Merge branch 'master' of github.com:NixOS/nixpkgs
This commit is contained in:
commit
3feac4fd86
@ -4,10 +4,53 @@ with lib;
|
||||
|
||||
{
|
||||
|
||||
options = {
|
||||
|
||||
security.pki.certificateFiles = mkOption {
|
||||
type = types.listOf types.path;
|
||||
default = [];
|
||||
example = literalExample "[ \"\${pkgs.cacert}/etc/ca-bundle.crt\" ]";
|
||||
description = ''
|
||||
A list of files containing trusted root certificates in PEM
|
||||
format. These are concatenated to form
|
||||
<filename>/etc/ssl/certs/ca-bundle.crt</filename>, which is
|
||||
used by many programs that use OpenSSL, such as
|
||||
<command>curl</command> and <command>git</command>.
|
||||
'';
|
||||
};
|
||||
|
||||
security.pki.certificates = mkOption {
|
||||
type = types.listOf types.string;
|
||||
default = [];
|
||||
example = singleton ''
|
||||
NixOS.org
|
||||
=========
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIGUDCCBTigAwIBAgIDD8KWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
|
||||
TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
|
||||
...
|
||||
-----END CERTIFICATE-----
|
||||
'';
|
||||
description = ''
|
||||
A list of trusted root certificates in PEM format.
|
||||
'';
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
config = {
|
||||
|
||||
security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ca-bundle.crt" ];
|
||||
|
||||
environment.etc =
|
||||
[ { source = "${pkgs.cacert}/etc/ca-bundle.crt";
|
||||
[ { source = pkgs.runCommand "ca-bundle.crt"
|
||||
{ files =
|
||||
config.security.pki.certificateFiles ++
|
||||
[ (builtins.toFile "extra.crt" (concatStringsSep "\n" config.security.pki.certificates)) ];
|
||||
}
|
||||
''
|
||||
cat $files > $out
|
||||
'';
|
||||
target = "ssl/certs/ca-bundle.crt";
|
||||
}
|
||||
];
|
||||
|
@ -1,97 +1,6 @@
|
||||
{ buildEnv, nixpkgs, nixpkgs_i686, system
|
||||
, stdenv, glibc, glibc_multi, glibcLocales
|
||||
, bashInteractive, coreutils, less, shadow, su
|
||||
, gawk, gcc, gcc_multi, diffutils, findutils, gnused, gnugrep
|
||||
, gnutar, gzip, bzip2, xz
|
||||
} :
|
||||
{ name, pkgs ? [], profile ? ""
|
||||
, targetPkgs ? null, multiPkgs ? null
|
||||
, extraBuildCommands ? "", extraBuildCommandsMulti ? ""
|
||||
}:
|
||||
|
||||
assert pkgs != [] -> targetPkgs == null && multiPkgs == null;
|
||||
assert targetPkgs != null -> multiPkgs != null;
|
||||
assert multiPkgs != null -> targetPkgs != null;
|
||||
assert targetPkgs != null -> pkgs == [];
