| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
| |
The way store paths are queried has changed significantly in Nix 2.4, so
we need to completely refactor nix-query.cc. However, I currently have a
lot of other things to do and the store protocol is compatible so let's
pin Nix to version 2.3 for the sandbox implementation for now.
Signed-off-by: aszlig <aszlig@nix.build>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is another alias which got introduced in 2018, because the actual
command is "pkg-config" and so the package name containing a dash is
more reasonable.
The reason why I'm doing this is because NixOS VM tests now disallow
aliases and while the evaluation error in question only affected the
"gnupg" test, I decided to change all occurences in the event that we
might want to disallow aliases for things other than VM tests.
Signed-off-by: aszlig <aszlig@nix.build>
Cc: @sternenseemann for "opam-env"
|
|
|
|
|
|
|
|
|
|
| |
If we don't have a PID namespace, we're not allowed to mount a new
procfs instance and subsequently get an error (EPERM).
To cope with this, we're now bind-mounting /proc just like the other
pseudo file systems IFF we're not using the CLONE_NEWPID flag.
Signed-off-by: aszlig <aszlig@nix.build>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
While the sandbox was initially written for games, I now use the
implementation for other things, such as sandboxing database management
systems inside "nix develop".
However, both MariaDB and PostgreSQL do not like it very much if for
example IPC is too restricted and if the PID file contains the PID of
the process inside the namespace.
Additionally I always wanted to have a way to enable network namespaces
for games as well, so this is a good occasion to make them configurable.
Of course, since we need the mount and user namespaces to implement our
sandbox in the first place, we can't allow users to disable these
namespaces, but for everything else, we now have a new "namespaces"
attribute.
Signed-off-by: aszlig <aszlig@nix.build>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A while ago[1], @Profpatsch added this comment above the definition of
the $runtimeDeps variable:
# Reads the dependency closures and does ? something? TODO: explain
I just recently (yesterday as of the date of this commit) found out
about that comment by accident.
While this should probably be better of as an issue instead, the comment
does have a point, since not everybody enjoys reading/writing sed
expressions.
In a nutshell, what the implementation actually does is parsing the
output of the files generated by exportReferencesGraph.
At the time of writing the implementation, we didn't have a JSON-based
interface in Nix for doing the same, nor did we have something like
pkgs.closureInfo. There was only a small Perl script[2], which did
something like this, but given that it can be easily done via sed, I
opted to instead use the latter.
Nevertheless however, using closureInfo is not only more concise in its
implementation, it also makes our implementation much more concise as
well and also obvious on what we're doing here.
[1]: 09dc1d8ad625b9a1d5b89593b184d316837ba1cc
[2]: https://github.com/NixOS/nixpkgs/blob/8747190024205a5a3534b4e9a18dbaf3f3ee7b39/pkgs/build-support/kernel/paths-from-graph.pl
Signed-off-by: aszlig <aszlig@nix.build>
|
|
|
|
|
|
|
|
|
|
| |
The standard functins in `malloc.h` are exported by `stdlib.h`, and
`malloc.h` is highly linux-specific.
See
https://stackoverflow.com/questions/56463049/should-mac-osx-have-a-malloc-h-file/56463133#56463133
and
https://stackoverflow.com/questions/12973311/difference-between-stdlib-h-and-malloc-h
|
|
|
|
|
|
| |
Enables us to run nix *inside* of a sandbox.
We have to mount the whole store, because otherwise realized store
paths built inside of the sandbox are not accessible.
|
|
|
|
|
| |
Since we want to create a transparent sandbox, returning the same exit
code as the wrapped process is very important.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
So far I mostly used this implementation for the games we have packaged,
where we pretty much patch out all commands that execute external
programs.
However in order to be useful in a more generic way, it makes sense to
provide a /bin/sh implementation, especially when you have to deal with
scripting languages.
I'm using dash here, because it's a more minimal implementation rather
than the default shell (bash) we use in nixpkgs and it practically only
needs to be able to run constructs like "/bin/sh -c foo".
Signed-off-by: aszlig <aszlig@nix.build>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since add_DT_NEEDED_for_dynamic is no longer the default for ld[1],
we'll get a linking error like this:
nix-query.o: undefined reference to symbol '_ZNK3nix5Store22followLinksToStorePathERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE'
Unfortunately, the only way to work around this without re-enabling the
same flag is directly specify dependencies we really *should* not need
to specify because they're a transient dependency of libnixmain.
So for now I'm reverting back to the previous behaviour with
--copy-dt-needed-entries until I got time to look into it in detail.
From the ld(1) manual page:
--copy-dt-needed-entries
--no-copy-dt-needed-entries
This option affects the treatment of dynamic libraries referred to
by DT_NEEDED tags inside ELF dynamic libraries mentioned on the
command line. Normally the linker will add a DT_NEEDED tag to the
output binary for each library mentioned in a DT_NEEDED tag in an
input dynamic library. With --no-copy-dt-needed-entries specified on
the command line however any dynamic libraries that follow it will
have their DT_NEEDED entries ignored. The default behaviour can be
restored with --copy-dt-needed-entries.
This option also has an effect on the resolution of symbols in
dynamic libraries. With the default setting dynamic libraries
mentioned on the command line will be recursively searched,
following their DT_NEEDED tags to other libraries, in order to
resolve symbols required by the output binary. With
--no-copy-dt-needed-entries specified however the searching of
dynamic libraries that follow it will stop with the dynamic library
itself. No DT_NEEDED links will be traversed to resolve symbols.
[1]: https://github.com/NixOS/nixpkgs/commit/bcfe7af84b3628a31bfcc43dde30fc553a73adac
Signed-off-by: aszlig <aszlig@nix.build>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We're not directly using Boost but some headers are included in the
headers we use, which causes the build to fail on newer Nix versions.
