Commit Graph

81 Commits

Author SHA1 Message Date
Tom Bereknyei
ef63ee9504 chrootenv: remove default.nix from src 2022-02-05 03:01:03 -05:00
Yana Timoshenko
719567e91f maintainers: update personal details 2021-12-31 21:48:55 +03:00
Artturi
d9e8a587e1
Merge pull request #128126 from wentasah/chrootenv-opt 2021-11-19 04:40:34 +02:00
Matt Votava
ea4b37e679 buildFhsUserenv: inherit mounts from parent namespace 2021-09-01 18:37:54 -07:00
Jörg Thalheim
c145ac7eab build-fhs-userenv: fix defaults on aarch64 2021-07-30 11:23:37 +02:00
Michal Sojka
b681ad3254 buildFHSUserEnv: Allow having custom /opt in the FHS environment
buildFHSUserEnv is meant primarily for running 3rd-party software
which is difficult to patch for NixOS. Such software is often built to
run from /opt. Currently, running such a software from FHS environment
is difficult for two reasons:

1. If the 3rd-party software is put into the Nix store via a simple
   derivation (with e.g. installPhase = "dpkg-deb -x $src $out"), the
   content of /opt directory of that derivation does not appear in the
   FHSEnv even if the derivation is specified in targetPkgs. This is
   why we change env.nix.

2. If using buildFHSUserEnvChroot and the host system has the /opt
   directory, it always gets bind-mounted to the FHSEnv even if some
   targetPkgs contain /opt (NB buildFHSUserEnvBubblewrap does not have
   this problem). If that directory is not accessible for non-root
   users (which is what docker's containerd does with /opt :-(), the
   user running the FHSEnv cannot use it.

   With the change in chrootenv.c, /opt is not bind-mounted to the
   container, but instead created as user-modifiable symlink to
   /host/opt (see the init attribute in
   build-fhs-userenv/default.nix). If needed, the user can remove this
   symlink and create an empty /opt directory which is under his/her
   control.
2021-06-27 08:33:51 +02:00
Jörg Thalheim
43908f4c1d
buildFhsUserenv: don't leak mounts to other processes
If run as root we were leaking mounts to the parent namespace,
which lead to an error when removing the temporary mountroot.
To fix this we remount the whole tree as private as soon as we created
the new mountenamespace.
2021-06-05 16:47:44 +02:00
Maciej Krüger
e41249e466
buildFHSUserEnv: symlink /etc/nix
this fixes experimental-features option not being available in fhs
and breaking the flakes feature
2021-02-26 20:13:28 +01:00
André Silva
fe49d856b0
build-fhs-userenv: bind /etc/profiles 2021-01-26 00:41:50 +00:00
Jonathan Ringer
9bb3fccb5b treewide: pkgs.pkgconfig -> pkgs.pkg-config, move pkgconfig to alias.nix
continuation of #109595

pkgconfig was aliased in 2018, however, it remained in
all-packages.nix due to its wide usage. This cleans
up the remaining references to pkgs.pkgsconfig and
moves the entry to aliases.nix.

python3Packages.pkgconfig remained unchanged because
it's the canonical name of the upstream package
on pypi.
2021-01-19 01:16:25 -08:00
Profpatsch
4a7f99d55d treewide: with stdenv.lib; in meta -> with lib;
Part of: https://github.com/NixOS/nixpkgs/issues/108938

meta = with stdenv.lib;

is a widely used pattern. We want to slowly remove
the `stdenv.lib` indirection and encourage people
to use `lib` directly. Thus let’s start with the meta
field.

This used a rewriting script to mostly automatically
replace all occurances of this pattern, and add the
`lib` argument to the package header if it doesn’t
exist yet.