|
||||
|
||||
|
||||
# HOWTO:
|
||||
# If pkgs is defined buildFHSChrootEnv will run in legacy mode. This means
|
||||
# it will build all pkgs contained in pkgs and basePkgs and then just merge
|
||||
# all of their contents together via buildEnv.
|
||||
#
|
||||
# The new way is to define both targetPkgs and multiPkgs. These two are
|
||||
# functions which get a pkgs environment supplied and should then return a list
|
||||
# of packages based this environment.
|
||||
# For example: targetPkgs = pkgs: [ pkgs.nmap ];
|
||||
#
|
||||
# All packages (most likeley programs) placed in targetPkgs will only be
|
||||
# installed once--matching the hosts architecture (64bit on x86_64 and 32bit on
|
||||
# x86). These packages will populate the chroot directory tree.
|
||||
#
|
||||
# Packages (most likeley libraries) defined in multiPkgs will be installed once
|
||||
# on x86 systems and twice on x86_64 systems.
|
||||
# On x86 they will just be merge with the packages defined in targetPkgs.
|
||||
# On x86_64 they will be added to targetPkgs and in addition their 32bit
|
||||
# versions will also be installed. The final directory should look as follows:
|
||||
# /lib will include 32bit libraries from multiPkgs
|
||||
# /lib32 will link to /lib
|
||||
# /lib64 will include 64bit libraries from multiPkgs and targetPkgs
|
||||
# /x86 will contain a complete 32bit environment composed by multiPkgs
|
||||
{ stdenv } : { env } :
|
||||
|
||||
let
|
||||
is64Bit = system == "x86_64-linux";
|
||||
# enable multi builds on x86_64 hosts if pakgs_target/multi are defined
|
||||
isMultiBuild = is64Bit && targetPkgs != null;
|
||||
isTargetBuild = !isMultiBuild;
|
||||
|
||||
# list of packages (usually programs) which will only be installed for the
|
||||
# hosts architecture
|
||||
targetPaths = if targetPkgs == null
|
||||
then pkgs
|
||||
else targetPkgs nixpkgs ++ multiPkgs nixpkgs;
|
||||
|
||||
# list of pckages which should be build for both x86 and x86_64 on x86_64
|
||||
# systems
|
||||
multiPaths = if isMultiBuild
|
||||
then multiPkgs nixpkgs_i686
|
||||
else [];
|
||||
|
||||
# base packages of the chroot
|
||||
# these match the hosts architecture, gcc/glibc_multi will be choosen
|
||||
# on multi builds
|
||||
choosenGcc = if isMultiBuild then gcc_multi else gcc;
|
||||
basePkgs =
|
||||
[ (if isMultiBuild then glibc_multi else glibc)
|
||||
choosenGcc
|
||||
bashInteractive coreutils less shadow su
|
||||
gawk diffutils findutils gnused gnugrep
|
||||
gnutar gzip bzip2 xz
|
||||
];
|
||||
|
||||
# Compose a global profile for the chroot environment
|
||||
profilePkg = nixpkgs.stdenv.mkDerivation {
|
||||
name = "${name}-chrootenv-profile";
|
||||
buildCommand = ''
|
||||
mkdir -p $out/etc
|
||||
cat >> $out/etc/profile << "EOF"
|
||||
export PS1='${name}-chrootenv:\u@\h:\w\$ '
|
||||
${profile}
|
||||
EOF
|
||||
'';
|
||||
};
|
||||
|
||||
# Composes a /usr like directory structure
|
||||
staticUsrProfileTarget = buildEnv {
|
||||
name = "system-profile-target";
|
||||
paths = basePkgs ++ [ profilePkg ] ++ targetPaths;
|
||||
};
|
||||
|
||||
staticUsrProfileMulti = buildEnv {
|
||||
name = "system-profile-multi";
|
||||
paths = multiPaths;
|
||||
};
|
||||
|
||||
# References to shell scripts that set up or tear down the environment
|
||||
initSh = ./init.sh.in;
|
||||
mountSh = ./mount.sh.in;
|
||||
@ -99,89 +8,16 @@ let
|
||||
umountSh = ./umount.sh.in;
|
||||
destroySh = ./destroy.sh.in;
|
||||
|
||||
linkProfile = profile: ''
|
||||
for i in ${profile}/{etc,bin,sbin,share,var}; do
|
||||
if [ -x "$i" ]
|
||||
then
|
||||
ln -s "$i"
|
||||
fi
|
||||
done
|
||||
'';
|
||||
|
||||
# the target profile is the actual profile that will be used for the chroot
|
||||
setupTargetProfile = ''
|
||||
${linkProfile staticUsrProfileTarget}
|
||||
${setupLibDirs}
|
||||
|
||||
mkdir -m0755 usr
|
||||
cd usr
|
||||
${linkProfile staticUsrProfileTarget}
|
||||
${setupLibDirs}
|
||||
cd ..
|
||||
'';
|
||||
|
||||
# this will happen on x86_64 host:
|
||||
# /x86 -> links to the whole profile defined by multiPaths
|
||||
# /lib, /lib32 -> links to 32bit binaries
|
||||
# /lib64 -> links to 64bit binaries
|
||||
# /usr/lib* -> same as above
|
||||
setupMultiProfile = if isTargetBuild then "" else ''
|
||||
mkdir -m0755 x86
|
||||
cd x86
|
||||
${linkProfile staticUsrProfileMulti}
|
||||
cd ..
|
||||
'';
|
||||
|
||||
setupLibDirs = if isTargetBuild then setupLibDirs_target
|
||||
else setupLibDirs_multi;
|
||||
|
||||
# setup library paths only for the targeted architecture
|
||||
setupLibDirs_target = ''
|
||||
mkdir -m0755 lib
|
||||
|
||||
# copy content of targetPaths
|
||||
cp -rsf ${staticUsrProfileTarget}/lib/* lib/
|
||||
'';
|
||||
|
||||
# setup /lib, /lib32 and /lib64
|
||||
setupLibDirs_multi = ''
|
||||
mkdir -m0755 lib
|
||||
mkdir -m0755 lib64
|
||||
ln -s lib lib32
|
||||
|
||||
# copy glibc stuff
|
||||
cp -rsf ${staticUsrProfileTarget}/lib/32/* lib/
|
||||
|
||||
# copy content of multiPaths (32bit libs)
|
||||
cp -rsf ${staticUsrProfileMulti}/lib/* lib/
|
||||
|
||||
# copy content of targetPaths (64bit libs)
|
||||
cp -rsf ${staticUsrProfileTarget}/lib/* lib64/
|
||||
|
||||
# most 64bit only libs put their stuff into /lib
|
||||
# some pkgs (like gcc_multi) put 32bit libs into and /lib 64bit libs into /lib64
|
||||
# by overwriting these we will hopefully catch all these cases
|
||||
# in the end /lib should only contain 32bit and /lib64 only 64bit libs
|
||||
cp -rsf ${staticUsrProfileTarget}/lib64/* lib64/
|
||||
|
||||
# copy gcc libs (and may overwrite exitsting wrongly placed libs)
|
||||
cp -rsf ${choosenGcc.cc}/lib/* lib/
|
||||
cp -rsf ${choosenGcc.cc}/lib64/* lib64/
|
||||
'';
|
||||
name = env.pname;
|
||||
|
||||
in stdenv.mkDerivation {
|
||||
name = "${name}-chrootenv";
|
||||
name = "${name}-chrootenv";
|
||||
preferLocalBuild = true;
|
||||
buildCommand = ''
|
||||
mkdir -p "$out/sw"
|
||||
cd "$out/sw"
|
||||
${setupTargetProfile}
|
||||
${setupMultiProfile}
|
||||
cd ..
