems/lix-project/lix/issues/374
    pchFlag = lib.mesonBool "enable-pch-std" stdenv.cc.isClang;
  in
  # I guess this is necessary because mesonFlags to mkDerivation doesn't propagate in inputsFrom,
  # which only propagates stuff set in hooks? idk.
  finalAttrs.mesonFlags ++ [ pchFlag ];
packages =
  let
    # clangd & friends; only when we are not cross-compiling.
    clangFrontends = lib.optionals (stdenv.cc.isClang && hostPlatform == buildPlatform) [
      llvmPackages.clang-tools
    ];
    rustToolchain = [
      pkgs.rust-analyzer
      pkgs.cargo
      pkgs.rustc
      pkgs.rustfmt
      pkgs.rustPlatform.rustLibSrc
      pkgs.rustPlatform.rustcSrc
    ];
    # Required for clang-tidy checks.
    clangTidyLibs = lib.optionals stdenv.cc.isClang [
      llvmPackages.llvm
      llvmPackages.clang-unwrapped.dev
    ];
    debuggers =
      lib.optionals (!stdenv.isDarwin) [ gdb ]
      ++ lib.optionals (lib.meta.availableOn buildPlatform rr) [ rr ];
  in
  # NOTE: the concatenation order is load-bearing (see the comment on stdenv.cc below):
  # clangFrontends must come first and clangTidyLibs must come after stdenv.cc.
  clangFrontends
  ++ [
    # Why are we providing a bashInteractive? Well, when you run
    # `bash` from inside `nix develop`, say, because you are using it
    # via direnv, you will by default get bash (unusable edition).
    bashInteractive
    check-syscalls
    pythonEnv
    # docker image tool
    skopeo
    just
    nixfmt-rfc-style
    # Included above when internalApiDocs is true, but we set that to
    # false intentionally to save dev build time.
    # To build them in a dev shell, you can set -Dinternal-api-docs=enabled when configuring.
    doxygen
    # Load-bearing order. Must come before clang-unwrapped below, but after clang_tools above.
    stdenv.cc
  ]
  ++ rustToolchain
  ++ clangTidyLibs
  ++ lib.optionals (pre-commit-checks ? enabledPackages) [ pre-commit-checks.enabledPackages ]
  ++ lib.optionals (lib.meta.availableOn buildPlatform clangbuildanalyzer) [ clangbuildanalyzer ]
  ++ debuggers
  ++ finalAttrs.checkInputs;
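shellHook = ''
  # don't re-run the hook in (other) nested nix-shells
  function lixShellHook() {
    # n.b. how the heck does this become -env-env? well, `nix develop` does it:
    # https://git.lix.systems/lix-project/lix/src/commit/7575db522e9008685c4009423398f6900a16bcce/src/nix/develop.cc#L240-L241
    # this is, of course, absurd.
    if [[ $name != lix-shell-env && $name != lix-shell-env-env ]]; then
      return
    fi

    PATH=$prefix/bin''${PATH:+:''${PATH}}
    unset PYTHONPATH
    export MANPATH=$out/share/man:''${MANPATH:-}

    # Make bash completion work.
    XDG_DATA_DIRS+=:$out/share

    if [[ ! -f ./.this-is-lix ]]; then
      echo "Dev shell not started from inside a Lix repo, skipping repo setup" >&2
      return
    fi

    ${lib.optionalString (pre-commit-checks ? shellHook) pre-commit-checks.shellHook}

    # Allow `touch .nocontribmsg` to turn this notice off.
    if ! [[ -f .nocontribmsg ]]; then
      cat ${contribNotice}
    fi

    # Install the Gerrit commit-msg hook.
    # (git common dir is the main .git, including for worktrees)
    #
    # NOTE: this fetches a script over the network and marks it executable; git will then
    # run it on every `git commit`. To keep that from turning into a foot-gun:
    #   * `--proto '=https'` pins the transfer (including any `-L` redirect) to HTTPS,
    #   * `-f` makes an HTTP error fail the download instead of writing the error body
    #     out as the hook, and `-S` still reports that error despite `-s`,
    #   * the download goes to a temp file and is only moved into place on success, so a
    #     failed or truncated fetch never leaves a broken executable hook behind.
    if gitcommondir=$(git rev-parse --git-common-dir 2>/dev/null) && [[ ! -f "$gitcommondir/hooks/commit-msg" ]]; then
      echo 'Installing Gerrit commit-msg hook (adds Change-Id to commit messages)' >&2
      mkdir -p "$gitcommondir/hooks"
      hooktmp=$(mktemp "$gitcommondir/hooks/commit-msg.XXXXXX")
      if curl -fsSL --proto '=https' --tlsv1.2 -o "$hooktmp" https://gerrit.lix.systems/tools/hooks/commit-msg; then
        chmod u+x "$hooktmp"
        mv "$hooktmp" "$gitcommondir/hooks/commit-msg"
      else
        echo 'Failed to download the Gerrit commit-msg hook; not installing it' >&2
        rm -f "$hooktmp"
      fi
      unset hooktmp
    fi
    unset gitcommondir
  }

  lixShellHook
'';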
}
);
|
2024-06-13 22:11:28 +00:00
|
|
|
|
|
|
|
# Perl bindings, built against this very stdenv from the ./perl subtree.
perl-bindings = pkgs.callPackage ./perl {
  fileset = fileset;
  stdenv = stdenv;
};

# Binary tarball of the fixed-point result of this package.
binaryTarball = pkgs.callPackage ./nix-support/binary-tarball.nix {
  # finalPackage, not some other nix, is what gets packed.
  nix = finalAttrs.finalPackage;
};
libstore/local-derivation-goal: prohibit creating setuid/setgid binaries
With Linux kernel >=6.6 & glibc 2.39 a `fchmodat2(2)` is available that
isn't filtered away by the libseccomp sandbox.
Being able to use this to bypass that restriction has surprising results
for some builds such as lxc[1]:
> With kernel ≥6.6 and glibc 2.39, lxc's install phase uses fchmodat2,
> which slips through https://github.com/NixOS/nix/blob/9b88e5284608116b7db0dbd3d5dd7a33b90d52d7/src/libstore/build/local-derivation-goal.cc#L1650-L1663.
> The fixupPhase then uses fchmodat, which fails.
> With older kernel or glibc, setting the suid bit fails in the
> install phase, which is not treated as fatal, and then the
> fixup phase does not try to set it again.
Please note that there are still ways to bypass this sandbox[2] and this is
mostly a fix for the breaking builds.
This change works by creating a syscall filter for the `fchmodat2`
syscall (number 452 on most systems). The problem is that glibc 2.39
is needed to have the correct syscall number available via
`__NR_fchmodat2` / `__SNR_fchmodat2`, but this flake is still on
nixpkgs 23.11. To have this change everywhere and not dependent on the
glibc this package is built against, I added a header
"fchmodat2-compat.hh" that sets the syscall number based on the
architecture. On most platforms it is 452 according to glibc, with a few
exceptions:
$ rg --pcre2 'define __NR_fchmodat2 (?!452)'
sysdeps/unix/sysv/linux/x86_64/x32/arch-syscall.h
58:#define __NR_fchmodat2 1073742276
sysdeps/unix/sysv/linux/mips/mips64/n32/arch-syscall.h
67:#define __NR_fchmodat2 6452
sysdeps/unix/sysv/linux/mips/mips64/n64/arch-syscall.h
62:#define __NR_fchmodat2 5452
sysdeps/unix/sysv/linux/mips/mips32/arch-syscall.h
70:#define __NR_fchmodat2 4452
sysdeps/unix/sysv/linux/alpha/arch-syscall.h
59:#define __NR_fchmodat2 562
I added a small regression-test to the setuid integration-test that
attempts to set the suid bit on a file using the fchmodat2 syscall.
I confirmed that the test fails without the change in
local-derivation-goal.
Additionally, we require libseccomp 2.5.5 or greater now: as it turns
out, libseccomp maintains an internal syscall table and
validates each rule against it. This means that when using libseccomp
2.5.4 or older, one may pass `452` as syscall number against it, but
since it doesn't exist in the internal structure, `libseccomp` will refuse
to create a filter for that. This happens with nixpkgs-23.11, i.e. on
stable NixOS and when building Lix against the project's flake.
To work around that
* a backport of libseccomp 2.5.5 on upstream nixpkgs has been
scheduled[3].
* the package now uses libseccomp 2.5.5 on its own already. This is to
provide a quick fix since the correct fix for 23.11 is still a staging cycle
away.
We still need the compat header though since `SCMP_SYS(fchmodat2)`
internally transforms this into `__SNR_fchmodat2` which points to
`__NR_fchmodat2` from glibc 2.39, so it wouldn't build on glibc 2.38.
The updated syscall table from libseccomp 2.5.5 is NOT used for that
step, but used later, so we need both, our compat header and their
syscall table 🤷
Relevant PRs in CppNix:
* https://github.com/NixOS/nix/pull/10591
* https://github.com/NixOS/nix/pull/10501
[1] https://github.com/NixOS/nixpkgs/issues/300635#issuecomment-2031073804
[2] https://github.com/NixOS/nixpkgs/issues/300635#issuecomment-2030844251
[3] https://github.com/NixOS/nixpkgs/pull/306070
(cherry picked from commit ba6804518772e6afb403dd55478365d4b863c854)
Change-Id: I6921ab5a363188c6bff617750d00bb517276b7fe
};
})