What this allows us to do is define a "dumpcap" setuid wrapper in NixOS
and have wireshark use that instead of the non-setuid dumpcap binary
that it normally uses.
As far as I can tell, the code that is changed to do lookup in PATH is
only used by wireshark/tshark to find dumpcap. dumpcap, the thing that's
typically setuid, is not affected by this patch. wireshark and tshark
should *not* be installed setuid, so the fact that they now do lookup in
PATH is not a security concern.
With this commit, and the following config, only "root" and users in the
"wireshark" group will have access to capturing network traffic with
wireshark/dumpcap:
environment.systemPackages = [ pkgs.wireshark ];
security.setuidOwners = [
{ program = "dumpcap";
owner = "root";
group = "wireshark";
setuid = true;
setgid = false;
permissions = "u+rx,g+x";
}
];
users.extraGroups.wireshark.gid = 500;
(This wouldn't have worked before, because then wireshark would not use
our setuid dumpcap binary.)
This makes running wireshark (or more specifically, dumpcap) as root a
bit more secure. From <wireshark-1.11.2>/doc/README.packaging:
The "--with-libcap" option is only useful when dumpcap is installed
setuid. If it is enabled dumpcap will try to drop any setuid privileges
it may have while retaining the CAP_NET_ADMIN and CAP_NET_RAW
capabilities. It is enabled by default, if the Linux capabilities
library (on which it depends) is found.
This resolves a cyclic dependency: the daemon depends on tools (for
dbus-send) while tools depends on the daemon. Keeping them separate
doesn't seem very useful in any case.
Our version of SQLite causes the tests to fail, so I'm hereby adding a
patch from dbsrgits/dbix-class@ed5550d36 with the hunk for the Changes
file dropped.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This causes OpenVPN services to reach the "active" state when the VPN
connection is up (i.e., after OpenVPN prints "Initialization Sequence
Completed"). This allows units to be ordered correctly after openvpn-*
units, and makes systemctl present a password prompt:
$ start openvpn-foo
Enter Private Key Password: *************
(I first tried to implement this by calling "systemd-notify --ready"
from the "up" script, but systemd-notify is not reliable.)
The real path of the schemas is:
$out/share/gsettings-schemas/gsettings-desktop-schemas-3.10.1/glib-2.0/schemas
While the previous approach was to load schemas from:
$out/share/glib-2.0/schemas
So, we're now relying on the setup hook of glib to find the right schema
path.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
If dmenu isn't installed in the user environment, dmenu_run will fail
because it searches $PATH for its own binaries.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Youtube feeds now don't append a "sig" query string argument anymore, so
all those feeds would fail without this patch. For the latter, a pull
request already exists on upstream at pculture/miro#428, so I guess we
can drop our patch upon release of the next new upstream bugfix release.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This is needed because the pkgconfig file contains linker flags for
alsa-lib. And we had it propagated before already.
Should fix build of quite a lot of SDL dependencies, such as SDL_image:
https://hydra.nixos.org/build/10558332
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Unfortunately, github periodically changes output even for raw diffs
(not just raw patches). I'm including the patch in nixpkgs.
I was unable to do it without hash change. Even if I added binary equal file.
This includes a lot of fixes for cross-building to Windows and Mac OS X
and could possibly fix things even for non-cross-builds, like for
example OpenSSL on Windows.
The main reason for merging this in 14.04 already is that we already
have runInWindowsVM in master and it doesn't work until we actually
cross-build Cygwin's setup binary as the upstream version is a fast
moving target which gets _overwritten_ on every new release.
Conflicts:
pkgs/top-level/all-packages.nix
This implements some longstanding work of getting the Chromium
derivation more modular. Unfortunately, I didn't manage to decrease the
compile time, which was one of the primary goal for doing the refactor.
A main reason this didn't work out well was the fact that most bundled
libraries are so heavily patched that it's not possible within a limited
time frame to decouple it from the main derivation.
However, it should now be easier to build other derivations that build
upon Chromium, like libcef. Also, it finally adds support for the
non-free PepperAPI Flash and PDF plugins and support for fetching the
corresponding versions through the updater.
