Add --with-sandbox-shell configure flag
And add a 116 KiB ash shell from busybox to the release build. This helps to make sandbox builds work out of the box on non-NixOS systems and with diverted stores.
This commit is contained in:
parent
b30f5784d0
commit
a2d92bb20e
7 changed files with 38 additions and 12 deletions
|
@ -28,6 +28,7 @@ localstatedir = @localstatedir@
|
||||||
mandir = @mandir@
|
mandir = @mandir@
|
||||||
pkglibdir = $(libdir)/$(PACKAGE_NAME)
|
pkglibdir = $(libdir)/$(PACKAGE_NAME)
|
||||||
prefix = @prefix@
|
prefix = @prefix@
|
||||||
|
sandbox_shell = @sandbox_shell@
|
||||||
storedir = @storedir@
|
storedir = @storedir@
|
||||||
sysconfdir = @sysconfdir@
|
sysconfdir = @sysconfdir@
|
||||||
doc_generate = @doc_generate@
|
doc_generate = @doc_generate@
|
||||||
|
|
|
@ -240,6 +240,12 @@ fi
|
||||||
AC_SUBST(tarFlags)
|
AC_SUBST(tarFlags)
|
||||||
|
|
||||||
|
|
||||||
|
AC_ARG_WITH(sandbox-shell, AC_HELP_STRING([--with-sandbox-shell=PATH],
|
||||||
|
[path of a statically-linked shell to use as /bin/sh in sandboxes]),
|
||||||
|
sandbox_shell=$withval)
|
||||||
|
AC_SUBST(sandbox_shell)
|
||||||
|
|
||||||
|
|
||||||
# Expand all variables in config.status.
|
# Expand all variables in config.status.
|
||||||
test "$prefix" = NONE && prefix=$ac_default_prefix
|
test "$prefix" = NONE && prefix=$ac_default_prefix
|
||||||
test "$exec_prefix" = NONE && exec_prefix='${prefix}'
|
test "$exec_prefix" = NONE && exec_prefix='${prefix}'
|
||||||
|
|
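Review bot: The AC_ARG_WITH action on the `sandbox_shell=$withval` line takes whatever autoconf hands it, so `--with-sandbox-shell` given without `=PATH` stores the literal `yes` and `--without-sandbox-shell` stores `no`, and either string is then compiled in as the source of the /bin/sh mapping. Reject the two non-path values in the action, e.g. `[case $withval in yes|no) AC_MSG_ERROR([--with-sandbox-shell requires a PATH]);; *) sandbox_shell=$withval;; esac]`. `AC_HELP_STRING` is the obsolete spelling of `AS_HELP_STRING`, which takes the same two arguments. The help text asks for a statically-linked shell but nothing verifies it; presumably a dynamically linked one cannot start inside the sandbox, so a short comment above the macro saying why the requirement exists would spare users a confusing build-time failure.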
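--- /dev/null
+++ b/release-common.nix
@@ -0,0 +1,21 @@
+{ pkgs }:
+
+rec {
+sh = pkgs.busybox.override {
+useMusl = true;
+enableStatic = true;
+enableMinimal = true;
+extraConfig = ''
+CONFIG_ASH y
+CONFIG_ASH_BUILTIN_ECHO y
+CONFIG_ASH_BUILTIN_TEST y
+CONFIG_ASH_OPTIMIZE_FOR_SIZE y
+'';
+};
+
+configureFlags =
+[ "--disable-init-state"
+"--enable-gc"
+"--with-sandbox-shell=${sh}/bin/busybox"
+];
+}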
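Review bot: The `sh` derivation carries no comment explaining its shape, and a later reader has to reconstruct from the configure flag that the static musl build with only the ash, echo and test applets exists so that one self-contained binary can be mapped to /bin/sh inside the build sandbox. Suggest a comment above `sh = pkgs.busybox.override {` such as `# Minimal statically linked busybox (ash + echo + test only): the single binary that --with-sandbox-shell maps to /bin/sh inside the build sandbox, which offers no other libraries.` The flag `"--with-sandbox-shell=${sh}/bin/busybox"` also depends on busybox choosing the applet from the name it is invoked as (`sh` selects ash), which is worth one more sentence in that comment, since pointing the flag at a differently named file would silently give a different applet.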
@ -66,6 +66,8 @@ let
|
||||||
|
|
||||||
with import <nixpkgs> { inherit system; };
|
with import <nixpkgs> { inherit system; };
|
||||||
|
|
||||||
|
with import ./release-common.nix { inherit pkgs; };
|
||||||
|
|
||||||
releaseTools.nixBuild {
|
releaseTools.nixBuild {
|
||||||
name = "nix";
|
name = "nix";
|
||||||
src = tarball;
|
src = tarball;
|
||||||
|
@ -83,11 +85,8 @@ let
|
||||||
customMemoryManagement = false;
|
customMemoryManagement = false;
|
||||||
});
|
});
|
||||||
|
|
||||||
configureFlags = ''
|
configureFlags = configureFlags ++
|
||||||
--disable-init-state
|
[ "--sysconfdir=/etc" ];
|
||||||
--enable-gc
|
|
||||||
--sysconfdir=/etc
|
|
||||||
'';
|
|
||||||
|
|
||||||
enableParallelBuilding = true;
|
enableParallelBuilding = true;
|
||||||
|
|
||||||
|
|
|
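Review bot: `configureFlags = configureFlags ++ [ "--sysconfdir=/etc" ];` reads as a self-reference and only works because the attrset passed to nixBuild is not `rec`, so the right-hand name resolves through the newly added `with import ./release-common.nix { inherit pkgs; }`; a second nested `with` also means any name release-common.nix later exports silently takes precedence over the same name from `<nixpkgs>`. Binding it explicitly removes both surprises: `configureFlags = (import ./release-common.nix { inherit pkgs; }).configureFlags ++ [ "--sysconfdir=/etc" ];` with the `with` line dropped, and the same treatment for shell.nix's `inherit configureFlags;`. The enclosing `let` begins outside both hunks.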
@ -2,6 +2,8 @@
|
||||||
|
|
||||||
with import <nixpkgs> {};
|
with import <nixpkgs> {};
|
||||||
|
|
||||||
|
with import ./release-common.nix { inherit pkgs; };
|
||||||
|
|
||||||
(if useClang then clangStdenv else stdenv).mkDerivation {
|
(if useClang then clangStdenv else stdenv).mkDerivation {
|
||||||
name = "nix";
|
name = "nix";
|
||||||
|
|
||||||
|
@ -22,10 +24,7 @@ with import <nixpkgs> {};
|
||||||
perlPackages.DBDSQLite
|
perlPackages.DBDSQLite
|
||||||
];
|
];
|
||||||
|
|
||||||
configureFlags =
|
inherit configureFlags;
|
||||||
[ "--disable-init-state"
|
|
||||||
"--enable-gc"
|
|
||||||
];
|
|
||||||
|
|
||||||
enableParallelBuilding = true;
|
enableParallelBuilding = true;
|
||||||
|
|
||||||
|
|
|
@ -47,8 +47,8 @@ Settings::Settings()
|
||||||
auto s = getEnv("NIX_REMOTE_SYSTEMS");
|
auto s = getEnv("NIX_REMOTE_SYSTEMS");
|
||||||
if (s != "") builderFiles = tokenizeString<Strings>(s, ":");
|
if (s != "") builderFiles = tokenizeString<Strings>(s, ":");
|
||||||
|
|
||||||
#if __linux__
|
#if defined(__linux__) && defined(SANDBOX_SHELL)
|
||||||
sandboxPaths = tokenizeString<StringSet>("/bin/sh=" BASH_PATH);
|
sandboxPaths = tokenizeString<StringSet>("/bin/sh=" SANDBOX_SHELL);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
allowedImpureHostPrefixes = tokenizeString<StringSet>(DEFAULT_ALLOWED_IMPURE_PREFIXES);
|
allowedImpureHostPrefixes = tokenizeString<StringSet>(DEFAULT_ALLOWED_IMPURE_PREFIXES);
|
||||||
|
|
|
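Review bot: `#if defined(__linux__) && defined(SANDBOX_SHELL)` never disables the mapping, because the libstore local.mk hunk defines `-DSANDBOX_SHELL="\"$(sandbox_shell)\""` unconditionally, so a tree configured without `--with-sandbox-shell` gets `SANDBOX_SHELL` equal to `""` and `sandboxPaths` is seeded with `/bin/sh=`, a mapping whose source path is empty. What the sandbox setup does with that I cannot tell from here, but it is not the "no default shell" case the #if is written to express, and since this setting decides what is bind-mounted into every sandboxed build, a wrong or empty path deserves to fail loudly rather than be applied. Either make the define conditional in local.mk, `$(if $(sandbox_shell),-DSANDBOX_SHELL="\"$(sandbox_shell)\"") \`, or keep it and guard at runtime with `if (std::string(SANDBOX_SHELL) != "")` before the `tokenizeString` call. Settings::Settings() begins and ends outside the hunk.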
@ -27,7 +27,7 @@ libstore_CXXFLAGS = \
|
||||||
-DNIX_CONF_DIR=\"$(sysconfdir)/nix\" \
|
-DNIX_CONF_DIR=\"$(sysconfdir)/nix\" \
|
||||||
-DNIX_LIBEXEC_DIR=\"$(libexecdir)\" \
|
-DNIX_LIBEXEC_DIR=\"$(libexecdir)\" \
|
||||||
-DNIX_BIN_DIR=\"$(bindir)\" \
|
-DNIX_BIN_DIR=\"$(bindir)\" \
|
||||||
-DBASH_PATH="\"$(bash)\"" \
|
-DSANDBOX_SHELL="\"$(sandbox_shell)\"" \
|
||||||
-DLSOF=\"$(lsof)\"
|
-DLSOF=\"$(lsof)\"
|
||||||
|
|
||||||
$(d)/local-store.cc: $(d)/schema.sql.hh
|
$(d)/local-store.cc: $(d)/schema.sql.hh
|
||||||
|
|