|
||||
mkdir -p $out/bin
|
||||
cd $out/bin
|
||||
|
||||
mkdir -p bin
|
||||
cd bin
|
||||
|
||||
sed -e "s|@chrootEnv@|$out|g" \
|
||||
sed -e "s|@chrootEnv@|${env}|g" \
|
||||
-e "s|@name@|${name}|g" \
|
||||
-e "s|@shell@|${stdenv.shell}|g" \
|
||||
${initSh} > init-${name}-chrootenv
|
||||
@ -202,18 +38,10 @@ in stdenv.mkDerivation {
|
||||
${umountSh} > umount-${name}-chrootenv
|
||||
chmod +x umount-${name}-chrootenv
|
||||
|
||||
sed -e "s|@chrootEnv@|$out|g" \
|
||||
sed -e "s|@chrootEnv@|${env}|g" \
|
||||
-e "s|@shell@|${stdenv.shell}|g" \
|
||||
-e "s|@name@|${name}|g" \
|
||||
${destroySh} > destroy-${name}-chrootenv
|
||||
chmod +x destroy-${name}-chrootenv
|
||||
|
||||
cd ..
|
||||
|
||||
cd "$out/sw"
|
||||
${extraBuildCommands}
|
||||
cd "$out/sw"
|
||||
${if isMultiBuild then extraBuildCommandsMulti else ""}
|
||||
cd ..
|
||||
'';
|
||||
}
|
||||
|
@ -6,9 +6,9 @@ chrootenvDest=/run/chrootenv/@name@
|
||||
rmdir $chrootenvDest/{dev,nix/store,nix,proc,sys,host-etc,home,var,run,tmp}
|
||||
|
||||
# Remove symlinks to the software that should be part of the chroot system profile
|
||||
for i in @chrootEnv@/sw/*
|
||||
for i in @chrootEnv@/*
|
||||
do
|
||||
if [ "$i" != "@chrootEnv@/sw/etc" ] && [ "$i" != "@chrootEnv@/sw/var" ]
|
||||
if [ "$i" != "@chrootEnv@/etc" ] && [ "$i" != "@chrootEnv@/var" ]
|
||||
then
|
||||
rm $chrootenvDest/$(basename $i)
|
||||
fi
|
||||
|
177
pkgs/build-support/build-fhs-chrootenv/env.nix
Normal file
177
pkgs/build-support/build-fhs-chrootenv/env.nix
Normal file
@ -0,0 +1,177 @@
|
||||
{ nixpkgs, nixpkgs_i686, system
|
||||
} :
|
||||
{ name, pkgs ? [], profile ? ""
|
||||
, targetPkgs ? null, multiPkgs ? null
|
||||
, extraBuildCommands ? "", extraBuildCommandsMulti ? ""
|
||||
}:
|
||||
|
||||
assert pkgs != [] -> targetPkgs == null && multiPkgs == null;
|
||||
assert targetPkgs != null -> multiPkgs != null;
|
||||
assert multiPkgs != null -> targetPkgs != null;
|
||||
assert targetPkgs != null -> pkgs == [];
|
||||
|
||||
|
||||
# HOWTO:
|
||||
# If pkgs is defined buildFHSEnv will run in legacy mode. This means
|
||||
# it will build all pkgs contained in pkgs and basePkgs and then just merge
|
||||
# all of their contents together via buildEnv.
|
||||
#
|
||||
# The new way is to define both targetPkgs and multiPkgs. These two are
|
||||
# functions which get a pkgs environment supplied and should then return a list
|
||||
# of packages based this environment.
|
||||
# For example: targetPkgs = pkgs: [ pkgs.nmap ];
|
||||
#
|
||||
# All packages (most likely programs) placed in targetPkgs will only be
|
||||
# installed once--matching the hosts architecture (64bit on x86_64 and 32bit on
|
||||
# x86). These packages will populate the chroot directory tree.
|
||||
#
|
||||
# Packages (most likeley libraries) defined in multiPkgs will be installed once
|
||||
# on x86 systems and twice on x86_64 systems.
|
||||
# On x86 they will just be merge with the packages defined in targetPkgs.
|
||||
# On x86_64 they will be added to targetPkgs and in addition their 32bit
|
||||
# versions will also be installed. The final directory should look as follows:
|
||||
# /lib will include 32bit libraries from multiPkgs
|
||||
# /lib32 will link to /lib
|
||||
# /lib64 will include 64bit libraries from multiPkgs and targetPkgs
|
||||
# /x86 will contain a complete 32bit environment composed by multiPkgs
|
||||
|
||||
let
|
||||
is64Bit = system == "x86_64-linux";
|
||||
# enable multi builds on x86_64 hosts if pakgs_target/multi are defined
|
||||
isMultiBuild = is64Bit && targetPkgs != null;
|
||||
isTargetBuild = !isMultiBuild;
|
||||
|
||||
# list of packages (usually programs) which will only be installed for the
|
||||
# hosts architecture
|
||||
targetPaths = if targetPkgs == null
|
||||
then pkgs
|
||||
else targetPkgs nixpkgs ++ multiPkgs nixpkgs;
|
||||
|
||||
# list of pckages which should be build for both x86 and x86_64 on x86_64
|
||||
# systems
|
||||
multiPaths = if isMultiBuild
|
||||