The packageName attribute defines the output path and binary name of the
product that's going to be created, so we really want to have "chromium"
instead of "chromium-browser" here, especially for the resulting binary.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We already have a desktop icon from the browser wrapper, so this is only
for people who do not use the wrapper (for example if you don't want to
use Mozilla plugins).
Also, we someday might want to propagate the desktop item to the browser
wrapper as well.
Conflicts:
pkgs/applications/networking/browsers/chromium/default.nix
Yes, it's just a comment and yes, it's so insignificant that everyone
would make a "O_o" face. But I'm getting annoyed by things like this.
Obviously that means no feature changes :-)
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This is to ensure that nothing unexpected will be after the merge of the
refactoring branch, and also my own autoupdate machinery is expecting
this location, so there really is no reason to change it now.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
beta: 34.0.1847.60 -> 35.0.1916.47 (builds fine, tested)
dev: 35.0.1883.0 -> 36.0.1941.0 (builds fine, tested)
For the new version 36, we needed to rebase our user namespaces sandbox
patch, because http://crbug.com/312380 is preparing for an upstream
implementation of the same functionality.
Also, we need to add ply and jinja2 to the depends on version 36. This
is done unconditionally, because I want to avoid cluttering up the
expressions with various versionOlder checks.
The sandbox binary had to be fixed as well and we no longer use system
zlib, as - who might have guessed it - it's a fast moving target at
Chromium as well.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Commit 986f361946 started to use
<nix/fetchurl.nix> to "download" the bootstrap binaries from the
Nixpkgs tree, using the file:/// scheme. This has really bad
consequences:
* It makes any derivation depend on the path of the Nixpkgs tree. So
evaluating a package will produce a different .drv file when run
from different locations. No wonder Hydra evaluation has been so
slow lately: for every Nixpkgs evaluation, it had to create tens of
thousands of .drv files, even if nothing had changed.
* It requires the builder to have file system access to the Nixpkgs
tree. So if your tree is in your home directory, the stdenv
bootstrap would probably fail.
So now the binaries are downloaded from tarballs.nixos.org.
Also dropped PowerPC "support".
The version of v8 to use for Chromium is heavily tied to the specific
version of Chromium and thus it doesn't really make sense to use v8 from
<nixpkgs>, as we would need to have 3 different versions of v8, one for
each Chromium channel.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
It doesn't make sense to do the splitting of the source code on a remote
machine, so don't try to do it.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This results in a new function called mkChromiumDerivation, which can be
used to easily build packages that are based on the Chromium source
tree.
We pass through this function as mkDerivation in the chromium wrappre,
so in the end if you want to create such a package, something like:
chromium.mkDerivation (base: {
name = "your-shiny-package-based-on-chromium";
...
})
will suffice.
Of course, this is only the first step towards this functionality,
because right now I'm not even sure the Chromium browser itself will
build.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The reason I'm not making this the default is because it seems to add
complexity and degrades performance of the library. For details have a
look at this lengthy discussion at:
https://bugs.debian.org/686777
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This now uses the Debian package from the sources derivation instead of
hardcoding it, so we finally should have proper PepperAPI plugin support
without crashing plugins and whatnot.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This cases the Debian binaries to be fetched from Google's official APT
repository. If we aren't able to find a package from the APT repository,
it's very likely that it already got deleted upstream and we need to
fallback to mirrors instead.
Unfortunately, we can't use mirrors for updating, because Google doesn't
sign the Debian packages themselves and only the release files.
We're going to hook it into a Chromium updater soon, making the sha256
hashes publicly available, so if it is missing, we can still put the
sha256 manually into sources.nix, without risking anything by blindly
fetching from one of the provided mirrors.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The updater is now splitted between a shellscript and a Nix expression
file which contains helpers and lookup functions to reconstruct all
information needed in order to fetch the source tarballs.
