From cc86857601da5685a30da76665914af0cd744530 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Mon, 16 Nov 2015 08:12:08 +0100 Subject: [PATCH 01/61] libpng: security and maintenance 1.6.18 -> 1.6.19 Fixes #11030, CVE-2015-{7981,8126}. --- pkgs/development/libraries/libpng/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/development/libraries/libpng/default.nix b/pkgs/development/libraries/libpng/default.nix index 53777a0c56f0..a2454aa02f04 100644 --- a/pkgs/development/libraries/libpng/default.nix +++ b/pkgs/development/libraries/libpng/default.nix @@ -3,11 +3,11 @@ assert zlib != null; let - version = "1.6.18"; - sha256 = "0qq96rf31483kxz32h6l6921hy6p2v2pfqfvc74km229g4xw241f"; + version = "1.6.19"; + sha256 = "1s1mmkl79ghiczi2x2rbnp6y70v4c5pr8g3icxn9h5imymbmc71i"; patch_src = fetchurl { url = "mirror://sourceforge/libpng-apng/libpng-${version}-apng.patch.gz"; - sha256 = "0g2ljh2vhclas1hacys1c4gk6l6hyy6sngb2yvdsnjz50nyq16kv"; + sha256 = "0bgqkac16yhl0zwjzq2zwkixg2l2x3a6blbk3k0wqz0lza2a6jrh"; }; whenPatched = stdenv.lib.optionalString apngSupport; From d50d14d55f1e5a53633f8a18bc55fe4d42361f93 Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Sat, 21 Dec 2013 13:48:06 +0100 Subject: [PATCH 02/61] Use the nix provided shell. This is guaranteed to be bash, SmartOS has ksh by default and doesn't work. --- pkgs/build-support/fetchgit/builder.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/build-support/fetchgit/builder.sh b/pkgs/build-support/fetchgit/builder.sh index 64eea4ae1000..4bbef1d6e62a 100644 --- a/pkgs/build-support/fetchgit/builder.sh +++ b/pkgs/build-support/fetchgit/builder.sh 
@@ -6,7 +6,7 @@ source $stdenv/setup header "exporting $url (rev $rev) into $out" -$fetcher --builder --url "$url" --out "$out" --rev "$rev" \ +$SHELL $fetcher --builder --url "$url" --out "$out" --rev "$rev" \ ${leaveDotGit:+--leave-dotGit} \ ${deepClone:+--deepClone} \ ${fetchSubmodules:+--fetch-submodules} \ From 546601cf4b02a9c0c9d47a577d7be9d285590c2d Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Sat, 21 Dec 2013 13:48:11 +0100 Subject: [PATCH 03/61] SmartOS: Fix w3m build --- pkgs/applications/networking/browsers/w3m/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/networking/browsers/w3m/default.nix b/pkgs/applications/networking/browsers/w3m/default.nix index d8c421af46a8..c9d8f626c8c6 100644 --- a/pkgs/applications/networking/browsers/w3m/default.nix +++ b/pkgs/applications/networking/browsers/w3m/default.nix @@ -19,6 +19,8 @@ stdenv.mkDerivation rec { sha256 = "1qx9f0kprf92r1wxl3sacykla0g04qsi0idypzz24b7xy9ix5579"; }; + NIX_LDFLAGS = "-lsocket -lnsl"; + patches = [ ./glibc214.patch ] # Patch for the newer unstable boehm-gc 7.2alpha. Not all platforms use that # alpha. At the time of writing this, boehm-gc-7.1 is the last stable. From fdb534f06e4614bab25f38c48db7c99ae13c2b15 Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Thu, 3 Apr 2014 19:01:43 +0200 Subject: [PATCH 04/61] GCC 4.8 compiles on Illumos. - Disable profiled bootstrap. - Add illumos meta platform. --- lib/platforms.nix | 5 +++-- pkgs/development/compilers/gcc/4.8/default.nix | 1 + pkgs/top-level/all-packages.nix | 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/lib/platforms.nix b/lib/platforms.nix index 825cc4136a19..750829da3751 100644 --- a/lib/platforms.nix +++ b/lib/platforms.nix 
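Review bot: `$SHELL` on the new `$SHELL $fetcher` line is unquoted and is only bash because this builder sources `$stdenv/setup` (the hunk's context line); nothing in the file records why the fetcher script's own shebang and execute bit are being bypassed, so the next cleanup is likely to drop the prefix again. Quote both words, `"$SHELL" "$fetcher" --builder --url "$url" --out "$out" --rev "$rev" \`, and put the reason above it, e.g. `# run through stdenv's bash: the script's shebang is not usable on SmartOS (ksh is the default shell there, per the commit)`. The cause is taken from the commit message, not from anything visible in this hunk, so keep the comment worded as such.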
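Review bot: `NIX_LDFLAGS = "-lsocket -lnsl";` is unconditional, so every platform now links w3m against libsocket and libnsl; libsocket does not exist on glibc-based Linux, so this very likely breaks the Linux build that was the only supported one before this series. Guard it: `NIX_LDFLAGS = stdenv.lib.optionalString stdenv.isSunOS "-lsocket -lnsl";`. Patch 27 later in this series makes exactly that change, so the two should be squashed so that no intermediate commit leaves w3m unbuildable on Linux.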
@@ -8,8 +8,9 @@ rec { openbsd = ["i686-openbsd" "x86_64-openbsd"]; netbsd = ["i686-netbsd" "x86_64-netbsd"]; cygwin = ["i686-cygwin" "x86_64-cygwin"]; - unix = linux ++ darwin ++ freebsd ++ openbsd; - all = linux ++ darwin ++ cygwin ++ freebsd ++ openbsd; + illumos = ["x86_64-solaris"]; + unix = linux ++ darwin ++ freebsd ++ openbsd ++ netbsd ++ illumos; + all = linux ++ darwin ++ cygwin ++ freebsd ++ openbsd ++ netbsd ++ illumos; none = []; allBut = platforms: lists.filter (x: !(builtins.elem x platforms)) all; mesaPlatforms = ["i686-linux" "x86_64-linux" "x86_64-darwin" "armv5tel-linux" "armv6l-linux"]; diff --git a/pkgs/development/compilers/gcc/4.8/default.nix b/pkgs/development/compilers/gcc/4.8/default.nix index ff1d388b6e23..22c4fc22c020 100644 --- a/pkgs/development/compilers/gcc/4.8/default.nix +++ b/pkgs/development/compilers/gcc/4.8/default.nix @@ -519,6 +519,7 @@ stdenv.mkDerivation ({ platforms = stdenv.lib.platforms.linux ++ stdenv.lib.platforms.freebsd ++ + stdenv.lib.platforms.illumos ++ optionals (langAda == false) stdenv.lib.platforms.darwin; }; } diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 38b954fdd1c2..8134b08f5f7b 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -3890,7 +3890,7 @@ let inherit noSysDirs; # PGO seems to speed up compilation by gcc by ~10%, see #445 discussion - profiledCompiler = with stdenv; (!isDarwin && (isi686 || isx86_64)); + profiledCompiler = with stdenv; (!isSunOS && !isDarwin && (isi686 || isx86_64)); # When building `gcc.crossDrv' (a "Canadian cross", with host == target # and host != build), `cross' must be null but the cross-libc must still From a93f8835560ae7f601156b42deca870cdfbda443 Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Thu, 3 Apr 2014 19:11:07 +0200 Subject: [PATCH 05/61] Fix bison build on Illumos. --- pkgs/development/tools/parsing/bison/3.x.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
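Review bot: The rewritten `unix` and `all` lines also gain `netbsd`, which neither the subject ("GCC 4.8 compiles on Illumos") nor the body mentions; because most packages declare `platforms = ...unix` or `...all`, this silently marks every such package as supported on NetBSD, a much wider change than adding the `illumos` alias. Either drop `netbsd` from these two lines or state it in the commit message and put a comment on `unix = ...` explaining why it now belongs there. A short note on the new alias would also help readers who do not know the tuple: `# SmartOS/illumos builds identify as x86_64-solaris`.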
diff --git a/pkgs/development/tools/parsing/bison/3.x.nix b/pkgs/development/tools/parsing/bison/3.x.nix index b38751ba99e4..8e7d65b81ff0 100644 --- a/pkgs/development/tools/parsing/bison/3.x.nix +++ b/pkgs/development/tools/parsing/bison/3.x.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, m4, perl }: +{ stdenv, fetchurl, m4, perl, help2man }: stdenv.mkDerivation rec { name = "bison-3.0.4"; @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "b67fd2daae7a64b5ba862c66c07c1addb9e6b1b05c5f2049392cfd8a2172952e"; }; - nativeBuildInputs = [ m4 perl ]; + nativeBuildInputs = [ m4 perl help2man ]; propagatedBuildInputs = [ m4 ]; meta = { From f046f7bad3f337c9ad070ace9208bd8406d3f827 Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Thu, 3 Apr 2014 19:11:48 +0200 Subject: [PATCH 06/61] Fix libelf build on Illumos --- pkgs/development/libraries/libelf/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/libelf/default.nix b/pkgs/development/libraries/libelf/default.nix index 4a34ac6bdec7..048902f4fc49 100644 --- a/pkgs/development/libraries/libelf/default.nix +++ b/pkgs/development/libraries/libelf/default.nix @@ -15,6 +15,8 @@ stdenv.mkDerivation (rec { nativeBuildInputs = [ glibc ]; }; + buildInputs = [ gettext ]; + meta = { description = "ELF object file access library"; From 450d6aff9c05b5deec58ab31cb8bf0521af89dfb Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Fri, 4 Apr 2014 01:10:51 +0200 Subject: [PATCH 07/61] Less builds fine on Illumos. --- pkgs/tools/misc/less/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/tools/misc/less/default.nix b/pkgs/tools/misc/less/default.nix index af8a0dd7d81b..75e00635320a 100644 --- a/pkgs/tools/misc/less/default.nix +++ b/pkgs/tools/misc/less/default.nix 
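Review bot: `help2man` is added to `nativeBuildInputs` without a comment, and the commit message only says it fixes the Illumos build, so nothing explains why a release tarball that ships a pre-built man page suddenly needs to regenerate it. Presumably a timestamp skew after unpacking makes make rebuild `doc/bison.1` on that platform — confirm from the build log and record it: `# help2man: bison.1 is regenerated on Illumos (timestamp skew? confirm) and the build fails without it`. If it is only needed there, `++ stdenv.lib.optional stdenv.isSunOS help2man` keeps the Linux build closure unchanged.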
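Review bot: `buildInputs = [ gettext ];` is unconditional and the derivation's argument set is not in the hunk, so check that `gettext` is actually a parameter of this file; if it is not, the expression fails to evaluate on every platform, not just Illumos. Since the commit is scoped to Illumos, `buildInputs = stdenv.lib.optional stdenv.isSunOS gettext;` leaves the Linux closure untouched. Add the reason as well, hedged until confirmed: `# Illumos: libintl is not part of libc (presumably), so libelf's gettext calls need the separate library`.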
@@ -18,7 +18,7 @@ stdenv.mkDerivation rec { meta = { homepage = http://www.greenwoodsoftware.com/less/; description = "A more advanced file pager than ‘more’"; - platforms = stdenv.lib.platforms.linux ++ stdenv.lib.platforms.darwin; + platforms = stdenv.lib.platforms.unix; maintainers = [ stdenv.lib.maintainers.eelco ]; }; } From 6a2b723a8b349ce38b064e7f948ea0c28eafd2e1 Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Fri, 4 Apr 2014 22:08:10 +0200 Subject: [PATCH 08/61] Fix build of gccgo-wrapper on Illumos. When compiling GCC with NIX_ENFORCE_PURITY, linking libgcc fails because crti.o and friends aren't part of the nix store. --- pkgs/build-support/gcc-wrapper-old/utils.sh | 2 ++ pkgs/development/compilers/gcc/4.8/default.nix | 1 - pkgs/top-level/all-packages.nix | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/build-support/gcc-wrapper-old/utils.sh b/pkgs/build-support/gcc-wrapper-old/utils.sh index 753b3772e956..fa19f91bf5d2 100644 --- a/pkgs/build-support/gcc-wrapper-old/utils.sh +++ b/pkgs/build-support/gcc-wrapper-old/utils.sh @@ -14,6 +14,8 @@ badPath() { # the temporary build directory). if test "${p:0:1}" != "/"; then return 1; fi + @extraPathTests@ + # Otherwise, the path should refer to the store or some temporary # directory (including the build directory). test \ diff --git a/pkgs/development/compilers/gcc/4.8/default.nix b/pkgs/development/compilers/gcc/4.8/default.nix index 22c4fc22c020..fd80f4ec8c5f 100644 --- a/pkgs/development/compilers/gcc/4.8/default.nix +++ b/pkgs/development/compilers/gcc/4.8/default.nix @@ -294,7 +294,6 @@ stdenv.mkDerivation ({ ++ (optional stdenv.isDarwin gnused) ; - NIX_LDFLAGS = stdenv.lib.optionalString stdenv.isSunOS "-lm -ldl"; preConfigure = stdenv.lib.optionalString (stdenv.isSunOS && stdenv.is64bit) '' export NIX_LDFLAGS=`echo $NIX_LDFLAGS | sed -e s~$prefix/lib~$prefix/lib/amd64~g` 
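Review bot: `@extraPathTests@` is dropped into `badPath()` — the purity check that keeps non-store paths out of the link line — but nothing in this patch substitutes it, so unless the wrapper's builder (not in this diff) exports `extraPathTests`, the literal `@extraPathTests@` survives `substituteAll` and is executed as a command on every call, failing with "command not found" on stderr. More importantly this is a hook that relaxes the purity check by design (the commit body's goal is to let `crti.o` and friends from outside the store through on Illumos), so it should be named, documented and limited to the SunOS wrapper rather than left as an anonymous placeholder. Add above it `# extra tests substituted by the wrapper build; Illumos uses this to allow the host's crt*.o outside the store` and have the builder default the variable to empty so the placeholder can never be left literal. The rest of `badPath()` is outside the hunk.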
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 8134b08f5f7b..329e28f0c20a 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -16,6 +16,7 @@ # outside of the store. Thus, GCC, GFortran, & co. must always look for # files in standard system directories (/usr/include, etc.) noSysDirs ? (system != "x86_64-freebsd" && system != "i686-freebsd" + && system != "x86_64-solaris" && system != "x86_64-kfreebsd-gnu") # More flags for the bootstrapping of stdenv. From f72bdba42035b51a9d5e6a1a6936436d7368b12e Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Sat, 17 May 2014 11:19:32 +0200 Subject: [PATCH 09/61] Fix dbus-tools build on SmartOS `ld` on illumos does not understand `--as-needed` --- pkgs/development/libraries/dbus/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/libraries/dbus/default.nix b/pkgs/development/libraries/dbus/default.nix index 4a0f98d262a0..97eecf78a1a1 100644 --- a/pkgs/development/libraries/dbus/default.nix +++ b/pkgs/development/libraries/dbus/default.nix @@ -93,7 +93,7 @@ let preBuild = makeInternalLib; buildInputs = buildInputsX ++ systemdOrEmpty ++ [ libs ]; NIX_CFLAGS_LINK = - stdenv.lib.optionalString (!stdenv.isDarwin) "-Wl,--as-needed " + stdenv.lib.optionalString (!stdenv.isDarwin && !stdenv.isSunOS) "-Wl,--as-needed " + "-ldbus-1"; # don't provide another dbus-1.pc (with incorrect include and link dirs), From 15c676fd30c52dc93009ec09ed069746f11d1743 Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Wed, 27 Aug 2014 12:42:39 +0200 Subject: [PATCH 10/61] SmartOS: Make pkgconfig use proper i18n. --- pkgs/development/tools/misc/pkgconfig/default.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pkgs/development/tools/misc/pkgconfig/default.nix b/pkgs/development/tools/misc/pkgconfig/default.nix index 6eea0a6d5d6b..eabcebad31d0 100644 --- a/pkgs/development/tools/misc/pkgconfig/default.nix 
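Review bot: Excluding `x86_64-solaris` from `noSysDirs` makes GCC search `/usr/include` and `/usr/lib` on Illumos (the comment directly above the hunk says exactly that), so builds on that platform are no longer hermetic and can pick up whatever the host happens to have installed. That is a deliberate trade-off for a libc and `crti.o` that live outside the store (per the commit body), but it belongs next to the line rather than only in a commit message: `# x86_64-solaris: crt*.o and libc come from the host, not the store, so system dirs must stay visible`. Outputs built there should be treated as host-dependent when compared with Linux builds.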
+++ b/pkgs/development/tools/misc/pkgconfig/default.nix @@ -10,9 +10,10 @@ stdenv.mkDerivation (rec { sha256 = "0sq09a39wj4cxf8l2jvkq067g08ywfma4v6nhprnf351s82pfl68"; }; - buildInputs = stdenv.lib.optional (stdenv.isCygwin || stdenv.isDarwin) libiconv; + buildInputs = stdenv.lib.optional (stdenv.isCygwin || stdenv.isDarwin || stdenv.isSunOS) libiconv; - configureFlags = [ "--with-internal-glib" ]; + configureFlags = [ "--with-internal-glib" ] + ++ stdenv.lib.optional (stdenv.isSunOS) "--with-libiconv=gnu"; patches = (if vanilla then [] else [ # Process Requires.private properly, see From e9d6da77cdda475d225e6b23f558005c7cc1ca20 Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Sat, 23 Aug 2014 04:26:04 +0200 Subject: [PATCH 11/61] =?UTF-8?q?Fix=20non-chrooted=20(stdenv-native)=20bu?= =?UTF-8?q?ilds=20that=20have=20`man`=20on=20path=20enabling=20building=20?= =?UTF-8?q?of=20built-in=20manual,=20while=20chrooted=20builds=20(hydra)?= =?UTF-8?q?=20will=20not=E2=80=A6?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- pkgs/tools/networking/curl/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/tools/networking/curl/default.nix b/pkgs/tools/networking/curl/default.nix index 14687817835a..3c77d2a6c8d6 100644 --- a/pkgs/tools/networking/curl/default.nix +++ b/pkgs/tools/networking/curl/default.nix @@ -47,6 +47,7 @@ stdenv.mkDerivation rec { ''; configureFlags = [ + "--disable-manual" ( if sslSupport then "--with-ssl=${openssl}" else "--without-ssl" ) ( if scpSupport then "--with-libssh2=${libssh2}" else "--without-libssh2" ) ( if ldapSupport then "--enable-ldap" else "--disable-ldap" ) From bb3d083d63bfc1b5a92a741a7911682085d6e626 Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Mon, 16 Nov 2015 17:04:34 +0100 Subject: [PATCH 12/61] Fix hardcoded target platform. --- pkgs/tools/networking/haproxy/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
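Review bot: `"--disable-manual"` is added to `configureFlags` without a comment; the reason lives only in the commit subject (non-chroot builds that happen to have `man` on PATH generate curl's built-in manual, chroot builds do not, so the two outputs differ), and the next person tidying the flag list will not know it is a reproducibility fix. Add above the new line: `# --disable-manual: the built-in manual is only generated when man is on PATH, so non-chroot and chroot (hydra) builds would otherwise differ`. Keep the wording to what was actually observed rather than guessing at which tool triggers the generation.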
diff --git a/pkgs/tools/networking/haproxy/default.nix b/pkgs/tools/networking/haproxy/default.nix index de8488ab3a8e..6f02648f6661 100644 --- a/pkgs/tools/networking/haproxy/default.nix +++ b/pkgs/tools/networking/haproxy/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { # TODO: make it work on darwin/bsd as well preConfigure = '' - export makeFlags="TARGET=linux2628 PREFIX=$out USE_OPENSSL=yes" + export makeFlags="TARGET=${if stdenv.isSunOS then "solaris" else "linux2628"} PREFIX=$out USE_OPENSSL=yes" ''; meta = { From e0f732415ffc274b42d872ca9f4d5d3bdb35dfda Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Fri, 29 Aug 2014 17:03:56 +0200 Subject: [PATCH 13/61] Fix glib build on SmartOS --- pkgs/development/libraries/glib/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/libraries/glib/default.nix b/pkgs/development/libraries/glib/default.nix index bafe8949e93c..e53775464e03 100644 --- a/pkgs/development/libraries/glib/default.nix +++ b/pkgs/development/libraries/glib/default.nix @@ -65,7 +65,7 @@ stdenv.mkDerivation rec { configureFlags = optional stdenv.isDarwin "--disable-compile-warnings" - ++ optional stdenv.isSunOS "--disable-modular-tests"; + ++ optional stdenv.isSunOS ["--disable-modular-tests" "--with-libiconv"]; NIX_CFLAGS_COMPILE = optionalString stdenv.isDarwin " -lintl" + optionalString stdenv.isSunOS " -DBSD_COMP"; From ee56b6aa245b4111389db58f6dd0a9d8e0e887bc Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Fri, 29 Aug 2014 23:28:57 +0200 Subject: [PATCH 14/61] Doxygen: fix build on SmartOS --- pkgs/development/tools/documentation/doxygen/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/tools/documentation/doxygen/default.nix b/pkgs/development/tools/documentation/doxygen/default.nix index 78669dfdce7a..82bbab5ff87e 100644 --- a/pkgs/development/tools/documentation/doxygen/default.nix +++ b/pkgs/development/tools/documentation/doxygen/default.nix 
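Review bot: `optional stdenv.isSunOS ["--disable-modular-tests" "--with-libiconv"]` wraps the list in another list, so on Illumos `configureFlags` becomes `[ ... [ "--disable-modular-tests" "--with-libiconv" ] ]`; it only works because Nix flattens nested lists when coercing the attribute to a string for the builder. Use the plural form so the list stays flat and behaves with any consumer that iterates it: `++ optionals stdenv.isSunOS [ "--disable-modular-tests" "--with-libiconv" ];`. The Darwin branch on the preceding line uses `optional` correctly because it passes a single string.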
@@ -20,12 +20,14 @@ stdenv.mkDerivation { buildInputs = [ perl python flex bison ] ++ stdenv.lib.optional (qt4 != null) qt4 + ++ stdenv.lib.optional stdenv.isSunOS libiconv ++ stdenv.lib.optionals stdenv.isDarwin [ CoreServices libiconv ]; prefixKey = "--prefix "; configureFlags = [ "--dot dot" ] + ++ stdenv.lib.optional stdenv.isSunOS "--install install" ++ stdenv.lib.optional (qt4 != null) "--with-doxywizard"; preConfigure = From 2c80e12e96cc738264e74839ced61967ca3736fa Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Mon, 16 Nov 2015 17:05:49 +0100 Subject: [PATCH 15/61] Add support for gzip compression --- pkgs/tools/networking/haproxy/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/tools/networking/haproxy/default.nix b/pkgs/tools/networking/haproxy/default.nix index 6f02648f6661..f6201b44b3ea 100644 --- a/pkgs/tools/networking/haproxy/default.nix +++ b/pkgs/tools/networking/haproxy/default.nix @@ -1,4 +1,4 @@ -{ stdenv, pkgs, fetchurl, openssl }: +{ stdenv, pkgs, fetchurl, openssl, zlib }: stdenv.mkDerivation rec { majorVersion = "1.5"; @@ -10,11 +10,11 @@ stdenv.mkDerivation rec { sha256 = "16cg1jmy2d8mq2ypwifsvhbyp4pyrj0zm0r818sx0r4hchwdsrcm"; }; - buildInputs = [ openssl ]; + buildInputs = [ openssl zlib ]; # TODO: make it work on darwin/bsd as well preConfigure = '' - export makeFlags="TARGET=${if stdenv.isSunOS then "solaris" else "linux2628"} PREFIX=$out USE_OPENSSL=yes" + export makeFlags="TARGET=${if stdenv.isSunOS then "solaris" else "linux2628"} PREFIX=$out USE_OPENSSL=yes USE_ZLIB=yes" ''; meta = { From b19116f688b9444eb25ade4142be780b53febc93 Mon Sep 17 00:00:00 2001 
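Review bot: `TARGET`, `PREFIX` and both `USE_*` toggles are assembled as one string and exported from `preConfigure`, so adding `USE_ZLIB=yes` means editing a quoted shell string inside a Nix string; the stdenv idiom is a list, e.g. `makeFlags = [ "TARGET=${if stdenv.isSunOS then "solaris" else "linux2628"}" "PREFIX=$(out)" "USE_OPENSSL=yes" "USE_ZLIB=yes" ];` with the `preConfigure` block dropped. One caveat for the commit title: `USE_ZLIB=yes` only compiles compression support in, it is not active unless a configuration enables it, so nothing changes for existing deployments; a one-line comment above `buildInputs` saying so would prevent the title being misread. The `# TODO: make it work on darwin/bsd as well` note still applies and is unaffected.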
From: Danny Wilson Date: Sat, 7 Nov 2015 04:44:30 +0100 Subject: [PATCH 16/61] Fix Perl build on SmartOS --- .../interpreters/perl/5.20/default.nix | 1 + .../interpreters/perl/5.20/ld-shared.patch | 33 +++++++++++++------ .../interpreters/perl/5.22/default.nix | 1 + .../interpreters/perl/5.22/ld-shared.patch | 33 +++++++++++++------ 4 files changed, 48 insertions(+), 20 deletions(-) diff --git a/pkgs/development/interpreters/perl/5.20/default.nix b/pkgs/development/interpreters/perl/5.20/default.nix index 141484814ea3..81f4f946ea71 100644 --- a/pkgs/development/interpreters/perl/5.20/default.nix +++ b/pkgs/development/interpreters/perl/5.20/default.nix @@ -64,6 +64,7 @@ stdenv.mkDerivation rec { "-Dlocincpth=${libc}/include" "-Dloclibpth=${libc}/lib" ] + ++ optional stdenv.isSunOS "-Dcc=gcc" ++ optional enableThreading "-Dusethreads"; configureScript = "${stdenv.shell} ./Configure"; diff --git a/pkgs/development/interpreters/perl/5.20/ld-shared.patch b/pkgs/development/interpreters/perl/5.20/ld-shared.patch index be45230c8a73..9f92368df687 100644 --- a/pkgs/development/interpreters/perl/5.20/ld-shared.patch +++ b/pkgs/development/interpreters/perl/5.20/ld-shared.patch 
@@ -1,11 +1,24 @@ ---- perl-5.16.2/hints/solaris_2.sh.orig 2013-02-14 19:29:49.453988140 +0000 -+++ perl-5.16.2/hints/solaris_2.sh 2013-02-14 19:30:31.681631019 +0000 -@@ -568,7 +568,7 @@ - # ccflags="$ccflags -Wa,`getconf XBS5_LP64_OFF64_CFLAGS 2>/dev/null`" - # fi - ldflags="$ldflags -m64" -- lddlflags="$lddlflags -G -m64" -+ lddlflags="$lddlflags -shared -m64" +$NetBSD: patch-hints_solaris__2.sh,v 1.2 2015/10/27 09:10:44 jperkin Exp $ + +Redo PR pkg/44999. + +--- perl-5.20.2/hints/solaris_2.sh.orig 2015-05-13 20:19:29.000000000 +0000 ++++ perl-5.20.2/hints/solaris_2.sh +@@ -585,7 +585,7 @@ EOM + fi + fi + case "${cc:-cc} -v 2>/dev/null" in +- *gcc*) ++ *gcc*|clang*) + echo 'int main() { return 0; }' > try.c + case "`${cc:-cc} $ccflags -mcpu=v9 -m64 -S try.c 2>&1 | grep 'm64 is not supported by this configuration'`" in + *"m64 is not supported"*) +@@ -622,7 +622,7 @@ EOM + # use that with Solaris 11 and later, but keep + # the old behavior for older Solaris versions. + case "$osvers" in +- 2.?|2.10) lddlflags="$lddlflags -G -m64" ;; ++ 2.?|2.10) lddlflags="$lddlflags -shared -m64" ;; + *) lddlflags="$lddlflags -shared -m64" ;; + esac ;; - *) - getconfccflags="`getconf XBS5_LP64_OFF64_CFLAGS 2>/dev/null`" diff --git a/pkgs/development/interpreters/perl/5.22/default.nix b/pkgs/development/interpreters/perl/5.22/default.nix index 4b0f4364ea22..53e777c19a11 100644 --- a/pkgs/development/interpreters/perl/5.22/default.nix +++ b/pkgs/development/interpreters/perl/5.22/default.nix @@ -51,6 +51,7 @@ stdenv.mkDerivation rec { "-Dlocincpth=${libc}/include" "-Dloclibpth=${libc}/lib" ] + ++ optional stdenv.isSunOS "-Dcc=gcc" ++ optional enableThreading "-Dusethreads"; configureScript = "${stdenv.shell} ./Configure"; diff --git a/pkgs/development/interpreters/perl/5.22/ld-shared.patch b/pkgs/development/interpreters/perl/5.22/ld-shared.patch index be45230c8a73..140af9af40ed 100644 --- a/pkgs/development/interpreters/perl/5.22/ld-shared.patch 
+++ b/pkgs/development/interpreters/perl/5.22/ld-shared.patch @@ -1,11 +1,24 @@ ---- perl-5.16.2/hints/solaris_2.sh.orig 2013-02-14 19:29:49.453988140 +0000 -+++ perl-5.16.2/hints/solaris_2.sh 2013-02-14 19:30:31.681631019 +0000 -@@ -568,7 +568,7 @@ - # ccflags="$ccflags -Wa,`getconf XBS5_LP64_OFF64_CFLAGS 2>/dev/null`" - # fi - ldflags="$ldflags -m64" -- lddlflags="$lddlflags -G -m64" -+ lddlflags="$lddlflags -shared -m64" +$NetBSD: patch-hints_solaris__2.sh,v 1.2 2015/10/27 09:10:44 jperkin Exp $ + +Redo PR pkg/44999. + +--- perl-5.22.0/hints/solaris_2.sh.orig 2015-05-13 20:19:29.000000000 +0000 ++++ perl-5.22.0/hints/solaris_2.sh +@@ -585,7 +585,7 @@ EOM + fi + fi + case "${cc:-cc} -v 2>/dev/null" in +- *gcc*) ++ *gcc*|clang*) + echo 'int main() { return 0; }' > try.c + case "`${cc:-cc} $ccflags -mcpu=v9 -m64 -S try.c 2>&1 | grep 'm64 is not supported by this configuration'`" in + *"m64 is not supported"*) +@@ -622,7 +622,7 @@ EOM + # use that with Solaris 11 and later, but keep + # the old behavior for older Solaris versions. + case "$osvers" in +- 2.?|2.10) lddlflags="$lddlflags -G -m64" ;; ++ 2.?|2.10) lddlflags="$lddlflags -shared -m64" ;; + *) lddlflags="$lddlflags -shared -m64" ;; + esac ;; - *) - getconfccflags="`getconf XBS5_LP64_OFF64_CFLAGS 2>/dev/null`" From f9134ca9df7281765ec1fcefc7636632b9ef11fb Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Sat, 7 Nov 2015 04:45:26 +0100 Subject: [PATCH 17/61] Fix patchShebangs on SmartOS Tail is very picky about the space after -c when compiled by Nix on Illumos (no idea why). --- pkgs/build-support/setup-hooks/patch-shebangs.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/build-support/setup-hooks/patch-shebangs.sh b/pkgs/build-support/setup-hooks/patch-shebangs.sh index 9d8cd0217a53..38660718d0e2 100644 --- a/pkgs/build-support/setup-hooks/patch-shebangs.sh +++ b/pkgs/build-support/setup-hooks/patch-shebangs.sh 
@@ -19,12 +19,12 @@ patchShebangs() { local newInterpreterLine find "$dir" -type f -perm -0100 | while read f; do - if [ "$(head -1 "$f" | head -c +2)" != '#!' ]; then + if [ "$(head -1 "$f" | head -c+2)" != '#!' ]; then # missing shebang => not a script continue fi - oldInterpreterLine=$(head -1 "$f" | tail -c +3) + oldInterpreterLine=$(head -1 "$f" | tail -c+3) read -r oldPath arg0 args <<< "$oldInterpreterLine" if $(echo "$oldPath" | grep -q "/bin/env$"); then From 340375f42111310a5401a644d12f987fe0a61252 Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Sat, 7 Nov 2015 05:03:28 +0100 Subject: [PATCH 18/61] Make sure optionalAttrs are set before actually building a derivation. --- pkgs/tools/misc/coreutils/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/tools/misc/coreutils/default.nix b/pkgs/tools/misc/coreutils/default.nix index 35e9e3828d93..bd0d1b928570 100644 --- a/pkgs/tools/misc/coreutils/default.nix +++ b/pkgs/tools/misc/coreutils/default.nix @@ -11,7 +11,7 @@ assert selinuxSupport -> libselinux != null && libsepol != null; with { inherit (stdenv.lib) optional optionals optionalString optionalAttrs; }; let - self = stdenv.mkDerivation rec { + self = rec { name = "coreutils-8.24"; src = fetchurl { @@ -102,7 +102,7 @@ let }; }; in - self + stdenv.mkDerivation (self // stdenv.lib.optionalAttrs (stdenv.system == "armv7l-linux" || stdenv.isSunOS) { FORCE_UNSAFE_CONFIGURE = 1; - } + }) From caaded37135131d9a282d66fd44591caf5b169c7 Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Sat, 7 Nov 2015 05:14:15 +0100 Subject: [PATCH 19/61] =?UTF-8?q?Disable=20inotify=20support=20on=20SunOS:?= =?UTF-8?q?=20it=E2=80=99s=20Linux-specific.=20This=20amazingly=20fixes=20?= =?UTF-8?q?the=20coreutils=20build=20on=20SmartOS.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- pkgs/tools/misc/coreutils/default.nix | 2 ++ 1 file changed, 2 insertions(+) 
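Review bot: `head -c+2` and `tail -c+3` look like typos that a future cleanup will "fix" back to the spaced form, and the only record of why the missing space matters is this commit's body (tail built on Illumos rejects `-c +3`). Put that next to the code: `# no space after -c: tail as built on Illumos refuses "-c +3" (see commit)`. Both spellings are the same to getopt, so nothing changes on Linux; the rest of `patchShebangs()` lies outside the hunk.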
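Review bot: Because `FORCE_UNSAFE_CONFIGURE = 1` now actually reaches the builder (the old `self // ...` only decorated the finished derivation's attribute set and never influenced the build), this commit switches on an override that coreutils' configure uses to skip its refusal to configure as root, and the file gives no reason for either platform in the condition. On SmartOS that is presumably because Nix builds run as root there; the armv7l case is not explained anywhere in the series. Add a comment on the attribute set: `# configure refuses to run as root; SmartOS builds run as root (armv7l reason: TODO confirm)`, so the override is not cargo-culted to further platforms.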
diff --git a/pkgs/tools/misc/coreutils/default.nix b/pkgs/tools/misc/coreutils/default.nix index bd0d1b928570..9f763115f9a9 100644 --- a/pkgs/tools/misc/coreutils/default.nix +++ b/pkgs/tools/misc/coreutils/default.nix @@ -36,6 +36,8 @@ let touch -r src/stat.c src/tail.c ''; + configureFlags = optionalString stdenv.isSunOS "ac_cv_func_inotify_init=no"; + nativeBuildInputs = [ perl ]; buildInputs = [ gmp ] ++ optional aclSupport acl From e4b305ca703488204058b3a628ece974cf5befbd Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Sat, 7 Nov 2015 05:59:34 +0100 Subject: [PATCH 20/61] Fix MPFR build again on SmartOS. --- pkgs/development/libraries/mpfr/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/development/libraries/mpfr/default.nix b/pkgs/development/libraries/mpfr/default.nix index e1809d544d1f..581f956b0afd 100644 --- a/pkgs/development/libraries/mpfr/default.nix +++ b/pkgs/development/libraries/mpfr/default.nix @@ -14,6 +14,7 @@ stdenv.mkDerivation rec { propagatedBuildInputs = [ gmp ]; configureFlags = + stdenv.lib.optional stdenv.isSunOS "--disable-thread-safe" ++ stdenv.lib.optional stdenv.is64bit "--with-pic"; doCheck = true; From 46c4981e297e5345eda92528e408b874dfeca16b Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Sun, 8 Nov 2015 02:35:00 +0100 Subject: [PATCH 21/61] Perl works fine on Illumos (and Solaris) --- pkgs/top-level/perl-packages.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/top-level/perl-packages.nix b/pkgs/top-level/perl-packages.nix index 6292fa457f70..2f9d743dcb7e 100644 --- a/pkgs/top-level/perl-packages.nix +++ b/pkgs/top-level/perl-packages.nix 
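Review bot: `--disable-thread-safe` removes MPFR's thread-local caches and flags, so the Illumos build of libmpfr is not safe to use from multiple threads, and everything that links it on that platform (gcc via mpc, and anything else) inherits the limitation without notice. Record it on the line: `# Illumos: thread-local storage does not build with this toolchain (confirm), so MPFR is built non-thread-safe — callers must serialise access`. If the root cause is a missing TLS feature rather than an MPFR problem, the flag should be revisited once the GCC work in this series settles.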
@@ -6495,7 +6495,7 @@ let self = _self // overrides; _self = with self; { meta = { description = "The World-Wide Web library for Perl"; license = with stdenv.lib.licenses; [ artistic1 gpl1Plus ]; - platforms = stdenv.lib.platforms.linux ++ stdenv.lib.platforms.darwin; + platforms = stdenv.lib.platforms.linux ++ stdenv.lib.platforms.darwin ++ stdenv.lib.platforms.illumos; }; }; From 11be480df492ae8bd0b9fc12c91577e3be027710 Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Sun, 8 Nov 2015 02:35:29 +0100 Subject: [PATCH 22/61] Skip failing tests on SmartOS --- pkgs/tools/text/gawk/default.nix | 1 + pkgs/tools/text/gnugrep/default.nix | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/pkgs/tools/text/gawk/default.nix b/pkgs/tools/text/gawk/default.nix index 001a50458e29..f865b69cfeda 100644 --- a/pkgs/tools/text/gawk/default.nix +++ b/pkgs/tools/text/gawk/default.nix @@ -12,6 +12,7 @@ stdenv.mkDerivation rec { doCheck = !( stdenv.isCygwin # XXX: `test-dup2' segfaults on Cygwin 6.1 || stdenv.isDarwin # XXX: `locale' segfaults + || stdenv.isSunOS # XXX: `_backsmalls1' fails, locale stuff? ); buildInputs = stdenv.lib.optional (stdenv.system != "x86_64-cygwin") libsigsegv diff --git a/pkgs/tools/text/gnugrep/default.nix b/pkgs/tools/text/gnugrep/default.nix index e8352e318b9b..242ce36780d1 100644 --- a/pkgs/tools/text/gnugrep/default.nix +++ b/pkgs/tools/text/gnugrep/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation { buildInputs = [ pcre libiconv ]; # cygwin: FAIL: multibyte-white-space - doCheck = !stdenv.isDarwin && !stdenv.isCygwin; + doCheck = !stdenv.isDarwin && !stdenv.isSunOS && !stdenv.isCygwin; # On Mac OS X, force use of mkdir -p, since Grep's fallback # (./install-sh) is broken. From bcc7d8add92fe584915fa063a0b60ed87b153719 Mon Sep 17 00:00:00 2001 
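Review bot: `!stdenv.isSunOS` is added to `doCheck` with no record of which test fails, unlike the gawk change in the same commit (`_backsmalls1`) and the existing `# cygwin: FAIL: multibyte-white-space` note on the line above. Write it down so the tests can be re-enabled later: a `# sunos: FAIL: <test name>` comment beside the cygwin one, with the real name taken from the build log.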
From: Danny Wilson Date: Sun, 8 Nov 2015 02:39:05 +0100 Subject: [PATCH 23/61] Texinfo requires GNU awk, mainly during make check. This fixes build on SmartOS. --- pkgs/development/tools/misc/texinfo/6.0.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pkgs/development/tools/misc/texinfo/6.0.nix b/pkgs/development/tools/misc/texinfo/6.0.nix index 5099676f32ba..3aa77fd2e5fa 100644 --- a/pkgs/development/tools/misc/texinfo/6.0.nix +++ b/pkgs/development/tools/misc/texinfo/6.0.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, ncurses, perl, xz, interactive ? false }: +{ stdenv, fetchurl, ncurses, perl, xz, libiconv, gawk, interactive ? false }: stdenv.mkDerivation rec { name = "texinfo-6.0"; @@ -9,8 +9,11 @@ stdenv.mkDerivation rec { }; buildInputs = [ perl xz ] + ++ stdenv.lib.optional stdenv.isSunOS libiconv ++ stdenv.lib.optional interactive ncurses; + configureFlags = "AWK=${gawk}/bin/awk"; + preInstall = '' installFlags="TEXMF=$out/texmf-dist"; installTargets="install install-tex"; From bab0a82983d9b230ababcb6501f1b58a8541fbbf Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Sun, 8 Nov 2015 02:40:49 +0100 Subject: [PATCH 24/61] Dummy SBCL property to allow other derivations to build. --- pkgs/development/compilers/sbcl/bootstrap.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/development/compilers/sbcl/bootstrap.nix b/pkgs/development/compilers/sbcl/bootstrap.nix index 43002aa72f57..c68189bd8c6b 100644 --- a/pkgs/development/compilers/sbcl/bootstrap.nix +++ b/pkgs/development/compilers/sbcl/bootstrap.nix @@ -23,6 +23,7 @@ let sha256 = "0sp5445rbvms6qvzhld0kwwvydw51vq5iaf4kdqsf2d9jvaz3yx5"; }; armv6l-linux = armv7l-linux; + x86_64-solaris = x86_64-linux; }; cfg = options.${stdenv.system}; in From f17dea3b3dcae065c6ddb187111bef2975ad2eba Mon Sep 17 00:00:00 2001 
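Review bot: `configureFlags = "AWK=${gawk}/bin/awk";` bakes the gawk store path into configure's `AWK`, and texinfo may substitute that into installed scripts as well as into the test suite (the installed scripts are not in the hunk), in which case gawk becomes a runtime reference of the output rather than the build-time dependency the commit describes. Check the result with `nix-store -q --references` and, if it is build-only, make `nativeBuildInputs = [ gawk ];` its home. The requirement also applies on every platform, not just SunOS like the new `libiconv` input, so say why: `# the test suite needs GNU awk; the system awk on SmartOS fails`.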
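Review bot: `x86_64-solaris = x86_64-linux;` points the Illumos system at the prebuilt Linux SBCL binary, which will not execute there, so `sbcl-bootstrap` now evaluates on `x86_64-solaris` but fails at build time instead of at evaluation; that is what the commit intends ("dummy ... to allow other derivations to build") but the line reads like a real mapping. Mark it: `# placeholder: the Linux binary does not run on Illumos; only here so dependents evaluate`. Making the failure explicit (a clear error for the Solaris case rather than a crashing downloaded binary) would be better still, if the surrounding expression allows it.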
From: Danny Wilson Date: Sun, 8 Nov 2015 02:44:38 +0100 Subject: [PATCH 25/61] Fix compilation of GCC 4.9 on SmartOS. Fix ld-solaris-wrapper never calling ld (since gcc->cc-wrapper refactor). --- pkgs/build-support/cc-wrapper/default.nix | 2 +- pkgs/build-support/cc-wrapper/ld-solaris-wrapper.sh | 2 +- pkgs/development/compilers/gcc/4.9/default.nix | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/pkgs/build-support/cc-wrapper/default.nix b/pkgs/build-support/cc-wrapper/default.nix index 9822b1a026a1..bea7e07a2029 100644 --- a/pkgs/build-support/cc-wrapper/default.nix +++ b/pkgs/build-support/cc-wrapper/default.nix @@ -145,7 +145,7 @@ stdenv.mkDerivation { + optionalString (stdenv.isSunOS && nativePrefix != "") '' # Solaris needs an additional ld wrapper. ldPath="${nativePrefix}/bin" - ld="$out/bin/ld-solaris" + exec="$ldPath/ld" wrap ld-solaris ${./ld-solaris-wrapper.sh} '') diff --git a/pkgs/build-support/cc-wrapper/ld-solaris-wrapper.sh b/pkgs/build-support/cc-wrapper/ld-solaris-wrapper.sh index 9216ea3198dd..5a7b92b5ad7d 100644 --- a/pkgs/build-support/cc-wrapper/ld-solaris-wrapper.sh +++ b/pkgs/build-support/cc-wrapper/ld-solaris-wrapper.sh @@ -6,7 +6,7 @@ set -u # I've also tried adding -z direct and -z lazyload, but it gave too many problems with C++ exceptions :'( # Also made sure libgcc would not be lazy-loaded, as suggested here: https://www.illumos.org/issues/2534#note-3 # but still no success. -cmd="@prog@ -z ignore" +cmd="@ld@ -z ignore" args=("$@"); diff --git a/pkgs/development/compilers/gcc/4.9/default.nix b/pkgs/development/compilers/gcc/4.9/default.nix index 13154ddd27a6..fecdd85cd415 100644 --- a/pkgs/development/compilers/gcc/4.9/default.nix +++ b/pkgs/development/compilers/gcc/4.9/default.nix 
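Review bot: The builder now sets `exec="$ldPath/ld"` while the wrapper template switched to `@ld@`, so the two names do not line up: `substituteAll` fills `@ld@` from an environment variable named `ld`, which this hunk no longer assigns, and nothing reads `exec`. Unless `ld` is exported earlier in this builder (not visible here), the generated `$out/bin/ld-solaris` keeps a literal `@ld@` and still never calls the real linker — the bug the commit says it fixes. Removing the `ld="$out/bin/ld-solaris"` assignment may also change what the regular `ld` wrapper, wrapped later in this builder outside the hunk, chains to, if it consults `$ld`. Use one name in both files (`export ld="$ldPath/ld"` here, `@ld@` in the template) and add a cheap guard after the `wrap` call: `grep -q '@ld@' "$out/bin/ld-solaris" && { echo 'ld-solaris: @ld@ unsubstituted' >&2; exit 1; }`.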
@@ -293,9 +293,8 @@ stdenv.mkDerivation ({ ++ (optional stdenv.isDarwin gnused) ; - NIX_LDFLAGS = stdenv.lib.optionalString stdenv.isSunOS "-lm -ldl"; - preConfigure = stdenv.lib.optionalString (stdenv.isSunOS && stdenv.is64bit) '' + sed -i -e "s/-lrt//g" libstdc++-v3/configure export NIX_LDFLAGS=`echo $NIX_LDFLAGS | sed -e s~$prefix/lib~$prefix/lib/amd64~g` export LDFLAGS_FOR_TARGET="-Wl,-rpath,$prefix/lib/amd64 $LDFLAGS_FOR_TARGET" export CXXFLAGS_FOR_TARGET="-Wl,-rpath,$prefix/lib/amd64 $CXXFLAGS_FOR_TARGET" @@ -518,6 +517,7 @@ stdenv.mkDerivation ({ platforms = stdenv.lib.platforms.linux ++ stdenv.lib.platforms.freebsd ++ + stdenv.lib.platforms.illumos ++ optionals (langAda == false) stdenv.lib.platforms.darwin; }; } From 98180e3bb29388508ec1f8a6c2c2f8f4d3c40c8e Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Sun, 8 Nov 2015 02:47:17 +0100 Subject: [PATCH 26/61] Fix ncurses 5.9 build on SmartOS. Has been fixed before, but now includes C++ support. --- pkgs/development/libraries/ncurses/default.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/pkgs/development/libraries/ncurses/default.nix b/pkgs/development/libraries/ncurses/default.nix index c505d89a6d8f..8817e2c5523b 100644 --- a/pkgs/development/libraries/ncurses/default.nix +++ b/pkgs/development/libraries/ncurses/default.nix 
@@ -27,12 +27,21 @@ stdenv.mkDerivation rec { "--enable-symlinks" ] ++ lib.optional unicode "--enable-widec"; + # Only the C compiler, and explicitly not C++ compiler needs this flag on solaris: + CFLAGS = lib.optionalString stdenv.isSunOS "-D_XOPEN_SOURCE_EXTENDED"; + buildInputs = lib.optional (mouseSupport && stdenv.isLinux) gpm; preConfigure = '' configureFlagsArray+=("--includedir=$out/include") export PKG_CONFIG_LIBDIR="$out/lib/pkgconfig" mkdir -p "$PKG_CONFIG_LIBDIR" + '' + + lib.optionalString stdenv.isSunOS '' + sed -i -e '/-D__EXTENSIONS__/ s/-D_XOPEN_SOURCE=\$cf_XOPEN_SOURCE//' \ + -e '/CPPFLAGS="$CPPFLAGS/s/ -D_XOPEN_SOURCE_EXTENDED//' \ + configure + CFLAGS=-D_XOPEN_SOURCE_EXTENDED '' + lib.optionalString stdenv.isCygwin '' sed -i -e 's,LIB_SUFFIX="t,LIB_SUFFIX=",' configure ''; From 62ff7367d533da02b92427997f5d2beb525fd61a Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Tue, 17 Nov 2015 11:20:33 +0100 Subject: [PATCH 27/61] LDFLAGS hack is only required for SmartOS builds --- pkgs/applications/networking/browsers/w3m/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/applications/networking/browsers/w3m/default.nix b/pkgs/applications/networking/browsers/w3m/default.nix index c9d8f626c8c6..32deafffe907 100644 --- a/pkgs/applications/networking/browsers/w3m/default.nix +++ b/pkgs/applications/networking/browsers/w3m/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { sha256 = "1qx9f0kprf92r1wxl3sacykla0g04qsi0idypzz24b7xy9ix5579"; }; - NIX_LDFLAGS = "-lsocket -lnsl"; + NIX_LDFLAGS = stdenv.lib.optionalString stdenv.isSunOS "-lsocket -lnsl"; patches = [ ./glibc214.patch ] # Patch for the newer unstable boehm-gc 7.2alpha. Not all platforms use that From 96648a8526e8e9a8dc7d56a1572cea717ec20403 Mon Sep 17 00:00:00 2001 
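Review bot: `-D_XOPEN_SOURCE_EXTENDED` is applied twice on SunOS: once as the `CFLAGS = lib.optionalString stdenv.isSunOS ...` attribute and again by the plain shell assignment `CFLAGS=-D_XOPEN_SOURCE_EXTENDED` at the end of the SunOS part of preConfigure, which also discards any CFLAGS an overriding expression had placed in the environment. Keeping the attribute and deleting the shell line yields the same flag with one source of truth. The two `sed` edits to `configure` defeat checks that are not named; a comment stating what each removes (the `-D_XOPEN_SOURCE=$cf_XOPEN_SOURCE` injection and the appended `_XOPEN_SOURCE_EXTENDED`) and why SunOS needs that would help, since the existing comment only covers the CFLAGS line.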
From: aszlig Date: Tue, 17 Nov 2015 16:16:14 +0100 Subject: [PATCH 28/61] bzip2: Get rid of the custom builder.sh. Everything the builder.sh did can be done with the generic builder which makes it easier to override attributes and also easier to read. The reason I've done this is because of #10820, which tries to override the preBuild hook, but the latter is hardcoded in the builder.sh of bzip2. I have compared the output of this against the previous version and the only things that were different were timestamps in libbz2.a. Signed-off-by: aszlig --- pkgs/tools/compression/bzip2/builder.sh | 24 -------------- pkgs/tools/compression/bzip2/default.nix | 42 +++++++++++++++++++----- 2 files changed, 33 insertions(+), 33 deletions(-) delete mode 100644 pkgs/tools/compression/bzip2/builder.sh diff --git a/pkgs/tools/compression/bzip2/builder.sh b/pkgs/tools/compression/bzip2/builder.sh deleted file mode 100644 index a598dfcf808c..000000000000 --- a/pkgs/tools/compression/bzip2/builder.sh +++ /dev/null @@ -1,24 +0,0 @@ -source $stdenv/setup -installFlags="PREFIX=$out" - -if test -n "$sharedLibrary"; then - - preBuild() { - make -f Makefile-libbz2_so - } - - preInstall() { - mkdir -p $out/lib - mv libbz2.so* $out/lib - (cd $out/lib && ln -s libbz2.so.1.0.? libbz2.so && ln -s libbz2.so.1.0.? libbz2.so.1); - } - -fi - -postInstall() { - rm $out/bin/bunzip2* $out/bin/bzcat* - ln -s bzip2 $out/bin/bunzip2 - ln -s bzip2 $out/bin/bzcat -} - -genericBuild diff --git a/pkgs/tools/compression/bzip2/default.nix b/pkgs/tools/compression/bzip2/default.nix index 74da91431a43..a485bf5eab68 100644 --- a/pkgs/tools/compression/bzip2/default.nix +++ b/pkgs/tools/compression/bzip2/default.nix 
@@ -1,12 +1,14 @@ { stdenv, fetchurl, linkStatic ? false }: -let version = "1.0.6"; in +let + version = "1.0.6"; -stdenv.mkDerivation { + sharedLibrary = !stdenv.isDarwin && !(stdenv ? isStatic) + && stdenv.system != "i686-cygwin" && !linkStatic; + +in stdenv.mkDerivation { name = "bzip2-${version}"; - builder = ./builder.sh; - src = fetchurl { url = "http://www.bzip.org/${version}/bzip2-${version}.tar.gz"; sha256 = "1kfrc7f0ja9fdn6j1y6yir6li818npy6217hvr3wzmnmzhs8z152"; @@ -23,14 +25,36 @@ stdenv.mkDerivation { ''; }; - sharedLibrary = - !stdenv.isDarwin && !(stdenv ? isStatic) && stdenv.system != "i686-cygwin" && !linkStatic; + preBuild = stdenv.lib.optionalString sharedLibrary '' + make -f Makefile-libbz2_so + ''; - patchPhase = stdenv.lib.optionalString stdenv.isDarwin "substituteInPlace Makefile --replace 'CC=gcc' 'CC=clang'"; + preInstall = stdenv.lib.optionalString sharedLibrary '' + mkdir -p $out/lib + mv libbz2.so* $out/lib + ( cd $out/lib && + ln -s libbz2.so.1.0.? libbz2.so && + ln -s libbz2.so.1.0.? libbz2.so.1 + ) + ''; - preConfigure = "substituteInPlace Makefile --replace '$(PREFIX)/man' '$(PREFIX)/share/man'"; + installFlags = [ "PREFIX=$(out)" ]; - makeFlags = if linkStatic then "LDFLAGS=-static" else ""; + postInstall = '' + rm $out/bin/bunzip2* $out/bin/bzcat* + ln -s bzip2 $out/bin/bunzip2 + ln -s bzip2 $out/bin/bzcat + ''; + + patchPhase = stdenv.lib.optionalString stdenv.isDarwin '' + substituteInPlace Makefile --replace 'CC=gcc' 'CC=clang' + ''; + + preConfigure = '' + substituteInPlace Makefile --replace '$(PREFIX)/man' '$(PREFIX)/share/man' + ''; + + makeFlags = stdenv.lib.optional linkStatic "LDFLAGS=-static"; inherit linkStatic; From 590eec7945f7718c9f9ea96ad0828624a7e7c190 Mon Sep 17 00:00:00 2001 
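Review bot: `patchPhase = stdenv.lib.optionalString stdenv.isDarwin ''...''` replaces the whole patch phase on Darwin, so a `patches` attribute added later (or through an override) would be silently skipped there; `postPatch` keeps the default phase and runs the substituteInPlace after it with the same effect. `installFlags = [ "PREFIX=$(out)" ]` depends on make expanding `$(out)` from the environment, since Nix only interpolates `${...}`; a one-line comment saying so would stop a reader "correcting" it. The `libbz2.so.1.0.?` glob in preInstall is carried over from the deleted builder.sh; a comment naming the expected soname would make the two `ln -s` lines easier to check.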
From: Danny Wilson Date: Tue, 17 Nov 2015 18:28:51 +0100 Subject: [PATCH 29/61] Simplify FORCE_UNSAFE_CONFIGURE by making it an optional string. postInstall references ${self} and requires self to be a derivation. --- pkgs/tools/misc/coreutils/default.nix | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/pkgs/tools/misc/coreutils/default.nix b/pkgs/tools/misc/coreutils/default.nix index 9f763115f9a9..c9aacd0ba6b8 100644 --- a/pkgs/tools/misc/coreutils/default.nix +++ b/pkgs/tools/misc/coreutils/default.nix @@ -11,7 +11,7 @@ assert selinuxSupport -> libselinux != null && libsepol != null; with { inherit (stdenv.lib) optional optionals optionalString optionalAttrs; }; let - self = rec { + self = stdenv.mkDerivation rec { name = "coreutils-8.24"; src = fetchurl { @@ -82,6 +82,7 @@ let enableParallelBuilding = false; NIX_LDFLAGS = optionalString selinuxSupport "-lsepol"; + FORCE_UNSAFE_CONFIGURE = stdenv.lib.optionalString (stdenv.system == "armv7l-linux" || stdenv.isSunOS) "1"; makeFlags = optionalString stdenv.isDarwin "CFLAGS=-D_FORTIFY_SOURCE=0"; @@ -104,7 +105,4 @@ let }; }; in - stdenv.mkDerivation (self - // stdenv.lib.optionalAttrs (stdenv.system == "armv7l-linux" || stdenv.isSunOS) { - FORCE_UNSAFE_CONFIGURE = 1; - }) + self; From 6e9f0df8bdde24bee4a18235ed64f47c580c45d7 Mon Sep 17 00:00:00 2001 From: "William A. Kennington III" Date: Tue, 17 Nov 2015 21:09:52 -0800 Subject: [PATCH 30/61] gtk: 3.18.4 -> 3.18.5 --- pkgs/development/libraries/gtk+/3.x.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/gtk+/3.x.nix b/pkgs/development/libraries/gtk+/3.x.nix index 174f12fc68ca..248c4fa385e1 100644 --- a/pkgs/development/libraries/gtk+/3.x.nix +++ b/pkgs/development/libraries/gtk+/3.x.nix @@ -10,7 +10,7 @@ assert cupsSupport -> cups != null; let ver_maj = "3.18"; - ver_min = "4"; + ver_min = "5"; version = "${ver_maj}.${ver_min}"; in stdenv.mkDerivation rec { 
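Review bot: The new `FORCE_UNSAFE_CONFIGURE` line spells out `stdenv.lib.optionalString` although the file already brings `optionalString` into scope via `with { inherit (stdenv.lib) optional optionals optionalString optionalAttrs; }` and the adjacent `NIX_LDFLAGS` line uses the short form; use the same form for consistency. The variable disables the configure script's refusal to run as root, and nothing records why armv7l-linux and SunOS builds need that; a comment above the line such as `# coreutils' configure refuses to run as root; these builders run as root because REASON-TBD` would keep the reason next to the knob.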
@@ -18,7 +18,7 @@ stdenv.mkDerivation rec { src = fetchurl { url = "mirror://gnome/sources/gtk+/${ver_maj}/gtk+-${version}.tar.xz"; - sha256 = "5400dcf280d28d24606f33d59ed48c717f7d3db425d4b6fb52e8002f0c76c7eb"; + sha256 = "107aeb9a4244ce3c044becdd6dffc32d83202595181597180d4c736302a71852"; }; nativeBuildInputs = [ pkgconfig gettext gobjectIntrospection perl ]; From b809f886c0bdbd4665fc65a4c308d38a30c368d8 Mon Sep 17 00:00:00 2001 From: "William A. Kennington III" Date: Tue, 17 Nov 2015 21:10:13 -0800 Subject: [PATCH 31/61] libinput: 1.0.1 -> 1.1.1 --- pkgs/development/libraries/libinput/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/libinput/default.nix b/pkgs/development/libraries/libinput/default.nix index ed97952940a9..430743af96ad 100644 --- a/pkgs/development/libraries/libinput/default.nix +++ b/pkgs/development/libraries/libinput/default.nix @@ -15,11 +15,11 @@ in with stdenv.lib; stdenv.mkDerivation rec { - name = "libinput-1.0.2"; + name = "libinput-1.1.1"; src = fetchurl { url = "http://www.freedesktop.org/software/libinput/${name}.tar.xz"; - sha256 = "1fggbi8w8r7mayyk7zwqrqf3ni95y2703vcpggxqq7yjdgw0bld3"; + sha256 = "05yxz3cds65zmzj98yhsrwvnkv8c7n3zs2fksjzs2fy7vlrv9qid"; }; configureFlags = [ From 020f6cfadc0d95a91e441d9f24851e3a53c6a428 Mon Sep 17 00:00:00 2001 From: "William A. Kennington III" Date: Tue, 17 Nov 2015 21:10:52 -0800 Subject: [PATCH 32/61] xorg-server: 1.17.2 -> 1.18.0 --- pkgs/servers/x11/xorg/default.nix | 6 +-- pkgs/servers/x11/xorg/fix_segfault.patch | 63 ------------------------ pkgs/servers/x11/xorg/overrides.nix | 2 +- 3 files changed, 4 insertions(+), 67 deletions(-) delete mode 100644 pkgs/servers/x11/xorg/fix_segfault.patch diff --git a/pkgs/servers/x11/xorg/default.nix b/pkgs/servers/x11/xorg/default.nix index c64a0fd86b51..c1e0ab6a8f67 100644 --- a/pkgs/servers/x11/xorg/default.nix +++ b/pkgs/servers/x11/xorg/default.nix 
@@ -2108,11 +2108,11 @@ let }) // {inherit ;}; xorgserver = (mkDerivation "xorgserver" { - name = "xorg-server-1.17.2"; + name = "xorg-server-1.18.0"; builder = ./builder.sh; src = fetchurl { - url = mirror://xorg/individual/xserver/xorg-server-1.17.2.tar.bz2; - sha256 = "14vr4mm0x94a9bd3sfx9mdh8qhvk48zcml3i8q1wbwi84xhj04gn"; + url = mirror://xorg/individual/xserver/xorg-server-1.18.0.tar.bz2; + sha256 = "0biimwnp17wz80nplybpi940y3dyd7hgp5fyipfwxncmjs0p0mhr"; }; buildInputs = [pkgconfig dri2proto dri3proto renderproto libdrm openssl libX11 libXau libXaw libxcb xcbutil xcbutilwm xcbutilimage xcbutilkeysyms xcbutilrenderutil libXdmcp libXfixes libxkbfile libXmu libXpm libXrender libXres libXt ]; }) // {inherit dri2proto dri3proto renderproto libdrm openssl libX11 libXau libXaw libxcb xcbutil xcbutilwm xcbutilimage xcbutilkeysyms xcbutilrenderutil libXdmcp libXfixes libxkbfile libXmu libXpm libXrender libXres libXt ;}; diff --git a/pkgs/servers/x11/xorg/fix_segfault.patch b/pkgs/servers/x11/xorg/fix_segfault.patch deleted file mode 100644 index b3a7d2ed5e00..000000000000 --- a/pkgs/servers/x11/xorg/fix_segfault.patch +++ /dev/null 
@@ -1,63 +0,0 @@ -From 7cc7ffd25d5e50b54cb942d07d4cb160f20ff9c5 Mon Sep 17 00:00:00 2001 -From: Martin Peres -Date: Fri, 17 Jul 2015 17:21:26 +0300 -Subject: [PATCH] os: make sure the clientsWritable fd_set is initialized - before use - -In WaitForSomething(), the fd_set clientsWritable may be used unitialized when -the boolean AnyClientsWriteBlocked is set in the WakeupHandler(). This leads to -a crash in FlushAllOutput() after x11proto's commit -2c94cdb453bc641246cc8b9a876da9799bee1ce7. - -The problem did not manifest before because both the XFD_SIZE and the maximum -number of clients were set to 256. As the connectionTranslation table was -initalized for the 256 clients to 0, the test on the index not being 0 was -aborting before dereferencing the client #0. - -As of commit 2c94cdb453bc641246cc8b9a876da9799bee1ce7 in x11proto, the XFD_SIZE -got bumped to 512. This lead the OutputPending fd_set to have any fd above 256 -to be uninitialized which in turns lead to reading an index after the end of -the ConnectionTranslation table. This index would then be used to find the -client corresponding to the fd marked as pending writes and would also result -to an out-of-bound access which would usually be the fatal one. - -Fix this by zeroing the clientsWritable fd_set at the beginning of -WaitForSomething(). In this case, the bottom part of the loop, which would -indirectly call FlushAllOutput, will not do any work but the next call to -select will result in the execution of the right codepath. This is exactly what -we want because we need to know the writable clients before handling them. In -the end, it also makes sure that the fds above MaxClient are initialized, -preventing the crash in FlushAllOutput(). - -Thanks to everyone involved in tracking this one down! 
- -Reported-by: Karol Herbst -Reported-by: Tobias Klausmann -Signed-off-by: Martin Peres -Tested-by: Martin Peres -Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=91316 -Cc: Ilia Mirkin -Cc: Martin Peres -Cc: Olivier Fourdan -Cc: Alan Coopersmith ---- - os/WaitFor.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/os/WaitFor.c b/os/WaitFor.c -index 431f1a6..993c14e 100644 ---- a/os/WaitFor.c -+++ b/os/WaitFor.c -@@ -158,6 +158,7 @@ WaitForSomething(int *pClientsReady) - Bool someReady = FALSE; - - FD_ZERO(&clientsReadable); -+ FD_ZERO(&clientsWritable); - - if (nready) - SmartScheduleStopTimer(); --- -2.4.5 - diff --git a/pkgs/servers/x11/xorg/overrides.nix b/pkgs/servers/x11/xorg/overrides.nix index 1339e51eb232..78be046366db 100644 --- a/pkgs/servers/x11/xorg/overrides.nix +++ b/pkgs/servers/x11/xorg/overrides.nix @@ -291,7 +291,7 @@ in dri2proto dri3proto kbproto xineramaproto resourceproto scrnsaverproto videoproto ]; # fix_segfault: https://bugs.freedesktop.org/show_bug.cgi?id=91316 - commonPatches = [ ./xorgserver-xkbcomp-path.patch ./fix_segfault.patch ]; + commonPatches = [ ./xorgserver-xkbcomp-path.patch ]; # XQuartz requires two compilations: the first to get X / XQuartz, # and the second to get Xvfb, Xnest, etc. darwinOtherX = overrideDerivation xorgserver (oldAttrs: { From b52f2f64013dcc206cac1986f7bc9f9b1badc798 Mon Sep 17 00:00:00 2001 From: "William A. Kennington III" Date: Wed, 18 Nov 2015 02:34:22 -0800 Subject: [PATCH 33/61] xorg-server: 1.18.0 -> 1.17.4 There were lots of issues with the proprietary nvidia driver on 352.63 and we don't yet have a proprietary AMD driver. --- pkgs/servers/x11/xorg/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/servers/x11/xorg/default.nix b/pkgs/servers/x11/xorg/default.nix index c1e0ab6a8f67..39acc25c4536 100644 --- a/pkgs/servers/x11/xorg/default.nix +++ b/pkgs/servers/x11/xorg/default.nix 
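Review bot: The comment `# fix_segfault: https://bugs.freedesktop.org/show_bug.cgi?id=91316` above `commonPatches` still describes `./fix_segfault.patch`, which this commit deletes and removes from the list, so it now points at a file that no longer exists. Either drop the comment together with the patch or reword it, e.g. `# the 91316 segfault fix is upstream as of 1.18.0`, so the history stays discoverable without a dangling reference.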
@@ -2108,11 +2108,11 @@ let }) // {inherit ;}; xorgserver = (mkDerivation "xorgserver" { - name = "xorg-server-1.18.0"; + name = "xorg-server-1.17.4"; builder = ./builder.sh; src = fetchurl { - url = mirror://xorg/individual/xserver/xorg-server-1.18.0.tar.bz2; - sha256 = "0biimwnp17wz80nplybpi940y3dyd7hgp5fyipfwxncmjs0p0mhr"; + url = mirror://xorg/individual/xserver/xorg-server-1.17.4.tar.bz2; + sha256 = "0mv4ilpqi5hpg182mzqn766frhi6rw48aba3xfbaj4m82v0lajqc"; }; buildInputs = [pkgconfig dri2proto dri3proto renderproto libdrm openssl libX11 libXau libXaw libxcb xcbutil xcbutilwm xcbutilimage xcbutilkeysyms xcbutilrenderutil libXdmcp libXfixes libxkbfile libXmu libXpm libXrender libXres libXt ]; }) // {inherit dri2proto dri3proto renderproto libdrm openssl libX11 libXau libXaw libxcb xcbutil xcbutilwm xcbutilimage xcbutilkeysyms xcbutilrenderutil libXdmcp libXfixes libxkbfile libXmu libXpm libXrender libXres libXt ;}; From 094c374941e68bf667719da15c655f148840ebab Mon Sep 17 00:00:00 2001 From: "Matthias C. M. Troffaes" Date: Wed, 4 Nov 2015 08:26:11 +0000 Subject: [PATCH 34/61] bzip2: fix cross build on mingw by using autoconf patch --- pkgs/tools/compression/bzip2/default.nix | 64 ++++++++---------------- 1 file changed, 20 insertions(+), 44 deletions(-) diff --git a/pkgs/tools/compression/bzip2/default.nix b/pkgs/tools/compression/bzip2/default.nix index a485bf5eab68..286ad16cc861 100644 --- a/pkgs/tools/compression/bzip2/default.nix +++ b/pkgs/tools/compression/bzip2/default.nix @@ -1,11 +1,7 @@ -{ stdenv, fetchurl, linkStatic ? false }: +{ stdenv, fetchurl, libtool, autoconf, automake, pkgconfig, gnum4 }: let version = "1.0.6"; - - sharedLibrary = !stdenv.isDarwin && !(stdenv ? isStatic) - && stdenv.system != "i686-cygwin" && !linkStatic; - in stdenv.mkDerivation { name = "bzip2-${version}"; 
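Review bot: The new argument set `{ stdenv, fetchurl, libtool, autoconf, automake, pkgconfig, gnum4 }` drops `linkStatic ? false` and has no `...`, so a caller that still passes `linkStatic` now fails at evaluation with an unexpected-argument error; callers are not visible here, so either keep `linkStatic ? false` (ignored, or wired into the new build) or call out the removal in the commit message. The second hunk of this file (on the next two lines) also removes the static `makeFlags`, the `bunzip2`/`bzcat` symlinks and `installFlags = [ "PREFIX=$(out)" ]`, leaving the autoconf patch to provide all of them; a sentence in the `patches` comment listing what the patch is relied on for would let a reviewer verify that against the patch contents.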
@@ -14,50 +10,30 @@ in stdenv.mkDerivation { sha256 = "1kfrc7f0ja9fdn6j1y6yir6li818npy6217hvr3wzmnmzhs8z152"; }; + patches = [ + # original upstream for the autoconf patch is here: + # http://ftp.suse.com/pub/people/sbrabec/bzip2/for_downstream/bzip2-1.0.6-autoconfiscated.patch + # but we get the mingw-builds version of the patch, which fixes + # a few more issues + (fetchurl { + url = "https://raw.githubusercontent.com/niXman/mingw-builds/17ae841dcf6e72badad7941a06d631edaf687436/patches/bzip2/bzip2-1.0.6-autoconfiscated.patch"; + sha256 = "1flbd3i8vg9kzq0a712qcg9j2c4ymnqvgd0ldyafpzvbqj1iicnp"; + }) + ]; + + patchFlags = "-p0"; + + nativeBuildInputs = [ libtool autoconf automake gnum4 pkgconfig ]; + + preConfigure = "sh ./autogen.sh"; + crossAttrs = { - patchPhase = '' + # https://github.com/niXman/mingw-builds/blob/master/patches/bzip2/bzip2-1.0.5-slash.patch + postPatch = '' sed -i -e '//s|\\|/|' bzip2.c - sed -i -e 's/CC=gcc/CC=${stdenv.cross.config}-gcc/' \ - -e 's/AR=ar/AR=${stdenv.cross.config}-ar/' \ - -e 's/RANLIB=ranlib/RANLIB=${stdenv.cross.config}-ranlib/' \ - -e 's/bzip2recover test/bzip2recover/' \ - Makefile* ''; }; - preBuild = stdenv.lib.optionalString sharedLibrary '' - make -f Makefile-libbz2_so - ''; - - preInstall = stdenv.lib.optionalString sharedLibrary '' - mkdir -p $out/lib - mv libbz2.so* $out/lib - ( cd $out/lib && - ln -s libbz2.so.1.0.? libbz2.so && - ln -s libbz2.so.1.0.? 
libbz2.so.1 - ) - ''; - - installFlags = [ "PREFIX=$(out)" ]; - - postInstall = '' - rm $out/bin/bunzip2* $out/bin/bzcat* - ln -s bzip2 $out/bin/bunzip2 - ln -s bzip2 $out/bin/bzcat - ''; - - patchPhase = stdenv.lib.optionalString stdenv.isDarwin '' - substituteInPlace Makefile --replace 'CC=gcc' 'CC=clang' - ''; - - preConfigure = '' - substituteInPlace Makefile --replace '$(PREFIX)/man' '$(PREFIX)/share/man' - ''; - - makeFlags = stdenv.lib.optional linkStatic "LDFLAGS=-static"; - - inherit linkStatic; - meta = { homepage = "http://www.bzip.org"; description = "high-quality data compression program"; From 22bf2d0bf3a5f80f3c6c2bd6fd4212672e107351 Mon Sep 17 00:00:00 2001 From: "William A. Kennington III" Date: Wed, 18 Nov 2015 17:49:54 -0800 Subject: [PATCH 35/61] flex: 2.5.39 -> 2.6.0 --- .../tools/parsing/flex/{2.5.39.nix => default.nix} | 8 ++++---- pkgs/top-level/all-packages.nix | 3 +-- 2 files changed, 5 insertions(+), 6 deletions(-) rename pkgs/development/tools/parsing/flex/{2.5.39.nix => default.nix} (75%) diff --git a/pkgs/development/tools/parsing/flex/2.5.39.nix b/pkgs/development/tools/parsing/flex/default.nix similarity index 75% rename from pkgs/development/tools/parsing/flex/2.5.39.nix rename to pkgs/development/tools/parsing/flex/default.nix index 93d54803e7c7..57ce29f51753 100644 --- a/pkgs/development/tools/parsing/flex/2.5.39.nix +++ b/pkgs/development/tools/parsing/flex/default.nix @@ -1,11 +1,11 @@ { stdenv, fetchurl, bison, m4 }: -stdenv.mkDerivation { - name = "flex-2.5.39"; +stdenv.mkDerivation rec { + name = "flex-2.6.0"; src = fetchurl { - url = mirror://sourceforge/flex/flex-2.5.39.tar.bz2; - sha256 = "0zv15giw3gma03y2bzw78hjfy49vyir7vbcgnh9bb3637dgvblmd"; + url = "mirror://sourceforge/flex/${name}.tar.bz2"; + sha256 = "1sdqx63yadindzafrq1w31ajblf9gl1c301g068s20s7bbpi3ri4"; }; buildInputs = [ bison ]; diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 8fcc8a6b4193..e1d494c8abc0 100644 
--- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -5613,8 +5613,7 @@ let jdepend = callPackage ../development/tools/analysis/jdepend { }; flex_2_5_35 = callPackage ../development/tools/parsing/flex/2.5.35.nix { }; - flex_2_5_39 = callPackage ../development/tools/parsing/flex/2.5.39.nix { }; - flex = flex_2_5_39; + flex = callPackage ../development/tools/parsing/flex/default.nix { }; flexcpp = callPackage ../development/tools/parsing/flexc++ { }; From 914e9baefe9b606ed331ba427af50c41715f973d Mon Sep 17 00:00:00 2001 From: Jude Taylor Date: Fri, 6 Nov 2015 17:44:02 -0800 Subject: [PATCH 36/61] start on sandbox stuff --- lib/default.nix | 3 +- lib/sandbox.nix | 40 ++++++++++++ pkgs/build-support/fetchurl/default.nix | 4 ++ .../interpreters/perl/5.16/default.nix | 2 + .../interpreters/perl/5.20/default.nix | 6 +- .../CoreOSMakefiles/default.nix | 2 +- .../adv_cmds/default.nix | 65 +++++++++++++------ .../apple-source-releases/bsdmake/default.nix | 45 +++++++++++++ .../darwin/apple-source-releases/default.nix | 7 +- pkgs/stdenv/generic/default.nix | 26 ++++---- pkgs/stdenv/pure-darwin/default.nix | 46 ++++++------- pkgs/stdenv/pure-darwin/standard-sandbox.sb | 65 +++++++++++++++++++ pkgs/top-level/all-packages.nix | 4 +- 13 files changed, 251 insertions(+), 64 deletions(-) create mode 100644 lib/sandbox.nix create mode 100644 pkgs/os-specific/darwin/apple-source-releases/bsdmake/default.nix create mode 100644 pkgs/stdenv/pure-darwin/standard-sandbox.sb diff --git a/lib/default.nix b/lib/default.nix index cd0d8161c8cb..32ac0c58af6c 100644 --- a/lib/default.nix +++ b/lib/default.nix 
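Review bot: Removing `flex_2_5_39` from all-packages.nix breaks any expression outside this file that still refers to it (none are visible in this patch), and the failure surfaces as an undefined-variable error with no hint about the rename. A placeholder such as `flex_2_5_39 = throw "flex_2_5_39 was removed; use flex (2.6.0)";` turns that into a message that names the migration, and can be dropped in a later cleanup.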
@@ -17,10 +17,11 @@ let systems = import ./systems.nix; customisation = import ./customisation.nix; licenses = import ./licenses.nix; + sandbox = import ./sandbox.nix; in { inherit trivial lists strings stringsWithDeps attrsets sources options - modules types meta debug maintainers licenses platforms systems; + modules types meta debug maintainers licenses platforms systems sandbox; } # !!! don't include everything at top-level; perhaps only the most # commonly used functions. diff --git a/lib/sandbox.nix b/lib/sandbox.nix new file mode 100644 index 000000000000..2deee89e12c4 --- /dev/null +++ b/lib/sandbox.nix @@ -0,0 +1,40 @@ +with import ./strings.nix; + +/* Helpers for creating lisp S-exprs for the Apple sandbox + +lib.sandbox.allowFileRead [ "/usr/bin/file" ]; + # => "(allow file-read* (literal \"/usr/bin/file\"))"; + +lib.sandbox.allowFileRead { + literal = [ "/usr/bin/file" ]; + subpath = [ "/usr/lib/system" ]; +} + # => "(allow file-read* (literal \"/usr/bin/file\") (subpath \"/usr/lib/system\"))" +*/ + +let + +sexp = tokens: "(" + builtins.concatStringsSep " " tokens + ")"; +generateFileList = files: + if builtins.isList files + then concatMapStringsSep " " (x: sexp [ "literal" x ]) files + else concatStringsSep " " ( + (map (x: sexp [ "literal" ''"${x}"'' ]) (files.literal or [])) ++ + (map (x: sexp [ "subpath" ''"${x}"'' ]) (files.subpath or [])) + ); +applyToFiles = f: act: files: f "${act} ${generateFileList files}"; +genActions = actionName: let + action = feature: sexp [ actionName feature ]; + self = { + "${actionName}" = action; + "${actionName}File" = applyToFiles action "file*"; + "${actionName}FileRead" = applyToFiles action "file-read*"; + "${actionName}FileReadMetadata" = applyToFiles action "file-read-metadata"; + "${actionName}FileWrite" = applyToFiles action "file-write*"; + "${actionName}FileWriteMetadata" = applyToFiles action "file-write-metadata"; + }; + in self; + +in + +genActions "allow" // genActions "deny" 
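Review bot: The list branch of `generateFileList` emits the path unquoted, `sexp [ "literal" x ]`, while the attrset branch wraps it as `''"${x}"''`; the header comment promises `(literal "/usr/bin/file")` for the list form too, so `allowFileRead [ "/usr/bin/file" ]` produces an entry that the profile language is unlikely to accept as a path. Change it to `(x: sexp [ "literal" ''"${x}"'' ])` so both branches agree with the documented output. Neither branch escapes `"` or `\` inside a path, so a path containing either character ends the string literal early and changes the meaning of the generated rule; since strings.nix is already imported, passing each path through `escape [ "\"" "\\" ]` (if that helper exists in this revision) before quoting would close that gap.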
diff --git a/pkgs/build-support/fetchurl/default.nix b/pkgs/build-support/fetchurl/default.nix index b1dc6e7be31b..96ad0c2864bb 100644 --- a/pkgs/build-support/fetchurl/default.nix +++ b/pkgs/build-support/fetchurl/default.nix @@ -118,6 +118,10 @@ if (!hasHash) then throw "Specify hash for fetchurl fixed-output derivation: ${s outputHashMode = if recursiveHash then "recursive" else "flat"; + __sandboxProfile = '' + (allow network-outbound) + ''; + inherit curlOpts showURLs mirrorsFile impureEnvVars postFetch downloadToTemp; # Doing the download on a remote machine just duplicates network diff --git a/pkgs/development/interpreters/perl/5.16/default.nix b/pkgs/development/interpreters/perl/5.16/default.nix index 568025edfd4c..8a89d97a100e 100644 --- a/pkgs/development/interpreters/perl/5.16/default.nix +++ b/pkgs/development/interpreters/perl/5.16/default.nix @@ -33,6 +33,8 @@ stdenv.mkDerivation rec { pwd="$(type -P pwd)" substituteInPlace dist/Cwd/Cwd.pm \ --replace "pwd_cmd = 'pwd'" "pwd_cmd = '$pwd'" + grep -R /bin/pwd . + exit 1 ''; # Build a thread-safe Perl with a dynamic libperls.o. We need the diff --git a/pkgs/development/interpreters/perl/5.20/default.nix b/pkgs/development/interpreters/perl/5.20/default.nix index 141484814ea3..b2f43d176e81 100644 --- a/pkgs/development/interpreters/perl/5.20/default.nix +++ b/pkgs/development/interpreters/perl/5.20/default.nix 
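Review bot: The two lines added to the perl 5.16 postPatch, `grep -R /bin/pwd .` and `exit 1`, look like leftover debugging: `exit 1` ends the phase unconditionally, so every build of this derivation now fails before configure runs. Drop both lines, or replace the grep with the same `--replace "/bin/pwd" "$pwd"` substitution the 5.20 expression in this commit uses. The enclosing postPatch string starts before the hunk.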
@@ -44,12 +44,14 @@ stdenv.mkDerivation rec { # while at the same time erasing the PATH environment variable so it unconditionally # fails. The code in question is guarded by a check for Mac OS, but the patch below # doesn't have any runtime effect on other platforms. - postPatch = stdenv.lib.optional (stdenv.isDarwin && !stdenv.cc.nativeLibc) '' + postPatch = stdenv.lib.optional stdenv.isDarwin '' pwd="$(type -P pwd)" substituteInPlace dist/PathTools/Cwd.pm \ - --replace "pwd_cmd = 'pwd'" "pwd_cmd = '$pwd'" + --replace "/bin/pwd" "$pwd" ''; + __sandboxProfile = stdenv.lib.sandbox.allow "ipc-sysv-sem"; + # Build a thread-safe Perl with a dynamic libperls.o. We need the # "installstyle" option to ensure that modules are put under # $out/lib/perl5 - this is the general default, but because $out diff --git a/pkgs/os-specific/darwin/apple-source-releases/CoreOSMakefiles/default.nix b/pkgs/os-specific/darwin/apple-source-releases/CoreOSMakefiles/default.nix index 9f6031771c2d..203ca010d62a 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/CoreOSMakefiles/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/CoreOSMakefiles/default.nix @@ -1,7 +1,7 @@ { stdenv, appleDerivation, unifdef }: appleDerivation { - buildinputs = [ unifdef ]; + buildInputs = [ unifdef ]; phases = [ "unpackPhase" "installPhase" ]; diff --git a/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix b/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix index 4bc3a7a7fa42..baeca0f6fe3b 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix 
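Review bot: `postPatch = stdenv.lib.optional stdenv.isDarwin ''...''` (kept from the old line) builds a one-element list rather than a string; it only works because a list of strings is flattened into the environment variable, and `stdenv.lib.optionalString stdenv.isDarwin` is the intended helper. The hunk also drops the `!stdenv.cc.nativeLibc` guard without a word in the commit message; a short comment on why the substitution is now wanted on every Darwin stdenv would keep the comment block above accurate. `__sandboxProfile = stdenv.lib.sandbox.allow "ipc-sysv-sem";` relies on the `sandbox` export added to lib/default.nix in this same patch, so the two pieces cannot be cherry-picked separately.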
@@ -1,32 +1,55 @@ -{ stdenv, appleDerivation, version }: +{ stdenv, appleDerivation, fetchzip, version, bsdmake, perl, flex, yacc, writeScriptBin +}: + +let recentAdvCmds = fetchzip { + url = "http://opensource.apple.com/tarballs/adv_cmds/adv_cmds-158.tar.gz"; + sha256 = "0z081kcprzg5jcvqivfnwvvv6wfxzkjg2jc2lagsf8c7j7vgm8nn"; +}; + +in appleDerivation { + buildInputs = [ bsdmake perl yacc flex (writeScriptBin "lex" "exec ${flex}/bin/flex $@") ]; + + patchPhase = '' + substituteInPlace BSDMakefile \ + --replace chgrp true \ + --replace /Developer/Makefiles/bin/compress-man-pages.pl true \ + --replace "ps.tproj" "" --replace "gencat.tproj" "" --replace "md.tproj" "" \ + --replace "tabs.tproj" "" --replace "cap_mkdb.tproj" "" \ + --replace "!= tconf --test TARGET_OS_EMBEDDED" "= NO" + + substituteInPlace Makefile --replace perl true + + substituteInPlace colldef.tproj/BSDmakefile --replace "-ll" "-lfl" + + for subproject in colldef mklocale monetdef msgdef numericdef timedef; do + substituteInPlace usr-share-locale.tproj/$subproject/BSDmakefile \ + --replace /usr/share/locale "" \ + --replace '-o ''${BINOWN} -g ''${BINGRP}' "" \ + --replace "rsync -a" "cp -r" + done + ''; -appleDerivation { - # Will override the name until we provide all of adv_cmds buildPhase = '' - pushd ps - cc -Os -Wall -I. -c -o fmt.o fmt.c - cc -Os -Wall -I. -c -o keyword.o keyword.c - cc -Os -Wall -I. -c -o nlist.o nlist.c - cc -Os -Wall -I. -c -o print.o print.c - cc -Os -Wall -I. -c -o ps.o ps.c - cc -Os -Wall -I. 
-c -o tasks.o tasks.c - cc -o ps fmt.o keyword.o nlist.o print.o ps.o tasks.o - popd + bsdmake -C colldef.tproj + bsdmake -C mklocale.tproj + bsdmake -C usr-share-locale.tproj - pushd locale - c++ -o locale locale.cc - popd + clang ${recentAdvCmds}/ps/*.c -o ps ''; installPhase = '' - mkdir -p $out/bin $out/share/man/man1 - - cp ps/ps $out/bin/ps - cp ps/ps.1 $out/share/man/man1 - cp locale/locale $out/bin/locale - cp locale/locale.1 $out/share/man/man1 + bsdmake -C usr-share-locale.tproj install DESTDIR="$locale/share/locale" + install -d 0755 $ps/bin + install ps $ps/bin/ps ''; + outputs = [ + "ps" + "locale" + ]; + + # ps uses this syscall to get process info + __propagatedSandboxProfile = stdenv.lib.sandbox.allow "mach-priv-task-port"; meta = { platforms = stdenv.lib.platforms.darwin; diff --git a/pkgs/os-specific/darwin/apple-source-releases/bsdmake/default.nix b/pkgs/os-specific/darwin/apple-source-releases/bsdmake/default.nix new file mode 100644 index 000000000000..dcbf8b433088 --- /dev/null +++ b/pkgs/os-specific/darwin/apple-source-releases/bsdmake/default.nix 
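Review bot: `install -d 0755 $ps/bin` in installPhase passes `0755` as a directory operand, not a mode; install(1) takes the mode through `-m`, so this creates a directory literally named `0755` in the build directory and `$ps/bin` gets the default mode — use `install -d -m 0755 $ps/bin`. The bsdmake expression added in this same patch has the same mistake in its installPhase (`install -d 0644 ...`). The `lex` shim `writeScriptBin "lex" "exec ${flex}/bin/flex $@"` expands `$@` unquoted and appears to have no `#!` line; `"$@"` preserves arguments containing spaces. Building `ps` from `${recentAdvCmds}/ps/*.c` takes sources from adv_cmds release 158 while the derivation itself unpacks a different release; a comment explaining the mix would help the next reader.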
@@ -0,0 +1,45 @@ +{ stdenv, appleDerivation, fetchurl, fetchpatch, makeWrapper }: + +appleDerivation { + buildInputs = [ makeWrapper ]; + + patchPhase = '' + substituteInPlace mk/bsd.prog.mk \ + --replace '-o ''${BINOWN} -g ''${BINGRP}' "" \ + --replace '-o ''${SCRIPTSOWN_''${.ALLSRC:T}}' "" \ + --replace '-g ''${SCRIPTSGRP_''${.ALLSRC:T}}' "" + substituteInPlace mk/bsd.lib.mk --replace '-o ''${LIBOWN} -g ''${LIBGRP}' "" + substituteInPlace mk/bsd.info.mk --replace '-o ''${INFOOWN} -g ''${INFOGRP}' "" + substituteInPlace mk/bsd.doc.mk --replace '-o ''${BINOWN} -g ''${BINGRP}' "" + substituteInPlace mk/bsd.man.mk --replace '-o ''${MANOWN} -g ''${MANGRP}' "" + substituteInPlace mk/bsd.files.mk \ + --replace '-o ''${''${group}OWN_''${.ALLSRC:T}}' "" \ + --replace '-g ''${''${group}GRP_''${.ALLSRC:T}}' "" \ + --replace '-o ''${''${group}OWN} -g ''${''${group}GRP}' "" + substituteInPlace mk/bsd.incs.mk \ + --replace '-o ''${''${group}OWN_''${.ALLSRC:T}}' "" \ + --replace '-g ''${''${group}GRP_''${.ALLSRC:T}}' "" \ + --replace '-o ''${''${group}OWN} -g ''${''${group}GRP}' "" + ''; + + buildPhase = '' + objs=() + for file in $(find . -name '*.c'); do + obj="$(basename "$file" .c).o" + objs+=("$obj") + cc -c "$file" -o "$obj" -DDEFSHELLNAME='"sh"' -D__FBSDID=__RCSID -mdynamic-no-pic -g + done + cc "''${objs[@]}" -o bsdmake + ''; + + installPhase = '' + install -d 0644 $out/bin + install -m 0755 bsdmake $out/bin + install -d 0644 $out/share/mk + install -m 0755 mk/* $out/share/mk + ''; + + preFixup = '' + wrapProgram "$out/bin/bsdmake" --add-flags "-m $out/share/mk" + ''; +} diff --git a/pkgs/os-specific/darwin/apple-source-releases/default.nix b/pkgs/os-specific/darwin/apple-source-releases/default.nix index 906e0ad2d544..b494f5ae3466 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/default.nix 
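Review bot: `obj="$(basename "$file" .c).o"` in buildPhase names objects by basename only, so two sources with the same file name in different directories overwrite each other's object and the final link silently loses one of them; deriving the object name from the relative path (`${file%.c}.o`) avoids that. In installPhase, `install -d 0644 $out/bin` and `install -d 0644 $out/share/mk` treat `0644` as a directory name (the mode needs `-m`), and even as a mode 0644 would leave the directories non-traversable; `install -m 0755 mk/*` also marks makefile fragments executable where 0644 is the conventional mode. `-mdynamic-no-pic` and `-D__FBSDID=__RCSID` on the compile line are non-obvious; a one-line comment on why each is needed would help.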
@@ -48,16 +48,19 @@ let IOKitSrcs = stdenv.lib.mapAttrs (name: value: if builtins.isFunction value then value name else value) IOKitSpecs; + adv_cmds = applePackage "adv_cmds" "119" "102ssayxbg9wb35mdmhswbnw0bg7js3pfd8fcbic83c5q3bqa6c6" {}; + packages = { - adv_cmds = applePackage "adv_cmds" "153" "174v6a4zkcm2pafzgdm6kvs48z5f911zl7k49hv7kjq6gm58w99v" {}; + inherit (adv_cmds) ps locale; architecture = applePackage "architecture" "265" "05wz8wmxlqssfp29x203fwfb8pgbdjj1mpz12v508658166yzqj8" {}; bootstrap_cmds = applePackage "bootstrap_cmds" "86" "0xr0296jm1r3q7kbam98h85g23qlfi763z54ahj563n636kyk2wb" {}; + bsdmake = applePackage "bsdmake" "24" "11a9kkhz5bfgi1i8kpdkis78lhc6b5vxmhd598fcdgra1jw4iac2" {}; CarbonHeaders = applePackage "CarbonHeaders" "9A581" "1hc0yijlpwq39x5bic6nnywqp2m1wj1f11j33m2q7p505h1h740c" {}; CF = applePackage "CF" "855.17" "1sadmxi9fsvsmdyxvg2133sdzvkzwil5fvyyidxsyk1iyfzqsvln" {}; CommonCrypto = applePackage "CommonCrypto" "60049" "1azin6w7cnzl0iv8kd2qzgwcp6a45zy64y5z1i6jysjcl6xmlw2h" {}; configd = applePackage "configd" "453.19" "1gxakahk8gallf16xmhxhprdxkh3prrmzxnmxfvj0slr0939mmr2" {}; copyfile = applePackage "copyfile" "103.92.1" "15i2hw5aqx0fklvmq6avin5s00adacvzqc740vviwc2y742vrdcd" {}; - CoreOSMakefiles = applePackage "CoreOSMakefiles" "76" "0sw3w3sjil0kvxz8y86b81sz82rcd1nijayki1a1bsnsf0hz6qbf" {}; + CoreOSMakefiles = applePackage "CoreOSMakefiles" "40" "0kxp53spbn7109l7cvhi88pmfsi81lwmbws819b6wr3hm16v84f4" {}; Csu = applePackage "Csu" "79" "1hif4dz23isgx85sgh11yg8amvp2ksvvhz3y5v07zppml7df2lnh" {}; dtrace = applePackage "dtrace" "118.1" "0pp5x8dgvzmg9vvg32hpy2brm17dpmbwrcr4prsmdmfvd4767wcf" {}; dyld = applePackage "dyld" "239.4" "07z7lyv6x0f6gllb5hymccl31zisrdhz4gqp722xcs9nhsqaqvn7" {}; diff --git a/pkgs/stdenv/generic/default.nix b/pkgs/stdenv/generic/default.nix index 246ca3696d58..c2324c86eb5a 100644 --- a/pkgs/stdenv/generic/default.nix +++ b/pkgs/stdenv/generic/default.nix 
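Review bot: Both version pins move backwards with no explanation in the hunk or the commit message: adv_cmds goes from "153" to "119" and CoreOSMakefiles from "76" to "40". A comment above each line stating why the older release is required (for example that it is the last one the new bsdmake-based build handles, if that is the reason) would stop a later maintainer from "fixing" them back up. The `inherit (adv_cmds) ps locale;` line depends on the two-output adv_cmds derivation introduced in this same patch.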
@@ -12,6 +12,8 @@ let lib = import ../../../lib; in lib.makeOverridable ( , extraBuildInputs ? [] , __stdenvImpureHostDeps ? [] , __extraImpureHostDeps ? [] +, __stdenvSandboxProfile ? "" +, __extraSandboxProfile ? "" }: let @@ -100,6 +102,8 @@ let , outputs ? [ "out" ] , __impureHostDeps ? [] , __propagatedImpureHostDeps ? [] + , __sandboxProfile ? "" + , __propagatedSandboxProfile ? "" , ... } @ attrs: let pos' = @@ -149,13 +153,14 @@ let lib.addPassthru (derivation ( (removeAttrs attrs ["meta" "passthru" "crossAttrs" "pos" - "__impureHostDeps" "__propagatedImpureHostDeps"]) + "__impureHostDeps" "__propagatedImpureHostDeps" + "__sandboxProfile" "__propagatedSandboxProfile"]) // (let # TODO: remove lib.unique once nix has a list canonicalization primitive - computedImpureHostDeps = - lib.unique (lib.concatMap (input: input.__propagatedImpureHostDeps or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs)); - computedPropagatedImpureHostDeps = - lib.unique (lib.concatMap (input: input.__propagatedImpureHostDeps or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs)); + computedSandboxProfile = + lib.concatStrings (lib.unique (builtins.map (input: input.__propagatedSandboxProfile or "") (extraBuildInputs ++ buildInputs ++ nativeBuildInputs))); + computedPropagatedSandboxProfile = + lib.concatStrings (lib.unique (builtins.map (input: input.__propagatedSandboxProfile or "") (propagatedBuildInputs ++ propagatedNativeBuildInputs))); in { builder = attrs.realBuilder or shell; 
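Review bot: `computedSandboxProfile` and `computedPropagatedSandboxProfile` join the fragments with `lib.concatStrings`, i.e. with no separator, so a fragment that does not end in a newline is glued onto the start of the next one; the fragments are free-form strings supplied by individual derivations, and one ending in a `;` comment without a trailing newline would comment out the fragment that follows it. `lib.concatStringsSep "\n"` is safer and costs nothing. The `# TODO: remove lib.unique once nix has a list canonicalization primitive` comment kept above now sits over string deduplication rather than list handling and should be updated or dropped. The surrounding `let` and the attribute set it feeds continue past the hunk.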
@@ -173,13 +178,8 @@ let propagatedNativeBuildInputs = propagatedNativeBuildInputs ++ (if crossConfig == null then propagatedBuildInputs else []); } // ifDarwin { - __impureHostDeps = computedImpureHostDeps ++ computedPropagatedImpureHostDeps ++ __propagatedImpureHostDeps ++ __impureHostDeps ++ __extraImpureHostDeps ++ [ - "/dev/zero" - "/dev/random" - "/dev/urandom" - "/bin/sh" - ]; - __propagatedImpureHostDeps = computedPropagatedImpureHostDeps ++ __propagatedImpureHostDeps; + __sandboxProfile = computedSandboxProfile + computedPropagatedSandboxProfile + __propagatedSandboxProfile + __sandboxProfile + __extraSandboxProfile; + __propagatedSandboxProfile = computedPropagatedSandboxProfile + __propagatedSandboxProfile; } // (if outputs' != [ "out" ] then { outputs = outputs'; } else { })))) ( @@ -216,7 +216,7 @@ let inherit preHook initialPath shell defaultNativeBuildInputs; } // ifDarwin { - __impureHostDeps = __stdenvImpureHostDeps; + __sandboxProfile = __stdenvSandboxProfile; }) // rec { diff --git a/pkgs/stdenv/pure-darwin/default.nix b/pkgs/stdenv/pure-darwin/default.nix index d13dc98cd742..fb3559659e59 100644 --- a/pkgs/stdenv/pure-darwin/default.nix +++ b/pkgs/stdenv/pure-darwin/default.nix @@ -5,18 +5,7 @@ }: let - # libSystem and its transitive dependencies. Get used to this; it's a recurring theme in darwin land - libSystemClosure = [ - "/usr/lib/libSystem.dylib" - "/usr/lib/libSystem.B.dylib" - "/usr/lib/libobjc.A.dylib" - "/usr/lib/libobjc.dylib" - "/usr/lib/libauto.dylib" - "/usr/lib/libc++abi.dylib" - "/usr/lib/libc++.1.dylib" - "/usr/lib/libDiagnosticMessagesClient.dylib" - "/usr/lib/system" - ]; + libSystemProfile = builtins.readFile ./standard-sandbox.sb; fetch = { file, sha256, executable ? true }: import { url = "http://tarballs.nixos.org/stdenv-darwin/x86_64/4f07c88d467216d9692fefc951deb5cd3c4cc722/${file}"; 
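Review bot: The fixed `/dev/zero`, `/dev/random`, `/dev/urandom` and `/bin/sh` entries that every Darwin build used to receive are removed here with nothing in stdenv/generic taking their place; the new `__sandboxProfile` is purely the concatenation of what the stdenv instance and the derivation pass in, so a stdenv that leaves `__extraSandboxProfile` at its `""` default yields builds with no device or shell access at all. That looks intended — the pure-darwin stdenv in this same commit supplies them through `standard-sandbox.sb` — but a reader of this file cannot see it. I would add above the `ifDarwin` block: `# the baseline allow-list (devices, /bin/sh, libSystem) now comes from the stdenv's __extraSandboxProfile; see pkgs/stdenv/pure-darwin/standard-sandbox.sb`. The `+` chain also places `__extraSandboxProfile` last, after the derivation's own fragment; if rule order carries precedence in the profile language, that ordering deserves a comment as well.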
@@ -46,7 +35,9 @@ in rec { ''; # The one dependency of /bin/sh :( - binShClosure = [ "/usr/lib/libncurses.5.4.dylib" ]; + binShClosure = '' + (allow file-read* (literal "/usr/lib/libncurses.5.4.dylib")) + ''; bootstrapTools = derivation rec { inherit system tarball; @@ -57,7 +48,7 @@ in rec { inherit (bootstrapFiles) mkdir bzip2 cpio; - __impureHostDeps = binShClosure ++ libSystemClosure; + __sandboxProfile = binShClosure + libSystemProfile; }; stageFun = step: last: {shell ? "${bootstrapTools}/bin/sh", @@ -100,8 +91,8 @@ in rec { }; # The stdenvs themselves don't use mkDerivation, so I need to specify this here - __stdenvImpureHostDeps = binShClosure ++ libSystemClosure; - __extraImpureHostDeps = binShClosure ++ libSystemClosure; + __stdenvSandboxProfile = binShClosure + libSystemProfile; + __extraSandboxProfile = binShClosure + libSystemProfile; extraAttrs = { inherit platform; }; overrides = pkgs: (overrides pkgs) // { fetchurl = thisStdenv.fetchurlBoot; }; @@ -178,10 +169,14 @@ in rec { }; stage2 = with stage1; stageFun 2 stage1 { + extraPreHook = '' + export PATH_LOCALE=${pkgs.darwin.locale}/share/locale + ''; + allowedRequisites = [ bootstrapTools ] ++ (with pkgs; [ xz libcxx libcxxabi icu ]) ++ - (with pkgs.darwin; [ dyld Libsystem CF ]); + (with pkgs.darwin; [ dyld Libsystem CF locale ]); overrides = persistent1; }; @@ -196,7 +191,7 @@ in rec { darwin = orig.darwin // { inherit (darwin) - dyld Libsystem xnu configd libdispatch libclosure launchd libiconv; + dyld Libsystem xnu configd libdispatch libclosure launchd libiconv locale; }; }; 
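Review bot: The `extraPreHook` block exporting `PATH_LOCALE=${pkgs.darwin.locale}/share/locale` added to `stage2` here is repeated verbatim for `stage3` and `stage4` in the next two hunks; one `let` binding such as `localeHook = '' export PATH_LOCALE=${pkgs.darwin.locale}/share/locale '';`, referenced from each stage, would keep the three in step. `binShClosure` changes from a list to a profile fragment but the comment above it, `# The one dependency of /bin/sh :(`, still reads as the description of a closure list; `# the only library /bin/sh needs, granted read-only` would match the new form. I read `with stage1;` as bringing stage1's `pkgs` into scope here, so the locale package is built by the previous stage; a short comment confirming that next to the export would spare the next reader the same tracing.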
@@ -209,10 +204,14 @@ in rec { # patches our shebangs back to point at bootstrapTools. This makes sure bash comes first. extraInitialPath = [ pkgs.bash ]; + extraPreHook = '' + export PATH_LOCALE=${pkgs.darwin.locale}/share/locale + ''; + allowedRequisites = [ bootstrapTools ] ++ (with pkgs; [ icu bash libcxx libcxxabi ]) ++ - (with pkgs.darwin; [ dyld Libsystem ]); + (with pkgs.darwin; [ dyld Libsystem locale ]); overrides = persistent2; }; @@ -230,13 +229,16 @@ in rec { }; darwin = orig.darwin // { - inherit (darwin) dyld Libsystem libiconv; + inherit (darwin) dyld Libsystem libiconv locale; }; }; stage4 = with stage3; stageFun 4 stage3 { shell = "${pkgs.bash}/bin/bash"; extraInitialPath = [ pkgs.bash ]; + extraPreHook = '' + export PATH_LOCALE=${pkgs.darwin.locale}/share/locale + ''; overrides = persistent3; }; @@ -263,8 +265,8 @@ in rec { preHook = commonPreHook; - __stdenvImpureHostDeps = binShClosure ++ libSystemClosure; - __extraImpureHostDeps = binShClosure ++ libSystemClosure; + __stdenvSandboxProfile = binShClosure + libSystemProfile; + __extraSandboxProfile = binShClosure + libSystemProfile; initialPath = import ../common-path.nix { inherit pkgs; }; shell = "${pkgs.bash}/bin/bash"; diff --git a/pkgs/stdenv/pure-darwin/standard-sandbox.sb b/pkgs/stdenv/pure-darwin/standard-sandbox.sb new file mode 100644 index 000000000000..670ab01f3477 --- /dev/null +++ b/pkgs/stdenv/pure-darwin/standard-sandbox.sb 
@@ -0,0 +1,65 @@ +(define TMPDIR (param "_GLOBAL_TMP_DIR")) + +; obvious +(allow process-fork) + +; allow reading system information like #CPUs, etc. +(allow sysctl-read) + +; IPC +(allow ipc-posix-sem) + +; Unix sockets +(allow system-socket) + +; all runtime dependencies of libSystem.dylib +(allow file-read* + (literal "/usr/lib/libSystem.dylib") + (literal "/usr/lib/libSystem.B.dylib") + (literal "/usr/lib/libobjc.A.dylib") + (literal "/usr/lib/libobjc.dylib") + (literal "/usr/lib/libauto.dylib") + (literal "/usr/lib/libc++abi.dylib") + (literal "/usr/lib/libc++.1.dylib") + (literal "/usr/lib/libDiagnosticMessagesClient.dylib") + (subpath "/usr/lib/system")) + +; tmp +(allow file* process-exec (literal "/tmp") (subpath TMPDIR)) + +; clang likes to read the system version +(allow file-read* (literal "/System/Library/CoreServices/SystemVersion.plist")) + +; used for bootstrap builders +(allow process-exec* (literal "/bin/sh")) + +; standard devices +(allow file* + (literal "/dev/null") + (literal "/dev/random") + (literal "/dev/stdin") + (literal "/dev/stdout") + (literal "/dev/tty") + (literal "/dev/urandom") + (literal "/dev/zero") + (subpath "/dev/fd")) + +; does nothing, but reduces build noise +(allow file* (literal "/dev/dtracehelper")) + +; ICU data and zoneinfo data are hardcoded +; both are in libicucore and zoneinfo is in libsystem_c as well +(allow file-read* (subpath "/usr/share/icu") (subpath "/usr/share/zoneinfo")) + +; lots of autoconf projects want to list this directory +(allow file-read-metadata (literal "/var") (literal "/private/var/tmp")) + +; mute annoying failures +(deny file-read-metadata (with no-log) + (literal "/etc") + (subpath "/usr/bin")) + +(deny process-exec* (with no-log) + (literal "/usr/bin/arch") + (literal "/usr/bin/hostinfo") + (literal "/usr/bin/uname")) diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index fe750870f57e..4531fbcc183b 100644 --- a/pkgs/top-level/all-packages.nix 
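Review bot: `(allow file* process-exec (literal "/tmp") (subpath TMPDIR))` is the broadest rule in the file — it grants create, write and delete as well as exec on the whole `TMPDIR` tree and write access to `/tmp` itself — and it is the one with the least explanation (`; tmp`). A comment stating what needs each part would make later tightening possible, e.g. `; build dir: builders write here and run configure/test scripts from it, hence process-exec; /tmp itself only needs to be traversable`, and if `/tmp` really only needs to be traversable, `file-read-metadata` on that literal would do. The devices block also grants `file*` on `/dev/random`, `/dev/urandom` and `/dev/zero`, where `file-read*` is all a consumer needs; `/dev/null`, `/dev/tty`, `/dev/stdin`/`/dev/stdout` legitimately need more. The `; Unix sockets` comment above `(allow system-socket)` may not describe that operation — as I recall the profile language, `system-socket` covers privileged socket types rather than AF_UNIX — so it is worth confirming against the sandbox documentation and adjusting the comment.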
+++ b/pkgs/top-level/all-packages.nix @@ -1553,7 +1553,7 @@ let garmintools = callPackage ../development/libraries/garmintools {}; gawk = callPackage ../tools/text/gawk { - locale = darwin.adv_cmds; + inherit (darwin) locale; }; gawkInteractive = appendToName "interactive" @@ -5486,7 +5486,7 @@ let cmake = callPackage ../development/tools/build-managers/cmake { wantPS = stdenv.isDarwin; - ps = if stdenv.isDarwin then darwin.adv_cmds else null; + inherit (darwin) ps; }; cmakeCurses = cmake.override { useNcurses = true; }; From df80090d092a9dec4393060bb1ab8f278aba11f2 Mon Sep 17 00:00:00 2001 From: Jude Taylor Date: Thu, 12 Nov 2015 18:59:17 -0800 Subject: [PATCH 37/61] use per-derivation sandbox profiles --- lib/sandbox.nix | 26 ++++++-- .../applications/editors/emacs-24/default.nix | 4 +- pkgs/applications/editors/vim/default.nix | 2 + .../git-and-tools/git/default.nix | 3 + pkgs/build-support/fetchurl/default.nix | 4 +- .../haskell-modules/configuration-common.nix | 4 ++ .../interpreters/python/2.7/default.nix | 8 ++- pkgs/os-specific/darwin/apple-sdk/default.nix | 17 ++++- .../apple-sdk/generate-framework-profile.nix | 64 +++++++++++++++++++ .../apple-source-releases/CF/default.nix | 12 ++-- .../adv_cmds/default.nix | 42 ++++++++++-- .../apple-source-releases/configd/default.nix | 4 ++ .../darwin/apple-source-releases/default.nix | 4 +- .../libsecurity_generic/default.nix | 3 + .../libsecurity_utilities/default.nix | 3 + pkgs/stdenv/generic/default.nix | 13 ++-- pkgs/stdenv/pure-darwin/default.nix | 12 ++-- pkgs/stdenv/pure-darwin/standard-sandbox.sb | 27 +++++--- pkgs/top-level/all-packages.nix | 2 +- pkgs/top-level/perl-packages.nix | 1 + pkgs/top-level/python-packages.nix | 4 ++ 21 files changed, 209 insertions(+), 50 deletions(-) create mode 100644 pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix diff --git a/lib/sandbox.nix b/lib/sandbox.nix index 2deee89e12c4..9a429cf2ae66 100644 --- a/lib/sandbox.nix +++ b/lib/sandbox.nix 
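Review bot: `inherit (darwin) ps;` in the cmake arguments drops the `if stdenv.isDarwin ... else null` guard the old line had, so on non-Darwin platforms `ps` now resolves to the Darwin adv_cmds output whenever cmake's derivation forces it (for example by listing `ps` in `buildInputs` unconditionally instead of behind `wantPS`). Whether it does is outside this hunk; if the guard was load-bearing, keep it as `ps = if stdenv.isDarwin then darwin.ps else null;`, otherwise a comment that `wantPS` is the only consumer would record why the guard is safe to drop. The gawk hunk above makes the equivalent change for `locale` and raises the same question.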
@@ -17,11 +17,13 @@ let sexp = tokens: "(" + builtins.concatStringsSep " " tokens + ")"; generateFileList = files: if builtins.isList files - then concatMapStringsSep " " (x: sexp [ "literal" x ]) files - else concatStringsSep " " ( - (map (x: sexp [ "literal" ''"${x}"'' ]) (files.literal or [])) ++ - (map (x: sexp [ "subpath" ''"${x}"'' ]) (files.subpath or [])) - ); + then concatMapStringsSep " " (x: sexp [ "literal" ''"${x}"'' ]) files + else if builtins.isString files + then generateFileList [ files ] + else concatStringsSep " " ( + (map (x: sexp [ "literal" ''"${x}"'' ]) (files.literal or [])) ++ + (map (x: sexp [ "subpath" ''"${x}"'' ]) (files.subpath or [])) + ); applyToFiles = f: act: files: f "${act} ${generateFileList files}"; genActions = actionName: let action = feature: sexp [ actionName feature ]; 
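Review bot: `generateFileList` now wraps every path in `"…"`, but nothing escapes a `"` or `\` inside `x`, so a path containing either would produce a malformed or differently-scoped rule; today the callers pass paths controlled by nixpkgs, so this is robustness rather than a vulnerability, but the assumption should be written down: `# paths are quoted verbatim; callers pass clean, nixpkgs-controlled paths (no embedded quotes)`. The new `builtins.isString` branch delegates to the list case via `generateFileList [ files ]`, which is tidy; a one-line comment above the function listing the three accepted shapes (string, list of literals, `{ literal = …; subpath = …; }`) would save readers tracing the branches. The enclosing `let` starts before this hunk.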
@@ -30,11 +32,23 @@ genActions = actionName: let "${actionName}File" = applyToFiles action "file*"; "${actionName}FileRead" = applyToFiles action "file-read*"; "${actionName}FileReadMetadata" = applyToFiles action "file-read-metadata"; + "${actionName}DirectoryList" = self."${actionName}FileReadMetadata"; "${actionName}FileWrite" = applyToFiles action "file-write*"; "${actionName}FileWriteMetadata" = applyToFiles action "file-write-metadata"; + "${actionName}Network" = sexp [ actionName "network*" ]; + "${actionName}NetworkBind" = sexp [ actionName "network-bind" ]; + "${actionName}NetworkInbound" = sexp [ actionName "network-inbound" ]; + "${actionName}NetworkOutbound" = sexp [ actionName "network-outbound" ]; + "${actionName}NetworkLocal" = sexp [ actionName "network*" (sexp [ "local" "ip" ]) ]; + "${actionName}NetworkInboundLocal" = sexp [ actionName "network-inbound" (sexp [ "local" "ip" ]) ]; + "${actionName}NetworkOutboundLocal" = sexp [ actionName "network-outbound" (sexp [ "local" "ip" ]) ]; }; in self; in -genActions "allow" // genActions "deny" +genActions "allow" // genActions "deny" // { + importProfile = derivation: '' + (import "${derivation}") + ''; +} diff --git a/pkgs/applications/editors/emacs-24/default.nix b/pkgs/applications/editors/emacs-24/default.nix index 59f9f7110043..c2956006fb40 100644 --- a/pkgs/applications/editors/emacs-24/default.nix +++ b/pkgs/applications/editors/emacs-24/default.nix @@ -1,7 +1,7 @@ { stdenv, fetchurl, ncurses, xlibsWrapper, libXaw, libXpm, Xaw3d , pkgconfig, gettext, libXft, dbus, libpng, libjpeg, libungif , libtiff, librsvg, texinfo, gconf, libxml2, imagemagick, gnutls -, alsaLib, cairo, acl, gpm, AppKit +, alsaLib, cairo, acl, gpm, AppKit, CoreWLAN, Kerberos, GSS, ImageIO , withX ? !stdenv.isDarwin , withGTK3 ? false, gtk3 ? null , withGTK2 ? true, gtk2 
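Review bot: `importProfile = derivation: …` names its parameter `derivation`, shadowing the Nix builtin of the same name inside the lambda; harmless here but confusing in a library that exists to build derivation attributes — `importProfile = profile: '' (import "${profile}") '';` reads better. The function also needs a comment on its contract, since the `(import …)` is presumably resolved when the sandbox is set up, not at Nix evaluation time: `# profile: a derivation or store path whose output is a complete .sb file; interpolating it makes it a build-time input of whatever uses this fragment`. The new `"${actionName}Network"` family exposes `network*` wholesale; given how easy `allowNetwork` is to reach for, a comment steering users to the narrower `…NetworkOutbound`/`…NetworkLocal` variants first would be in the spirit of the rest of this file.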
@@ -49,7 +49,7 @@ stdenv.mkDerivation rec { ++ stdenv.lib.optional (withX && withGTK3) gtk3 ++ stdenv.lib.optional (stdenv.isDarwin && withX) cairo; - propagatedBuildInputs = stdenv.lib.optional stdenv.isDarwin AppKit; + propagatedBuildInputs = stdenv.lib.optionals stdenv.isDarwin [ AppKit GSS ImageIO ]; configureFlags = if stdenv.isDarwin diff --git a/pkgs/applications/editors/vim/default.nix b/pkgs/applications/editors/vim/default.nix index ab7b08d8186a..08e0e05590f3 100644 --- a/pkgs/applications/editors/vim/default.nix +++ b/pkgs/applications/editors/vim/default.nix @@ -43,6 +43,8 @@ stdenv.mkDerivation rec { ]; }; + __sandboxProfile = stdenv.lib.sandbox.allowFileRead "/dev/ptmx"; + # To fix the trouble in vim73, that it cannot cross-build with this patch # to bypass a configure script check that cannot be done cross-building. # http://groups.google.com/group/vim_dev/browse_thread/thread/66c02efd1523554b?pli=1 diff --git a/pkgs/applications/version-management/git-and-tools/git/default.nix b/pkgs/applications/version-management/git-and-tools/git/default.nix index 0f0793149594..57ebb7397bc6 100644 --- a/pkgs/applications/version-management/git-and-tools/git/default.nix +++ b/pkgs/applications/version-management/git-and-tools/git/default.nix @@ -36,6 +36,9 @@ stdenv.mkDerivation { # required to support pthread_cancel() NIX_LDFLAGS = stdenv.lib.optionalString (!stdenv.isDarwin) "-lgcc_s"; + # without this, git fails when trying to check for /etc/gitconfig existence + __propagatedSandboxProfile = stdenv.lib.sandbox.allowDirectoryList "/etc"; + makeFlags = "prefix=\${out} sysconfdir=/etc/ PERL_PATH=${perl}/bin/perl SHELL_PATH=${stdenv.shell} " + (if pythonSupport then "PYTHON_PATH=${python}/bin/python" else "NO_PYTHON=1") + (if stdenv.isSunOS then " INSTALL=install NO_INET_NTOP= NO_INET_PTON=" else "") diff --git a/pkgs/build-support/fetchurl/default.nix b/pkgs/build-support/fetchurl/default.nix index 96ad0c2864bb..bcd279380a36 100644 
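Review bot: The `/etc` directory-listing grant for git is attached to `__propagatedSandboxProfile`, so every derivation with git among its build inputs inherits it, while the comment (`# without this, git fails when trying to check for /etc/gitconfig existence`) only describes git's own build. If the failing check happens while git itself is built, `__sandboxProfile` is the right attribute and keeps the widening local; if it is the installed git failing inside downstream builds, the propagation is deliberate and the comment should say so, e.g. `# propagated: any build that runs git needs to stat /etc for /etc/gitconfig`. The vim hunk above has the opposite gap — `__sandboxProfile = stdenv.lib.sandbox.allowFileRead "/dev/ptmx";` carries no comment about which step opens a pty.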
--- a/pkgs/build-support/fetchurl/default.nix +++ b/pkgs/build-support/fetchurl/default.nix @@ -118,9 +118,7 @@ if (!hasHash) then throw "Specify hash for fetchurl fixed-output derivation: ${s outputHashMode = if recursiveHash then "recursive" else "flat"; - __sandboxProfile = '' - (allow network-outbound) - ''; + __sandboxProfile = stdenv.lib.sandbox.allowNetworkOutbound; inherit curlOpts showURLs mirrorsFile impureEnvVars postFetch downloadToTemp; diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix index edafbe5eab6e..2dac800bace9 100644 --- a/pkgs/development/haskell-modules/configuration-common.nix +++ b/pkgs/development/haskell-modules/configuration-common.nix @@ -924,4 +924,8 @@ self: super: { librarySystemDepends = (drv.librarySystemDepends or []) ++ [ pkgs.ncurses ]; }); + streaming-commons = pkgs.stdenv.lib.overrideDerivation super.streaming-commons (drv: { + __sandboxProfile = drv.__sandboxProfile + + pkgs.stdenv.lib.sandbox.allowNetworkLocal; + }); } diff --git a/pkgs/development/interpreters/python/2.7/default.nix b/pkgs/development/interpreters/python/2.7/default.nix index e08fde3c8bfc..f624bd5d85e2 100644 --- a/pkgs/development/interpreters/python/2.7/default.nix +++ b/pkgs/development/interpreters/python/2.7/default.nix @@ -97,7 +97,9 @@ let ] ++ optionals x11Support [ tcl tk xlibsWrapper libX11 ] ) ++ optional zlibSupport zlib - ++ optionals stdenv.isDarwin [ CF configd ]; + ++ optional stdenv.isDarwin CF; + + propagatedBuildInputs = optional stdenv.isDarwin configd; # Build the basic Python interpreter without modules that have # external dependencies. 
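Review bot: Moving `configd` from `buildInputs` to `propagatedBuildInputs` on Darwin is done without a comment, and the likely reason — so that everything depending on Python inherits configd's `__propagatedSandboxProfile`, the `mach-lookup` grant added elsewhere in this series — is not visible from this file. A comment such as `# propagated on Darwin so dependents pick up configd's sandbox profile, not for linking` would keep someone from folding it back into `buildInputs`. If there is also a link-time reason, state that instead; the `inherit … propagatedBuildInputs` change in the next hunk then follows naturally.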
@@ -105,8 +107,8 @@ let name = "python-${version}"; pythonVersion = majorVersion; - inherit majorVersion version src patches buildInputs preConfigure - configureFlags; + inherit majorVersion version src patches buildInputs propagatedBuildInputs + preConfigure configureFlags; LDFLAGS = stdenv.lib.optionalString (!stdenv.isDarwin) "-lgcc_s"; C_INCLUDE_PATH = concatStringsSep ":" (map (p: "${p}/include") buildInputs); diff --git a/pkgs/os-specific/darwin/apple-sdk/default.nix b/pkgs/os-specific/darwin/apple-sdk/default.nix index 24083060e546..b31e5d043ef2 100644 --- a/pkgs/os-specific/darwin/apple-sdk/default.nix +++ b/pkgs/os-specific/darwin/apple-sdk/default.nix @@ -1,6 +1,7 @@ { stdenv, fetchurl, xar, gzip, cpio, pkgs }: let + generateFrameworkProfile = pkgs.callPackage ./generate-framework-profile.nix {}; # sadly needs to be exported because security_tool needs it sdk = stdenv.mkDerivation rec { version = "10.9"; @@ -95,8 +96,12 @@ let propagatedBuildInputs = deps; - # Not going to bother being more precise than this... - __propagatedImpureHostDeps = (import ./impure-deps.nix).${name}; + # allows building the symlink tree + __sandboxProfile = '' + (allow file-read* (subpath "/System/Library/Frameworks/${name}.framework")) + ''; + + __propagatedSandboxProfile = stdenv.lib.sandbox.importProfile (generateFrameworkProfile name); meta = with stdenv.lib; { description = "Apple SDK framework ${name}"; @@ -159,6 +164,12 @@ in rec { ''; }); + CoreServices = stdenv.lib.overrideDerivation super.CoreServices (drv: { + __propagatedSandboxProfile = drv.__propagatedSandboxProfile ++ ['' + (allow mach-lookup (global-name "com.apple.CoreServices.coreservicesd")) + '']; + }); + Security = stdenv.lib.overrideDerivation super.Security (drv: { setupHook = ./security-setup-hook.sh; }); @@ -171,5 +182,5 @@ in rec { frameworks = bareFrameworks // overrides bareFrameworks; - inherit sdk; + inherit sdk generateFrameworkProfile; } 
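Review bot: In the same file `__propagatedSandboxProfile` is set as a string in the framework derivation (`stdenv.lib.sandbox.importProfile (generateFrameworkProfile name)`) and extended as a list in the `CoreServices` override (`drv.__propagatedSandboxProfile ++ ['' … '']`); that only works because mkDerivation wraps the string into a list on the built derivation (the stdenv/generic hunk of this commit does exactly that), which nothing here says. A comment at the override, `# on the built derivation __propagatedSandboxProfile is a list (mkDerivation wraps the string passed above), hence ++`, would stop someone from "fixing" one site into the other's form. The `__sandboxProfile` fragment `(allow file-read* (subpath "/System/Library/Frameworks/${name}.framework"))` interpolates `name` directly into the profile; `name` is nixpkgs-controlled so this is fine, but going through `stdenv.lib.sandbox.allowFileRead { subpath = [ … ]; }` would match the rest of this commit.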
diff --git a/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix b/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix new file mode 100644 index 000000000000..eb6228db14dd --- /dev/null +++ b/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix 
@@ -0,0 +1,64 @@ +{ runCommand }: + +# In a normal programming language, one might store a hashmap +# { library name -> runtime dependencies }. +# associative arrays were only recently added to bash, and even then, bash arrays cannot +# be multidimensional. instead, the filesystem is the hash table! +# once every dependency in the tree has been visited, a comprehensive list of libraries +# will exist inside ./build. then `find ./build -type f` will give you the +# dependency tree you need! + +frameworkName: + +let path = "/System/Library/Frameworks/${frameworkName}.framework"; + +in runCommand "${frameworkName}-profile.sb" { + # __noChroot lite + __sandboxProfile = '' + (allow file* (subpath "/")) + ''; + + # inconsistencies may exist between self and hydra + allowSubstitutes = false; +} '' + if [ ! -f "${path}/${frameworkName}" ]; then + touch $out + exit + fi + base=./build + find_deps () { + if [ -f "$base/$1" ]; then + return + fi + dependencies=$(otool -l -arch x86_64 $1 \ + | grep 'LC_\w*_DYLIB' -A 2 \ + | grep name \ + | sed 's/^ *//' \ + | cut -d' ' -f2) + mkdir -p $base/"$(dirname "$1")" + touch $base/"$1" + for dep in $dependencies; do + find_deps "$dep" + done + } + find_deps "${path}/${frameworkName}" "$out" + set -o noglob + profile="(allow file-read*" + for file in $(find $base -type f); do + filename=''${file/$base/} + case $filename in + /usr/lib/system*) ;; + /usr/lib/libSystem.dylib) ;; + /usr/lib/libSystem.B.dylib) ;; + /usr/lib/libobjc.A.dylib) ;; + /usr/lib/libobjc.dylib) ;; + /usr/lib/libauto.dylib) ;; + /usr/lib/libc++abi.dylib) ;; + /usr/lib/libDiagnosticMessagesClient.dylib) ;; + *) profile+=" (literal \"$filename\")" ;; + esac + done + profile+=" (literal \"${path}/${frameworkName}\")" + profile+=" (literal \"${path}/Versions/Current\")" + echo "$profile)" > $out +'' 
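Review bot: `__sandboxProfile = '' (allow file* (subpath "/")) ''` gives this builder unrestricted read and write access to the whole host filesystem, far more than the script uses: it reads Mach-O files under `/System/Library/Frameworks` and `/usr/lib` with `otool` and writes only inside the build directory. `(allow file-read* (subpath "/System/Library/Frameworks") (subpath "/usr/lib"))` — or at minimum `file-read*` on `/` — would do the same job without `write`, unless `otool` writes somewhere other than `TMPDIR`, which I cannot rule out from here; if the broad grant stays, the `# __noChroot lite` comment should say why. Two smaller points: `find_deps "${path}/${frameworkName}" "$out"` passes a second argument that `find_deps` never reads, and `profile+=" (literal \"$filename\")"` relies on `otool` never reporting a path containing `"`, which holds for Apple's system libraries but deserves a comment. The hard-coded skip list in the `case` mirrors the libSystem rules in `standard-sandbox.sb`, so a library added to one must be added to the other; a comment cross-referencing the two would help.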
diff --git a/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix b/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix index 55c8279340b7..0eac8fcae398 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix @@ -1,4 +1,4 @@ -{ stdenv, appleDerivation, icu, dyld, libdispatch, launchd, libclosure }: +{ stdenv, appleDerivation, icu, dyld, libdispatch, launchd, libclosure, generateFrameworkProfile }: # this project uses blocks, a clang-only extension assert stdenv.cc.isClang; @@ -8,13 +8,7 @@ appleDerivation { patches = [ ./add-cf-initialize.patch ./add-cfmachport.patch ./cf-bridging.patch ]; - __propagatedImpureHostDeps = [ - "/System/Library/Frameworks/CoreFoundation.framework" - "/usr/lib/libc++.1.dylib" - "/usr/lib/libc++abi.dylib" - "/usr/lib/libicucore.A.dylib" - "/usr/lib/libz.1.dylib" - ]; + __propagatedSandboxProfile = stdenv.lib.sandbox.importProfile (generateFrameworkProfile "CoreFoundation"); preBuild = '' substituteInPlace Makefile \ @@ -52,5 +46,7 @@ appleDerivation { postInstall = '' mv $out/System/* $out rmdir $out/System + mv $out/Library/Frameworks/CoreFoundation.framework/Versions/A/PrivateHeaders/* \ + $out/Library/Frameworks/CoreFoundation.framework/Versions/A/Headers ''; } diff --git a/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix b/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix index baeca0f6fe3b..d465fa71ff02 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix 
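Review bot: The new `mv …/PrivateHeaders/* …/Headers` in `postInstall` exposes CoreFoundation's private headers as public ones with no comment on which consumer needs them (the `cf-private` reference added later in this series hints at one). A one-line `# <consumer> includes CF private headers; merge them into Headers so -F finds them`, with the actual consumer named, would make the move reviewable, and it is worth noting that `mv` fails the build if the two directories share a file name. The `__propagatedSandboxProfile` change in the previous hunk replaces an explicit path list with the generated profile; the generator's skip list decides what is still covered, which the `stdenv.lib.sandbox.importProfile (…)` line could mention.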
@@ -1,13 +1,22 @@ { stdenv, appleDerivation, fetchzip, version, bsdmake, perl, flex, yacc, writeScriptBin }: +# this derivation sucks +# locale data was removed after adv_cmds-118, so our base is that because it's easier than +# replicating the bizarre bsdmake file structure +# +# sadly adv_cmds-118 builds a mklocale and colldef that generate files that our libc can no +# longer understand +# +# the more recent adv_cmds release is used for everything else in this package + let recentAdvCmds = fetchzip { url = "http://opensource.apple.com/tarballs/adv_cmds/adv_cmds-158.tar.gz"; sha256 = "0z081kcprzg5jcvqivfnwvvv6wfxzkjg2jc2lagsf8c7j7vgm8nn"; }; in appleDerivation { - buildInputs = [ bsdmake perl yacc flex (writeScriptBin "lex" "exec ${flex}/bin/flex $@") ]; + buildInputs = [ bsdmake perl yacc flex ]; patchPhase = '' substituteInPlace BSDMakefile \ @@ -19,8 +28,6 @@ in appleDerivation { substituteInPlace Makefile --replace perl true - substituteInPlace colldef.tproj/BSDmakefile --replace "-ll" "-lfl" - for subproject in colldef mklocale monetdef msgdef numericdef timedef; do substituteInPlace usr-share-locale.tproj/$subproject/BSDmakefile \ --replace /usr/share/locale "" \ @@ -29,9 +36,28 @@ in appleDerivation { done ''; + preBuild = '' + cp -r --no-preserve=all ${recentAdvCmds}/colldef . + pushd colldef + mv locale/collate.h . + flex -t -8 -i scan.l > scan.c + yacc -d parse.y + clang *.c -o colldef -lfl + popd + mv colldef/colldef colldef.tproj/colldef + + cp -r --no-preserve=all ${recentAdvCmds}/mklocale . + pushd mklocale + flex -t -8 -i lex.l > lex.c + yacc -d yacc.y + clang *.c -o mklocale -lfl + popd + mv mklocale/mklocale mklocale.tproj/mklocale + ''; + buildPhase = '' - bsdmake -C colldef.tproj - bsdmake -C mklocale.tproj + runHook preBuild + bsdmake -C usr-share-locale.tproj clang ${recentAdvCmds}/ps/*.c -o ps 
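Review bot: The rewritten `buildPhase` calls `runHook preBuild` by hand but, as far as the hunk shows, never `runHook postBuild`, so a `postBuild` set by an override would be silently skipped; `buildPhase` ends outside the hunk, so if the hook is already there this is moot, otherwise add `runHook postBuild` as its last line. The two `preBuild` blocks for `colldef` and `mklocale` are the same sequence of copy, `pushd`, `flex`, `yacc`, `clang … -lfl`, `popd`, `mv` with different names (only `mv locale/collate.h .` differs), so a small shell function taking the tool directory and the lexer/parser file names would remove the duplication. The header comment is candid about the 118/158 split; it would help to also record there that `colldef` and `mklocale` are built from the 158 tree only to generate the locale data and are not installed for now because of the flex runtime dependency (see the commented-out installs in the installPhase hunk).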
@@ -39,6 +65,12 @@ in appleDerivation { installPhase = '' bsdmake -C usr-share-locale.tproj install DESTDIR="$locale/share/locale" + + # need to get rid of runtime dependency on flex + # install -d 0755 $locale/bin + # install -m 0755 colldef.tproj/colldef $locale/bin + # install -m 0755 mklocale.tproj/mklocale $locale/bin + install -d 0755 $ps/bin install ps $ps/bin/ps ''; diff --git a/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix b/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix index 8687f3fe532e..c730a409609f 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix @@ -7,6 +7,10 @@ appleDerivation { propagatedBuildInputs = [ Security ]; + __propagatedSandboxProfile = '' + (allow mach-lookup (global-name "com.apple.SystemConfiguration.configd")) + ''; + patchPhase = '' substituteInPlace SystemConfiguration.fproj/SCNetworkReachabilityInternal.h \ --replace '#include ' "" diff --git a/pkgs/os-specific/darwin/apple-source-releases/default.nix b/pkgs/os-specific/darwin/apple-source-releases/default.nix index b494f5ae3466..6b7858d374a0 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/default.nix 
@@ -56,7 +56,9 @@ let bootstrap_cmds = applePackage "bootstrap_cmds" "86" "0xr0296jm1r3q7kbam98h85g23qlfi763z54ahj563n636kyk2wb" {}; bsdmake = applePackage "bsdmake" "24" "11a9kkhz5bfgi1i8kpdkis78lhc6b5vxmhd598fcdgra1jw4iac2" {}; CarbonHeaders = applePackage "CarbonHeaders" "9A581" "1hc0yijlpwq39x5bic6nnywqp2m1wj1f11j33m2q7p505h1h740c" {}; - CF = applePackage "CF" "855.17" "1sadmxi9fsvsmdyxvg2133sdzvkzwil5fvyyidxsyk1iyfzqsvln" {}; + CF = applePackage "CF" "855.17" "1sadmxi9fsvsmdyxvg2133sdzvkzwil5fvyyidxsyk1iyfzqsvln" { + inherit (pkgs.darwin.apple_sdk) generateFrameworkProfile; + }; CommonCrypto = applePackage "CommonCrypto" "60049" "1azin6w7cnzl0iv8kd2qzgwcp6a45zy64y5z1i6jysjcl6xmlw2h" {}; configd = applePackage "configd" "453.19" "1gxakahk8gallf16xmhxhprdxkh3prrmzxnmxfvj0slr0939mmr2" {}; copyfile = applePackage "copyfile" "103.92.1" "15i2hw5aqx0fklvmq6avin5s00adacvzqc740vviwc2y742vrdcd" {}; diff --git a/pkgs/os-specific/darwin/apple-source-releases/libsecurity_generic/default.nix b/pkgs/os-specific/darwin/apple-source-releases/libsecurity_generic/default.nix index 4a739032e2ae..ccce7448e5db 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/libsecurity_generic/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/libsecurity_generic/default.nix @@ -30,6 +30,9 @@ name: version: sha256: args: let ''; buildInputs = [ pkgs.gnustep-make + pkgs.darwin.apple_sdk.frameworks.AppKit + pkgs.darwin.apple_sdk.frameworks.Foundation + pkgs.darwin.cf-private ]; makeFlags = [ "-f${makeFile}" diff --git a/pkgs/os-specific/darwin/apple-source-releases/libsecurity_utilities/default.nix b/pkgs/os-specific/darwin/apple-source-releases/libsecurity_utilities/default.nix index 23ac246b4afa..9de1d120cc94 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/libsecurity_utilities/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/libsecurity_utilities/default.nix 
@@ -14,6 +14,9 @@ appleDerivation { substituteInPlace lib/debugging.cpp --replace PATH_MAX 1024 substituteInPlace lib/superblob.h --replace 'result->at' 'result->template at' substituteInPlace lib/ccaudit.cpp --replace '' '"bsm/libbsm.h"' + substituteInPlace lib/powerwatch.h --replace \ + '' \ + '"${osx_private_sdk}/PrivateSDK10.9.sparse.sdk/System/Library/Frameworks/IOKit.framework/Versions/A/PrivateHeaders/pwr_mgt/IOPMLibPrivate.h"' cp ${osx_private_sdk}/PrivateSDK10.9.sparse.sdk/usr/include/security_utilities/utilities_dtrace.h lib cp -R ${osx_private_sdk}/PrivateSDK10.9.sparse.sdk/usr/local/include/bsm lib diff --git a/pkgs/stdenv/generic/default.nix b/pkgs/stdenv/generic/default.nix index c2324c86eb5a..196c8618c918 100644 --- a/pkgs/stdenv/generic/default.nix +++ b/pkgs/stdenv/generic/default.nix @@ -156,11 +156,10 @@ let "__impureHostDeps" "__propagatedImpureHostDeps" "__sandboxProfile" "__propagatedSandboxProfile"]) // (let - # TODO: remove lib.unique once nix has a list canonicalization primitive computedSandboxProfile = - lib.concatStrings (lib.unique (builtins.map (input: input.__propagatedSandboxProfile or "") (extraBuildInputs ++ buildInputs ++ nativeBuildInputs))); + lib.concatMap (input: input.__propagatedSandboxProfile or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs); computedPropagatedSandboxProfile = - lib.concatStrings (lib.unique (builtins.map (input: input.__propagatedSandboxProfile or "") (propagatedBuildInputs ++ propagatedNativeBuildInputs))); + lib.concatMap (input: input.__propagatedSandboxProfile or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs); in { builder = attrs.realBuilder or shell; 
@@ -178,8 +177,12 @@ let propagatedNativeBuildInputs = propagatedNativeBuildInputs ++ (if crossConfig == null then propagatedBuildInputs else []); } // ifDarwin { - __sandboxProfile = computedSandboxProfile + computedPropagatedSandboxProfile + __propagatedSandboxProfile + __sandboxProfile + __extraSandboxProfile; - __propagatedSandboxProfile = computedPropagatedSandboxProfile + __propagatedSandboxProfile; + # TODO: remove lib.unique once nix has a list canonicalization primitive + __sandboxProfile = + let profiles = [ __extraSandboxProfile ] ++ computedSandboxProfile ++ computedPropagatedSandboxProfile ++ [ __propagatedSandboxProfile __sandboxProfile ]; + final = lib.concatStringsSep "\n" (lib.filter (x: x != "") (lib.unique profiles)); + in final; + __propagatedSandboxProfile = lib.unique (computedPropagatedSandboxProfile ++ [ __propagatedSandboxProfile ]); } // (if outputs' != [ "out" ] then { outputs = outputs'; } else { })))) ( diff --git a/pkgs/stdenv/pure-darwin/default.nix b/pkgs/stdenv/pure-darwin/default.nix index fb3559659e59..1770d48278d9 100644 --- a/pkgs/stdenv/pure-darwin/default.nix +++ b/pkgs/stdenv/pure-darwin/default.nix @@ -5,7 +5,9 @@ }: let - libSystemProfile = builtins.readFile ./standard-sandbox.sb; + libSystemProfile = '' + (import "${./standard-sandbox.sb}") + ''; fetch = { file, sha256, executable ? true }: import { url = "http://tarballs.nixos.org/stdenv-darwin/x86_64/4f07c88d467216d9692fefc951deb5cd3c4cc722/${file}"; @@ -253,7 +255,7 @@ in rec { }; darwin = orig.darwin // { - inherit (darwin) dyld Libsystem cctools CF libiconv; + inherit (darwin) dyld Libsystem cctools libiconv; }; }; @@ -263,7 +265,9 @@ in rec { name = "stdenv-darwin"; - preHook = commonPreHook; + preHook = commonPreHook + '' + export PATH_LOCALE=${pkgs.darwin.locale}/share/locale + ''; __stdenvSandboxProfile = binShClosure + libSystemProfile; __extraSandboxProfile = binShClosure + libSystemProfile; 
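Review bot: The new `__sandboxProfile` places `__extraSandboxProfile` — the stdenv's baseline profile, `deny` rules included — first and the derivation's own `__sandboxProfile` last, the reverse of the previous `+` chain, with no comment on why. If I remember the Darwin profile language correctly, later rules take precedence over earlier ones, so this ordering lets any derivation's fragment override the baseline `deny` entries; if that is intended it should be stated, e.g. `# baseline first so per-derivation fragments can override it (later rules win)`, and if not, the baseline belongs last. `lib.filter (x: x != "")` before `concatStringsSep "\n"` and `lib.unique` on the list are good; `__propagatedSandboxProfile` on the built derivation is now a list while the attribute passed in is a string, which deserves a comment at the `lib.unique (… ++ [ __propagatedSandboxProfile ])` line since overrides elsewhere in this commit rely on it.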
@@ -294,7 +298,7 @@ in rec { coreutils ed diffutils gnutar gzip ncurses gnused bash gawk gnugrep llvmPackages.clang-unwrapped patch pcre binutils-raw binutils gettext ]) ++ (with pkgs.darwin; [ - dyld Libsystem CF cctools libiconv + dyld Libsystem CF cctools libiconv locale ]); overrides = orig: persistent4 orig // { diff --git a/pkgs/stdenv/pure-darwin/standard-sandbox.sb b/pkgs/stdenv/pure-darwin/standard-sandbox.sb index 670ab01f3477..37a9b736e53e 100644 --- a/pkgs/stdenv/pure-darwin/standard-sandbox.sb +++ b/pkgs/stdenv/pure-darwin/standard-sandbox.sb @@ -7,7 +7,7 @@ (allow sysctl-read) ; IPC -(allow ipc-posix-sem) +(allow ipc-posix*) ; Unix sockets (allow system-socket) @@ -33,6 +33,9 @@ ; used for bootstrap builders (allow process-exec* (literal "/bin/sh")) +; without this line clang cannot write to /dev/null, breaking some configure tests +(allow file-read-metadata (literal "/dev")) + ; standard devices (allow file* (literal "/dev/null") 
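Review bot: `(allow ipc-posix-sem)` is widened to `(allow ipc-posix*)`, which adds POSIX shared memory to what every build may use, and the `; IPC` comment above it does not say which package needed more than semaphores. A specific comment — `; ipc-posix*: <package> needs POSIX shared memory (shm_open) in its test suite`, with the package named — keeps the grant from being widened further "just in case" and lets it be narrowed again if that package is fixed. The new `(allow file-read-metadata (literal "/dev"))` with its `; without this line clang cannot write to /dev/null…` comment is the style the rest of the file should follow.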
@@ -51,15 +54,21 @@ ; both are in libicucore and zoneinfo is in libsystem_c as well (allow file-read* (subpath "/usr/share/icu") (subpath "/usr/share/zoneinfo")) +; no idea what this is +(allow file-read-data (literal "/dev/autofs_nowait")) + ; lots of autoconf projects want to list this directory (allow file-read-metadata (literal "/var") (literal "/private/var/tmp")) -; mute annoying failures -(deny file-read-metadata (with no-log) - (literal "/etc") - (subpath "/usr/bin")) +; send signals +(allow signal (target same-sandbox)) -(deny process-exec* (with no-log) - (literal "/usr/bin/arch") - (literal "/usr/bin/hostinfo") - (literal "/usr/bin/uname")) +; allow getpwuid (for git and other packages) +(allow mach-lookup + (global-name "com.apple.system.notification_center") + (global-name "com.apple.system.opendirectoryd.libinfo")) + +; mute annoying failures +(deny (with no-log) file-read-metadata (literal "/etc") (subpath "/usr/bin")) + +(deny process-exec* (literal "/usr/bin/arch") (literal "/usr/bin/hostinfo") (literal "/usr/bin/uname")) diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 4531fbcc183b..cdbb03bd0e5f 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -11349,7 +11349,7 @@ let imagemagick = null; acl = null; gpm = null; - inherit (darwin.apple_sdk.frameworks) AppKit; + inherit (darwin.apple_sdk.frameworks) AppKit CoreWLAN GSS Kerberos ImageIO; }; emacs24-nox = lowPrio (appendToName "nox" (emacs24.override { diff --git a/pkgs/top-level/perl-packages.nix b/pkgs/top-level/perl-packages.nix index ed00e4ea66d3..4937a00bad92 100644 --- a/pkgs/top-level/perl-packages.nix +++ b/pkgs/top-level/perl-packages.nix 
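Review bot: `(allow file-read-data (literal "/dev/autofs_nowait"))` is added under `; no idea what this is`; a sandbox exception shipped with that comment should at least record which build failed without it, since that is what the next person tightening this file has to work from. For what it is worth, as I recall Apple's libc `realpath(3)` opens `/dev/autofs_nowait` so that the lookup does not trigger automounts, which would explain why ordinary builds hit it — worth verifying and then writing `; opened by libc realpath(3) to suppress automount triggers`. The two `deny` rules are rewritten with `(with no-log)` moved to a different position in the first and dropped from the second, so attempts to exec `/usr/bin/{arch,hostinfo,uname}` will now be logged; if that is deliberate it is fine (the following commit deletes both rules), but as written the hunk changes logging behaviour without saying so. The `signal (target same-sandbox)` grant could name what sends the signals (test harnesses, `make` on interrupt), as the `mach-lookup` comment does.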
@@ -8266,6 +8266,7 @@ let self = _self // overrides; _self = with self; {
 url = mirror://cpan/authors/id/E/ET/ETHER/Net-HTTP-6.09.tar.gz;
 sha256 = "52762b939d84806908ba544581c5708375f7938c3c0e496c128ca3fbc425e58d";
 };
+ __sandboxProfile = stdenv.lib.sandbox.allowNetworkLocal;
 propagatedBuildInputs = [ URI ];
 meta = {
 description = "Low-level HTTP connection (client)";
diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix
index 22cdc99fcefc..dbd991d82050 100644
--- a/pkgs/top-level/python-packages.nix
+++ b/pkgs/top-level/python-packages.nix
@@ -3759,6 +3759,8 @@ let
 substituteInPlace test-requirements.txt --replace 'nose==1.3' 'nose'
 '';
+ __sandboxProfile = pkgs.lib.sandbox.allowNetwork;
+
 doCheck = !isPy3k; # lots of transient failures
 checkPhase = ''
 # Not worth the trouble
@@ -6548,6 +6550,8 @@ let
 sha256 = "02rknqarwy7p50693cqswbibqwgxzrfzdq4yhwqxbdmhbsmh0rk6";
 };
+ __sandboxProfile = pkgs.lib.sandbox.allowNetwork;
+
 # Only test dependencies
 buildInputs = with self; [ pkgs.git gevent geventhttpclient mock fastimport ];
From 163acc0efa2a378b8f3fe74a6350e1a0e179d5f2 Mon Sep 17 00:00:00 2001
From: Jude Taylor
Date: Thu, 12 Nov 2015 22:35:15 -0800
Subject: [PATCH 38/61] remove useless muting lines; they interfere with debugging
---
 pkgs/stdenv/pure-darwin/standard-sandbox.sb | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/pkgs/stdenv/pure-darwin/standard-sandbox.sb b/pkgs/stdenv/pure-darwin/standard-sandbox.sb
index 37a9b736e53e..32a911621527 100644
--- a/pkgs/stdenv/pure-darwin/standard-sandbox.sb
+++ b/pkgs/stdenv/pure-darwin/standard-sandbox.sb
@@ -67,8 +67,3 @@
 (allow mach-lookup
 (global-name "com.apple.system.notification_center")
 (global-name "com.apple.system.opendirectoryd.libinfo"))
-
-; mute annoying failures
-(deny (with no-log) file-read-metadata (literal "/etc") (subpath "/usr/bin"))
-
-(deny process-exec* (literal "/usr/bin/arch") (literal "/usr/bin/hostinfo") (literal "/usr/bin/uname"))
From 131e831cb97c9762c3b10b35ae3c2094366a5886 Mon Sep 17 00:00:00 2001
From: Jude Taylor
Date: Sat, 14 Nov 2015 13:51:50 -0800
Subject: [PATCH 39/61] allow networking by default and remove it from derivations
---
 lib/sandbox.nix | 7 -------
 pkgs/build-support/fetchurl/default.nix | 2 --
 pkgs/development/haskell-modules/configuration-common.nix | 5 -----
 pkgs/stdenv/pure-darwin/standard-sandbox.sb | 3 +++
 pkgs/top-level/perl-packages.nix | 1 -
 pkgs/top-level/python-packages.nix | 4 ----
 6 files changed, 3 insertions(+), 19 deletions(-)
diff --git a/lib/sandbox.nix b/lib/sandbox.nix
index 9a429cf2ae66..414bf36f779f 100644
--- a/lib/sandbox.nix
+++ b/lib/sandbox.nix
@@ -35,13 +35,6 @@ genActions = actionName: let
 "${actionName}DirectoryList" = self."${actionName}FileReadMetadata";
 "${actionName}FileWrite" = applyToFiles action "file-write*";
 "${actionName}FileWriteMetadata" = applyToFiles action "file-write-metadata";
- "${actionName}Network" = sexp [ actionName "network*" ];
- "${actionName}NetworkBind" = sexp [ actionName "network-bind" ];
- "${actionName}NetworkInbound" = sexp [ actionName "network-inbound" ];
- "${actionName}NetworkOutbound" = sexp [ actionName "network-outbound" ];
- "${actionName}NetworkLocal" = sexp [ actionName "network*" (sexp [ "local" "ip" ]) ];
- "${actionName}NetworkInboundLocal" = sexp [ actionName "network-inbound" (sexp [ "local" "ip" ]) ];
- "${actionName}NetworkOutboundLocal" = sexp [ actionName "network-outbound" (sexp [ "local" "ip" ]) ];
 };
 in self;
diff --git a/pkgs/build-support/fetchurl/default.nix b/pkgs/build-support/fetchurl/default.nix
index bcd279380a36..b1dc6e7be31b 100644
--- a/pkgs/build-support/fetchurl/default.nix
+++ b/pkgs/build-support/fetchurl/default.nix
@@ -118,8 +118,6 @@ if (!hasHash) then throw "Specify hash for fetchurl fixed-output derivation: ${s
 outputHashMode = if recursiveHash then "recursive" else "flat";
- __sandboxProfile = stdenv.lib.sandbox.allowNetworkOutbound;
-
 inherit curlOpts showURLs mirrorsFile impureEnvVars postFetch downloadToTemp;
 # Doing the download on a remote machine just duplicates network
diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix
index 2dac800bace9..f57de134b791 100644
--- a/pkgs/development/haskell-modules/configuration-common.nix
+++ b/pkgs/development/haskell-modules/configuration-common.nix
@@ -923,9 +923,4 @@ self: super: {
 hscurses = overrideCabal super.hscurses (drv: {
 librarySystemDepends = (drv.librarySystemDepends or []) ++ [ pkgs.ncurses ];
 });
-
- streaming-commons = pkgs.stdenv.lib.overrideDerivation super.streaming-commons (drv: {
- __sandboxProfile = drv.__sandboxProfile +
- pkgs.stdenv.lib.sandbox.allowNetworkLocal;
- });
 }
diff --git a/pkgs/stdenv/pure-darwin/standard-sandbox.sb b/pkgs/stdenv/pure-darwin/standard-sandbox.sb
index 32a911621527..b87be89f35f2 100644
--- a/pkgs/stdenv/pure-darwin/standard-sandbox.sb
+++ b/pkgs/stdenv/pure-darwin/standard-sandbox.sb
@@ -67,3 +67,6 @@
 (allow mach-lookup
 (global-name "com.apple.system.notification_center")
 (global-name "com.apple.system.opendirectoryd.libinfo"))
+
+; allow networking on localhost
+(allow network* (local ip) (remote unix-socket))
diff --git a/pkgs/top-level/perl-packages.nix b/pkgs/top-level/perl-packages.nix
index 4937a00bad92..ed00e4ea66d3 100644
--- a/pkgs/top-level/perl-packages.nix
+++ b/pkgs/top-level/perl-packages.nix
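Review bot: `(allow network* (local ip) (remote unix-socket))` grants more than the `; allow networking on localhost` comment says: `network*` covers bind and inbound as well as outbound, and `(local ip)` is any local address and port, so two builds running concurrently can connect to each other's test listeners and test results start to depend on what else is building at the time. The `(remote unix-socket)` clause carries no path filter, so every Unix socket the build user can reach on the host (launchd services, agents) becomes connectable from every build, which is a much wider hole than the per-derivation opt-ins this commit removes. Prefer splitting the rule into the specific operations the tests need and naming the socket paths in the unix-socket clause, and make the comment state the real scope. Note also that this commit drops fetchurl's `allowNetworkOutbound` profile while the default profile only reaches local addresses, so remote downloads now rely entirely on Nix treating fixed-output derivations specially in the sandbox; that is presumably the case but is not visible here and is worth stating in the commit message.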
@@ -8266,7 +8266,6 @@ let self = _self // overrides; _self = with self; {
 url = mirror://cpan/authors/id/E/ET/ETHER/Net-HTTP-6.09.tar.gz;
 sha256 = "52762b939d84806908ba544581c5708375f7938c3c0e496c128ca3fbc425e58d";
 };
- __sandboxProfile = stdenv.lib.sandbox.allowNetworkLocal;
 propagatedBuildInputs = [ URI ];
 meta = {
 description = "Low-level HTTP connection (client)";
diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix
index dbd991d82050..22cdc99fcefc 100644
--- a/pkgs/top-level/python-packages.nix
+++ b/pkgs/top-level/python-packages.nix
@@ -3759,8 +3759,6 @@ let
 substituteInPlace test-requirements.txt --replace 'nose==1.3' 'nose'
 '';
- __sandboxProfile = pkgs.lib.sandbox.allowNetwork;
-
 doCheck = !isPy3k; # lots of transient failures
 checkPhase = ''
 # Not worth the trouble
@@ -6550,8 +6548,6 @@ let
 sha256 = "02rknqarwy7p50693cqswbibqwgxzrfzdq4yhwqxbdmhbsmh0rk6";
 };
- __sandboxProfile = pkgs.lib.sandbox.allowNetwork;
-
 # Only test dependencies
 buildInputs = with self; [ pkgs.git gevent geventhttpclient mock fastimport ];
From 4a64687737cbe9deee23d15b431c8a70c804257e Mon Sep 17 00:00:00 2001
From: Jude Taylor
Date: Sat, 14 Nov 2015 14:14:18 -0800
Subject: [PATCH 40/61] remove debugging from perl 5.16
---
 pkgs/development/interpreters/perl/5.16/default.nix | 2 --
 1 file changed, 2 deletions(-)
diff --git a/pkgs/development/interpreters/perl/5.16/default.nix b/pkgs/development/interpreters/perl/5.16/default.nix
index 8a89d97a100e..568025edfd4c 100644
--- a/pkgs/development/interpreters/perl/5.16/default.nix
+++ b/pkgs/development/interpreters/perl/5.16/default.nix
@@ -33,8 +33,6 @@ stdenv.mkDerivation rec {
 pwd="$(type -P pwd)"
 substituteInPlace dist/Cwd/Cwd.pm \
 --replace "pwd_cmd = 'pwd'" "pwd_cmd = '$pwd'"
- grep -R /bin/pwd .
- exit 1
 '';
 # Build a thread-safe Perl with a dynamic libperls.o. We need the
From 815e9f5af288b3d44a7a926469b25cf58663fe40 Mon Sep 17 00:00:00 2001
From: Pascal Wittmann
Date: Fri, 20 Nov 2015 17:20:51 +0100
Subject: [PATCH 41/61] help2man: 1.47.2 -> 1.47.3
---
 pkgs/development/tools/misc/help2man/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/development/tools/misc/help2man/default.nix b/pkgs/development/tools/misc/help2man/default.nix
index 4386e7eaf741..8f687908017f 100644
--- a/pkgs/development/tools/misc/help2man/default.nix
+++ b/pkgs/development/tools/misc/help2man/default.nix
@@ -1,11 +1,11 @@
 { stdenv, fetchurl, perl, gettext, LocaleGettext, makeWrapper }:
 stdenv.mkDerivation rec {
- name = "help2man-1.47.2";
+ name = "help2man-1.47.3";
 src = fetchurl {
 url = "mirror://gnu/help2man/${name}.tar.xz";
- sha256 = "0z1zgw6k1fba59fii6ksfi1g2gci6i4ysa3kdfh3j475fdkn1if4";
+ sha256 = "0miqq77ssk5rgsc9xlv7k5n2wk2c5wv2m1kh4zhbwrggfmjaycn2";
 };
 buildInputs = [ makeWrapper perl gettext LocaleGettext ];
From a63346e33ca05f691e6854b896eac5cef99b4ef8 Mon Sep 17 00:00:00 2001
From: Jude Taylor
Date: Sat, 21 Nov 2015 11:17:30 -0800
Subject: [PATCH 42/61] use single underscore for sandboxProfile
---
 pkgs/applications/editors/vim/default.nix | 2 +-
 .../git-and-tools/git/default.nix | 2 +-
 .../interpreters/perl/5.20/default.nix | 2 +-
 pkgs/os-specific/darwin/apple-sdk/default.nix | 6 ++---
 .../apple-sdk/generate-framework-profile.nix | 2 +-
 .../apple-source-releases/CF/default.nix | 2 +-
 .../adv_cmds/default.nix | 2 +-
 .../apple-source-releases/configd/default.nix | 2 +-
 pkgs/stdenv/generic/default.nix | 22 +++++++++----------
 pkgs/stdenv/pure-darwin/default.nix | 10 ++++-----
 10 files changed, 26 insertions(+), 26 deletions(-)
diff --git a/pkgs/applications/editors/vim/default.nix b/pkgs/applications/editors/vim/default.nix
index 08e0e05590f3..42010f154214 100644
--- a/pkgs/applications/editors/vim/default.nix
+++ b/pkgs/applications/editors/vim/default.nix
@@ -43,7 +43,7 @@ stdenv.mkDerivation rec { ]; }; - __sandboxProfile = stdenv.lib.sandbox.allowFileRead "/dev/ptmx"; + _sandboxProfile = stdenv.lib.sandbox.allowFileRead "/dev/ptmx"; # To fix the trouble in vim73, that it cannot cross-build with this patch # to bypass a configure script check that cannot be done cross-building. diff --git a/pkgs/applications/version-management/git-and-tools/git/default.nix b/pkgs/applications/version-management/git-and-tools/git/default.nix index 57ebb7397bc6..ed963d206e95 100644 --- a/pkgs/applications/version-management/git-and-tools/git/default.nix +++ b/pkgs/applications/version-management/git-and-tools/git/default.nix @@ -37,7 +37,7 @@ stdenv.mkDerivation { NIX_LDFLAGS = stdenv.lib.optionalString (!stdenv.isDarwin) "-lgcc_s"; # without this, git fails when trying to check for /etc/gitconfig existence - __propagatedSandboxProfile = stdenv.lib.sandbox.allowDirectoryList "/etc"; + _propagatedSandboxProfile = stdenv.lib.sandbox.allowDirectoryList "/etc"; makeFlags = "prefix=\${out} sysconfdir=/etc/ PERL_PATH=${perl}/bin/perl SHELL_PATH=${stdenv.shell} " + (if pythonSupport then "PYTHON_PATH=${python}/bin/python" else "NO_PYTHON=1") diff --git a/pkgs/development/interpreters/perl/5.20/default.nix b/pkgs/development/interpreters/perl/5.20/default.nix index b2f43d176e81..a85175bf0c3f 100644 --- a/pkgs/development/interpreters/perl/5.20/default.nix +++ b/pkgs/development/interpreters/perl/5.20/default.nix @@ -50,7 +50,7 @@ stdenv.mkDerivation rec { --replace "/bin/pwd" "$pwd" ''; - __sandboxProfile = stdenv.lib.sandbox.allow "ipc-sysv-sem"; + _sandboxProfile = stdenv.lib.sandbox.allow "ipc-sysv-sem"; # Build a thread-safe Perl with a dynamic libperls.o. We need the # "installstyle" option to ensure that modules are put under diff --git a/pkgs/os-specific/darwin/apple-sdk/default.nix b/pkgs/os-specific/darwin/apple-sdk/default.nix index b31e5d043ef2..a422bfa6452a 100644 --- a/pkgs/os-specific/darwin/apple-sdk/default.nix 
+++ b/pkgs/os-specific/darwin/apple-sdk/default.nix @@ -97,11 +97,11 @@ let propagatedBuildInputs = deps; # allows building the symlink tree - __sandboxProfile = '' + _sandboxProfile = '' (allow file-read* (subpath "/System/Library/Frameworks/${name}.framework")) ''; - __propagatedSandboxProfile = stdenv.lib.sandbox.importProfile (generateFrameworkProfile name); + _propagatedSandboxProfile = stdenv.lib.sandbox.importProfile (generateFrameworkProfile name); meta = with stdenv.lib; { description = "Apple SDK framework ${name}"; @@ -165,7 +165,7 @@ in rec { }); CoreServices = stdenv.lib.overrideDerivation super.CoreServices (drv: { - __propagatedSandboxProfile = drv.__propagatedSandboxProfile ++ ['' + _propagatedSandboxProfile = drv._propagatedSandboxProfile ++ ['' (allow mach-lookup (global-name "com.apple.CoreServices.coreservicesd")) '']; }); diff --git a/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix b/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix index eb6228db14dd..a0d37c5db384 100644 --- a/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix +++ b/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix @@ -14,7 +14,7 @@ let path = "/System/Library/Frameworks/${frameworkName}.framework"; in runCommand "${frameworkName}-profile.sb" { # __noChroot lite - __sandboxProfile = '' + _sandboxProfile = '' (allow file* (subpath "/")) ''; diff --git a/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix b/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix index 0eac8fcae398..c02129d2afe8 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix 
@@ -8,7 +8,7 @@ appleDerivation { patches = [ ./add-cf-initialize.patch ./add-cfmachport.patch ./cf-bridging.patch ]; - __propagatedSandboxProfile = stdenv.lib.sandbox.importProfile (generateFrameworkProfile "CoreFoundation"); + _propagatedSandboxProfile = stdenv.lib.sandbox.importProfile (generateFrameworkProfile "CoreFoundation"); preBuild = '' substituteInPlace Makefile \ diff --git a/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix b/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix index d465fa71ff02..2b2a9148f226 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix @@ -81,7 +81,7 @@ in appleDerivation { ]; # ps uses this syscall to get process info - __propagatedSandboxProfile = stdenv.lib.sandbox.allow "mach-priv-task-port"; + _propagatedSandboxProfile = stdenv.lib.sandbox.allow "mach-priv-task-port"; meta = { platforms = stdenv.lib.platforms.darwin; diff --git a/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix b/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix index c730a409609f..5fcb6a242044 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix @@ -7,7 +7,7 @@ appleDerivation { propagatedBuildInputs = [ Security ]; - __propagatedSandboxProfile = '' + _propagatedSandboxProfile = '' (allow mach-lookup (global-name "com.apple.SystemConfiguration.configd")) ''; diff --git a/pkgs/stdenv/generic/default.nix b/pkgs/stdenv/generic/default.nix index 196c8618c918..e3ba2f27f221 100644 --- a/pkgs/stdenv/generic/default.nix +++ b/pkgs/stdenv/generic/default.nix 
@@ -12,8 +12,8 @@ let lib = import ../../../lib; in lib.makeOverridable ( , extraBuildInputs ? [] , __stdenvImpureHostDeps ? [] , __extraImpureHostDeps ? [] -, __stdenvSandboxProfile ? "" -, __extraSandboxProfile ? "" +, _stdenvSandboxProfile ? "" +, _extraSandboxProfile ? "" }: let @@ -102,8 +102,8 @@ let , outputs ? [ "out" ] , __impureHostDeps ? [] , __propagatedImpureHostDeps ? [] - , __sandboxProfile ? "" - , __propagatedSandboxProfile ? "" + , _sandboxProfile ? "" + , _propagatedSandboxProfile ? "" , ... } @ attrs: let pos' = @@ -154,12 +154,12 @@ let (removeAttrs attrs ["meta" "passthru" "crossAttrs" "pos" "__impureHostDeps" "__propagatedImpureHostDeps" - "__sandboxProfile" "__propagatedSandboxProfile"]) + "_sandboxProfile" "_propagatedSandboxProfile"]) // (let computedSandboxProfile = - lib.concatMap (input: input.__propagatedSandboxProfile or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs); + lib.concatMap (input: input._propagatedSandboxProfile or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs); computedPropagatedSandboxProfile = - lib.concatMap (input: input.__propagatedSandboxProfile or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs); + lib.concatMap (input: input._propagatedSandboxProfile or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs); in { builder = attrs.realBuilder or shell; 
@@ -178,11 +178,11 @@ let (if crossConfig == null then propagatedBuildInputs else []); } // ifDarwin { # TODO: remove lib.unique once nix has a list canonicalization primitive - __sandboxProfile = - let profiles = [ __extraSandboxProfile ] ++ computedSandboxProfile ++ computedPropagatedSandboxProfile ++ [ __propagatedSandboxProfile __sandboxProfile ]; + _sandboxProfile = + let profiles = [ _extraSandboxProfile ] ++ computedSandboxProfile ++ computedPropagatedSandboxProfile ++ [ _propagatedSandboxProfile _sandboxProfile ]; final = lib.concatStringsSep "\n" (lib.filter (x: x != "") (lib.unique profiles)); in final; - __propagatedSandboxProfile = lib.unique (computedPropagatedSandboxProfile ++ [ __propagatedSandboxProfile ]); + _propagatedSandboxProfile = lib.unique (computedPropagatedSandboxProfile ++ [ _propagatedSandboxProfile ]); } // (if outputs' != [ "out" ] then { outputs = outputs'; } else { })))) ( @@ -219,7 +219,7 @@ let inherit preHook initialPath shell defaultNativeBuildInputs; } // ifDarwin { - __sandboxProfile = __stdenvSandboxProfile; + _sandboxProfile = _stdenvSandboxProfile; }) // rec { diff --git a/pkgs/stdenv/pure-darwin/default.nix b/pkgs/stdenv/pure-darwin/default.nix index 1770d48278d9..39ff3ebddb1e 100644 --- a/pkgs/stdenv/pure-darwin/default.nix +++ b/pkgs/stdenv/pure-darwin/default.nix @@ -50,7 +50,7 @@ in rec { inherit (bootstrapFiles) mkdir bzip2 cpio; - __sandboxProfile = binShClosure + libSystemProfile; + _sandboxProfile = binShClosure + libSystemProfile; }; stageFun = step: last: {shell ? "${bootstrapTools}/bin/sh", 
@@ -93,8 +93,8 @@ in rec {
 };
 # The stdenvs themselves don't use mkDerivation, so I need to specify this here
- __stdenvSandboxProfile = binShClosure + libSystemProfile;
- __extraSandboxProfile = binShClosure + libSystemProfile;
+ _stdenvSandboxProfile = binShClosure + libSystemProfile;
+ _extraSandboxProfile = binShClosure + libSystemProfile;
 extraAttrs = { inherit platform; };
 overrides = pkgs: (overrides pkgs) // { fetchurl = thisStdenv.fetchurlBoot; };
@@ -269,8 +269,8 @@ in rec {
 export PATH_LOCALE=${pkgs.darwin.locale}/share/locale
 '';
- __stdenvSandboxProfile = binShClosure + libSystemProfile;
- __extraSandboxProfile = binShClosure + libSystemProfile;
+ _stdenvSandboxProfile = binShClosure + libSystemProfile;
+ _extraSandboxProfile = binShClosure + libSystemProfile;
 initialPath = import ../common-path.nix { inherit pkgs; };
 shell = "${pkgs.bash}/bin/bash";
From 69e7f3bb7405ad4bf81e6d8c1897116c3a4d77dc Mon Sep 17 00:00:00 2001
From: Jude Taylor
Date: Sat, 21 Nov 2015 12:06:41 -0800
Subject: [PATCH 43/61] switch to zero underscores for sandbox profiles; remove generateFrameworkProfile
---
 pkgs/applications/editors/vim/default.nix | 2 +-
 .../git-and-tools/git/default.nix | 2 +-
 .../interpreters/perl/5.20/default.nix | 2 +-
 pkgs/os-specific/darwin/apple-sdk/default.nix | 9 ++-
 .../apple-sdk/generate-framework-profile.nix | 64 -------------------
 .../apple-source-releases/CF/default.nix | 4 +-
 .../adv_cmds/default.nix | 2 +-
 .../apple-source-releases/configd/default.nix | 2 +-
 .../darwin/apple-source-releases/default.nix | 6 +-
 pkgs/stdenv/generic/default.nix | 22 +++----
 pkgs/stdenv/pure-darwin/default.nix | 10 +--
 11 files changed, 29 insertions(+), 96 deletions(-)
 delete mode 100644 pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix
diff --git a/pkgs/applications/editors/vim/default.nix b/pkgs/applications/editors/vim/default.nix
index 42010f154214..363413a698e8 100644
--- a/pkgs/applications/editors/vim/default.nix
+++ b/pkgs/applications/editors/vim/default.nix @@ -43,7 +43,7 @@ stdenv.mkDerivation rec { ]; }; - _sandboxProfile = stdenv.lib.sandbox.allowFileRead "/dev/ptmx"; + sandboxProfile = stdenv.lib.sandbox.allowFileRead "/dev/ptmx"; # To fix the trouble in vim73, that it cannot cross-build with this patch # to bypass a configure script check that cannot be done cross-building. diff --git a/pkgs/applications/version-management/git-and-tools/git/default.nix b/pkgs/applications/version-management/git-and-tools/git/default.nix index ed963d206e95..d060acef53ed 100644 --- a/pkgs/applications/version-management/git-and-tools/git/default.nix +++ b/pkgs/applications/version-management/git-and-tools/git/default.nix @@ -37,7 +37,7 @@ stdenv.mkDerivation { NIX_LDFLAGS = stdenv.lib.optionalString (!stdenv.isDarwin) "-lgcc_s"; # without this, git fails when trying to check for /etc/gitconfig existence - _propagatedSandboxProfile = stdenv.lib.sandbox.allowDirectoryList "/etc"; + propagatedSandboxProfile = stdenv.lib.sandbox.allowDirectoryList "/etc"; makeFlags = "prefix=\${out} sysconfdir=/etc/ PERL_PATH=${perl}/bin/perl SHELL_PATH=${stdenv.shell} " + (if pythonSupport then "PYTHON_PATH=${python}/bin/python" else "NO_PYTHON=1") diff --git a/pkgs/development/interpreters/perl/5.20/default.nix b/pkgs/development/interpreters/perl/5.20/default.nix index a85175bf0c3f..aa384683728a 100644 --- a/pkgs/development/interpreters/perl/5.20/default.nix +++ b/pkgs/development/interpreters/perl/5.20/default.nix @@ -50,7 +50,7 @@ stdenv.mkDerivation rec { --replace "/bin/pwd" "$pwd" ''; - _sandboxProfile = stdenv.lib.sandbox.allow "ipc-sysv-sem"; + sandboxProfile = stdenv.lib.sandbox.allow "ipc-sysv-sem"; # Build a thread-safe Perl with a dynamic libperls.o. We need the # "installstyle" option to ensure that modules are put under diff --git a/pkgs/os-specific/darwin/apple-sdk/default.nix b/pkgs/os-specific/darwin/apple-sdk/default.nix index a422bfa6452a..f1e3556273e5 100644 
--- a/pkgs/os-specific/darwin/apple-sdk/default.nix +++ b/pkgs/os-specific/darwin/apple-sdk/default.nix @@ -1,7 +1,6 @@ { stdenv, fetchurl, xar, gzip, cpio, pkgs }: let - generateFrameworkProfile = pkgs.callPackage ./generate-framework-profile.nix {}; # sadly needs to be exported because security_tool needs it sdk = stdenv.mkDerivation rec { version = "10.9"; @@ -97,11 +96,11 @@ let propagatedBuildInputs = deps; # allows building the symlink tree - _sandboxProfile = '' + sandboxProfile = '' (allow file-read* (subpath "/System/Library/Frameworks/${name}.framework")) ''; - _propagatedSandboxProfile = stdenv.lib.sandbox.importProfile (generateFrameworkProfile name); + __propagatedImpureHostDeps = "/System/Library/Frameworks/${name}.framework/${name}"; meta = with stdenv.lib; { description = "Apple SDK framework ${name}"; @@ -165,7 +164,7 @@ in rec { }); CoreServices = stdenv.lib.overrideDerivation super.CoreServices (drv: { - _propagatedSandboxProfile = drv._propagatedSandboxProfile ++ ['' + __propagatedSandboxProfile = drv.__propagatedSandboxProfile ++ ['' (allow mach-lookup (global-name "com.apple.CoreServices.coreservicesd")) '']; }); @@ -182,5 +181,5 @@ in rec { frameworks = bareFrameworks // overrides bareFrameworks; - inherit sdk generateFrameworkProfile; + inherit sdk; } diff --git a/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix b/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix deleted file mode 100644 index a0d37c5db384..000000000000 --- a/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix +++ /dev/null 
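Review bot: `__propagatedImpureHostDeps = "/System/Library/Frameworks/${name}.framework/${name}";` in the `@@ -97,11 +96,11 @@` hunk assigns a string, while the stdenv parameter it feeds is declared as a list (`, __propagatedImpureHostDeps ? []` in this commit's pkgs/stdenv/generic/default.nix hunk), so any consumer that concatenates or iterates it will get a string where a list is expected; it should read `__propagatedImpureHostDeps = [ "/System/Library/Frameworks/${name}.framework/${name}" ];`, and the CF/default.nix hunk further down has the same shape. Separately, the propagated grant used to be a generated profile that enumerated the framework's dependency closure (the deleted generate-framework-profile.nix), whereas the replacement names only the framework binary; whether dependents can still read the transitive libraries now depends on how stdenv expands `__propagatedImpureHostDeps`, which is outside this diff, so a one-line comment next to the attribute saying where that closure is expected to come from would help the next reader.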
@@ -1,64 +0,0 @@ -{ runCommand }: - -# In a normal programming language, one might store a hashmap -# { library name -> runtime dependencies }. -# associative arrays were only recently added to bash, and even then, bash arrays cannot -# be multidimensional. instead, the filesystem is the hash table! -# once every dependency in the tree has been visited, a comprehensive list of libraries -# will exist inside ./build. then `find ./build -type f` will give you the -# dependency tree you need! - -frameworkName: - -let path = "/System/Library/Frameworks/${frameworkName}.framework"; - -in runCommand "${frameworkName}-profile.sb" { - # __noChroot lite - _sandboxProfile = '' - (allow file* (subpath "/")) - ''; - - # inconsistencies may exist between self and hydra - allowSubstitutes = false; -} '' - if [ ! -f "${path}/${frameworkName}" ]; then - touch $out - exit - fi - base=./build - find_deps () { - if [ -f "$base/$1" ]; then - return - fi - dependencies=$(otool -l -arch x86_64 $1 \ - | grep 'LC_\w*_DYLIB' -A 2 \ - | grep name \ - | sed 's/^ *//' \ - | cut -d' ' -f2) - mkdir -p $base/"$(dirname "$1")" - touch $base/"$1" - for dep in $dependencies; do - find_deps "$dep" - done - } - find_deps "${path}/${frameworkName}" "$out" - set -o noglob - profile="(allow file-read*" - for file in $(find $base -type f); do - filename=''${file/$base/} - case $filename in - /usr/lib/system*) ;; - /usr/lib/libSystem.dylib) ;; - /usr/lib/libSystem.B.dylib) ;; - /usr/lib/libobjc.A.dylib) ;; - /usr/lib/libobjc.dylib) ;; - /usr/lib/libauto.dylib) ;; - /usr/lib/libc++abi.dylib) ;; - /usr/lib/libDiagnosticMessagesClient.dylib) ;; - *) profile+=" (literal \"$filename\")" ;; - esac - done - profile+=" (literal \"${path}/${frameworkName}\")" - profile+=" (literal \"${path}/Versions/Current\")" - echo "$profile)" > $out -'' diff --git a/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix b/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix index c02129d2afe8..aededa1a0736 100644 
--- a/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix @@ -1,4 +1,4 @@ -{ stdenv, appleDerivation, icu, dyld, libdispatch, launchd, libclosure, generateFrameworkProfile }: +{ stdenv, appleDerivation, icu, dyld, libdispatch, launchd, libclosure }: # this project uses blocks, a clang-only extension assert stdenv.cc.isClang; @@ -8,7 +8,7 @@ appleDerivation { patches = [ ./add-cf-initialize.patch ./add-cfmachport.patch ./cf-bridging.patch ]; - _propagatedSandboxProfile = stdenv.lib.sandbox.importProfile (generateFrameworkProfile "CoreFoundation"); + __propagatedImpureHostDeps = "/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation"; preBuild = '' substituteInPlace Makefile \ diff --git a/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix b/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix index 2b2a9148f226..a0261875c102 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix @@ -81,7 +81,7 @@ in appleDerivation { ]; # ps uses this syscall to get process info - _propagatedSandboxProfile = stdenv.lib.sandbox.allow "mach-priv-task-port"; + propagatedSandboxProfile = stdenv.lib.sandbox.allow "mach-priv-task-port"; meta = { platforms = stdenv.lib.platforms.darwin; diff --git a/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix b/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix index 5fcb6a242044..1fbacfb92845 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix @@ -7,7 +7,7 @@ appleDerivation { propagatedBuildInputs = [ Security ]; - _propagatedSandboxProfile = '' + propagatedSandboxProfile = '' (allow mach-lookup (global-name "com.apple.SystemConfiguration.configd")) ''; 
diff --git a/pkgs/os-specific/darwin/apple-source-releases/default.nix b/pkgs/os-specific/darwin/apple-source-releases/default.nix index 6b7858d374a0..f1b72b4123ff 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/default.nix @@ -54,11 +54,9 @@ let inherit (adv_cmds) ps locale; architecture = applePackage "architecture" "265" "05wz8wmxlqssfp29x203fwfb8pgbdjj1mpz12v508658166yzqj8" {}; bootstrap_cmds = applePackage "bootstrap_cmds" "86" "0xr0296jm1r3q7kbam98h85g23qlfi763z54ahj563n636kyk2wb" {}; - bsdmake = applePackage "bsdmake" "24" "11a9kkhz5bfgi1i8kpdkis78lhc6b5vxmhd598fcdgra1jw4iac2" {}; + bsdmake = applePackage "bsdmake" "24" "11a9kkhz5bfgi1i8kpdkis78lhc6b5vxmhd598fcdgra1jw4iac2" {}; CarbonHeaders = applePackage "CarbonHeaders" "9A581" "1hc0yijlpwq39x5bic6nnywqp2m1wj1f11j33m2q7p505h1h740c" {}; - CF = applePackage "CF" "855.17" "1sadmxi9fsvsmdyxvg2133sdzvkzwil5fvyyidxsyk1iyfzqsvln" { - inherit (pkgs.darwin.apple_sdk) generateFrameworkProfile; - }; + CF = applePackage "CF" "855.17" "1sadmxi9fsvsmdyxvg2133sdzvkzwil5fvyyidxsyk1iyfzqsvln" {}; CommonCrypto = applePackage "CommonCrypto" "60049" "1azin6w7cnzl0iv8kd2qzgwcp6a45zy64y5z1i6jysjcl6xmlw2h" {}; configd = applePackage "configd" "453.19" "1gxakahk8gallf16xmhxhprdxkh3prrmzxnmxfvj0slr0939mmr2" {}; copyfile = applePackage "copyfile" "103.92.1" "15i2hw5aqx0fklvmq6avin5s00adacvzqc740vviwc2y742vrdcd" {}; diff --git a/pkgs/stdenv/generic/default.nix b/pkgs/stdenv/generic/default.nix index e3ba2f27f221..850a27962590 100644 --- a/pkgs/stdenv/generic/default.nix +++ b/pkgs/stdenv/generic/default.nix @@ -12,8 +12,8 @@ let lib = import ../../../lib; in lib.makeOverridable ( , extraBuildInputs ? [] , __stdenvImpureHostDeps ? [] , __extraImpureHostDeps ? [] -, _stdenvSandboxProfile ? "" -, _extraSandboxProfile ? "" +, stdenvSandboxProfile ? "" +, extraSandboxProfile ? "" }: let 
@@ -102,8 +102,8 @@ let , outputs ? [ "out" ] , __impureHostDeps ? [] , __propagatedImpureHostDeps ? [] - , _sandboxProfile ? "" - , _propagatedSandboxProfile ? "" + , sandboxProfile ? "" + , propagatedSandboxProfile ? "" , ... } @ attrs: let pos' = @@ -154,12 +154,12 @@ let (removeAttrs attrs ["meta" "passthru" "crossAttrs" "pos" "__impureHostDeps" "__propagatedImpureHostDeps" - "_sandboxProfile" "_propagatedSandboxProfile"]) + "sandboxProfile" "propagatedSandboxProfile"]) // (let computedSandboxProfile = - lib.concatMap (input: input._propagatedSandboxProfile or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs); + lib.concatMap (input: input.__propagatedSandboxProfile or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs); computedPropagatedSandboxProfile = - lib.concatMap (input: input._propagatedSandboxProfile or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs); + lib.concatMap (input: input.__propagatedSandboxProfile or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs); in { builder = attrs.realBuilder or shell; @@ -178,11 +178,11 @@ let (if crossConfig == null then propagatedBuildInputs else []); } // ifDarwin { # TODO: remove lib.unique once nix has a list canonicalization primitive - _sandboxProfile = - let profiles = [ _extraSandboxProfile ] ++ computedSandboxProfile ++ computedPropagatedSandboxProfile ++ [ _propagatedSandboxProfile _sandboxProfile ]; + __sandboxProfile = + let profiles = [ extraSandboxProfile ] ++ computedSandboxProfile ++ computedPropagatedSandboxProfile ++ [ propagatedSandboxProfile sandboxProfile ]; final = lib.concatStringsSep "\n" (lib.filter (x: x != "") (lib.unique profiles)); in final; - _propagatedSandboxProfile = lib.unique (computedPropagatedSandboxProfile ++ [ _propagatedSandboxProfile ]); + __propagatedSandboxProfile = lib.unique (computedPropagatedSandboxProfile ++ [ propagatedSandboxProfile ]); } // (if outputs' != [ "out" ] then { outputs = outputs'; } else { })))) ( 
@@ -219,7 +219,7 @@ let inherit preHook initialPath shell defaultNativeBuildInputs; } // ifDarwin { - _sandboxProfile = _stdenvSandboxProfile; + __sandboxProfile = stdenvSandboxProfile; }) // rec { diff --git a/pkgs/stdenv/pure-darwin/default.nix b/pkgs/stdenv/pure-darwin/default.nix index 39ff3ebddb1e..bc3b433e9226 100644 --- a/pkgs/stdenv/pure-darwin/default.nix +++ b/pkgs/stdenv/pure-darwin/default.nix @@ -50,7 +50,7 @@ in rec { inherit (bootstrapFiles) mkdir bzip2 cpio; - _sandboxProfile = binShClosure + libSystemProfile; + __sandboxProfile = binShClosure + libSystemProfile; }; stageFun = step: last: {shell ? "${bootstrapTools}/bin/sh", @@ -93,8 +93,8 @@ in rec { }; # The stdenvs themselves don't use mkDerivation, so I need to specify this here - _stdenvSandboxProfile = binShClosure + libSystemProfile; - _extraSandboxProfile = binShClosure + libSystemProfile; + stdenvSandboxProfile = binShClosure + libSystemProfile; + extraSandboxProfile = binShClosure + libSystemProfile; extraAttrs = { inherit platform; }; overrides = pkgs: (overrides pkgs) // { fetchurl = thisStdenv.fetchurlBoot; }; @@ -269,8 +269,8 @@ in rec { export PATH_LOCALE=${pkgs.darwin.locale}/share/locale ''; - _stdenvSandboxProfile = binShClosure + libSystemProfile; - _extraSandboxProfile = binShClosure + libSystemProfile; + stdenvSandboxProfile = binShClosure + libSystemProfile; + extraSandboxProfile = binShClosure + libSystemProfile; initialPath = import ../common-path.nix { inherit pkgs; }; shell = "${pkgs.bash}/bin/bash"; From f5609a4d2ab02a1a39499e78e65ab2ea1f93ff10 Mon Sep 17 00:00:00 2001 From: Jude Taylor Date: Sat, 21 Nov 2015 15:51:48 -0800 Subject: [PATCH 44/61] reintroduce impure host deps to all derivations --- pkgs/os-specific/darwin/apple-sdk/default.nix | 2 +- .../darwin/apple-source-releases/CF/default.nix | 2 +- pkgs/stdenv/generic/default.nix | 12 ++++++++++++ 3 files changed, 14 insertions(+), 2 deletions(-) 
diff --git a/pkgs/os-specific/darwin/apple-sdk/default.nix b/pkgs/os-specific/darwin/apple-sdk/default.nix index f1e3556273e5..7c3d1482f818 100644 --- a/pkgs/os-specific/darwin/apple-sdk/default.nix +++ b/pkgs/os-specific/darwin/apple-sdk/default.nix @@ -100,7 +100,7 @@ let (allow file-read* (subpath "/System/Library/Frameworks/${name}.framework")) ''; - __propagatedImpureHostDeps = "/System/Library/Frameworks/${name}.framework/${name}"; + __propagatedImpureHostDeps = [ "/System/Library/Frameworks/${name}.framework/${name}" ]; meta = with stdenv.lib; { description = "Apple SDK framework ${name}"; diff --git a/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix b/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix index aededa1a0736..3993a360156a 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix @@ -8,7 +8,7 @@ appleDerivation { patches = [ ./add-cf-initialize.patch ./add-cfmachport.patch ./cf-bridging.patch ]; - __propagatedImpureHostDeps = "/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation"; + __propagatedImpureHostDeps = [ "/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation" ]; preBuild = '' substituteInPlace Makefile \ diff --git a/pkgs/stdenv/generic/default.nix b/pkgs/stdenv/generic/default.nix index 850a27962590..dbb3e25a1472 100644 --- a/pkgs/stdenv/generic/default.nix +++ b/pkgs/stdenv/generic/default.nix 
@@ -160,6 +160,10 @@ let lib.concatMap (input: input.__propagatedSandboxProfile or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs); computedPropagatedSandboxProfile = lib.concatMap (input: input.__propagatedSandboxProfile or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs); + computedImpureHostDeps = + lib.unique (lib.concatMap (input: input.__propagatedImpureHostDeps or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs)); + computedPropagatedImpureHostDeps = + lib.unique (lib.concatMap (input: input.__propagatedImpureHostDeps or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs)); in { builder = attrs.realBuilder or shell; @@ -183,6 +187,13 @@ let final = lib.concatStringsSep "\n" (lib.filter (x: x != "") (lib.unique profiles)); in final; __propagatedSandboxProfile = lib.unique (computedPropagatedSandboxProfile ++ [ propagatedSandboxProfile ]); + __impureHostDeps = computedImpureHostDeps ++ computedPropagatedImpureHostDeps ++ __propagatedImpureHostDeps ++ __impureHostDeps ++ __extraImpureHostDeps ++ [ + "/dev/zero" + "/dev/random" + "/dev/urandom" + "/bin/sh" + ]; + __propagatedImpureHostDeps = computedPropagatedImpureHostDeps ++ __propagatedImpureHostDeps; } // (if outputs' != [ "out" ] then { outputs = outputs'; } else { })))) ( @@ -220,6 +231,7 @@ let } // ifDarwin { __sandboxProfile = stdenvSandboxProfile; + __impureHostDeps = __stdenvImpureHostDeps; }) // rec { From 4cd86cb068558c68308dfeda47fefd7329dd561c Mon Sep 17 00:00:00 2001 From: Jude Taylor Date: Sat, 21 Nov 2015 15:55:19 -0800 Subject: [PATCH 45/61] in cf-private, use correct path to CoreFoundation --- pkgs/os-specific/darwin/cf-private/setup-hook.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/os-specific/darwin/cf-private/setup-hook.sh b/pkgs/os-specific/darwin/cf-private/setup-hook.sh index a83a1323bf83..7594c07977b9 100644 --- a/pkgs/os-specific/darwin/cf-private/setup-hook.sh +++ b/pkgs/os-specific/darwin/cf-private/setup-hook.sh 
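Review bot: `__impureHostDeps` in the `@@ -183` hunk concatenates six lists without `lib.unique`, although `computedImpureHostDeps` and `computedPropagatedImpureHostDeps` are each deduplicated and the sandbox-profile lists directly above also go through `lib.unique`, so the same path can reach the attribute several times; `__propagatedImpureHostDeps` on the next line has the same asymmetry. `__impureHostDeps = lib.unique (computedImpureHostDeps ++ computedPropagatedImpureHostDeps ++ __propagatedImpureHostDeps ++ __impureHostDeps ++ __extraImpureHostDeps ++ [ "/dev/zero" "/dev/random" "/dev/urandom" "/bin/sh" ]);` would match the surrounding style. The four literal paths become a baseline sandbox allowance for every derivation built through this `ifDarwin` block, so a one-line comment stating why each is needed, e.g. `# host paths every Darwin build is allowed to read: the system shell and the zero/entropy devices`, would help whoever later tries to narrow the set. The `let` that defines the computed lists starts before the `@@ -160` hunk.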
@@ -6,7 +6,7 @@ linkWithRealCF() { # gross! many symbols (such as _OBJC_CLASS_$_NSArray) are defined in system CF, but not # in the opensource release # if the package needs private headers, we assume they also want to link with system CF - NIX_LDFLAGS+=" /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation" + NIX_LDFLAGS+=" /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation" } preConfigureHooks+=(prependSearchPath linkWithRealCF) From 32cb70bb0743b81a011bb3e4e33f26ea0caca1a1 Mon Sep 17 00:00:00 2001 From: Jude Taylor Date: Sat, 21 Nov 2015 15:59:43 -0800 Subject: [PATCH 46/61] propagate nothing for Kernel.framework since it exposes no library --- pkgs/os-specific/darwin/apple-sdk/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/os-specific/darwin/apple-sdk/default.nix b/pkgs/os-specific/darwin/apple-sdk/default.nix index 7c3d1482f818..847738158dab 100644 --- a/pkgs/os-specific/darwin/apple-sdk/default.nix +++ b/pkgs/os-specific/darwin/apple-sdk/default.nix @@ -100,7 +100,7 @@ let (allow file-read* (subpath "/System/Library/Frameworks/${name}.framework")) ''; - __propagatedImpureHostDeps = [ "/System/Library/Frameworks/${name}.framework/${name}" ]; + __propagatedImpureHostDeps = stdenv.lib.optional (name != "Kernel") "/System/Library/Frameworks/${name}.framework/${name}"; meta = with stdenv.lib; { description = "Apple SDK framework ${name}"; From e3a036225d28accbb5f059a6fde0e2d416671bc4 Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Sun, 22 Nov 2015 13:41:22 +0100 Subject: [PATCH 47/61] Fix: remove trailing ; --- pkgs/tools/misc/coreutils/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/tools/misc/coreutils/default.nix b/pkgs/tools/misc/coreutils/default.nix index c9aacd0ba6b8..0943c1a026b3 100644 --- a/pkgs/tools/misc/coreutils/default.nix +++ b/pkgs/tools/misc/coreutils/default.nix @@ -105,4 +105,4 @@ let }; }; in - self; + self 
From 1752268aed984552e0e2b7bcb1f90b61d61ece8b Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Sun, 22 Nov 2015 23:58:10 +0100 Subject: [PATCH 48/61] SmartOS: Fix pkgconfig 0.29 build --- pkgs/development/tools/misc/pkgconfig/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/tools/misc/pkgconfig/default.nix b/pkgs/development/tools/misc/pkgconfig/default.nix index eabcebad31d0..c82a626336f6 100644 --- a/pkgs/development/tools/misc/pkgconfig/default.nix +++ b/pkgs/development/tools/misc/pkgconfig/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation (rec { buildInputs = stdenv.lib.optional (stdenv.isCygwin || stdenv.isDarwin || stdenv.isSunOS) libiconv; configureFlags = [ "--with-internal-glib" ] - ++ stdenv.lib.optional (stdenv.isSunOS) "--with-libiconv=gnu"; + ++ stdenv.lib.optional (stdenv.isSunOS) [ "--with-libiconv=gnu" "--with-system-library-path" "--with-system-include-path" "CFLAGS=-DENABLE_NLS" ]; patches = (if vanilla then [] else [ # Process Requires.private properly, see From d510109c54e32137197dd85b84f67c805650f951 Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Sun, 22 Nov 2015 23:58:37 +0100 Subject: [PATCH 49/61] SmartOS: texinfo: Fix build and make configureFlags target optional. --- pkgs/development/tools/misc/texinfo/6.0.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/development/tools/misc/texinfo/6.0.nix b/pkgs/development/tools/misc/texinfo/6.0.nix index 3aa77fd2e5fa..11e822291e8d 100644 --- a/pkgs/development/tools/misc/texinfo/6.0.nix +++ b/pkgs/development/tools/misc/texinfo/6.0.nix 
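Review bot: `stdenv.lib.optional (stdenv.isSunOS) [ ... ]` wraps the four flags in a second list, so `configureFlags` becomes `[ "--with-internal-glib" [ ... ] ]` rather than a flat list; `optional` takes a single element, and the list form is `++ stdenv.lib.optionals stdenv.isSunOS [ "--with-libiconv=gnu" "--with-system-library-path" "--with-system-include-path" "CFLAGS=-DENABLE_NLS" ];`. Nix most likely flattens the nested list when it coerces the attribute into the builder environment, which is why the build still works, but the texinfo change later in this series already uses `optionals` for exactly this case, and the w3m change (`++ optional (graphicsSupport && !x11Support) [ ./no-x11.patch ]` in `patches`) repeats the wrapping. The `stdenv.mkDerivation` attribute set continues outside the hunk.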
@@ -9,17 +9,17 @@ stdenv.mkDerivation rec { }; buildInputs = [ perl xz ] - ++ stdenv.lib.optional stdenv.isSunOS libiconv + ++ stdenv.lib.optionals stdenv.isSunOS [ libiconv gawk ] ++ stdenv.lib.optional interactive ncurses; - configureFlags = "AWK=${gawk}/bin/awk"; + configureFlags = stdenv.lib.optionalString stdenv.isSunOS "AWK=${gawk}/bin/awk"; preInstall = '' installFlags="TEXMF=$out/texmf-dist"; installTargets="install install-tex"; ''; - doCheck = !stdenv.isDarwin && !interactive; + doCheck = !stdenv.isDarwin && !interactive && !stdenv.isSunOS/*flaky*/; meta = { homepage = "http://www.gnu.org/software/texinfo/"; From baf7fdcb753fc57058ba27fc335b2798fbac804a Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Mon, 23 Nov 2015 00:05:58 +0100 Subject: [PATCH 50/61] SmartOS: bison: make help2man target specific dependency --- pkgs/development/tools/parsing/bison/3.x.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/tools/parsing/bison/3.x.nix b/pkgs/development/tools/parsing/bison/3.x.nix index 8e7d65b81ff0..ee0074140178 100644 --- a/pkgs/development/tools/parsing/bison/3.x.nix +++ b/pkgs/development/tools/parsing/bison/3.x.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "b67fd2daae7a64b5ba862c66c07c1addb9e6b1b05c5f2049392cfd8a2172952e"; }; - nativeBuildInputs = [ m4 perl help2man ]; + nativeBuildInputs = [ m4 perl ] ++ stdenv.lib.optional stdenv.isSunOS help2man; propagatedBuildInputs = [ m4 ]; meta = { From 5f25c63bfd599228748726b2ba7d43754f5a0b3b Mon Sep 17 00:00:00 2001 From: "Matthias C. M. Troffaes" Date: Mon, 23 Nov 2015 11:23:37 +0000 Subject: [PATCH 51/61] Revert "bzip2: fix cross build on mingw by using autoconf patch" This reverts commit 094c374941e68bf667719da15c655f148840ebab. --- pkgs/tools/compression/bzip2/default.nix | 64 ++++++++++++++++-------- 1 file changed, 44 insertions(+), 20 deletions(-) 
diff --git a/pkgs/tools/compression/bzip2/default.nix b/pkgs/tools/compression/bzip2/default.nix index 286ad16cc861..a485bf5eab68 100644 --- a/pkgs/tools/compression/bzip2/default.nix +++ b/pkgs/tools/compression/bzip2/default.nix @@ -1,7 +1,11 @@ -{ stdenv, fetchurl, libtool, autoconf, automake, pkgconfig, gnum4 }: +{ stdenv, fetchurl, linkStatic ? false }: let version = "1.0.6"; + + sharedLibrary = !stdenv.isDarwin && !(stdenv ? isStatic) + && stdenv.system != "i686-cygwin" && !linkStatic; + in stdenv.mkDerivation { name = "bzip2-${version}"; 
@@ -10,30 +14,50 @@ in stdenv.mkDerivation { sha256 = "1kfrc7f0ja9fdn6j1y6yir6li818npy6217hvr3wzmnmzhs8z152"; }; - patches = [ - # original upstream for the autoconf patch is here: - # http://ftp.suse.com/pub/people/sbrabec/bzip2/for_downstream/bzip2-1.0.6-autoconfiscated.patch - # but we get the mingw-builds version of the patch, which fixes - # a few more issues - (fetchurl { - url = "https://raw.githubusercontent.com/niXman/mingw-builds/17ae841dcf6e72badad7941a06d631edaf687436/patches/bzip2/bzip2-1.0.6-autoconfiscated.patch"; - sha256 = "1flbd3i8vg9kzq0a712qcg9j2c4ymnqvgd0ldyafpzvbqj1iicnp"; - }) - ]; - - patchFlags = "-p0"; - - nativeBuildInputs = [ libtool autoconf automake gnum4 pkgconfig ]; - - preConfigure = "sh ./autogen.sh"; - crossAttrs = { - # https://github.com/niXman/mingw-builds/blob/master/patches/bzip2/bzip2-1.0.5-slash.patch - postPatch = '' + patchPhase = '' sed -i -e '//s|\\|/|' bzip2.c + sed -i -e 's/CC=gcc/CC=${stdenv.cross.config}-gcc/' \ + -e 's/AR=ar/AR=${stdenv.cross.config}-ar/' \ + -e 's/RANLIB=ranlib/RANLIB=${stdenv.cross.config}-ranlib/' \ + -e 's/bzip2recover test/bzip2recover/' \ + Makefile* ''; }; + preBuild = stdenv.lib.optionalString sharedLibrary '' + make -f Makefile-libbz2_so + ''; + + preInstall = stdenv.lib.optionalString sharedLibrary '' + mkdir -p $out/lib + mv libbz2.so* $out/lib + ( cd $out/lib && + ln -s libbz2.so.1.0.? libbz2.so && + ln -s libbz2.so.1.0.? 
libbz2.so.1 + ) + ''; + + installFlags = [ "PREFIX=$(out)" ]; + + postInstall = '' + rm $out/bin/bunzip2* $out/bin/bzcat* + ln -s bzip2 $out/bin/bunzip2 + ln -s bzip2 $out/bin/bzcat + ''; + + patchPhase = stdenv.lib.optionalString stdenv.isDarwin '' + substituteInPlace Makefile --replace 'CC=gcc' 'CC=clang' + ''; + + preConfigure = '' + substituteInPlace Makefile --replace '$(PREFIX)/man' '$(PREFIX)/share/man' + ''; + + makeFlags = stdenv.lib.optional linkStatic "LDFLAGS=-static"; + + inherit linkStatic; + meta = { homepage = "http://www.bzip.org"; description = "high-quality data compression program"; From aeb3d8ce4c9fcb26e18b96d90f5d4bdb7a1cc230 Mon Sep 17 00:00:00 2001 From: "Matthias C. M. Troffaes" Date: Mon, 23 Nov 2015 11:25:03 +0000 Subject: [PATCH 52/61] bzip2: fix cross build on mingw by using autoconf patch --- pkgs/tools/compression/bzip2/default.nix | 26 +++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/pkgs/tools/compression/bzip2/default.nix b/pkgs/tools/compression/bzip2/default.nix index a485bf5eab68..3e835c30e3d7 100644 --- a/pkgs/tools/compression/bzip2/default.nix +++ b/pkgs/tools/compression/bzip2/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, linkStatic ? false }: +{ stdenv, fetchurl, libtool, autoconf, automake, gnum4, linkStatic ? false }: let version = "1.0.6"; 
@@ -15,14 +15,26 @@ in stdenv.mkDerivation { }; crossAttrs = { - patchPhase = '' + buildInputs = [ libtool autoconf automake gnum4 ]; + patches = [ + # original upstream for the autoconf patch is here: + # http://ftp.suse.com/pub/people/sbrabec/bzip2/for_downstream/bzip2-1.0.6-autoconfiscated.patch + # but we get the mingw-builds version of the patch, which fixes + # a few more issues + (fetchurl { + url = "https://raw.githubusercontent.com/niXman/mingw-builds/17ae841dcf6e72badad7941a06d631edaf687436/patches/bzip2/bzip2-1.0.6-autoconfiscated.patch"; + sha256 = "1flbd3i8vg9kzq0a712qcg9j2c4ymnqvgd0ldyafpzvbqj1iicnp"; + }) + ]; + patchFlags = "-p0"; + postPatch = '' sed -i -e '//s|\\|/|' bzip2.c - sed -i -e 's/CC=gcc/CC=${stdenv.cross.config}-gcc/' \ - -e 's/AR=ar/AR=${stdenv.cross.config}-ar/' \ - -e 's/RANLIB=ranlib/RANLIB=${stdenv.cross.config}-ranlib/' \ - -e 's/bzip2recover test/bzip2recover/' \ - Makefile* ''; + preConfigure = "sh ./autogen.sh"; + # clear native hooks that are not needed with autoconf + preBuild = ""; + preInstall = ""; + postInstall = ""; }; preBuild = stdenv.lib.optionalString sharedLibrary '' From 1a3689b87e82a3f4fe38e8b775b4cd865fef71ab Mon Sep 17 00:00:00 2001 From: Jude Taylor Date: Mon, 23 Nov 2015 12:24:04 -0800 Subject: [PATCH 53/61] fix an evaluation issue --- pkgs/top-level/all-packages.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index d7a83d8cb217..9364e2c466cd 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -5493,7 +5493,7 @@ let cmake-2_8 = callPackage ../development/tools/build-managers/cmake/2.8.nix { wantPS = stdenv.isDarwin; - ps = if stdenv.isDarwin then darwin.adv_cmds else null; + inherit (darwin) ps; }; cmake = callPackage ../development/tools/build-managers/cmake { From c9f77f2b487de1b627ee367ef17e25332bdf34a1 Mon Sep 17 00:00:00 2001 
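Review bot: Inside `crossAttrs`, the autotools that `preConfigure = "sh ./autogen.sh"` runs on the build machine are listed in `buildInputs = [ libtool autoconf automake gnum4 ];`, while the revision reverted by the preceding patch had them in `nativeBuildInputs`, which is the set meant for build-time tools in a cross build; `nativeBuildInputs = [ libtool autoconf automake gnum4 ];` looks like the intended line. The argument list in the previous hunk also no longer takes `pkgconfig`, which the reverted revision listed next to the other autotools; if `autogen.sh` or the autoconfiscated `configure` expects the pkg-config macros, that will only surface at configure time for the cross build. Pinning the fetched patch to a full commit hash plus `sha256` is the right way to pull in a third-party patch. The `stdenv.mkDerivation` attribute set continues before and after this hunk.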
From: Jude Taylor Date: Mon, 23 Nov 2015 12:26:50 -0800 Subject: [PATCH 54/61] fix another evaluation issue --- pkgs/top-level/python-packages.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix index b0c5277274d3..9d0b04fb7404 100644 --- a/pkgs/top-level/python-packages.nix +++ b/pkgs/top-level/python-packages.nix @@ -9232,7 +9232,7 @@ let meta = { description = "A module for monitoring memory usage of a python program"; homepage = http://pypi.python.org/pypi/memory_profiler; - license = licenses.bsd; + license = licenses.bsd3; }; }; From d539d9c935813a8d71d8c6e660a60f07a5ab15a5 Mon Sep 17 00:00:00 2001 From: Jude Taylor Date: Wed, 25 Nov 2015 10:09:35 -0800 Subject: [PATCH 55/61] revert to __impureHostDeps where possible --- pkgs/applications/editors/vim/default.nix | 2 +- pkgs/os-specific/darwin/apple-sdk/default.nix | 4 +--- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/pkgs/applications/editors/vim/default.nix b/pkgs/applications/editors/vim/default.nix index 363413a698e8..a09eb846e500 100644 --- a/pkgs/applications/editors/vim/default.nix +++ b/pkgs/applications/editors/vim/default.nix @@ -43,7 +43,7 @@ stdenv.mkDerivation rec { ]; }; - sandboxProfile = stdenv.lib.sandbox.allowFileRead "/dev/ptmx"; + __impureHostDeps = [ "/dev/ptmx" ]; # To fix the trouble in vim73, that it cannot cross-build with this patch # to bypass a configure script check that cannot be done cross-building. diff --git a/pkgs/os-specific/darwin/apple-sdk/default.nix b/pkgs/os-specific/darwin/apple-sdk/default.nix index 847738158dab..c18d3f6cc6d3 100644 --- a/pkgs/os-specific/darwin/apple-sdk/default.nix +++ b/pkgs/os-specific/darwin/apple-sdk/default.nix 
@@ -96,9 +96,7 @@ let propagatedBuildInputs = deps; # allows building the symlink tree - sandboxProfile = '' - (allow file-read* (subpath "/System/Library/Frameworks/${name}.framework")) - ''; + __impureHostDeps = [ "/System/Library/Frameworks/${name}.framework" ]; __propagatedImpureHostDeps = stdenv.lib.optional (name != "Kernel") "/System/Library/Frameworks/${name}.framework/${name}"; From 8a779f345143a3c5451058603ec0e9e22b211c5a Mon Sep 17 00:00:00 2001 From: Jude Taylor Date: Wed, 25 Nov 2015 10:09:52 -0800 Subject: [PATCH 56/61] libdevil: fix build in clang stdenvs --- pkgs/development/libraries/libdevil/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/libdevil/default.nix b/pkgs/development/libraries/libdevil/default.nix index 996301988859..3b63ba98f572 100644 --- a/pkgs/development/libraries/libdevil/default.nix +++ b/pkgs/development/libraries/libdevil/default.nix @@ -23,6 +23,8 @@ stdenv.mkDerivation rec { preConfigure = '' sed -i 's, -std=gnu99,,g' configure sed -i 's,malloc.h,stdlib.h,g' src-ILU/ilur/ilur.c + '' + stdenv.lib.optionalString stdenv.cc.isClang '' + sed -i 's/libIL_la_CXXFLAGS = $(AM_CFLAGS)/libIL_la_CXXFLAGS =/g' lib/Makefile.in ''; postConfigure = '' From 2b97070986967bab185af7a5a4f17f67e30af6f7 Mon Sep 17 00:00:00 2001 From: Jude Taylor Date: Wed, 25 Nov 2015 11:57:55 -0800 Subject: [PATCH 57/61] build python-novaclient on darwin --- pkgs/top-level/python-packages.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix index 9d0b04fb7404..549faf56fee1 100644 --- a/pkgs/top-level/python-packages.nix +++ b/pkgs/top-level/python-packages.nix 
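Review bot: The removed `sandboxProfile` allowed `file-read*` on `(subpath "/System/Library/Frameworks/${name}.framework")`, i.e. the whole framework tree, whereas the new line puts the framework directory into `__impureHostDeps`; whether that yields the same recursive read access depends on how the sandbox expands `__impureHostDeps` entries, which nothing in this hunk shows. If an entry is granted only as a literal path, the symlink-tree build that the `# allows building the symlink tree` comment refers to loses access to the files beneath the directory, so this is worth confirming on a Darwin build before relying on it. The vim change in the same commit (`__impureHostDeps = [ "/dev/ptmx" ]`) names a single device node and does not raise the question. The `mkDerivation` attribute set continues outside the hunk.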
@@ -9815,6 +9815,8 @@ let monotonic = buildPythonPackage rec { name = "monotonic-0.4"; + __propagatedImpureHostDeps = stdenv.lib.optional stdenv.isDarwin "/usr/lib/libc.dylib"; + src = pkgs.fetchurl { url = "http://pypi.python.org/packages/source/m/monotonic/${name}.tar.gz"; sha256 = "1diab6hfh3jpa1f0scpqaqrawk4g97ss4v7gkn2yw8znvdm6abw5"; @@ -11944,9 +11946,9 @@ let }; propagatedBuildInputs = with self; [ - pbr Babel six iso8601 debtcollector pyinotify + pbr Babel six iso8601 debtcollector oslo-utils oslo-i18n oslo-config oslo-serialization oslo-context - ]; + ] ++ stdenv.lib.optional stdenv.isLinux pyinotify; buildInputs = with self; [ oslotest oslosphinx ]; patchPhase = '' sed -i 's@python@${python.interpreter}@' .testr.conf From caed1528a3beb14b349bdfd76ce1caf7b7f9ea50 Mon Sep 17 00:00:00 2001 From: Jan Malakhovski Date: Tue, 18 Aug 2015 20:37:49 +0000 Subject: [PATCH 58/61] w3m: fix w3mimgdisplay, refactor the expression, make batch and nox versions, use batch version where appropriate --- .../networking/browsers/w3m/default.nix | 36 +++++++++++-------- .../networking/browsers/w3m/no-x11.patch | 15 ++++++++ pkgs/top-level/all-packages.nix | 26 +++++++++++--- 3 files changed, 59 insertions(+), 18 deletions(-) create mode 100644 pkgs/applications/networking/browsers/w3m/no-x11.patch diff --git a/pkgs/applications/networking/browsers/w3m/default.nix b/pkgs/applications/networking/browsers/w3m/default.nix index 32deafffe907..e71a733970ee 100644 --- a/pkgs/applications/networking/browsers/w3m/default.nix +++ b/pkgs/applications/networking/browsers/w3m/default.nix 
@@ -1,16 +1,18 @@ { stdenv, fetchurl -, sslSupport ? true -, graphicsSupport ? false -, mouseSupport ? false -, ncurses, openssl ? null, boehmgc, gettext, zlib -, imlib2 ? null, xlibsWrapper ? null, fbcon ? null -, gpm-ncurses ? null +, ncurses, boehmgc, gettext, zlib +, sslSupport ? true, openssl ? null +, graphicsSupport ? true, imlib2 ? null +, x11Support ? graphicsSupport, libX11 ? null +, mouseSupport ? true, gpm-ncurses ? null }: assert sslSupport -> openssl != null; -assert graphicsSupport -> imlib2 != null && (xlibsWrapper != null || fbcon != null); +assert graphicsSupport -> imlib2 != null; +assert x11Support -> graphicsSupport && libX11 != null; assert mouseSupport -> gpm-ncurses != null; +with stdenv.lib; + stdenv.mkDerivation rec { name = "w3m-0.5.3"; 
@@ -24,16 +26,19 @@ stdenv.mkDerivation rec { patches = [ ./glibc214.patch ] # Patch for the newer unstable boehm-gc 7.2alpha. Not all platforms use that # alpha. At the time of writing this, boehm-gc-7.1 is the last stable. - ++ stdenv.lib.optional (boehmgc.name != "boehm-gc-7.1") [ ./newgc.patch ] - ++ stdenv.lib.optional stdenv.isCygwin ./cygwin.patch; + ++ optional (boehmgc.name != "boehm-gc-7.1") [ ./newgc.patch ] + ++ optional stdenv.isCygwin ./cygwin.patch + # for frame buffer only version + ++ optional (graphicsSupport && !x11Support) [ ./no-x11.patch ]; buildInputs = [ncurses boehmgc gettext zlib] - ++ stdenv.lib.optional sslSupport openssl - ++ stdenv.lib.optional mouseSupport gpm-ncurses - ++ stdenv.lib.optionals graphicsSupport [imlib2 xlibsWrapper fbcon]; + ++ optional sslSupport openssl + ++ optional mouseSupport gpm-ncurses + ++ optional graphicsSupport imlib2 + ++ optional x11Support libX11; configureFlags = "--with-ssl=${openssl} --with-gc=${boehmgc}" - + stdenv.lib.optionalString graphicsSupport " --enable-image=x11,fb"; + + optionalString graphicsSupport " --enable-image=${optionalString x11Support "x11,"}fb"; preConfigure = '' substituteInPlace ./configure --replace "/lib /usr/lib /usr/local/lib /usr/ucblib /usr/ccslib /usr/ccs/lib /lib64 /usr/lib64" /no-such-path @@ -42,7 +47,10 @@ stdenv.mkDerivation rec { enableParallelBuilding = false; - meta = with stdenv.lib; { + # for w3mimgdisplay + LIBS = optionalString x11Support "-lX11"; + + meta = { homepage = http://w3m.sourceforge.net/; description = "A text-mode web browser"; maintainers = [ maintainers.mornfall ]; diff --git a/pkgs/applications/networking/browsers/w3m/no-x11.patch b/pkgs/applications/networking/browsers/w3m/no-x11.patch new file mode 100644 index 000000000000..83b3e96821f5 --- /dev/null +++ b/pkgs/applications/networking/browsers/w3m/no-x11.patch 
@@ -0,0 +1,15 @@ +Forget about X11 in fb module. +This breaks w3mimgdisplay under X11, but removes X11 dependency it in pure fb. +diff --git a/w3mimg/fb/fb_imlib2.c b/w3mimg/fb/fb_imlib2.c +index ea36637..d3d7bc3 100644 +--- a/w3mimg/fb/fb_imlib2.c ++++ b/w3mimg/fb/fb_imlib2.c +@@ -3,7 +3,7 @@ + fb_imlib2.c 0.3 Copyright (C) 2002, hito + **************************************************************************/ + +-#include ++#define X_DISPLAY_MISSING + #include + #include "fb.h" + #include "fb_img.h" diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 71535d831678..f372eaad368e 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -924,6 +924,7 @@ let asciidoc = callPackage ../tools/typesetting/asciidoc { inherit (pythonPackages) matplotlib numpy aafigure recursivePthLoader; + w3m = w3m-batch; enableStandardFeatures = false; }; @@ -3143,7 +3144,9 @@ let stricat = callPackage ../tools/security/stricat { }; - privoxy = callPackage ../tools/networking/privoxy { }; + privoxy = callPackage ../tools/networking/privoxy { + w3m = w3m-batch; + }; swaks = callPackage ../tools/networking/swaks { }; @@ -3597,7 +3600,7 @@ let xmlstarlet = callPackage ../tools/text/xml/xmlstarlet { }; xmlto = callPackage ../tools/typesetting/xmlto { - w3m = w3m.override { graphicsSupport = false; }; + w3m = w3m-batch; }; xmltv = callPackage ../tools/misc/xmltv { }; 
@@ -13388,8 +13391,21 @@ let vym = callPackage ../applications/misc/vym { }; - w3m = callPackage ../applications/networking/browsers/w3m { + w3m = callPackage ../applications/networking/browsers/w3m { }; + + # Should always be the version with the most features + w3m-full = w3m; + + # Version without X11 + w3m-nox = w3m.override { + x11Support = false; + }; + + # Version for batch text processing, not a good browser + w3m-batch = w3m.override { graphicsSupport = false; + x11Support = false; + mouseSupport = false; }; weechat = callPackage ../applications/networking/irc/weechat { @@ -13592,7 +13608,9 @@ let xdg-user-dirs = callPackage ../tools/X11/xdg-user-dirs { }; - xdg_utils = callPackage ../tools/X11/xdg-utils { }; + xdg_utils = callPackage ../tools/X11/xdg-utils { + w3m = w3m-batch; + }; xdotool = callPackage ../tools/X11/xdotool { }; From 244fba351c341dfc76efe3f1e7a7711368e36edd Mon Sep 17 00:00:00 2001 From: Jan Malakhovski Date: Wed, 25 Nov 2015 23:35:36 +0000 Subject: [PATCH 59/61] nixos: use w3m-nox for the manual --- nixos/modules/services/misc/nixos-manual.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/modules/services/misc/nixos-manual.nix b/nixos/modules/services/misc/nixos-manual.nix index 7534eb0ae6a3..3e1f53e79f3e 100644 --- a/nixos/modules/services/misc/nixos-manual.nix +++ b/nixos/modules/services/misc/nixos-manual.nix @@ -117,7 +117,7 @@ in services.mingetty.helpLine = mkIf cfg.showManual "\nPress for the NixOS manual."; - services.nixosManual.browser = mkDefault "${pkgs.w3m}/bin/w3m"; + services.nixosManual.browser = mkDefault "${pkgs.w3m-nox}/bin/w3m"; }; From 01eb385346b09f12994c187af835ee72254640d6 Mon Sep 17 00:00:00 2001 
From: Philip Potter Date: Tue, 10 Nov 2015 07:20:20 +0000 Subject: [PATCH 60/61] certificate-transparency: init at 2015-11-27 libevhtp: 1.2.10 -> 1.2.11 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Package for certificate-transparency This adds openssl support to libevent. Libevent can be compiled without openssl, in which case it just doesn't build the libevent_openssl library. However it seems simpler just to default to including openssl support. This bumps evhtp's version because 1.2.11 provides pkg-config information which makes building certificate-transparency easier. This has been tested with `doCheck = true;`. Signed-off-by: Edward Tjörnhammar --- .../libraries/libevent/default.nix | 4 +- .../libraries/libevhtp/default.nix | 4 +- .../certificate-transparency/default.nix | 57 +++++++++++++++++++ .../protobuf-include-from-env.patch | 14 +++++ pkgs/top-level/all-packages.nix | 2 + 5 files changed, 77 insertions(+), 4 deletions(-) create mode 100644 pkgs/servers/certificate-transparency/default.nix create mode 100644 pkgs/servers/certificate-transparency/protobuf-include-from-env.patch diff --git a/pkgs/development/libraries/libevent/default.nix b/pkgs/development/libraries/libevent/default.nix index 284a09bc9275..bddda9f3eadd 100644 --- a/pkgs/development/libraries/libevent/default.nix +++ b/pkgs/development/libraries/libevent/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, autoreconfHook, python, findutils }: +{ stdenv, fetchurl, autoreconfHook, openssl, python, findutils }: let version = "2.0.22"; in stdenv.mkDerivation { @@ -10,7 +10,7 @@ stdenv.mkDerivation { }; nativeBuildInputs = [ autoreconfHook ]; - buildInputs = [ python ] ++ stdenv.lib.optional stdenv.isCygwin findutils; + buildInputs = [ openssl python ] ++ stdenv.lib.optional stdenv.isCygwin findutils; patchPhase = '' patchShebangs event_rpcgen.py 
diff --git a/pkgs/development/libraries/libevhtp/default.nix b/pkgs/development/libraries/libevhtp/default.nix index f909d6d8ff2f..4765f0b7d9af 100644 --- a/pkgs/development/libraries/libevhtp/default.nix +++ b/pkgs/development/libraries/libevhtp/default.nix @@ -2,13 +2,13 @@ stdenv.mkDerivation rec { name = "libevhtp-${version}"; - version = "1.2.10"; + version = "1.2.11"; src = fetchFromGitHub { owner = "ellzey"; repo = "libevhtp"; rev = version; - sha256 = "0z5cxa65zp89vkaj286gp6fpmc5fylr8bmd17g3j1rgc42nysm6a"; + sha256 = "1rlxdp8w4alcy5ryr7pmw5wi6hv7d64885wwbk1zxhvi64s4x4rg"; }; buildInputs = [ cmake openssl libevent ]; diff --git a/pkgs/servers/certificate-transparency/default.nix b/pkgs/servers/certificate-transparency/default.nix new file mode 100644 index 000000000000..ebfa7427fc00 --- /dev/null +++ b/pkgs/servers/certificate-transparency/default.nix 
@@ -0,0 +1,57 @@
+{ stdenv, pkgs, ...}:
+
+stdenv.mkDerivation rec {
+ name = "certificate-transparency-${version}";
+
+ version = "2015-11-27";
+ rev = "dc5a51e55af989ff5871a6647166d00d0de478ab";
+
+ meta = with stdenv.lib; {
+ homepage = https://www.certificate-transparency.org/;
+ description = "Auditing for TLS certificates.";
+ license = licenses.asl20;
+ platforms = platforms.unix;
+ maintainers = with maintainers; [ philandstuff ];
+ };
+
+ src = pkgs.fetchFromGitHub {
+ owner = "google";
+ repo = "certificate-transparency";
+ rev = rev;
+ sha256 = "14sgc2kcjjsnrykwcjin21h1f3v4kg83w6jqiq9qdm1ha165yhvx";
+ };
+
+ # need to disable regex support in evhtp or building will fail
+ libevhtp_without_regex = stdenv.lib.overrideDerivation pkgs.libevhtp
+ (oldAttrs: {
+ cmakeFlags="-DEVHTP_DISABLE_REGEX:STRING=ON -DCMAKE_C_FLAGS:STRING=-fPIC";
+ });
+
+ buildInputs = with pkgs; [
+ autoconf automake clang_34 pkgconfig
+ glog gmock google-gflags gperftools gtest json_c leveldb
+ libevent libevhtp_without_regex openssl protobuf sqlite
+ ];
+
+ patches = [
+ ./protobuf-include-from-env.patch
+ ];
+
+ doCheck = false;
+
+ preConfigure = ''
+ ./autogen.sh
+ configureFlagsArray=(
+ CC=clang
+ CXX=clang++
+ GMOCK_DIR=${pkgs.gmock}
+ GTEST_DIR=${pkgs.gtest}
+ )
+ '';
+
+ # the default Makefile constructs BUILD_VERSION from `git describe`
+ # which isn't available in the nix build environment
+ makeFlags = "BUILD_VERSION=${version}-${rev}";
+
+ protocFlags = "-I ${pkgs.protobuf}/include";
+}
diff --git a/pkgs/servers/certificate-transparency/protobuf-include-from-env.patch b/pkgs/servers/certificate-transparency/protobuf-include-from-env.patch
new file mode 100644
index 000000000000..a1f9a1849b63
--- /dev/null
+++ b/pkgs/servers/certificate-transparency/protobuf-include-from-env.patch 
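Review bot: `doCheck = false;` contradicts the commit message, which says the package was tested with `doCheck = true;`; either enable the tests or record why they stay off, e.g. `# TODO: state why the test suite is disabled although it passed when packaging`. The expression takes `pkgs` and reads every dependency through it (`pkgs.fetchFromGitHub`, `with pkgs; [ ... ]`), so `callPackage` callers cannot override individual inputs the way the rest of this series does for `w3m` and `procps`; naming them in the argument set, `{ stdenv, fetchFromGitHub, autoconf, automake, clang_34, pkgconfig, ... }:`, is the conventional form. `rev = rev;` is `inherit rev;`, and `libevhtp_without_regex` as a derivation attribute is exported into the build environment where a `let` binding would do. On the positive side, `src` is pinned to a full commit hash and an `sha256`, so the fetched source is reproducible.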
@@ -0,0 +1,14 @@
+Get protobuf include path from environment
+
+--- a/python/Makefile
++++ b/python/Makefile
+@@ -5,7 +5,7 @@ all: ct/proto/client_pb2.py ct/proto/ct_pb2.py ct/proto/tls_options_pb2.py \
+ ct/proto/test_message_pb2.py ct/proto/certificate_pb2.py
+
+ ct/proto/%_pb2.py: ct/proto/%.proto
+- $(PROTOC) $^ -I/usr/include/ -I/usr/local/include -I$(INSTALL_DIR)/include -I. --python_out=.
++ $(PROTOC) $^ $(protocFlags) -I. --python_out=.
+
+ ct/proto/ct_pb2.py: ../proto/ct.proto
+ $(PROTOC) --python_out=ct/proto -I../proto ../proto/ct.proto
+
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index f372eaad368e..8164085003b3 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -760,6 +760,8 @@ let gcdemu = callPackage ../misc/emulators/cdemu/gui.nix { }; + certificate-transparency = callPackage ../servers/certificate-transparency { }; + image-analyzer = callPackage ../misc/emulators/cdemu/analyzer.nix { }; ccnet = callPackage ../tools/networking/ccnet { };
From c20b6846f2ec4b1fe70d62fe99d165476aed65d0 Mon Sep 17 00:00:00 2001
From: Jude Taylor
Date: Mon, 30 Nov 2015 12:54:04 -0800
Subject: [PATCH 61/61] rustc: build on darwin
---
 pkgs/development/compilers/llvm/3.7/llvm.nix | 6 ++++--
 pkgs/development/compilers/rustc/generic.nix | 13 ++++++++-----
 pkgs/top-level/all-packages.nix | 6 +++++-
 3 files changed, 17 insertions(+), 8 deletions(-)
diff --git a/pkgs/development/compilers/llvm/3.7/llvm.nix b/pkgs/development/compilers/llvm/3.7/llvm.nix
index ff038024d10f..060c0f3e8676 100644
--- a/pkgs/development/compilers/llvm/3.7/llvm.nix
+++ b/pkgs/development/compilers/llvm/3.7/llvm.nix
@@ -14,6 +14,7 @@ , compiler-rt_src , libcxxabi , debugVersion ? false +, enableSharedLibraries ? !stdenv.isDarwin }: let 
@@ -46,10 +47,11 @@ in stdenv.mkDerivation rec {
     "-DLLVM_BUILD_TESTS=ON"
     "-DLLVM_ENABLE_FFI=ON"
     "-DLLVM_ENABLE_RTTI=ON"
-  ] ++ stdenv.lib.optionals (!isDarwin) [
+  ] ++ stdenv.lib.optional enableSharedLibraries
     "-DBUILD_SHARED_LIBS=ON"
+  ++ stdenv.lib.optional (!isDarwin)
     "-DLLVM_BINUTILS_INCDIR=${binutils}/include"
-  ] ++ stdenv.lib.optionals ( isDarwin) [
+  ++ stdenv.lib.optionals ( isDarwin) [
     "-DLLVM_ENABLE_LIBCXX=ON"
     "-DCAN_TARGET_i386=false"
   ];
diff --git a/pkgs/development/compilers/rustc/generic.nix b/pkgs/development/compilers/rustc/generic.nix
index 9b3dca42b628..d578facad698 100644
--- a/pkgs/development/compilers/rustc/generic.nix
+++ b/pkgs/development/compilers/rustc/generic.nix
@@ -37,6 +37,8 @@ let version = if isRelease then
 
   name = "rustc-${version}";
 
+  llvmShared = llvmPackages_37.llvm.override { enableSharedLibraries = true; };
+
   platform = if stdenv.system == "i686-linux"
     then "linux-i386"
     else if stdenv.system == "x86_64-linux"
@@ -84,6 +86,8 @@ with stdenv.lib; stdenv.mkDerivation {
 
   __impureHostDeps = [ "/usr/lib/libedit.3.dylib" ];
 
+  NIX_LDFLAGS = stdenv.lib.optionalString stdenv.isDarwin "-rpath ${llvmShared}/lib";
+
   src = if isRelease then
       fetchzip {
         url = "http://static.rust-lang.org/dist/rustc-${version}-src.tar.gz";
@@ -119,7 +123,7 @@ with stdenv.lib; stdenv.mkDerivation {
     # ++ [ "--jemalloc-root=${jemalloc}/lib"
     ++ [ "--default-linker=${stdenv.cc}/bin/cc" "--default-ar=${stdenv.cc.binutils}/bin/ar" ]
     ++ optional (stdenv.cc.cc ? isClang) "--enable-clang"
-    ++ optional (!forceBundledLLVM) "--llvm-root=${llvmPackages_37.llvm}";
+    ++ optional (!forceBundledLLVM) "--llvm-root=${llvmShared}";
 
   inherit patches;
 
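Review bot: The added `NIX_LDFLAGS = stdenv.lib.optionalString stdenv.isDarwin "-rpath ${llvmShared}/lib";` in the `@@ -84` hunk qualifies `stdenv.lib.` although the derivation sits under `with stdenv.lib;` (visible in the hunk header) and the `@@ -119` hunk on the same file already writes `optional (...)` unqualified; `NIX_LDFLAGS = optionalString stdenv.isDarwin "-rpath ${llvmShared}/lib";` matches the file's own style. The `llvmShared` binding introduced in the `@@ -37` hunk carries no explanation, and its purpose is only inferable from the Darwin-specific rpath two hunks later; a comment such as `# LLVM built with shared libraries; the Darwin rpath in NIX_LDFLAGS points at this build` would make the link between the two additions explicit. Whether the shared build is strictly required for rustc on Darwin is not stated anywhere in the commit, so that comment should stay descriptive rather than claim a reason. Both mkDerivation bodies touched here start and end outside the hunks.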
@@ -155,11 +159,10 @@ with stdenv.lib; stdenv.mkDerivation {
     configureFlagsArray+=("--infodir=$out/share/info")
   '';
 
-  # Procps is needed for one of the test cases
-  nativeBuildInputs = [ file python2 ]
-    ++ optionals stdenv.isLinux [ procps ];
+  # ps is needed for one of the test cases
+  nativeBuildInputs = [ file python2 procps ];
 
   buildInputs = [ ncurses ]
-    ++ optional (!forceBundledLLVM) llvmPackages_37.llvm;
+    ++ optional (!forceBundledLLVM) llvmShared;
 
   enableParallelBuilding = true;
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 8164085003b3..6d14317e4038 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -4775,7 +4775,11 @@ let
   rtags = callPackage ../development/tools/rtags/default.nix {};
 
   rustcMaster = callPackage ../development/compilers/rustc/head.nix {};
-  rustc = callPackage ../development/compilers/rustc {};
+  rustc = callPackage ../development/compilers/rustc {
+    callPackage = newScope ({
+      procps = if stdenv.isDarwin then darwin.ps else procps;
+    });
+  };
 
   rustPlatform = rustStable;
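Review bot: `nativeBuildInputs = [ file python2 procps ];` now pulls `procps` in on every platform, and the Darwin build only works because the all-packages.nix hunk further down (cut off at the end of this chunk) rebinds `procps` to `darwin.ps` through `newScope`; nothing in generic.nix records that the name is expected to be substituted at the call site. Extending the new comment, e.g. `# ps is needed for one of the test cases; on Darwin all-packages.nix passes darwin.ps as procps`, keeps that coupling visible to whoever next edits either file. The `rustcMaster` entry in the same all-packages hunk is left with the plain `callPackage` and so would not receive the substitution, which may or may not be intended. The mkDerivation call containing this hunk starts and ends outside it.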
