From 812e39313c2bcf8909b83e1e8bc548a85dcd626c Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Wed, 7 Nov 2018 17:08:28 +0100
Subject: [PATCH] Enable sandboxing by default

Closes #179.
---
 doc/manual/release-notes/release-notes.xml | 1 +
 doc/manual/release-notes/rl-2.3.xml | 19 +++++++++++++++++++
 src/libstore/globals.hh | 8 +++++++-
 tests/common.sh.in | 15 ++++++---------
 tests/init.sh | 1 +
 5 files changed, 34 insertions(+), 10 deletions(-)
 create mode 100644 doc/manual/release-notes/rl-2.3.xml

diff --git a/doc/manual/release-notes/release-notes.xml b/doc/manual/release-notes/release-notes.xml
index e8ff586fa..2655d68e3 100644
--- a/doc/manual/release-notes/release-notes.xml
+++ b/doc/manual/release-notes/release-notes.xml
@@ -12,6 +12,7 @@ --> +
diff --git a/doc/manual/release-notes/rl-2.3.xml b/doc/manual/release-notes/rl-2.3.xml
new file mode 100644
index 000000000..6b68fbfd7
--- /dev/null
+++ b/doc/manual/release-notes/rl-2.3.xml
@@ -0,0 +1,19 @@
+
+ +Release 2.3 (2019-??-??) + +This release has the following changes: + + + + + Sandbox builds are now enabled by default on Linux. + + + + +
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index 6b3e20453..53efc6a90 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -195,7 +195,13 @@ public:
 Setting showTrace{this, false, "show-trace",
 "Whether to show a stack trace on evaluation errors."};
- Setting sandboxMode{this, smDisabled, "sandbox",
+ Setting sandboxMode{this,
+ #if __linux__
+ smEnabled
+ #else
+ smDisabled
+ #endif
+ , "sandbox",
 "Whether to enable sandboxed builds. Can be \"true\", \"false\" or \"relaxed\".",
 {"build-use-chroot", "build-use-sandbox"}};
diff --git a/tests/common.sh.in b/tests/common.sh.in
index 2ee2f589d..6a523ca9d 100644
--- a/tests/common.sh.in
+++ b/tests/common.sh.in
@@ -85,16 +85,13 @@ killDaemon() {
 trap "" EXIT
 }
+if [[ $(uname) == Linux ]] && [[ -L /proc/self/ns/user ]] && unshare --user true; then
+ _canUseSandbox=1
+fi
+
 canUseSandbox() {
- if [[ $(uname) != Linux ]]; then return 1; fi
-
- if [ ! -L /proc/self/ns/user ]; then
- echo "Kernel doesn't support user namespaces, skipping this test..."
- return 1
- fi
-
- if ! unshare --user true ; then
- echo "Unprivileged user namespaces disabled by sysctl, skipping this test..."
+ if [[ ! $_canUseSandbox ]]; then
+ echo "Sandboxing not supported, skipping this test..."
 return 1
 fi
diff --git a/tests/init.sh b/tests/init.sh
index e5353598b..19a12c1e2 100644
--- a/tests/init.sh
+++ b/tests/init.sh
@@ -16,6 +16,7 @@ mkdir "$NIX_CONF_DIR"
 cat > "$NIX_CONF_DIR"/nix.conf <
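Review bot: The description string of the sandbox setting (the context line `"Whether to enable sandboxed builds. Can be \"true\", \"false\" or \"relaxed\"."`) still says nothing about the default, and after this hunk the default differs by platform, so a user reading the setting's own documentation on a non-Linux host cannot tell that their builds run unsandboxed. I would extend it to something like `"Whether to enable sandboxed builds. Can be \"true\", \"false\" or \"relaxed\". Defaults to \"true\" on Linux and \"false\" on other platforms."` (assuming smEnabled is what "true" selects), so the platform-dependent default is discoverable next to the value it governs. Separately, splicing `#if __linux__` between initializer elements and carrying the separator onto `, "sandbox",` is hard to read; selecting the default once into a named constant under the same `#if` and passing that constant as the second element would keep the initializer on one line. The enclosing class starts and ends outside this hunk.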
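Review bot: The probe `unshare --user true` on the new `if` line now runs every time common.sh.in is sourced rather than only when a test calls canUseSandbox, so on a Linux host where unprivileged user namespaces are disabled (or `unshare` is absent) its error text lands on stderr of every test, including ones unrelated to sandboxing. I would silence it, `if [[ $(uname) == Linux ]] && [[ -L /proc/self/ns/user ]] && unshare --user true 2>/dev/null; then`, since the outcome is already reported by the echo in canUseSandbox. The replacement message `"Sandboxing not supported, skipping this test..."` also drops the distinction the removed lines made between a kernel without user namespaces and a sysctl that disables them; keeping the specific reason in the echo, or recording it in a second variable next to `_canUseSandbox`, helps whoever reads a failing test log. Since globals.hh in this patch turns sandboxing on by default, tests that never call canUseSandbox presumably rely on the nix.conf written in tests/init.sh, whose hunk is truncated here, to turn it back off on hosts without usable namespaces. canUseSandbox's closing brace lies outside the hunk.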