maurice/snix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Enable sandboxing by default

Browse source 
Closes #179.
This commit is contained in:
Eelco Dolstra 2018-11-07 17:08:28 +01:00
parent 5a3f140856
commit 812e39313c
No known key found for this signature in database
GPG key ID: 8170B4726D7198DE
5 changed files with 34 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

1
doc/manual/release-notes/release-notes.xml
View file

@ -12,6 +12,7 @@
</partintro> </partintro>
--> -->
<xi:include href="rl-2.3.xml" />
<xi:include href="rl-2.2.xml" /> <xi:include href="rl-2.2.xml" />
<xi:include href="rl-2.1.xml" /> <xi:include href="rl-2.1.xml" />
<xi:include href="rl-2.0.xml" /> <xi:include href="rl-2.0.xml" />

19
doc/manual/release-notes/rl-2.3.xml Normal file
View file

@ -0,0 +1,19 @@
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="ssec-relnotes-2.3">
<title>Release 2.3 (2019-??-??)</title>
<para>This release has the following changes:</para>
<itemizedlist>
<listitem>
<para>Sandbox builds are now enabled by default on Linux.</para>
</listitem>
</itemizedlist>
</section>

8
src/libstore/globals.hh
View file

@ -195,7 +195,13 @@ public:
Setting<bool> showTrace{this, false, "show-trace", Setting<bool> showTrace{this, false, "show-trace",
"Whether to show a stack trace on evaluation errors."}; "Whether to show a stack trace on evaluation errors."};
Setting<SandboxMode> sandboxMode{this, smDisabled, "sandbox", Setting<SandboxMode> sandboxMode{this,
#if __linux__
smEnabled
#else
smDisabled
#endif
, "sandbox",
"Whether to enable sandboxed builds. Can be \"true\", \"false\" or \"relaxed\".", "Whether to enable sandboxed builds. Can be \"true\", \"false\" or \"relaxed\".",
{"build-use-chroot", "build-use-sandbox"}}; {"build-use-chroot", "build-use-sandbox"}};

15
tests/common.sh.in
View file

@ -85,16 +85,13 @@ killDaemon() {
trap "" EXIT trap "" EXIT
} }
if [[ $(uname) == Linux ]] && [[ -L /proc/self/ns/user ]] && unshare --user true; then
_canUseSandbox=1
fi
canUseSandbox() { canUseSandbox() {
if [[ $(uname) != Linux ]]; then return 1; fi if [[ ! $_canUseSandbox ]]; then
echo "Sandboxing not supported, skipping this test..."
if [ ! -L /proc/self/ns/user ]; then
echo "Kernel doesn't support user namespaces, skipping this test..."
return 1
fi
if ! unshare --user true ; then
echo "Unprivileged user namespaces disabled by sysctl, skipping this test..."
return 1 return 1
fi fi

1
tests/init.sh
View file

@ -16,6 +16,7 @@ mkdir "$NIX_CONF_DIR"
cat > "$NIX_CONF_DIR"/nix.conf <<EOF cat > "$NIX_CONF_DIR"/nix.conf <<EOF
build-users-group = build-users-group =
keep-derivations = false keep-derivations = false
sandbox = false
include nix.conf.extra include nix.conf.extra
EOF EOF