The script in its current form is available at
https://cs.tvl.fyi/depot@2f807d7f141068d2d60676a89213eaa5353ca6e0/-/blob/users/Profpatsch/nixpkgs-rewriter/default.nix
2021-01-11 10:38:22 +01:00
Jörg Thalheim
66c16e12fa
buildFhsUserenv: don't downgrade root user 2020-12-27 17:19:49 +01:00
John Ericson
1ac5398589 *-wrapper; Switch from infixSalt to suffixSalt
I hate the thing too even though I made it, and rather just get rid of
it. But we can't do that yet. In the meantime, this brings us more
inline with autoconf and will make it slightly easier for me to write a
pkg-config wrapper, which we need.
2020-05-12 00:44:44 -04:00
Bjørn Forsman
d394c82cde
build-fhs-userenv: runCommand -> runCommandLocal (#77253)
It's a trivial derivation, no need to build remotely (it's slower that
way).
2020-02-14 20:16:49 +02:00
Anders Kaseorg
3cd8ce3bce treewide: Fix unsafe concatenation of $LD_LIBRARY_PATH
Naive concatenation of $LD_LIBRARY_PATH can result in an empty
colon-delimited segment; this tells glibc to load libraries from the
current directory, which is definitely wrong, and may be a security
vulnerability if the current directory is untrusted.  (See #67234, for
example.)  Fix this throughout the tree.

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
2020-01-15 09:47:03 +01:00
Nikolay Amiantov
06f27dc2e9 chrootenv: propagate nested chrootenv /host
To avoid symlink loops to /host in nested chrootenvs we need to remove
one level of indirection. This is also what's generally expected of
/host contents.
2019-05-30 15:34:01 +03:00
Nikolay Amiantov
7664ffbbaf chrootenv: small improvements
* Remove unused argument from pivot_root;
* Factor out tmpdir creation into a separate function;
* Remove unused fstype from bind mount;
* Use unlink instead of a treewalk to remove empty temporary directory.
2019-05-30 15:34:01 +03:00
Nikolay Amiantov
e0d3bc292c chrootenv: make stackable
The problem with stacking chrootenv before was that CLONE_NEWUSER cannot
be used when a child uses chroot. So instead of that we use pivot_root
which replaces root in the whole namespace. This requires our new root
to be an actual fs so we mount tmpfs.
2019-05-30 15:33:30 +03:00
Silvan Mosberger
b6a959b59e
Merge pull request #62040 from abbradar/chrootenv-extend
buildFHSUserEnv: extend PATH and LD_LIBRARY_PATH
2019-05-27 17:56:04 +02:00
Las
50c215df4a
Fix chrootenv segfaulting on exit
glibc 2.27 (and possibly other versions) can't handle an `nopenfd` value larger than 2^19 in `ntfw`, which is problematic if you've set the maximum number of fds per process to a value higher than that.
2019-05-26 17:19:06 +02:00
Nikolay Amiantov
668f8a12f7 buildFHSUserEnv: extend PATH and LD_LIBRARY_PATH
This allows one to run applications from PATH and override libraries for
applications inside chrootenv. Useful for development environments.
2019-05-25 11:37:01 +03:00
Pascal Bach
977d1d8413 nixos/fhsUserenv: make all locales available 2019-04-02 22:45:50 +02:00
volth
c706233f2e
buildFHSEnv: allowSubstitutes = false
trivial builder
2019-02-08 00:27:40 +00:00
Michael Eden
a3488fb9ac fix FHSUserEnv blacklists 2018-11-11 10:32:09 -05:00
Yegor Timoshenko
cea0e9226f
chrootenv: use meson 2018-11-04 11:33:34 +00:00
Piotr Bogdan
ccb76eeb3c chrootenv: strip the binary 2018-11-04 03:43:22 +00:00
Kristoffer Søholm
5e5e57c572 buildFHSUserEnv: use runScript in env (#49077)
This makes its behaviour conform to what is implied in the
documentation.
2018-10-30 22:47:08 +01:00
John Ericson
2c2f1e37d4 reewide: Purge all uses stdenv.system and top-level system
It is deprecated and will be removed after 18.09.
2018-08-30 17:20:32 -04:00
volth
52f53c69ce pkgs/*: remove unreferenced function arguments 2018-07-21 02:48:04 +00:00
Linus Heckemann
75cfbdf33b buildFHSUserEnv: change to root directory after chroot
Fixes #38525
2018-04-28 14:51:07 +01:00
Nikolay Amiantov
9db2a3e638 buildFHSEnv: export TZDIR
This is needed since NixOS keeps tzdata in non-standard /etc/zoneinfo path.
2018-03-11 02:14:49 +03:00
Nikolay Amiantov
94f0ef6628 buildFHSEnv: fix compiler search paths
Fixes OpenWrt compilation.
2018-03-10 23:57:12 +03:00
Yegor Timoshenko
4b1cf5afb8
chrootenv: rewrite on top of GLib
Changes:

* doesn't handle root user separately
* doesn't chdir("/") which makes using it seamless
* only bind mounts, doesn't symlink (i.e. files)

Incidentally, fixes #33106.