then multiPkgs nixpkgs_i686
|
||||
else [];
|
||||
|
||||
# base packages of the chroot
|
||||
# these match the hosts architecture, gcc/glibc_multi will be choosen
|
||||
# on multi builds
|
||||
chosenGcc = if isMultiBuild then nixpkgs.gcc_multi else nixpkgs.gcc;
|
||||
basePkgs = with nixpkgs;
|
||||
[ (if isMultiBuild then glibc_multi else glibc)
|
||||
chosenGcc
|
||||
bashInteractive coreutils less shadow su
|
||||
gawk diffutils findutils gnused gnugrep
|
||||
gnutar gzip bzip2 xz
|
||||
];
|
||||
|
||||
# Compose a global profile for the chroot environment
|
||||
profilePkg = nixpkgs.stdenv.mkDerivation {
|
||||
name = "${name}-chrootenv-profile";
|
||||
buildCommand = ''
|
||||
mkdir -p $out/etc
|
||||
cat >> $out/etc/profile << "EOF"
|
||||
export PS1='${name}-chrootenv:\u@\h:\w\$ '
|
||||
${profile}
|
||||
EOF
|
||||
'';
|
||||
};
|
||||
|
||||
# Composes a /usr like directory structure
|
||||
staticUsrProfileTarget = nixpkgs.buildEnv {
|
||||
name = "system-profile-target";
|
||||
paths = basePkgs ++ [ profilePkg ] ++ targetPaths;
|
||||
};
|
||||
|
||||
staticUsrProfileMulti = nixpkgs.buildEnv {
|
||||
name = "system-profile-multi";
|
||||
paths = multiPaths;
|
||||
};
|
||||
|
||||
linkProfile = profile: ''
|
||||
for i in ${profile}/{etc,bin,sbin,share,var}; do
|
||||
if [ -x "$i" ]
|
||||
then
|
||||
ln -s "$i"
|
||||
fi
|
||||
done
|
||||
'';
|
||||
|
||||
# the target profile is the actual profile that will be used for the chroot
|
||||
setupTargetProfile = ''
|
||||
${linkProfile staticUsrProfileTarget}
|
||||
${setupLibDirs}
|
||||
|
||||
mkdir -m0755 usr
|
||||
cd usr
|
||||
${linkProfile staticUsrProfileTarget}
|
||||
${setupLibDirs}
|
||||
cd ..
|
||||
'';
|
||||
|
||||
# this will happen on x86_64 host:
|
||||
# /x86 -> links to the whole profile defined by multiPaths
|
||||
# /lib, /lib32 -> links to 32bit binaries
|
||||
# /lib64 -> links to 64bit binaries
|
||||
# /usr/lib* -> same as above
|
||||
setupMultiProfile = if isTargetBuild then "" else ''
|
||||
mkdir -m0755 x86
|
||||
cd x86
|
||||
${linkProfile staticUsrProfileMulti}
|
||||
cd ..
|
||||
'';
|
||||
|
||||
setupLibDirs = if isTargetBuild then setupLibDirs_target
|
||||
else setupLibDirs_multi;
|
||||
|
||||
# setup library paths only for the targeted architecture
|
||||
setupLibDirs_target = ''
|
||||
mkdir -m0755 lib
|
||||
|
||||
# copy content of targetPaths
|
||||
cp -rsf ${staticUsrProfileTarget}/lib/* lib/
|
||||
'';
|
||||
|
||||
# setup /lib, /lib32 and /lib64
|
||||
setupLibDirs_multi = ''
|
||||
mkdir -m0755 lib
|
||||
mkdir -m0755 lib64
|
||||
ln -s lib lib32
|
||||
|
||||
# copy glibc stuff
|
||||
cp -rsf ${staticUsrProfileTarget}/lib/32/* lib/
|
||||
|
||||
# copy content of multiPaths (32bit libs)
|
||||
cp -rsf ${staticUsrProfileMulti}/lib/* lib/
|
||||
|
||||
# copy content of targetPaths (64bit libs)
|
||||
cp -rsf ${staticUsrProfileTarget}/lib/* lib64/
|
||||
|
||||
# most 64bit only libs put their stuff into /lib
|
||||
# some pkgs (like gcc_multi) put 32bit libs into and /lib 64bit libs into /lib64
|
||||
# by overwriting these we will hopefully catch all these cases
|
||||
# in the end /lib should only contain 32bit and /lib64 only 64bit libs
|
||||
cp -rsf ${staticUsrProfileTarget}/lib64/* lib64/
|
||||
|
||||
# copy gcc libs (and may overwrite exitsting wrongly placed libs)
|
||||
cp -rsf ${chosenGcc.cc}/lib/* lib/
|
||||
cp -rsf ${chosenGcc.cc}/lib64/* lib64/
|
||||
'';
|
||||
|
||||
in nixpkgs.stdenv.mkDerivation {
|
||||
name = "${name}-fhs";
|
||||
buildCommand = ''
|
||||
mkdir -p $out
|
||||
cd $out
|
||||
${setupTargetProfile}
|
||||
${setupMultiProfile}
|
||||
cd $out
|
||||
${extraBuildCommands}
|
||||
cd $out
|
||||
${if isMultiBuild then extraBuildCommandsMulti else ""}
|
||||
'';
|
||||
preferLocalBuild = true;
|
||||
passthru = {
|
||||
pname = name;
|
||||
};
|
||||
}
|
@ -6,9 +6,9 @@ chrootenvDest=/run/chrootenv/@name@
|
||||
mkdir -p $chrootenvDest/{nix/store,dev,proc,sys,host-etc,home,var,run}
|
||||
|
||||
