about summary refs log tree commit diff
path: root/pkgs/build-support/build-sandbox/default.nix
diff options
context:
space:
mode:
Diffstat (limited to 'pkgs/build-support/build-sandbox/default.nix')
-rw-r--r--pkgs/build-support/build-sandbox/default.nix42
1 files changed, 30 insertions, 12 deletions
diff --git a/pkgs/build-support/build-sandbox/default.nix b/pkgs/build-support/build-sandbox/default.nix
index 66797268..4e5cffe9 100644
--- a/pkgs/build-support/build-sandbox/default.nix
+++ b/pkgs/build-support/build-sandbox/default.nix
@@ -11,6 +11,10 @@ let
   pathsRuntimeVars = paths.runtimeVars or [];
   # Mount a dash shell in /bin/sh inside the chroot.
   allowBinSh       = attrs.allowBinSh or false;
+  # Enable nix builds from within the sandbox.
+  # Has to write the full nix store to make the outputs accessible.
+  # TODO: get rid of nix & pkg-config if this is enabled (in the Makefile)
+  fullNixStore = attrs.fullNixStore or false;
 
   # Create code snippets for params.c to add extra_mount() calls.
   mkExtraMountParams = isRequired: lib.concatMapStringsSep "\n" (extra: let
@@ -26,11 +30,13 @@ in stdenv.mkDerivation ({
 
   inherit drv;
 
+  # writes files "sandbox-*" to the builder (see nix manual)
   exportReferencesGraph =
     [ "sandbox-closure" drv ] ++
     lib.optionals allowBinSh [ "sandbox-binsh" dash ];
 
   configurePhase = ''
+    # Reads the dependency closures and does … something? TODO: explain
     runtimeDeps="$(sed -ne '
       p; n; n
 
@@ -52,25 +58,36 @@ in stdenv.mkDerivation ({
     echo '#include "setup.h"' > params.c
     echo 'bool setup_app_paths(void) {' >> params.c
 
-    for dep in $runtimeDeps; do
-      echo 'if (!bind_mount("'"$dep"'", true, true, true)) return false;' \
+    ${if fullNixStore then ''
+      # /nix/var needs to be writable for nix to work inside the sandbox
+      echo 'if (!bind_mount("/nix/var", false, true, true)) return false;' \
+        >> params.c
+      echo 'if (!bind_mount("/nix/store", true, true, true)) return false;' \
         >> params.c
-    done
+
+    '' else ''
+      for dep in $runtimeDeps; do
+        echo 'if (!bind_mount("'"$dep"'", true, true, true)) return false;' \
+          >> params.c
+      done
+    ''}
 
     ${mkExtraMountParams true  pathsRequired}
     ${mkExtraMountParams false pathsWanted}
 
     echo 'return true; }' >> params.c
 
-    echo 'bool mount_runtime_path_vars(struct query_state *qs) {' >> params.c
+   ${lib.optionalString (!fullNixStore) ''
+      echo 'bool mount_runtime_path_vars(struct query_state *qs) {' >> params.c
 
-    ${lib.concatMapStringsSep "\n" (pathvar: let
-      escaped = lib.escapeShellArg (lib.escape ["\\" "\""] pathvar);
-      fun = "mount_from_path_var";
-      result = "echo 'if (!${fun}(qs, \"'${escaped}'\")) return false;'";
-    in "${result} >> params.c") pathsRuntimeVars}
+      ${lib.concatMapStringsSep "\n" (pathvar: let
+        escaped = lib.escapeShellArg (lib.escape ["\\" "\""] pathvar);
+        fun = "mount_from_path_var";
+        result = "echo 'if (!${fun}(qs, \"'${escaped}'\")) return false;'";
+      in "${result} >> params.c") pathsRuntimeVars}
 
-    echo 'return true; }' >> params.c
+      echo 'return true; }' >> params.c
+    ''}
   '';
 
   postInstall = ''
@@ -82,8 +99,9 @@ in stdenv.mkDerivation ({
   '';
 
   nativeBuildInputs = [ pkgconfig ];
-  buildInputs = [ nix boost ];
+  buildInputs = [ boost nix ];
   makeFlags = [ "BINDIR=${drv}/bin" ]
-           ++ lib.optional allowBinSh "BINSH_EXECUTABLE=${dash}/bin/dash";
+           ++ lib.optional allowBinSh "BINSH_EXECUTABLE=${dash}/bin/dash"
+           ++ lib.optional fullNixStore "FULL_NIX_STORE=1";
 
 } // removeAttrs attrs [ "paths" "allowBinSh" ])
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-07-03 12:52:13 +0000