It's about two times shorter than the previous version, and much
easier to read/follow through. It uses GLib quite heavily, along with
RAII (available in GCC/Clang).
2017-12-30 22:28:38 +00:00
Yegor Timoshenko
25b35f4ffb
chrootenv: resolve potential race condition 2017-12-28 00:25:02 +00:00
Yegor Timoshenko
73a0d95b96 chrootenv: code review
* Wrap LEN macro in parantheses
* Drop env_filter in favor of stateful environ_blacklist_filter,
  use execvp instead of execvpe, don't explicitly use environ
* Add argument error logging wherever it makes sense
* Drop strjoin in favor of asprintf
* char* -> const char* where appropriate
* Handle stat errors
* Print user messages with fputs, not errorf
* Abstract away is_str_in (previously bind_blacklisted)
* Cleanup temporary directory on error
* Some minor syntactic and naming changes

Thanks to Jörg Thalheim and Tuomas Tynkkynen for the code review!
2017-12-22 18:56:13 +03:00
Yegor Timoshenko
710662be94 chrootenv: error on chrootenv-inside-chrootenv, resolves #32802 2017-12-22 18:56:13 +03:00
Yegor Timoshenko
0234cd41b4 chrootenv: replace env whitelist with blacklist, closes #32878 2017-12-22 18:56:13 +03:00
Yegor Timoshenko
c03663a145 chrootenv: bind-mount all dirs in /, symlink files, closes #32877 2017-12-22 18:56:13 +03:00
Yegor Timoshenko
ef1accae91 chrootenv: print sysctl command for Debian users, fixes #32876 2017-12-22 18:56:13 +03:00
Jörg Thalheim
438fb59e6f chroot-user: better error message, if unshare is not allowed 2017-12-09 09:14:56 +00:00
Yegor Timoshenko
edb59ee7bd chroot-user: rewrite in C, drop CHROOTENV_EXTRA_BINDS
Formatted via clang-format.
2017-11-09 19:58:55 +00:00
Nikolay Amiantov
2a036ca1a5 buildFHSEnv: fix NIX_* compiler flags
This is needed now after #27672.
2017-10-17 00:39:39 +03:00
Jamey Sharp
09bae7cb70 build-fhs-userenv: Propagate $XAUTHORITY
The `DISPLAY` environment variable is propagated into chroots built with
`buildFHSUserEnv`, but currently the `XAUTHORITY` variable is not. When
the latter is set, its value is usually necessary in order to connect to
the X server identified by the former.

This matters for users running gdm3, for example, who have `XAUTHORITY`
set to something like `/run/user/1000/gdm/Xauthority` instead of the X
default of `~/.Xauthority`, which doesn't exist in that setup.

Fixes #21532.
2017-07-18 00:03:22 -07:00
Nikolay Amiantov
54bbf91479 buildFHSEnv: add ACLOCAL_PATH
Fixes #24620.
2017-04-12 14:43:08 +03:00
Parnell Springmeyer
4aa0923009
Getting rid of the var indirection and using a bin path instead 2017-01-29 04:11:01 -06:00
Parnell Springmeyer
e92b8402b0
Addressing PR feedback 2017-01-28 20:48:03 -08:00
Parnell Springmeyer
bae00e8aa8
setcap-wrapper: Merging with upstream master and resolving conflicts 2017-01-25 11:08:05 -08:00
Nikolay Amiantov
7a73ecc18e buildFHSEnv: link /etc/zoneinfo
This is needed because now /etc/localtime symlink points there.
2016-10-11 16:56:11 +03:00
Parnell Springmeyer
98c058a1ee Adapting everything for the merged permissions wrappers work. 2016-09-01 19:21:06 -05:00
Benno Fünfstück
a368b27270 fhs-user-env: keep DBUS_SESSION_BUS_ADDRESS env
Steam requires this variable or some games run incredibly slow.
See ValveSoftware/Dota-2#921 for more information.
2016-06-28 23:55:43 +02:00