# Symlink the software that should be part of the chroot system profile
|
||||
for i in @chrootEnv@/sw/*
|
||||
for i in @chrootEnv@/*
|
||||
do
|
||||
if [ "$i" != "@chrootEnv@/sw/etc" ] && [ "$i" != "@chrootEnv@/sw/var" ]
|
||||
if [ "$i" != "@chrootEnv@/etc" ] && [ "$i" != "@chrootEnv@/var" ]
|
||||
then
|
||||
ln -s "$i" "$chrootenvDest"
|
||||
fi
|
||||
@ -18,7 +18,7 @@ done
|
||||
|
||||
mkdir $chrootenvDest/etc
|
||||
|
||||
for i in @chrootEnv@/sw/etc/*
|
||||
for i in @chrootEnv@/etc/*
|
||||
do
|
||||
ln -s "$i" $chrootenvDest/etc
|
||||
done
|
||||
|
175
pkgs/build-support/build-fhs-userenv/chroot-user.rb
Executable file
175
pkgs/build-support/build-fhs-userenv/chroot-user.rb
Executable file
@ -0,0 +1,175 @@
|
||||
#!/usr/bin/env ruby
|
||||
|
||||
# Bind mounts hierarchy: [from, to (relative)]
|
||||
# If 'to' is nil, path will be the same
|
||||
mounts = [ ['/nix/store', nil],
|
||||
['/dev', nil],
|
||||
['/proc', nil],
|
||||
['/sys', nil],
|
||||
['/etc', 'host-etc'],
|
||||
['/home', nil],
|
||||
['/var', nil],
|
||||
['/run', nil],
|
||||
['/root', nil],
|
||||
].map! { |x| [ x[0], x[1].nil? ? x[0].sub(/^\/*/, '') : x[1] ] }
|
||||
|
||||
# Create directories
|
||||
mkdirs = ['tmp',
|
||||
]
|
||||
|
||||
# Symlinks: [from, to (dir)]
|
||||
symlinks =
|
||||
# /etc symlinks: [file name, prefix in host-etc]
|
||||
[ ['passwd', ''],
|
||||
['group', ''],
|
||||
['shadow', ''],
|
||||
['hosts', ''],
|
||||
['resolv.conf', ''],
|
||||
['nsswitch.conf', ''],
|
||||
['pam.d', 'static'],
|
||||
['fonts/fonts.conf', 'static'],
|
||||
['fonts/conf.d/00-nixos.conf', 'static'],
|
||||
].map! { |x| [ "host-etc/#{x[1]}/#{x[0]}", "etc/#{File.dirname x[0]}" ] }
|
||||
|
||||
require 'tmpdir'
|
||||
require 'fileutils'
|
||||
require 'pathname'
|
||||
require 'set'
|
||||
require 'fiddle'
|
||||
|
||||
def write_file(path, str)
|
||||
File.open(path, 'w') { |file| file.write str }
|
||||
end
|
||||
|
||||
# Import C standard library and several needed calls
|
||||
$libc = Fiddle.dlopen nil
|
||||
|
||||
def make_fcall(name, args, output)
|
||||
c = Fiddle::Function.new $libc[name], args, output
|
||||
lambda do |*args|
|
||||
ret = c.call *args
|
||||
raise SystemCallError.new Fiddle.last_error if ret < 0
|
||||
return ret
|
||||
end
|
||||
end
|
||||
|
||||
$fork = make_fcall 'fork', [], Fiddle::TYPE_INT
|
||||
|
||||
CLONE_NEWNS = 0x00020000
|
||||
CLONE_NEWUSER = 0x10000000
|
||||
$unshare = make_fcall 'unshare', [Fiddle::TYPE_INT], Fiddle::TYPE_INT
|
||||
|
||||
MS_BIND = 0x1000
|
||||
MS_REC = 0x4000
|
||||
$mount = make_fcall 'mount', [Fiddle::TYPE_VOIDP,
|
||||
Fiddle::TYPE_VOIDP,
|
||||
Fiddle::TYPE_VOIDP,
|
||||
Fiddle::TYPE_LONG,
|
||||
Fiddle::TYPE_VOIDP],
|
||||
Fiddle::TYPE_INT
|
||||
|
||||
# Read command line args
|
||||
abort "Usage: chrootenv swdir program args..." unless ARGV.length >= 2
|
||||
swdir = Pathname.new ARGV[0]
|
||||
execp = ARGV.drop 1
|
||||
|
||||
# Create temporary directory for root and chdir
|
||||
root = Dir.mktmpdir 'chrootenv'
|
||||
|
||||
# Fork process; we need this to do a proper cleanup because
|
||||
# child process will chroot into temporary directory.
|
||||
# We use imported 'fork' instead of native to overcome
|
||||
# CRuby's meddling with threads; this should be safe because
|
||||
# we don't use threads at all.
|
||||
$cpid = $fork.call
|
||||
if $cpid == 0
|
||||
# Save user UID and GID
|
||||
uid = Process.uid
|
||||
gid = Process.gid
|
||||
|
||||
# Create new mount and user namespaces
|
||||
# CLONE_NEWUSER requires a program to be non-threaded, hence
|
||||
# native fork above.
|
||||
$unshare.call CLONE_NEWNS | CLONE_NEWUSER
|
||||
|
||||
# Map users and groups to the parent namespace
|
||||
write_file '/proc/self/setgroups', 'deny'
|
||||
write_file '/proc/self/uid_map', "#{uid} #{uid} 1"
|
||||
write_file '/proc/self/gid_map', "#{gid} #{gid} 1"
|
||||
|
||||
# Do mkdirs
|
||||
mkdirs.each { |x| FileUtils.mkdir_p x }
|
||||
|
||||
# Do rbind mounts.
|
||||
mounts.each do |x|
|
||||
to = "#{root}/#{x[1]}"
