74107a7867
This takes another approach at binding FHS directory structure. We now bind-mount all the root filesystem to directory "/host" in the target tree. From that we symlink all the directories into the tree if they do not already exist in FHS structure. This probably makes `CHROOTENV_EXTRA_BINDS` unnecessary -- its main use case was to add bound directories from the host to the sandbox, and we now just symlink all of them. I plan to get some feedback on its usage and maybe deprecate it. This also drops old `buildFHSChrootEnv` infrastructure. The main problem with it is it's very difficult to unmount a recursive-bound directory when mount is not sandboxed. This problem is a bug even without these changes -- if you have for example `/home/alice` mounted to somewhere, you wouldn't see it in `buildFHSChrootEnv` now. With the new directory structure, it's impossible to use regular bind at all. After some tackling with this I realized that the fix would be brittle and dangerous (if you don't unmount everything cleanly and proceed to removing the temporary directory, bye-bye fs!). It also probably isn't worth it because I haven't heard that someone actually uses it for a long time, and `buildFHSUserEnv` should cover most cases while being much more maintainable and safe for the end-user.