path: root/pkgs/build-support/build-sandbox/default.nix
Commit log (subject, then author, date, files changed, lines removed/added):
* sandbox: Use Nix 2.3 for now (aszlig, 2022-02-09, 1 file changed, -2/+3)

  The way store paths are queried has changed significantly in Nix 2.4, so we need to completely refactor nix-query.cc. However, I currently have a lot of other things to do and the store protocol is compatible so let's pin Nix to version 2.3 for the sandbox implementation for now.

  Signed-off-by: aszlig <aszlig@nix.build>
* treewide: Replace pkgconfig with pkg-config (aszlig, 2021-06-16, 1 file changed, -2/+2)

  This is another alias which got introduced in 2018, because the actual command is "pkg-config" and so the package name containing a dash is more reasonable.

  The reason why I'm doing this is because NixOS VM tests now disallow aliases and while the evaluation error in question only affected the "gnupg" test, I decided to change all occurrences in the event that we might want to disallow aliases for things other than VM tests.

  Signed-off-by: aszlig <aszlig@nix.build>
  Cc: @sternenseemann for "opam-env"
* sandbox: Allow to enable/disable namespaces (aszlig, 2020-09-11, 1 file changed, -2/+21)

  While the sandbox was initially written for games, I now use the implementation for other things, such as sandboxing database management systems inside "nix develop". However, both MariaDB and PostgreSQL do not like it very much if for example IPC is too restricted and if the PID file contains the PID of the process inside the namespace.

  Additionally I always wanted to have a way to enable network namespaces for games as well, so this is a good occasion to make them configurable.

  Of course, since we need the mount and user namespaces to implement our sandbox in the first place, we can't allow users to disable these namespaces, but for everything else, we now have a new "namespaces" attribute.

  Signed-off-by: aszlig <aszlig@nix.build>
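An added usage sketch of the per-namespace switch described in the commit above. This is not code from the page or from the vuizvui repository: the call shape `buildSandbox drv { ... }`, the `namespaces` attribute and the namespace names `ipc`, `pid` and `net` (with `true` meaning the namespace is created, i.e. isolation is on) are assumptions about the interface and have to be checked against the real default.nix before use. The derivation names `postgresql` and `someGame` are placeholders.

```nix
# Added example; attribute and namespace names are assumptions, not
# taken from default.nix. Verify them before relying on this.
{ buildSandbox, postgresql, someGame }:

{
  # A database server inside "nix develop": leave the IPC and PID
  # namespaces off, because SysV shared memory must stay reachable and
  # the PID written to the PID file must match what the host sees.
  # Mount and user namespaces are always created; they cannot be
  # switched off because the sandbox is built on them.
  sandboxedPostgres = buildSandbox postgresql {
    namespaces = {
      ipc = false;
      pid = false;
      net = false;   # clients still need to reach the server
    };
  };

  # A game: keep the default isolation and additionally give it an
  # empty network namespace, so it has no network access at all.
  sandboxedGame = buildSandbox someGame {
    namespaces.net = true;
  };
}
```

The point of the contrast is that the namespace set is a security dial per wrapped program: each namespace you turn off widens what the sandboxed process shares with the host (IPC objects, the PID space, the network stack), so the database variant is deliberately weaker than the game variant.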
* sandbox: Use closureInfo for getting runtime deps (aszlig, 2020-06-23, 1 file changed, -25/+5)

  A while ago[1], @Profpatsch added this comment above the definition of the $runtimeDeps variable:

    # Reads the dependency closures and does ? something? TODO: explain

  I just recently (yesterday as of the date of this commit) found out about that comment by accident. While this should probably be better off as an issue instead, the comment does have a point, since not everybody enjoys reading/writing sed expressions.

  In a nutshell, what the implementation actually does is parsing the output of the files generated by exportReferencesGraph. At the time of writing the implementation, we didn't have a JSON-based interface in Nix for doing the same, nor did we have something like pkgs.closureInfo. There was only a small Perl script[2], which did something like this, but given that it can be easily done via sed, I opted to instead use the latter.

  Nevertheless however, using closureInfo is not only more concise in its implementation, it also makes our implementation much more concise as well and also obvious on what we're doing here.

  [1]: 09dc1d8ad625b9a1d5b89593b184d316837ba1cc
  [2]: https://github.com/NixOS/nixpkgs/blob/8747190024205a5a3534b4e9a18dbaf3f3ee7b39/pkgs/build-support/kernel/paths-from-graph.pl

  Signed-off-by: aszlig <aszlig@nix.build>
* build-support/build-sandbox: add support for mounting /nix (Profpatsch, 2019-04-18, 1 file changed, -12/+30)

  Enables us to run nix *inside* of a sandbox. We have to mount the whole store, because otherwise realized store paths built inside of the sandbox are not accessible.
* sandbox: Add an option to set up /bin/sh (aszlig, 2019-03-23, 1 file changed, -5/+10)

  So far I mostly used this implementation for the games we have packaged, where we pretty much patch out all commands that execute external programs.

  However in order to be useful in a more generic way, it makes sense to provide a /bin/sh implementation, especially when you have to deal with scripting languages.

  I'm using dash here, because it's a more minimal implementation rather than the default shell (bash) we use in nixpkgs and it practically only needs to be able to run constructs like "/bin/sh -c foo".

  Signed-off-by: aszlig <aszlig@nix.build>
* pkgs/sandbox: Add dependency on Boost (aszlig, 2018-09-22, 1 file changed, -2/+2)

  We're not directly using Boost but some headers are included in the headers we use, which causes the build to fail on newer Nix versions.

  In theory, this should be propagated by the Nix derivation. See also this comment:

    https://github.com/NixOS/nixpkgs/issues/39001#issuecomment-381949306

  However, when looking at the Nix derivation, it already contains code that takes care of not propagating the boost dependency.

  Nevertheless, adding the dependency on our end even though it could become redundant some day certainly won't hurt.

  Signed-off-by: aszlig <aszlig@nix.build>
* pkgs/sandbox: Add flag to bind-mount read-only (aszlig, 2018-07-02, 1 file changed, -1/+2)

  While the Nix store should be read-only by default, we can't guarantee this as the Nix store could be mounted read-write (for example on non-NixOS systems).

  For paths other than store directories, I took a conservative approach here where only /etc is mounted read-only, for all the pseudo-filesystems such as /proc, /sys or /dev write access might still be needed, for example to write to a hardware device exposed via /dev (eg. a gamepad with rumble support).

  Signed-off-by: aszlig <aszlig@nix.build>
* pkgs/sandbox: Fix and pass through .desktop files (aszlig, 2018-04-29, 1 file changed, -0/+8)

  Since the introduction and move of a few packages to use the sandbox, we no longer have XDG desktop entries, because the sandbox only creates wrappers for all programs in $drv/bin.

  This now also copies the XDG desktop files and replaces absolute paths to binaries to refer to the sandboxed binaries.

  I also modified the test to go through the XDG desktop file by default so we can ensure that this works properly.

  Signed-off-by: aszlig <aszlig@nix.build>
* build-sandbox: Move to top-level build-support (aszlig, 2017-11-30, 1 file changed, -0/+75)

  This is not only useful for packaging games, so let's make it available from the vuizvui scope, so we can use it from other packages as well.

  Signed-off-by: aszlig <aszlig@nix.build>