|
||||
FileUtils.mkdir_p to
|
||||
$mount.call x[0], to, nil, MS_BIND | MS_REC, nil
|
||||
end
|
||||
|
||||
# Chroot!
|
||||
Dir.chroot root
|
||||
Dir.chdir '/'
|
||||
|
||||
# Do symlinks
|
||||
symlinks.each do |x|
|
||||
FileUtils.mkdir_p x[1]
|
||||
FileUtils.ln_s x[0], x[1]
|
||||
end
|
||||
|
||||
# Symlink swdir hierarchy
|
||||
mount_dirs = Set.new mounts.map { |x| Pathname.new x[1] }
|
||||
link_swdir = lambda do |swdir, prefix|
|
||||
swdir.find do |path|
|
||||
rel = prefix.join path.relative_path_from(swdir)
|
||||
# Don't symlink anything in binded or symlinked directories
|
||||
Find.prune if mount_dirs.include? rel or rel.symlink?
|
||||
if not rel.directory?
|
||||
# File does not exist; make a symlink and bail out
|
||||
rel.make_symlink path
|
||||
Find.prune
|
||||
end
|
||||
# Recursively follow symlinks
|
||||
link_swdir.call path.readlink, rel if path.symlink?
|
||||
end
|
||||
end
|
||||
link_swdir.call swdir, Pathname.new('')
|
||||
|
||||
# New environment
|
||||
oldenv = ENV.to_h
|
||||
ENV.replace({ 'PS1' => oldenv['PS1'],
|
||||
'TERM' => oldenv['TERM'],
|
||||
'DISPLAY' => oldenv['DISPLAY'],
|
||||
'HOME' => oldenv['HOME'],
|
||||
'PATH' => '/bin:/sbin',
|
||||
'XDG_RUNTIME_DIR' => oldenv['XDG_RUNTIME_DIR'],
|
||||
})
|
||||
|
||||
# Finally, exec!
|
||||
exec *execp
|
||||
end
|
||||
|
||||
# Wait for a child. If we catch a signal, resend it to child and continue
|
||||
# waiting.
|
||||
def wait_child
|
||||
begin
|
||||
Process.wait
|
||||
|
||||
# Return child's exit code
|
||||
if $?.exited?
|
||||
exit $?.exitstatus
|
||||
else
|
||||
exit 1
|
||||
end
|
||||
rescue SignalException => e
|
||||
Process.kill e.signo, $cpid
|
||||
wait_child
|
||||
end
|
||||
end
|
||||
|
||||
begin
|
||||
wait_child
|
||||
ensure
|
||||
# Cleanup
|
||||
FileUtils.rm_rf root, secure: true
|
||||
end
|
37
pkgs/build-support/build-fhs-userenv/default.nix
Normal file
37
pkgs/build-support/build-fhs-userenv/default.nix
Normal file
@ -0,0 +1,37 @@
|
||||
{ writeTextFile, stdenv, ruby } : { env, runScript } :
|
||||
|
||||
let
|
||||
name = env.pname;
|
||||
|
||||
# Sandboxing script
|
||||
chroot-user = writeTextFile {
|
||||
name = "chroot-user";
|
||||
executable = true;
|
||||
destination = "/bin/chroot-user";
|
||||
text = ''
|
||||
#! ${ruby}/bin/ruby
|
||||
${builtins.readFile ./chroot-user.rb}
|
||||
'';
|
||||
};
|
||||
|
||||
in stdenv.mkDerivation {
|
||||
name = "${name}-userenv";
|
||||
buildInputs = [ ruby ];
|
||||
preferLocalBuild = true;
|
||||
buildCommand = ''
|
||||
mkdir -p $out/bin
|
||||
cat > $out/bin/${name} <<EOF
|
||||
#! ${stdenv.shell}
|
||||
exec ${chroot-user}/bin/chroot-user ${env} $out/libexec/run
|
||||
EOF
|
||||
chmod +x $out/bin/${name}
|
||||
|
||||
mkdir -p $out/libexec
|
||||
cat > $out/libexec/run <<EOF
|
||||
#! ${stdenv.shell}
|
||||
source /etc/profile
|
||||
${runScript}
|
||||
EOF
|
||||
chmod +x $out/libexec/run
|
||||
'';
|
||||
}
|
39
pkgs/development/compilers/openjdk/nonreparenting-wm.patch
Normal file
39
pkgs/development/compilers/openjdk/nonreparenting-wm.patch
Normal file
@ -0,0 +1,39 @@
|
||||
--- a/jdk/src/solaris/classes/sun/awt/X11/XWM.java 2014-09-06 18:41:39.018530981 -0400
|
||||
+++ b/jdk/src/solaris/classes/sun/awt/X11/XWM.java 2014-09-06 18:46:43.098540372 -0400
|
||||
@@ -104,7 +104,8 @@
|
||||
COMPIZ_WM = 12,
|
||||
LG3D_WM = 13,
|
||||
CWM_WM = 14,
|
||||
- MUTTER_WM = 15;
|
||||
+ MUTTER_WM = 15,
|
||||
+ OTHER_NONREPARENTING_WM = 16;
|
||||
public String toString() {
|
||||
switch (WMID) {
|
||||
case NO_WM:
|
||||
@@ -596,7 +597,7 @@
|
||||
}
|
||||
|
||||
static boolean isNonReparentingWM() {
|
||||
- return (XWM.getWMID() == XWM.COMPIZ_WM || XWM.getWMID() == XWM.LG3D_WM || XWM.getWMID() == XWM.CWM_WM);
|
||||
+ return (XWM.getWMID() == XWM.COMPIZ_WM || XWM.getWMID() == XWM.LG3D_WM || XWM.getWMID() == XWM.CWM_WM || XWM.getWMID() == XWM.OTHER_NONREPARENTING_WM);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -786,6 +787,9 @@
|
||||
} else if (doIsIceWM && isIceWM()) {
|
||||
awt_wmgr = XWM.ICE_WM;
|
||||
}
|
||||
+ else if (XToolkit.getEnv("_JAVA_AWT_WM_NONREPARENTING") != null) {
|
||||
+ awt_wmgr = XWM.OTHER_NONREPARENTING_WM;
|
||||
+ }
|
||||
/*
|
||||
* We don't check for legacy WM when we already know that WM
|
||||
* supports WIN or _NET wm spec.