This means, that the sources.nix now doesn't contain URLs and only
versions and the corresponding SHA256 hashes. Of course, right now this
sounds like it's unnecessary, but we're going to fetch binaries soon so
it's a good idea to not unnecessarily clutter up sources.nix.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Next, we're going to refactor update.sh and the first step is to ensure
that we keep everything related to sources into its own subdirectory to
not clutter up the main directory too much.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The current version of v8 breaks builds of nodejs, mongodb and
rethinkdb. So let's bring back the old package with annoying _3_14
version suffix so hopefully the corresponding maintainers will get rid
of that dependency :-)
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We don't want ta have the source derivation in the runtime dependencies
of the browser itself. Also, we've broken the Firefox wrapper, because
we've no longer exposed the packageName attribute.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
I'm giving up on this after several attempts to correctly unbundle the
largest part, namely Google's WebKit fork Blink. Right now it's so much
tied into the Chromium source it's going to be fairly hard to do if
you're not working full time on it.
Also, the intermediate steps needed to do this properly would introduce
uneccesary complexity on our side, so we really need to finish this
without leaving it in the "messy" state in order to not make Chromium
even more difficult to maintain than it is already.
However, anyone who wants to proceed on this messy step is free to
revert this commit and continue doing so. In my case I'm going to try
again once https://crbug.com/239107 and https://crbug.com/239181 are
fixed in _stable_ (I don't want to introduce *lots* of conditionals on
the version either).
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We obviously don't want the Hydra job of nixpkgs to fail, so we need to
make sure that we have a proper meta attribute on the outermost
derivation.
For builds based on the Chromium source tree (like for example libcef),
we can still move the wrapper elsewhere when we need it.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This is because of our symlink mess, as Chromium's build support scripts
are trying to resolve everything based on absolute paths and we split
off the bundled sources from the main derivation.
Yes, I'm refering to this as a mess, because in the end, we're going to
patch up the gyp files and use references someday.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Now, we no longer tie the sandbox directly to the browser derivation but
wrap everything together into one derivation at the entry point at
default.nix.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
So far we just copied everything from source.* into the build directory
during the prePatch. This somewhat defeated the purpose of the source
splitup because it involved more I/O than just unpacking the entire
source tree.
Now, we're selectively *symlinking* the bundled sources into the build
directory. Even that isn't perfect because in the end we'd just
reference foreign derivations and we're done. But for now, this gets us
at least prepared for a massive reduction of compile time.
Unfortunately, gyp's behaviour when it comes to symlinks is quite
painful to come by, so we need to fix a few references to use absolute
paths.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We now no longer pass enablePepperFlash and enablePepperPDF to the
browser package itself and only use plugins.flagsEnabled from there.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This currently only passes through the arguments and is nothing more
than the foundation of the new structure. In essence, I want to have a
really small default.nix which is then going down into the respective
subparts that are isolated from each other.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This is hardcoded for the dev channel at the moment and we're going to
fetch it along with the main Chromium sources.
Also I'm putting this in default.nix at the moment, because we're going
to tear apart the whole Chromium package into several subparts soon.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This is required to build Chromium. Making it a non-optional dependency
as it shouldn't really hurt other packages using it.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This is needed by Chromium and is part of the zlib source tree in
contrib/, so let's propagate the version of zlib and use the same source
tree.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Not sure whether those are really needed for Chromium, but I suppose it
doesn't hurt to have support for conversion.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This now uses fetchurl instead of fetchsvn and now invokes gyp directly
instead of copying over the gyp command to the source tree.
Also, we're now using stdenv.is64bit to properly determine the host
architecture.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We currently can't build the -lite package because beta and dev versions
aren't yet compatible with ICU version 52. But apart from that blocker,
this should get us ready for the switch.
Also, we're now correctly unbundling all dependencies which are used
from <nixpkgs>.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Starting with version 35, version 2 of libgnome_keyring is no longer
supported and it's probably pretty useless to do backports to version 2,
given the assumption that most users on Nix probably don't use it.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Note: simply calling `virtualenv .` will not produce a ./bin/python
which can import e.g. sqlite3, using `virtualenv --python=python2.7`
will, if python2.7 is python27Full (the wrapped python). I'm not sure
if this is a bug or a feature.
This creates static device nodes such as /dev/fuse or
/dev/snd/seq. The kernel modules for these devices will be loaded on
demand when the device node is opened.
Note that systemd no longer depends on dbus, so we're rid of the
cyclic dependency problem between systemd and dbus.
This commit incorporates from wkennington's systemd branch
(203dcff45002a63f6be75c65f1017021318cc839,
1f842558a95947261ece66f707bfa24faf5a9d88).