In theory, this should be propagated by the Nix derivation. See also
this comment:
https://github.com/NixOS/nixpkgs/issues/39001#issuecomment-381949306
However, when looking at the Nix derivation, it already contains code
that takes care of not propagating the boost dependency.
Nevertheless, adding the dependency on our end even though it could
become redundant some day certainly won't hurt.
Signed-off-by: aszlig <aszlig@nix.build>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In order to isolate processes even further it's a good idea to not let
them access information about other PIDs, eg. by enumerating /proc.
However, this still bind-mounts /sys from the root namespace, so we
might want to restrict /sys further. For our games however we will need
/sys because it is used to enumerate gamepads and other input devices.
Currently the processes will now be PID 1. I've tested this against a
few games and none of them had problems with that so far, so let's keep
it that way.
Another thing we might want to add and which currently isn't there is a
subreaper, which is useful if we have a process that leaves zombie
processes around.
Signed-off-by: aszlig <aszlig@nix.build>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This introduces a new environment variable called
NIX_SANDBOX_DEBUG_INJECT_FILES. The name is intentionally very long so
that people hopefully *only* use it for debugging.
What this does is to just bind-mount the given source file to a given
destination file in the chroot.
For example:
NIX_SANDBOX_DEBUG_INJECT_FILES=/foo/bar=/bar/foo somethingSandboxed
The file /foo/bar outside of the sandbox will be bind-mounted to
/bar/foo within the sandbox. Several files can be separated via colon.
Of course the most interesting use case here (and the reason for this
feature) is that we can overlay files in the Nix store without the need
to rebuild anything, so we can quickly patch specific files.
In my case I'm using this so I can use radare2 to patch the assembly of
some binaries quickly for debugging/reverse engineering.
Signed-off-by: aszlig <aszlig@nix.build>
|
|
|
|
|
|
|
|
| |
I'm going to use the sandboxing implementation as the basis for
something else where I'm going to do additional mounts on top of the
existing ones. This is just to make it easier to find the mount target.
Signed-off-by: aszlig <aszlig@nix.build>
|
|
|
|
|
|
|
|
|
|
|
|
| |
When using MS_BIND the mount flags aren't actually applied, so we need
to remount the bind mount with the flags we wanted if additional flags
are desired for the mount.
I've also removed the MS_NOATIME, because this doesn't work for kernel
4.14 (returns -EPERM) and it's really not necessary to change the atime
flags for our bind mounts.
Signed-off-by: aszlig <aszlig@nix.build>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
While the Nix store should be read-only by default, we can't guarantee
this as the Nix store could be mounted read-write (for example on
non-NixOS systems).
For paths other than store directories, I took a conservative approach
here where only /etc is mounted read-only, for all the pseudo-
filesystems such as /proc, /sys or /dev write access might still be
needed, for example to write to a hardware device exposed via /dev (eg.
a gamepad with rumble support).
Signed-off-by: aszlig <aszlig@nix.build>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For example the store path of libGL-1.0.0 is a symlink pointing to
libglvnd-1.0.0 right now on my machine.
If we have such a symlink the sandbox would just silently skip it and
only mount the *resolved* path instead of creating the symlink leading
to the target.
Now whenever bind_mount() with the resolve argument being true is used,
we create all the symlinks leading to the target path determined by
realpath().
Signed-off-by: aszlig <aszlig@nix.build>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since the introduction and move of a few packages to use the sandbox, we
no longer have XDG desktop entries, because the sandbox only creates
wrappers for all programs in $drv/bin.
This now also copies the XDG desktop files and replaces absolute paths
to binaries to refer to the sandboxed binaries.
I also modified the test to go through the XDG desktop file by default
so we can ensure that this works properly.
Signed-off-by: aszlig <aszlig@nix.build>
|
|
|
|
|
|
|
|
|
|
|
| |
In order to do integer comparisons on the Nix version, we need to
zero-pad the minor version, so that we always have two digits.
Since the change of Nix version 1.12 to 2.0 the minor version no longer
has two digits, so we get 20 instead of 112 and when compared the former
is smaller than the latter but it has to be the opposite.
Signed-off-by: aszlig <aszlig@nix.build>
|
|
|
|
|
|
|
|
| |
Though we're already checking the realpath() let's actually make sure
that the path begins with a slash, otherwise we'll run into a segfault
later when we try to access the second byte of path.
Signed-off-by: aszlig <aszlig@nix.build>
|
|
|
|
|
|
|
|
|
|
|
|
| |
We only handle XDG_DATA_HOME and XDG_CONFIG_HOME, but we've missed
XDG_CACHE_HOME. While the latter is used very rarely as it doesn't
matter a lot if it ends up within a tmpfs anyway. However if the cache
directory gets pretty large we might run out of space.
Not only do we now have proper fallbacks but this also adds tests for
all of the XDG environment variables we're using.
Signed-off-by: aszlig <aszlig@nix.build>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
While we already have support for mounting plain files, this is done on
a very specific basis, mainly the .Xauthority file.
Whenever we use bind_mount() and the file is a regular file, mounting
that file will fail. So let's actually do a stat on the file and decide
whether we want to do bind_file() or bind_mount().
I've stumbled on this because one of the store paths of the run time
dependency graph was a plain file and thus the sandbox wrapper was
unable to mount it.
Signed-off-by: aszlig <aszlig@nix.build>
|
|
This is not only useful for packaging games, so let's make it available
from the vuizvui scope, so we can use it from other packages as well.
Signed-off-by: aszlig <aszlig@nix.build>
|