|
||||
@@ -1332,6 +1336,7 @@
|
||||
res = new Insets(28, 6, 6, 6);
|
||||
break;
|
||||
case NO_WM:
|
||||
+ case OTHER_NONREPARENTING_WM:
|
||||
case LG3D_WM:
|
||||
res = zeroInsets;
|
||||
break;
|
@ -1,41 +1,41 @@
|
||||
{ stdenv, fetchurl, cpio, file, which, unzip, zip, xorg, cups, freetype, alsaLib, openjdk, cacert, perl } :
|
||||
let
|
||||
update = "25";
|
||||
build = "18";
|
||||
update = "31";
|
||||
build = "13";
|
||||
baseurl = "http://hg.openjdk.java.net/jdk8u/jdk8u";
|
||||
repover = "jdk8u${update}-b${build}";
|
||||
paxflags = if stdenv.isi686 then "msp" else "m";
|
||||
jdk8 = fetchurl {
|
||||
url = "${baseurl}/archive/${repover}.tar.gz";
|
||||
sha256 = "90eb3f3cb7094e609686168ec52ba462ef0f9832a4264bd1575e5896a6dd85c3";
|
||||
sha256 = "824b28c554ce32edbdaa77cc4f21f8ed57542c74c8748b89cd06be43a1537b34";
|
||||
};
|
||||
langtools = fetchurl {
|
||||
url = "${baseurl}/langtools/archive/${repover}.tar.gz";
|
||||
sha256 = "f292afe8540436090489841771259b274e3c36d42f11d0f58ba8082cd24fcc66";
|
||||
sha256 = "3e09a644d2fb38970acf78c72bc201c031d43574b5a3f7e00bec1b11bffec9c4";
|
||||
};
|
||||
hotspot = fetchurl {
|
||||
url = "${baseurl}/hotspot/archive/${repover}.tar.gz";
|
||||
sha256 = "e574567b48f57c5cdeebae6fa22e2482c05446dbf9133e820f2d95e99459ddf2";
|
||||
sha256 = "485b1a88b4b44b468e96211de238a5eed80f7472f91977fc27e2f443a8ab8ed3";
|
||||
};
|
||||
corba = fetchurl {
|
||||
url = "${baseurl}/corba/archive/${repover}.tar.gz";
|
||||
sha256 = "61d0bba710d6803b0368c93bc9182b0b40348eed81d578886a03904baf61ba6f";
|
||||
sha256 = "47b07945d3f534e6b87dc273676b8bcb493292e8769667493bb5febfb5c9f347";
|
||||
};
|
||||
jdk = fetchurl {
|
||||
url = "${baseurl}/jdk/archive/${repover}.tar.gz";
|
||||
sha256 = "8ef05535a0e03c4262d55cc67887e884f3fda8e4872cbc2941dcb216ef1460ca";
|
||||
sha256 = "b3801935199973cc02df02ac2f2587ff0f1989f98af5bf6fe46520a8108c8d6a";
|
||||
};
|
||||
jaxws = fetchurl {
|
||||
url = "${baseurl}/jaxws/archive/${repover}.tar.gz";
|
||||
sha256 = "afbdf119af2ffc0f9cd6eb93e6dac8e6a56a4ed4b68c7ff07f9b0c1a6bd56a8f";
|
||||
sha256 = "04bb35fd8b071f65014fa1d3b9816886b88e06548eeda27181993b80efb6a0bf";
|
||||
};
|
||||
jaxp = fetchurl {
|
||||
url = "${baseurl}/jaxp/archive/${repover}.tar.gz";
|
||||
sha256 = "2e91c958024e6b64f7484b8225e07edce3bd3bcde43081fb73f32e4b73ef7b87";
|
||||
sha256 = "74bb7a376fa706e4283e235caebbcf9736974a6a4cf97b8c8335d389581965e2";
|
||||
};
|
||||
nashorn = fetchurl {
|
||||
url = "${baseurl}/nashorn/archive/${repover}.tar.gz";
|
||||
sha256 = "98b4fc2d448920b81404ce745d9c00e9a33b58e123176dec4074caf611c3f9c2";
|
||||
sha256 = "2fbdcb016506de4e86db5813c78b28382df5b601f0e73ffd5465c12519b75fd3";
|
||||
};
|
||||
in
|
||||
stdenv.mkDerivation {
|
||||
@ -58,6 +58,7 @@ stdenv.mkDerivation {
|
||||
./fix-java-home.patch
|
||||
./read-truststore-from-env-jdk8.patch
|
||||
./currency-date-range-jdk8.patch
|
||||
./nonreparenting-wm.patch
|
||||
];
|
||||
preConfigure = ''
|
||||
chmod +x configure
|
||||
@ -78,7 +79,7 @@ stdenv.mkDerivation {
|
||||
"--with-build-number=b${build}"
|
||||
"--with-milestone=fcs"
|
||||
];
|
||||
buildFlags = "all";
|
||||
buildFlags = "DEBUG_BINARIES=true all";
|
||||
installPhase = ''
|
||||
mkdir -p $out/lib/openjdk $out/share $jre/lib/openjdk
|
||||
|
||||
|
@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
|
||||
name = "despotify-svn521";
|
||||
|
||||
src = fetchsvn {
|
||||
