Diffstat (limited to 'pkgs/applications/virtualization/singularity/generic.nix')
-rw-r--r-- | pkgs/applications/virtualization/singularity/generic.nix | 42 |
1 files changed, 38 insertions, 4 deletions
diff --git a/pkgs/applications/virtualization/singularity/generic.nix b/pkgs/applications/virtualization/singularity/generic.nix
index da7c8accf873a..f27f58fda4876 100644
--- a/pkgs/applications/virtualization/singularity/generic.nix
+++ b/pkgs/applications/virtualization/singularity/generic.nix
@@ -44,6 +44,7 @@ in
 gpgme,
 libseccomp,
 libuuid,
+ mount,
 # This is for nvidia-container-cli
 nvidia-docker,
 openssl,
@@ -79,6 +80,20 @@ in
 externalLocalStateDir ? null,
 # Remove the symlinks to `singularity*` when projectName != "singularity"
 removeCompat ? false,
+ # The defaultPath values to substitute in each source files.
+ #
+ # `defaultPath` are PATH variables hard-coded inside Apptainer/Singularity
+ # binaries to search for third-party utilities, as a hardening for
+ # `$out/bin/starter-suid`.
+ #
+ # The upstream provided values are suitable for FHS-conformant environment.
+ # We substitute them and insert Nixpkgs-specific values.
+ #
+ # Example:
+ # {
+ # "path/to/source/file1" = [ "<originalDefaultPath11>" "<originalDefaultPath12>" ... ];
+ # }
+ sourceFilesWithDefaultPaths ? { },
 # Workaround #86349
 # should be removed when the issue is resolved
 vendorHash ? _defaultGoVendorArgs.vendorHash,
@@ -87,7 +102,6 @@ in
 }:
 let
- defaultPathOriginal = "/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin";
 privileged-un-utils =
 if ((newuidmapPath == null) && (newgidmapPath == null)) then
 null
@@ -97,6 +111,12 @@ let
 ln -s ${lib.escapeShellArg newuidmapPath} "$out/bin/newuidmap"
 ln -s ${lib.escapeShellArg newgidmapPath} "$out/bin/newgidmap"
 '');
+
+ concatMapStringAttrsSep =
+ sep: f: attrs:
+ lib.concatMapStringsSep sep (name: f name attrs.${name}) (lib.attrNames attrs);
+
+ addShellDoubleQuotes = s: lib.escapeShellArg ''"'' + s + lib.escapeShellArg ''"'';
 in
 (buildGoModule {
 inherit pname version src;
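Review bot: `sourceFilesWithDefaultPaths ? { }` defaults to an empty set, so a caller that omits the attribute gets a build in which no defaultPath substitution runs at all and the binaries keep upstream's FHS search path — the value the new comment itself describes as a hardening for `$out/bin/starter-suid` — with no build failure, whereas the removed code unconditionally patched `cmd/internal/cli/actions.go`. Whether the per-project callers in this tree pass the attribute is outside this diff, so this may be intentional, but silent loss of a setuid hardening is worth an explicit signal. Consider dropping the default so omission becomes an evaluation error, or wrapping the result in `lib.warnIf (sourceFilesWithDefaultPaths == { }) "<project>: no defaultPath substitution configured; starter-suid will search the upstream FHS paths"`. The parameter comment could also state in one line that an empty set disables the substitution entirely.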
@@ -185,6 +205,7 @@ in
 fakeroot
 fuse2fs # Mount ext3 filesystems
 go
+ mount # mount
 privileged-un-utils
 squashfsTools # mksquashfs unsquashfs # Make / unpack squashfs image
 squashfuse # squashfuse_ll squashfuse # Mount (without unpacking) a squashfs image without privileges
@@ -199,8 +220,19 @@ in
 patchShebangs --build "$configureScript" makeit e2e scripts mlocal/scripts
 # Patching the hard-coded defaultPath by prefixing the packages in defaultPathInputs
- substituteInPlace cmd/internal/cli/actions.go \
- --replace "defaultPath = \"${defaultPathOriginal}\"" "defaultPath = \"''${defaultPathInputs// /\/bin:}''${defaultPathInputs:+/bin:}${defaultPathOriginal}\""
+ ${concatMapStringAttrsSep "\n" (fileName: originalDefaultPaths: ''
+ substituteInPlace ${lib.escapeShellArg fileName} \
+ ${
+ lib.concatMapStringsSep " \\\n " (
+ originalDefaultPath:
+ lib.concatStringsSep " " [
+ "--replace-fail"
+ (addShellDoubleQuotes (lib.escapeShellArg originalDefaultPath))
+ (addShellDoubleQuotes ''$inputsDefaultPath''${inputsDefaultPath:+:}${lib.escapeShellArg originalDefaultPath}'')
+ ]
+ ) originalDefaultPaths
+ }
+ '') sourceFilesWithDefaultPaths}
 substituteInPlace internal/pkg/util/gpu/nvidia.go \
 --replace \
@@ -236,7 +268,7 @@ in
 substituteInPlace "$out/bin/run-singularity" \
 --replace "/usr/bin/env ${projectName}" "$out/bin/${projectName}"
 wrapProgram "$out/bin/${projectName}" \
- --prefix PATH : "''${defaultPathInputs// /\/bin:}''${defaultPathInputs:+/bin:}"
+ --prefix PATH : "$inputsDefaultPath"
 # Make changes in the config file
 ${lib.optionalString forceNvcCli ''
 substituteInPlace "$out/etc/${projectName}/${projectName}.conf" \
@@ -294,7 +326,9 @@ in
 }).overrideAttrs (
 finalAttrs: prevAttrs: {
+ inputsDefaultPath = lib.makeBinPath finalAttrs.defaultPathInputs;
 passthru = prevAttrs.passthru or { } // {
+ inherit sourceFilesWithDefaultPaths;
 tests = {
 image-hello-cowsay = singularity-tools.buildImage {
 name = "hello-cowsay"; |
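Review bot: In the replacement argument built with `addShellDoubleQuotes`, the `$inputsDefaultPath${inputsDefaultPath:+:}` expansion sits outside any shell quotes — the generated word is `'"'$inputsDefaultPath${inputsDefaultPath:+:}'<original>''"'` — so it is subject to word splitting and globbing, whereas the removed `--replace` line kept the expansion inside double quotes. `lib.makeBinPath` output contains neither whitespace nor glob characters today, so this works, but the result is the PATH the setuid starter trusts, so keep it quoted: `(addShellDoubleQuotes ''"$inputsDefaultPath''${inputsDefaultPath:+:}"${lib.escapeShellArg originalDefaultPath}'')`. Separately, a file mapped to an empty list would emit `substituteInPlace FILE \` followed by no `--replace-fail` arguments; if that is not a supported input, filter such entries or reject them with `lib.assertMsg`. The enclosing shell-string attribute starts and ends outside the hunk.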
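Review bot: `inputsDefaultPath` is a new derivation attribute, and therefore an environment variable of the build, that the shell fragments in the earlier hunks read both for the source substitution and for the `wrapProgram --prefix PATH` call, but nothing states that contract at the definition. A comment above the assignment such as `# Colon-separated <pkg>/bin list of defaultPathInputs; read by the build script as $inputsDefaultPath to extend the hard-coded defaultPath in the sources and the wrapper's PATH` would make the coupling visible to the next editor. `finalAttrs.defaultPathInputs` is defined outside this hunk, so I cannot confirm from here that it is the list of derivations `lib.makeBinPath` expects.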