url = "https://despotify.svn.sourceforge.net/svnroot/despotify";
|
||||
url = "http://svn.code.sf.net/p/despotify/code";
|
||||
rev = "521";
|
||||
};
|
||||
|
||||
|
@ -4,14 +4,14 @@
|
||||
|
||||
let
|
||||
name = "cppcheck";
|
||||
version = "1.67";
|
||||
version = "1.68";
|
||||
in
|
||||
stdenv.mkDerivation {
|
||||
name = "${name}-${version}";
|
||||
|
||||
src = fetchurl {
|
||||
url = "mirror://sourceforge/${name}/${name}-${version}.tar.bz2";
|
||||
sha256 = "1f9azv714mk37mjij29nfyd3hizsnj6wry1mmv7kxj0i1k7w0532";
|
||||
sha256 = "1ca9fdhrrxfyzd6kn67gxbfszp70191cf3ndasrh5jh55ghybmmd";
|
||||
};
|
||||
|
||||
configurePhase = ''
|
||||
|
@ -1,10 +1,10 @@
|
||||
{ buildFHSChrootEnv, config }:
|
||||
{ buildFHSUserEnv, config }:
|
||||
|
||||
buildFHSChrootEnv {
|
||||
buildFHSUserEnv {
|
||||
name = "steam";
|
||||
|
||||
targetPkgs = pkgs:
|
||||
[ pkgs.steam
|
||||
[ pkgs.steamOriginal
|
||||
pkgs.corefonts
|
||||
pkgs.curl
|
||||
pkgs.dbus
|
||||
@ -69,4 +69,6 @@ buildFHSChrootEnv {
|
||||
export LD_LIBRARY_PATH=/run/opengl-driver/lib:/run/opengl-driver-32/lib:/lib:/lib32:/lib64
|
||||
export PATH=$PATH:/usr/bin:/usr/sbin
|
||||
'';
|
||||
|
||||
runScript = "exec steam";
|
||||
}
|
||||
|
@ -6,7 +6,7 @@ stdenv.mkDerivation rec {
|
||||
version = "0.7.0";
|
||||
|
||||
src = fetchurl {
|
||||
url = "https://github.com/PrivacySolutions/i2pd/archive/${version}.tar.gz";
|
||||
url = "https://github.com/PurpleI2P/i2pd/archive/${version}.tar.gz";
|
||||
sha256 = "1fic1jxdr48b0jfaamwbfkldbfi7awfbrqga2k7gvpncq32v0aj6";
|
||||
};
|
||||
|
||||
|
@ -260,17 +260,25 @@ let
|
||||
inherit (pkgs) runCommand perl;
|
||||
};
|
||||
|
||||
buildFHSChrootEnv = import ../build-support/build-fhs-chrootenv {
|
||||
inherit buildEnv system;
|
||||
inherit stdenv glibc glibc_multi glibcLocales;
|
||||
inherit bashInteractive coreutils less shadow su;
|
||||
inherit gawk gcc gcc_multi diffutils findutils gnused gnugrep;
|
||||
inherit gnutar gzip bzip2 xz;
|
||||
|
||||
buildFHSEnv = callPackage ../build-support/build-fhs-chrootenv/env.nix {
|
||||
nixpkgs = pkgs;
|
||||
nixpkgs_i686 = pkgsi686Linux;
|
||||
};
|
||||
|
||||
chrootFHSEnv = callPackage ../build-support/build-fhs-chrootenv { };
|
||||
userFHSEnv = callPackage ../build-support/build-fhs-userenv {
|
||||
ruby = ruby_2_1_3;
|
||||
};
|
||||
|
||||
buildFHSChrootEnv = args: chrootFHSEnv {
|
||||
env = buildFHSEnv args;
|
||||
};
|
||||
|
||||
buildFHSUserEnv = args: userFHSEnv {
|
||||
env = buildFHSEnv (removeAttrs args [ "runScript" ]);
|
||||
runScript = args.runScript;
|
||||
};
|
||||
|
||||
dotnetenv = import ../build-support/dotnetenv {
|
||||
inherit stdenv;
|
||||
dotnetfx = dotnetfx40;
|
||||
@ -12154,9 +12162,17 @@ let
|
||||
|
||||
stardust = callPackage ../games/stardust {};
|
||||
|
||||
steam = callPackage ../games/steam {};
|
||||
steamOriginal = callPackage ../games/steam { };
|
||||
|
||||
steamChrootEnv = callPackage ../games/steam/chrootenv.nix { };
|
||||
steam = callPackage ../games/steam/chrootenv.nix { };
|
||||
|
||||
steamChrootEnv = steam.overrideDerivation (args: {
|
||||
buildCommand = ''
|
||||
${args.buildCommand}
|
||||
echo >&2 "'steamChrootEnv' is replaced with 'steam' now"
|
||||
echo >&2 "You now need just to run 'steam' without root rights"
|
||||
'';
|
||||
});
|
||||
|
||||
stuntrally = callPackage ../games/stuntrally { };
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user