From cc86857601da5685a30da76665914af0cd744530 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Mon, 16 Nov 2015 08:12:08 +0100 Subject: [PATCH 01/61] libpng: security and maintenance 1.6.18 -> 1.6.19 Fixes #11030, CVE-2015-{7981,8126}. --- pkgs/development/libraries/libpng/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/development/libraries/libpng/default.nix b/pkgs/development/libraries/libpng/default.nix index 53777a0c56f..a2454aa02f0 100644 --- a/pkgs/development/libraries/libpng/default.nix +++ b/pkgs/development/libraries/libpng/default.nix @@ -3,11 +3,11 @@ assert zlib != null; let - version = "1.6.18"; - sha256 = "0qq96rf31483kxz32h6l6921hy6p2v2pfqfvc74km229g4xw241f"; + version = "1.6.19"; + sha256 = "1s1mmkl79ghiczi2x2rbnp6y70v4c5pr8g3icxn9h5imymbmc71i"; patch_src = fetchurl { url = "mirror://sourceforge/libpng-apng/libpng-${version}-apng.patch.gz"; - sha256 = "0g2ljh2vhclas1hacys1c4gk6l6hyy6sngb2yvdsnjz50nyq16kv"; + sha256 = "0bgqkac16yhl0zwjzq2zwkixg2l2x3a6blbk3k0wqz0lza2a6jrh"; }; whenPatched = stdenv.lib.optionalString apngSupport; From d50d14d55f1e5a53633f8a18bc55fe4d42361f93 Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Sat, 21 Dec 2013 13:48:06 +0100 Subject: [PATCH 02/61] Use the nix provided shell. This is guaranteed to be bash, SmartOS has ksh by default and doesn't work. --- pkgs/build-support/fetchgit/builder.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/build-support/fetchgit/builder.sh b/pkgs/build-support/fetchgit/builder.sh index 64eea4ae100..4bbef1d6e62 100644 --- a/pkgs/build-support/fetchgit/builder.sh +++ b/pkgs/build-support/fetchgit/builder.sh 
@@ -6,7 +6,7 @@ source $stdenv/setup header "exporting $url (rev $rev) into $out" -$fetcher --builder --url "$url" --out "$out" --rev "$rev" \ +$SHELL $fetcher --builder --url "$url" --out "$out" --rev "$rev" \ ${leaveDotGit:+--leave-dotGit} \ ${deepClone:+--deepClone} \ ${fetchSubmodules:+--fetch-submodules} \ From 546601cf4b02a9c0c9d47a577d7be9d285590c2d Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Sat, 21 Dec 2013 13:48:11 +0100 Subject: [PATCH 03/61] SmartOS: Fix w3m build --- pkgs/applications/networking/browsers/w3m/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/networking/browsers/w3m/default.nix b/pkgs/applications/networking/browsers/w3m/default.nix index d8c421af46a..c9d8f626c8c 100644 --- a/pkgs/applications/networking/browsers/w3m/default.nix +++ b/pkgs/applications/networking/browsers/w3m/default.nix @@ -19,6 +19,8 @@ stdenv.mkDerivation rec { sha256 = "1qx9f0kprf92r1wxl3sacykla0g04qsi0idypzz24b7xy9ix5579"; }; + NIX_LDFLAGS = "-lsocket -lnsl"; + patches = [ ./glibc214.patch ] # Patch for the newer unstable boehm-gc 7.2alpha. Not all platforms use that # alpha. At the time of writing this, boehm-gc-7.1 is the last stable. From fdb534f06e4614bab25f38c48db7c99ae13c2b15 Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Thu, 3 Apr 2014 19:01:43 +0200 Subject: [PATCH 04/61] GCC 4.8 compiles on Illumos. - Disable profiled bootstrap. - Add illumos meta platform. --- lib/platforms.nix | 5 +++-- pkgs/development/compilers/gcc/4.8/default.nix | 1 + pkgs/top-level/all-packages.nix | 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/lib/platforms.nix b/lib/platforms.nix index 825cc4136a1..750829da375 100644 --- a/lib/platforms.nix +++ b/lib/platforms.nix 
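Review bot: The changed invocation in fetchgit/builder.sh expands `$SHELL` and `$fetcher` unquoted, and nothing in the file says why the fetcher is no longer executed directly. The reason is given only in the commit message (the default shell on SmartOS is ksh). A one-line comment such as `# run the fetcher through stdenv's bash; the default shell on SmartOS is ksh` would keep a later cleanup from reverting it. Quoting both expansions, `"$SHELL" "$fetcher" --builder ...`, would match how the other arguments on the line are passed.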
@@ -8,8 +8,9 @@ rec { openbsd = ["i686-openbsd" "x86_64-openbsd"]; netbsd = ["i686-netbsd" "x86_64-netbsd"]; cygwin = ["i686-cygwin" "x86_64-cygwin"]; - unix = linux ++ darwin ++ freebsd ++ openbsd; - all = linux ++ darwin ++ cygwin ++ freebsd ++ openbsd; + illumos = ["x86_64-solaris"]; + unix = linux ++ darwin ++ freebsd ++ openbsd ++ netbsd ++ illumos; + all = linux ++ darwin ++ cygwin ++ freebsd ++ openbsd ++ netbsd ++ illumos; none = []; allBut = platforms: lists.filter (x: !(builtins.elem x platforms)) all; mesaPlatforms = ["i686-linux" "x86_64-linux" "x86_64-darwin" "armv5tel-linux" "armv6l-linux"]; diff --git a/pkgs/development/compilers/gcc/4.8/default.nix b/pkgs/development/compilers/gcc/4.8/default.nix index ff1d388b6e2..22c4fc22c02 100644 --- a/pkgs/development/compilers/gcc/4.8/default.nix +++ b/pkgs/development/compilers/gcc/4.8/default.nix @@ -519,6 +519,7 @@ stdenv.mkDerivation ({ platforms = stdenv.lib.platforms.linux ++ stdenv.lib.platforms.freebsd ++ + stdenv.lib.platforms.illumos ++ optionals (langAda == false) stdenv.lib.platforms.darwin; }; } diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 38b954fdd1c..8134b08f5f7 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -3890,7 +3890,7 @@ let inherit noSysDirs; # PGO seems to speed up compilation by gcc by ~10%, see #445 discussion - profiledCompiler = with stdenv; (!isDarwin && (isi686 || isx86_64)); + profiledCompiler = with stdenv; (!isSunOS && !isDarwin && (isi686 || isx86_64)); # When building `gcc.crossDrv' (a "Canadian cross", with host == target # and host != build), `cross' must be null but the cross-libc must still From a93f8835560ae7f601156b42deca870cdfbda443 Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Thu, 3 Apr 2014 19:11:07 +0200 Subject: [PATCH 05/61] Fix bison build on Illumos. --- pkgs/development/tools/parsing/bison/3.x.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
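Review bot: The `unix` and `all` lists in lib/platforms.nix gain `netbsd` as well as the new `illumos` entry, and the commit message ("Add illumos meta platform") does not mention the NetBSD part. Every package whose `meta.platforms` is `platforms.unix` or `platforms.all` is thereby advertised for NetBSD and `x86_64-solaris` in one step, presumably without having been built there. If the NetBSD addition is intended, it deserves its own commit or a line in the description. Otherwise the list should read `unix = linux ++ darwin ++ freebsd ++ openbsd ++ illumos;`, and likewise for `all`.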
diff --git a/pkgs/development/tools/parsing/bison/3.x.nix b/pkgs/development/tools/parsing/bison/3.x.nix index b38751ba99e..8e7d65b81ff 100644 --- a/pkgs/development/tools/parsing/bison/3.x.nix +++ b/pkgs/development/tools/parsing/bison/3.x.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, m4, perl }: +{ stdenv, fetchurl, m4, perl, help2man }: stdenv.mkDerivation rec { name = "bison-3.0.4"; @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "b67fd2daae7a64b5ba862c66c07c1addb9e6b1b05c5f2049392cfd8a2172952e"; }; - nativeBuildInputs = [ m4 perl ]; + nativeBuildInputs = [ m4 perl help2man ]; propagatedBuildInputs = [ m4 ]; meta = { From f046f7bad3f337c9ad070ace9208bd8406d3f827 Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Thu, 3 Apr 2014 19:11:48 +0200 Subject: [PATCH 06/61] Fix libelf build on Illumos --- pkgs/development/libraries/libelf/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/libelf/default.nix b/pkgs/development/libraries/libelf/default.nix index 4a34ac6bdec..048902f4fc4 100644 --- a/pkgs/development/libraries/libelf/default.nix +++ b/pkgs/development/libraries/libelf/default.nix @@ -15,6 +15,8 @@ stdenv.mkDerivation (rec { nativeBuildInputs = [ glibc ]; }; + buildInputs = [ gettext ]; + meta = { description = "ELF object file access library"; From 450d6aff9c05b5deec58ab31cb8bf0521af89dfb Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Fri, 4 Apr 2014 01:10:51 +0200 Subject: [PATCH 07/61] Less builds fine on Illumos. --- pkgs/tools/misc/less/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/tools/misc/less/default.nix b/pkgs/tools/misc/less/default.nix index af8a0dd7d81..75e00635320 100644 --- a/pkgs/tools/misc/less/default.nix +++ b/pkgs/tools/misc/less/default.nix 
@@ -18,7 +18,7 @@ stdenv.mkDerivation rec { meta = { homepage = http://www.greenwoodsoftware.com/less/; description = "A more advanced file pager than ‘more’"; - platforms = stdenv.lib.platforms.linux ++ stdenv.lib.platforms.darwin; + platforms = stdenv.lib.platforms.unix; maintainers = [ stdenv.lib.maintainers.eelco ]; }; } From 6a2b723a8b349ce38b064e7f948ea0c28eafd2e1 Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Fri, 4 Apr 2014 22:08:10 +0200 Subject: [PATCH 08/61] Fix build of gccgo-wrapper on Illumos. When compiling GCC with NIX_ENFORCE_PURITY, linking libgcc fails because crti.o and friends aren't part of the nix store. --- pkgs/build-support/gcc-wrapper-old/utils.sh | 2 ++ pkgs/development/compilers/gcc/4.8/default.nix | 1 - pkgs/top-level/all-packages.nix | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/build-support/gcc-wrapper-old/utils.sh b/pkgs/build-support/gcc-wrapper-old/utils.sh index 753b3772e95..fa19f91bf5d 100644 --- a/pkgs/build-support/gcc-wrapper-old/utils.sh +++ b/pkgs/build-support/gcc-wrapper-old/utils.sh @@ -14,6 +14,8 @@ badPath() { # the temporary build directory). if test "${p:0:1}" != "/"; then return 1; fi + @extraPathTests@ + # Otherwise, the path should refer to the store or some temporary # directory (including the build directory). test \ diff --git a/pkgs/development/compilers/gcc/4.8/default.nix b/pkgs/development/compilers/gcc/4.8/default.nix index 22c4fc22c02..fd80f4ec8c5 100644 --- a/pkgs/development/compilers/gcc/4.8/default.nix +++ b/pkgs/development/compilers/gcc/4.8/default.nix @@ -294,7 +294,6 @@ stdenv.mkDerivation ({ ++ (optional stdenv.isDarwin gnused) ; - NIX_LDFLAGS = stdenv.lib.optionalString stdenv.isSunOS "-lm -ldl"; preConfigure = stdenv.lib.optionalString (stdenv.isSunOS && stdenv.is64bit) '' export NIX_LDFLAGS=`echo $NIX_LDFLAGS | sed -e s~$prefix/lib~$prefix/lib/amd64~g` 
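Review bot: `@extraPathTests@` is spliced into `badPath` in gcc-wrapper-old/utils.sh, the function that decides whether a path handed to the compiler is impure, but none of the three files in this commit defines a value for it. If the wrapper derivation does not set `extraPathTests`, the placeholder presumably survives substitution and is run as a command on every call. If it is set, shell text from a Nix attribute now runs inside the purity check with no stated contract. A comment above the placeholder, e.g. `# extraPathTests: optional snippet; 'return 1' accepts the path, otherwise fall through`, plus an empty default in the wrapper's default.nix would make this maintainable. The body of `badPath` starts and ends outside the hunk.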
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 8134b08f5f7..329e28f0c20 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -16,6 +16,7 @@ # outside of the store. Thus, GCC, GFortran, & co. must always look for # files in standard system directories (/usr/include, etc.) noSysDirs ? (system != "x86_64-freebsd" && system != "i686-freebsd" + && system != "x86_64-solaris" && system != "x86_64-kfreebsd-gnu") # More flags for the bootstrapping of stdenv. From f72bdba42035b51a9d5e6a1a6936436d7368b12e Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Sat, 17 May 2014 11:19:32 +0200 Subject: [PATCH 09/61] Fix dbus-tools build on SmartOS `ld` on illumos does not understand `--as-needed` --- pkgs/development/libraries/dbus/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/libraries/dbus/default.nix b/pkgs/development/libraries/dbus/default.nix index 4a0f98d262a..97eecf78a1a 100644 --- a/pkgs/development/libraries/dbus/default.nix +++ b/pkgs/development/libraries/dbus/default.nix @@ -93,7 +93,7 @@ let preBuild = makeInternalLib; buildInputs = buildInputsX ++ systemdOrEmpty ++ [ libs ]; NIX_CFLAGS_LINK = - stdenv.lib.optionalString (!stdenv.isDarwin) "-Wl,--as-needed " + stdenv.lib.optionalString (!stdenv.isDarwin && !stdenv.isSunOS) "-Wl,--as-needed " + "-ldbus-1"; # don't provide another dbus-1.pc (with incorrect include and link dirs), From 15c676fd30c52dc93009ec09ed069746f11d1743 Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Wed, 27 Aug 2014 12:42:39 +0200 Subject: [PATCH 10/61] SmartOS: Make pkgconfig use proper i18n. --- pkgs/development/tools/misc/pkgconfig/default.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pkgs/development/tools/misc/pkgconfig/default.nix b/pkgs/development/tools/misc/pkgconfig/default.nix index 6eea0a6d5d6..eabcebad31d 100644 --- a/pkgs/development/tools/misc/pkgconfig/default.nix 
+++ b/pkgs/development/tools/misc/pkgconfig/default.nix @@ -10,9 +10,10 @@ stdenv.mkDerivation (rec { sha256 = "0sq09a39wj4cxf8l2jvkq067g08ywfma4v6nhprnf351s82pfl68"; }; - buildInputs = stdenv.lib.optional (stdenv.isCygwin || stdenv.isDarwin) libiconv; + buildInputs = stdenv.lib.optional (stdenv.isCygwin || stdenv.isDarwin || stdenv.isSunOS) libiconv; - configureFlags = [ "--with-internal-glib" ]; + configureFlags = [ "--with-internal-glib" ] + ++ stdenv.lib.optional (stdenv.isSunOS) "--with-libiconv=gnu"; patches = (if vanilla then [] else [ # Process Requires.private properly, see From e9d6da77cdda475d225e6b23f558005c7cc1ca20 Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Sat, 23 Aug 2014 04:26:04 +0200 Subject: [PATCH 11/61] =?UTF-8?q?Fix=20non-chrooted=20(stdenv-native)=20bu?= =?UTF-8?q?ilds=20that=20have=20`man`=20on=20path=20enabling=20building=20?= =?UTF-8?q?of=20built-in=20manual,=20while=20chrooted=20builds=20(hydra)?= =?UTF-8?q?=20will=20not=E2=80=A6?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- pkgs/tools/networking/curl/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/tools/networking/curl/default.nix b/pkgs/tools/networking/curl/default.nix index 14687817835..3c77d2a6c8d 100644 --- a/pkgs/tools/networking/curl/default.nix +++ b/pkgs/tools/networking/curl/default.nix @@ -47,6 +47,7 @@ stdenv.mkDerivation rec { ''; configureFlags = [ + "--disable-manual" ( if sslSupport then "--with-ssl=${openssl}" else "--without-ssl" ) ( if scpSupport then "--with-libssh2=${libssh2}" else "--without-libssh2" ) ( if ldapSupport then "--enable-ldap" else "--disable-ldap" ) From bb3d083d63bfc1b5a92a741a7911682085d6e626 Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Mon, 16 Nov 2015 17:04:34 +0100 Subject: [PATCH 12/61] Fix hardcoded target platform. --- pkgs/tools/networking/haproxy/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/pkgs/tools/networking/haproxy/default.nix b/pkgs/tools/networking/haproxy/default.nix index de8488ab3a8..6f02648f666 100644 --- a/pkgs/tools/networking/haproxy/default.nix +++ b/pkgs/tools/networking/haproxy/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { # TODO: make it work on darwin/bsd as well preConfigure = '' - export makeFlags="TARGET=linux2628 PREFIX=$out USE_OPENSSL=yes" + export makeFlags="TARGET=${if stdenv.isSunOS then "solaris" else "linux2628"} PREFIX=$out USE_OPENSSL=yes" ''; meta = { From e0f732415ffc274b42d872ca9f4d5d3bdb35dfda Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Fri, 29 Aug 2014 17:03:56 +0200 Subject: [PATCH 13/61] Fix glib build on SmartOS --- pkgs/development/libraries/glib/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/libraries/glib/default.nix b/pkgs/development/libraries/glib/default.nix index bafe8949e93..e53775464e0 100644 --- a/pkgs/development/libraries/glib/default.nix +++ b/pkgs/development/libraries/glib/default.nix @@ -65,7 +65,7 @@ stdenv.mkDerivation rec { configureFlags = optional stdenv.isDarwin "--disable-compile-warnings" - ++ optional stdenv.isSunOS "--disable-modular-tests"; + ++ optional stdenv.isSunOS ["--disable-modular-tests" "--with-libiconv"]; NIX_CFLAGS_COMPILE = optionalString stdenv.isDarwin " -lintl" + optionalString stdenv.isSunOS " -DBSD_COMP"; From ee56b6aa245b4111389db58f6dd0a9d8e0e887bc Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Fri, 29 Aug 2014 23:28:57 +0200 Subject: [PATCH 14/61] Doxygen: fix build on SmartOS --- pkgs/development/tools/documentation/doxygen/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/tools/documentation/doxygen/default.nix b/pkgs/development/tools/documentation/doxygen/default.nix index 78669dfdce7..82bbab5ff87 100644 --- a/pkgs/development/tools/documentation/doxygen/default.nix +++ b/pkgs/development/tools/documentation/doxygen/default.nix 
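Review bot: On the SunOS line of `configureFlags` in glib/default.nix, `optional` is now handed a list, so it yields the nested list `[ [ "--disable-modular-tests" "--with-libiconv" ] ]` rather than two flags. String coercion of the attribute probably flattens it, but any code that treats `configureFlags` as a flat list of strings will not. The helper for list arguments is `optionals`: `++ optionals stdenv.isSunOS ["--disable-modular-tests" "--with-libiconv"];` (or `stdenv.lib.optionals` if the short name is not in scope here).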
@@ -20,12 +20,14 @@ stdenv.mkDerivation { buildInputs = [ perl python flex bison ] ++ stdenv.lib.optional (qt4 != null) qt4 + ++ stdenv.lib.optional stdenv.isSunOS libiconv ++ stdenv.lib.optionals stdenv.isDarwin [ CoreServices libiconv ]; prefixKey = "--prefix "; configureFlags = [ "--dot dot" ] + ++ stdenv.lib.optional stdenv.isSunOS "--install install" ++ stdenv.lib.optional (qt4 != null) "--with-doxywizard"; preConfigure = From 2c80e12e96cc738264e74839ced61967ca3736fa Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Mon, 16 Nov 2015 17:05:49 +0100 Subject: [PATCH 15/61] Add support for gzip compression --- pkgs/tools/networking/haproxy/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/tools/networking/haproxy/default.nix b/pkgs/tools/networking/haproxy/default.nix index 6f02648f666..f6201b44b3e 100644 --- a/pkgs/tools/networking/haproxy/default.nix +++ b/pkgs/tools/networking/haproxy/default.nix @@ -1,4 +1,4 @@ -{ stdenv, pkgs, fetchurl, openssl }: +{ stdenv, pkgs, fetchurl, openssl, zlib }: stdenv.mkDerivation rec { majorVersion = "1.5"; @@ -10,11 +10,11 @@ stdenv.mkDerivation rec { sha256 = "16cg1jmy2d8mq2ypwifsvhbyp4pyrj0zm0r818sx0r4hchwdsrcm"; }; - buildInputs = [ openssl ]; + buildInputs = [ openssl zlib ]; # TODO: make it work on darwin/bsd as well preConfigure = '' - export makeFlags="TARGET=${if stdenv.isSunOS then "solaris" else "linux2628"} PREFIX=$out USE_OPENSSL=yes" + export makeFlags="TARGET=${if stdenv.isSunOS then "solaris" else "linux2628"} PREFIX=$out USE_OPENSSL=yes USE_ZLIB=yes" ''; meta = { From b19116f688b9444eb25ade4142be780b53febc93 Mon Sep 17 00:00:00 2001 
From: Danny Wilson Date: Sat, 7 Nov 2015 04:44:30 +0100 Subject: [PATCH 16/61] Fix Perl build on SmartOS --- .../interpreters/perl/5.20/default.nix | 1 + .../interpreters/perl/5.20/ld-shared.patch | 33 +++++++++++++------ .../interpreters/perl/5.22/default.nix | 1 + .../interpreters/perl/5.22/ld-shared.patch | 33 +++++++++++++------ 4 files changed, 48 insertions(+), 20 deletions(-) diff --git a/pkgs/development/interpreters/perl/5.20/default.nix b/pkgs/development/interpreters/perl/5.20/default.nix index 141484814ea..81f4f946ea7 100644 --- a/pkgs/development/interpreters/perl/5.20/default.nix +++ b/pkgs/development/interpreters/perl/5.20/default.nix @@ -64,6 +64,7 @@ stdenv.mkDerivation rec { "-Dlocincpth=${libc}/include" "-Dloclibpth=${libc}/lib" ] + ++ optional stdenv.isSunOS "-Dcc=gcc" ++ optional enableThreading "-Dusethreads"; configureScript = "${stdenv.shell} ./Configure"; diff --git a/pkgs/development/interpreters/perl/5.20/ld-shared.patch b/pkgs/development/interpreters/perl/5.20/ld-shared.patch index be45230c8a7..9f92368df68 100644 --- a/pkgs/development/interpreters/perl/5.20/ld-shared.patch +++ b/pkgs/development/interpreters/perl/5.20/ld-shared.patch 
@@ -1,11 +1,24 @@ ---- perl-5.16.2/hints/solaris_2.sh.orig 2013-02-14 19:29:49.453988140 +0000 -+++ perl-5.16.2/hints/solaris_2.sh 2013-02-14 19:30:31.681631019 +0000 -@@ -568,7 +568,7 @@ - # ccflags="$ccflags -Wa,`getconf XBS5_LP64_OFF64_CFLAGS 2>/dev/null`" - # fi - ldflags="$ldflags -m64" -- lddlflags="$lddlflags -G -m64" -+ lddlflags="$lddlflags -shared -m64" +$NetBSD: patch-hints_solaris__2.sh,v 1.2 2015/10/27 09:10:44 jperkin Exp $ + +Redo PR pkg/44999. + +--- perl-5.20.2/hints/solaris_2.sh.orig 2015-05-13 20:19:29.000000000 +0000 ++++ perl-5.20.2/hints/solaris_2.sh +@@ -585,7 +585,7 @@ EOM + fi + fi + case "${cc:-cc} -v 2>/dev/null" in +- *gcc*) ++ *gcc*|clang*) + echo 'int main() { return 0; }' > try.c + case "`${cc:-cc} $ccflags -mcpu=v9 -m64 -S try.c 2>&1 | grep 'm64 is not supported by this configuration'`" in + *"m64 is not supported"*) +@@ -622,7 +622,7 @@ EOM + # use that with Solaris 11 and later, but keep + # the old behavior for older Solaris versions. + case "$osvers" in +- 2.?|2.10) lddlflags="$lddlflags -G -m64" ;; ++ 2.?|2.10) lddlflags="$lddlflags -shared -m64" ;; + *) lddlflags="$lddlflags -shared -m64" ;; + esac ;; - *) - getconfccflags="`getconf XBS5_LP64_OFF64_CFLAGS 2>/dev/null`" diff --git a/pkgs/development/interpreters/perl/5.22/default.nix b/pkgs/development/interpreters/perl/5.22/default.nix index 4b0f4364ea2..53e777c19a1 100644 --- a/pkgs/development/interpreters/perl/5.22/default.nix +++ b/pkgs/development/interpreters/perl/5.22/default.nix @@ -51,6 +51,7 @@ stdenv.mkDerivation rec { "-Dlocincpth=${libc}/include" "-Dloclibpth=${libc}/lib" ] + ++ optional stdenv.isSunOS "-Dcc=gcc" ++ optional enableThreading "-Dusethreads"; configureScript = "${stdenv.shell} ./Configure"; diff --git a/pkgs/development/interpreters/perl/5.22/ld-shared.patch b/pkgs/development/interpreters/perl/5.22/ld-shared.patch index be45230c8a7..140af9af40e 100644 --- a/pkgs/development/interpreters/perl/5.22/ld-shared.patch 
+++ b/pkgs/development/interpreters/perl/5.22/ld-shared.patch @@ -1,11 +1,24 @@ ---- perl-5.16.2/hints/solaris_2.sh.orig 2013-02-14 19:29:49.453988140 +0000 -+++ perl-5.16.2/hints/solaris_2.sh 2013-02-14 19:30:31.681631019 +0000 -@@ -568,7 +568,7 @@ - # ccflags="$ccflags -Wa,`getconf XBS5_LP64_OFF64_CFLAGS 2>/dev/null`" - # fi - ldflags="$ldflags -m64" -- lddlflags="$lddlflags -G -m64" -+ lddlflags="$lddlflags -shared -m64" +$NetBSD: patch-hints_solaris__2.sh,v 1.2 2015/10/27 09:10:44 jperkin Exp $ + +Redo PR pkg/44999. + +--- perl-5.22.0/hints/solaris_2.sh.orig 2015-05-13 20:19:29.000000000 +0000 ++++ perl-5.22.0/hints/solaris_2.sh +@@ -585,7 +585,7 @@ EOM + fi + fi + case "${cc:-cc} -v 2>/dev/null" in +- *gcc*) ++ *gcc*|clang*) + echo 'int main() { return 0; }' > try.c + case "`${cc:-cc} $ccflags -mcpu=v9 -m64 -S try.c 2>&1 | grep 'm64 is not supported by this configuration'`" in + *"m64 is not supported"*) +@@ -622,7 +622,7 @@ EOM + # use that with Solaris 11 and later, but keep + # the old behavior for older Solaris versions. + case "$osvers" in +- 2.?|2.10) lddlflags="$lddlflags -G -m64" ;; ++ 2.?|2.10) lddlflags="$lddlflags -shared -m64" ;; + *) lddlflags="$lddlflags -shared -m64" ;; + esac ;; - *) - getconfccflags="`getconf XBS5_LP64_OFF64_CFLAGS 2>/dev/null`" From f9134ca9df7281765ec1fcefc7636632b9ef11fb Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Sat, 7 Nov 2015 04:45:26 +0100 Subject: [PATCH 17/61] Fix patchShebangs on SmartOS Tail is very picky about the space after -c when compiled by Nix on Illumos (no idea why). --- pkgs/build-support/setup-hooks/patch-shebangs.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/build-support/setup-hooks/patch-shebangs.sh b/pkgs/build-support/setup-hooks/patch-shebangs.sh index 9d8cd0217a5..38660718d0e 100644 --- a/pkgs/build-support/setup-hooks/patch-shebangs.sh +++ b/pkgs/build-support/setup-hooks/patch-shebangs.sh 
@@ -19,12 +19,12 @@ patchShebangs() { local newInterpreterLine find "$dir" -type f -perm -0100 | while read f; do - if [ "$(head -1 "$f" | head -c +2)" != '#!' ]; then + if [ "$(head -1 "$f" | head -c+2)" != '#!' ]; then # missing shebang => not a script continue fi - oldInterpreterLine=$(head -1 "$f" | tail -c +3) + oldInterpreterLine=$(head -1 "$f" | tail -c+3) read -r oldPath arg0 args <<< "$oldInterpreterLine" if $(echo "$oldPath" | grep -q "/bin/env$"); then From 340375f42111310a5401a644d12f987fe0a61252 Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Sat, 7 Nov 2015 05:03:28 +0100 Subject: [PATCH 18/61] Make sure optionalAttrs are set before actually building a derivation. --- pkgs/tools/misc/coreutils/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/tools/misc/coreutils/default.nix b/pkgs/tools/misc/coreutils/default.nix index 35e9e3828d9..bd0d1b92857 100644 --- a/pkgs/tools/misc/coreutils/default.nix +++ b/pkgs/tools/misc/coreutils/default.nix @@ -11,7 +11,7 @@ assert selinuxSupport -> libselinux != null && libsepol != null; with { inherit (stdenv.lib) optional optionals optionalString optionalAttrs; }; let - self = stdenv.mkDerivation rec { + self = rec { name = "coreutils-8.24"; src = fetchurl { @@ -102,7 +102,7 @@ let }; }; in - self + stdenv.mkDerivation (self // stdenv.lib.optionalAttrs (stdenv.system == "armv7l-linux" || stdenv.isSunOS) { FORCE_UNSAFE_CONFIGURE = 1; - } + }) From caaded37135131d9a282d66fd44591caf5b169c7 Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Sat, 7 Nov 2015 05:14:15 +0100 Subject: [PATCH 19/61] =?UTF-8?q?Disable=20inotify=20support=20on=20SunOS:?= =?UTF-8?q?=20it=E2=80=99s=20Linux-specific.=20This=20amazingly=20fixes=20?= =?UTF-8?q?the=20coreutils=20build=20on=20SmartOS.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- pkgs/tools/misc/coreutils/default.nix | 2 ++ 1 file changed, 2 insertions(+) 
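Review bot: The two changed lines in `patchShebangs` drop the space in `head -c +2` and `tail -c +3` with nothing in the file explaining why, so the next cleanup is likely to put it back. The reason is recorded only in the commit message (the Nix-built tail on Illumos rejects the separated form). It belongs next to the code, e.g. `# no space after -c: the separated form fails on Illumos`. The function body starts and ends outside the hunk.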
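Review bot: With `self` turned into a plain attribute set in coreutils/default.nix, `FORCE_UNSAFE_CONFIGURE = 1` in the last hunk reaches the builder environment on `armv7l-linux` and SunOS for the first time, and nothing says why it is needed. The variable makes coreutils' configure skip its refusal to run as root, so it deserves a comment such as `# configure refuses to run as root; <why these builds run as root>` (placeholder for the author to fill in). The binding name `self` is also misleading now that it no longer denotes the derivation. `attrs` would read better, provided nothing inside the set refers to `self`, which is not visible from the hunks.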
diff --git a/pkgs/tools/misc/coreutils/default.nix b/pkgs/tools/misc/coreutils/default.nix index bd0d1b92857..9f763115f9a 100644 --- a/pkgs/tools/misc/coreutils/default.nix +++ b/pkgs/tools/misc/coreutils/default.nix @@ -36,6 +36,8 @@ let touch -r src/stat.c src/tail.c ''; + configureFlags = optionalString stdenv.isSunOS "ac_cv_func_inotify_init=no"; + nativeBuildInputs = [ perl ]; buildInputs = [ gmp ] ++ optional aclSupport acl From e4b305ca703488204058b3a628ece974cf5befbd Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Sat, 7 Nov 2015 05:59:34 +0100 Subject: [PATCH 20/61] Fix MPFR build again on SmartOS. --- pkgs/development/libraries/mpfr/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/development/libraries/mpfr/default.nix b/pkgs/development/libraries/mpfr/default.nix index e1809d544d1..581f956b0af 100644 --- a/pkgs/development/libraries/mpfr/default.nix +++ b/pkgs/development/libraries/mpfr/default.nix @@ -14,6 +14,7 @@ stdenv.mkDerivation rec { propagatedBuildInputs = [ gmp ]; configureFlags = + stdenv.lib.optional stdenv.isSunOS "--disable-thread-safe" ++ stdenv.lib.optional stdenv.is64bit "--with-pic"; doCheck = true; From 46c4981e297e5345eda92528e408b874dfeca16b Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Sun, 8 Nov 2015 02:35:00 +0100 Subject: [PATCH 21/61] Perl works fine on Illumos (and Solaris) --- pkgs/top-level/perl-packages.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/top-level/perl-packages.nix b/pkgs/top-level/perl-packages.nix index 6292fa457f7..2f9d743dcb7 100644 --- a/pkgs/top-level/perl-packages.nix +++ b/pkgs/top-level/perl-packages.nix 
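Review bot: `--disable-thread-safe` is added to mpfr's `configureFlags` for SunOS without a comment, and it changes the library's contract rather than just its build. MPFR built this way keeps its flags and caches in ordinary globals, so dependents that call it from several threads lose a guarantee they have on other platforms. Please record the failure it works around next to the flag, e.g. `# <reason the thread-safe build fails on Illumos>` (placeholder), so the workaround can be dropped once that is fixed.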
@@ -6495,7 +6495,7 @@ let self = _self // overrides; _self = with self; { meta = { description = "The World-Wide Web library for Perl"; license = with stdenv.lib.licenses; [ artistic1 gpl1Plus ]; - platforms = stdenv.lib.platforms.linux ++ stdenv.lib.platforms.darwin; + platforms = stdenv.lib.platforms.linux ++ stdenv.lib.platforms.darwin ++ stdenv.lib.platforms.illumos; }; }; From 11be480df492ae8bd0b9fc12c91577e3be027710 Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Sun, 8 Nov 2015 02:35:29 +0100 Subject: [PATCH 22/61] Skip failing tests on SmartOS --- pkgs/tools/text/gawk/default.nix | 1 + pkgs/tools/text/gnugrep/default.nix | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/pkgs/tools/text/gawk/default.nix b/pkgs/tools/text/gawk/default.nix index 001a50458e2..f865b69cfed 100644 --- a/pkgs/tools/text/gawk/default.nix +++ b/pkgs/tools/text/gawk/default.nix @@ -12,6 +12,7 @@ stdenv.mkDerivation rec { doCheck = !( stdenv.isCygwin # XXX: `test-dup2' segfaults on Cygwin 6.1 || stdenv.isDarwin # XXX: `locale' segfaults + || stdenv.isSunOS # XXX: `_backsmalls1' fails, locale stuff? ); buildInputs = stdenv.lib.optional (stdenv.system != "x86_64-cygwin") libsigsegv diff --git a/pkgs/tools/text/gnugrep/default.nix b/pkgs/tools/text/gnugrep/default.nix index e8352e318b9..242ce36780d 100644 --- a/pkgs/tools/text/gnugrep/default.nix +++ b/pkgs/tools/text/gnugrep/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation { buildInputs = [ pcre libiconv ]; # cygwin: FAIL: multibyte-white-space - doCheck = !stdenv.isDarwin && !stdenv.isCygwin; + doCheck = !stdenv.isDarwin && !stdenv.isSunOS && !stdenv.isCygwin; # On Mac OS X, force use of mkdir -p, since Grep's fallback # (./install-sh) is broken. From bcc7d8add92fe584915fa063a0b60ed87b153719 Mon Sep 17 00:00:00 2001 
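Review bot: `doCheck` in gnugrep/default.nix is now off on SunOS, but the comment above the line still names only the Cygwin failure. The gawk hunk in the same commit records which test fails; do the same here, e.g. `# sunos: FAIL: <test name>` (placeholder). That way the suite can be re-enabled when the test is fixed instead of staying disabled indefinitely.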
From: Danny Wilson Date: Sun, 8 Nov 2015 02:39:05 +0100 Subject: [PATCH 23/61] Texinfo requires GNU awk, mainly during make check. This fixes build on SmartOS. --- pkgs/development/tools/misc/texinfo/6.0.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pkgs/development/tools/misc/texinfo/6.0.nix b/pkgs/development/tools/misc/texinfo/6.0.nix index 5099676f32b..3aa77fd2e5f 100644 --- a/pkgs/development/tools/misc/texinfo/6.0.nix +++ b/pkgs/development/tools/misc/texinfo/6.0.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, ncurses, perl, xz, interactive ? false }: +{ stdenv, fetchurl, ncurses, perl, xz, libiconv, gawk, interactive ? false }: stdenv.mkDerivation rec { name = "texinfo-6.0"; @@ -9,8 +9,11 @@ stdenv.mkDerivation rec { }; buildInputs = [ perl xz ] + ++ stdenv.lib.optional stdenv.isSunOS libiconv ++ stdenv.lib.optional interactive ncurses; + configureFlags = "AWK=${gawk}/bin/awk"; + preInstall = '' installFlags="TEXMF=$out/texmf-dist"; installTargets="install install-tex"; From bab0a82983d9b230ababcb6501f1b58a8541fbbf Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Sun, 8 Nov 2015 02:40:49 +0100 Subject: [PATCH 24/61] Dummy SBCL property to allow other derivations to build. --- pkgs/development/compilers/sbcl/bootstrap.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/development/compilers/sbcl/bootstrap.nix b/pkgs/development/compilers/sbcl/bootstrap.nix index 43002aa72f5..c68189bd8c6 100644 --- a/pkgs/development/compilers/sbcl/bootstrap.nix +++ b/pkgs/development/compilers/sbcl/bootstrap.nix @@ -23,6 +23,7 @@ let sha256 = "0sp5445rbvms6qvzhld0kwwvydw51vq5iaf4kdqsf2d9jvaz3yx5"; }; armv6l-linux = armv7l-linux; + x86_64-solaris = x86_64-linux; }; cfg = options.${stdenv.system}; in From f17dea3b3dcae065c6ddb187111bef2975ad2eba Mon Sep 17 00:00:00 2001 
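Review bot: `x86_64-solaris = x86_64-linux;` in sbcl/bootstrap.nix makes `cfg` resolve to the Linux bootstrap entry on Solaris. Anything that actually builds this derivation there would therefore fetch a Linux binary and presumably fail late, at build time, instead of at evaluation. If the aim is only to keep evaluation of other attributes working, as the commit message suggests, say so next to the line: `# placeholder so evaluation succeeds; there is no SBCL bootstrap binary for this platform`. The enclosing `let` block starts and ends outside the hunk.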
From: Danny Wilson Date: Sun, 8 Nov 2015 02:44:38 +0100 Subject: [PATCH 25/61] Fix compilation of GCC 4.9 on SmartOS. Fix ld-solaris-wrapper never calling ld (since gcc->cc-wrapper refactor). --- pkgs/build-support/cc-wrapper/default.nix | 2 +- pkgs/build-support/cc-wrapper/ld-solaris-wrapper.sh | 2 +- pkgs/development/compilers/gcc/4.9/default.nix | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/pkgs/build-support/cc-wrapper/default.nix b/pkgs/build-support/cc-wrapper/default.nix index 9822b1a026a..bea7e07a202 100644 --- a/pkgs/build-support/cc-wrapper/default.nix +++ b/pkgs/build-support/cc-wrapper/default.nix @@ -145,7 +145,7 @@ stdenv.mkDerivation { + optionalString (stdenv.isSunOS && nativePrefix != "") '' # Solaris needs an additional ld wrapper. ldPath="${nativePrefix}/bin" - ld="$out/bin/ld-solaris" + exec="$ldPath/ld" wrap ld-solaris ${./ld-solaris-wrapper.sh} '') diff --git a/pkgs/build-support/cc-wrapper/ld-solaris-wrapper.sh b/pkgs/build-support/cc-wrapper/ld-solaris-wrapper.sh index 9216ea3198d..5a7b92b5ad7 100644 --- a/pkgs/build-support/cc-wrapper/ld-solaris-wrapper.sh +++ b/pkgs/build-support/cc-wrapper/ld-solaris-wrapper.sh @@ -6,7 +6,7 @@ set -u # I've also tried adding -z direct and -z lazyload, but it gave too many problems with C++ exceptions :'( # Also made sure libgcc would not be lazy-loaded, as suggested here: https://www.illumos.org/issues/2534#note-3 # but still no success. -cmd="@prog@ -z ignore" +cmd="@ld@ -z ignore" args=("$@"); diff --git a/pkgs/development/compilers/gcc/4.9/default.nix b/pkgs/development/compilers/gcc/4.9/default.nix index 13154ddd27a..fecdd85cd41 100644 --- a/pkgs/development/compilers/gcc/4.9/default.nix +++ b/pkgs/development/compilers/gcc/4.9/default.nix 
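Review bot: After this change the Solaris block in cc-wrapper/default.nix assigns `exec`, while ld-solaris-wrapper.sh now substitutes `@ld@`; the only assignment of `ld` visible in the hunk is the one being removed. Unless `ld` is exported elsewhere in the builder, `@ld@` would be left unsubstituted in the installed wrapper. Nothing visible points the regular ld wrapper at `ld-solaris` any more either, so the `-z ignore` handling may no longer be on the link path. Either export the variable the template reads, e.g. `export ld="$ldPath/ld"` before the `wrap ld-solaris` call, or rename the placeholder to match. Both the builder script and the wrapper continue outside the hunks.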
@@ -293,9 +293,8 @@ stdenv.mkDerivation ({ ++ (optional stdenv.isDarwin gnused) ; - NIX_LDFLAGS = stdenv.lib.optionalString stdenv.isSunOS "-lm -ldl"; - preConfigure = stdenv.lib.optionalString (stdenv.isSunOS && stdenv.is64bit) '' + sed -i -e "s/-lrt//g" libstdc++-v3/configure export NIX_LDFLAGS=`echo $NIX_LDFLAGS | sed -e s~$prefix/lib~$prefix/lib/amd64~g` export LDFLAGS_FOR_TARGET="-Wl,-rpath,$prefix/lib/amd64 $LDFLAGS_FOR_TARGET" export CXXFLAGS_FOR_TARGET="-Wl,-rpath,$prefix/lib/amd64 $CXXFLAGS_FOR_TARGET" @@ -518,6 +517,7 @@ stdenv.mkDerivation ({ platforms = stdenv.lib.platforms.linux ++ stdenv.lib.platforms.freebsd ++ + stdenv.lib.platforms.illumos ++ optionals (langAda == false) stdenv.lib.platforms.darwin; }; } From 98180e3bb29388508ec1f8a6c2c2f8f4d3c40c8e Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Sun, 8 Nov 2015 02:47:17 +0100 Subject: [PATCH 26/61] Fix ncurses 5.9 build on SmartOS. Has been fixed before, but now includes C++ support. --- pkgs/development/libraries/ncurses/default.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/pkgs/development/libraries/ncurses/default.nix b/pkgs/development/libraries/ncurses/default.nix index c505d89a6d8..8817e2c5523 100644 --- a/pkgs/development/libraries/ncurses/default.nix +++ b/pkgs/development/libraries/ncurses/default.nix 
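Review bot: The added `sed -i -e "s/-lrt//g" libstdc++-v3/configure` in `preConfigure` of gcc/4.9 removes every occurrence of that substring, including inside longer tokens, and has no comment saying why librt must not be linked on SunOS. The same hunk drops `NIX_LDFLAGS = ... "-lm -ldl"`, which the commit message does not mention. A short comment for each, for instance `# <why -lrt has to be removed on Illumos>` (placeholder), would let the workaround be removed later. The `preConfigure` string continues past the hunk.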
@@ -27,12 +27,21 @@ stdenv.mkDerivation rec { "--enable-symlinks" ] ++ lib.optional unicode "--enable-widec"; + # Only the C compiler, and explicitly not C++ compiler needs this flag on solaris: + CFLAGS = lib.optionalString stdenv.isSunOS "-D_XOPEN_SOURCE_EXTENDED"; + buildInputs = lib.optional (mouseSupport && stdenv.isLinux) gpm; preConfigure = '' configureFlagsArray+=("--includedir=$out/include") export PKG_CONFIG_LIBDIR="$out/lib/pkgconfig" mkdir -p "$PKG_CONFIG_LIBDIR" + '' + + lib.optionalString stdenv.isSunOS '' + sed -i -e '/-D__EXTENSIONS__/ s/-D_XOPEN_SOURCE=\$cf_XOPEN_SOURCE//' \ + -e '/CPPFLAGS="$CPPFLAGS/s/ -D_XOPEN_SOURCE_EXTENDED//' \ + configure + CFLAGS=-D_XOPEN_SOURCE_EXTENDED '' + lib.optionalString stdenv.isCygwin '' sed -i -e 's,LIB_SUFFIX="t,LIB_SUFFIX=",' configure ''; From 62ff7367d533da02b92427997f5d2beb525fd61a Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Tue, 17 Nov 2015 11:20:33 +0100 Subject: [PATCH 27/61] LDFLAGS hack is only required for SmartOS builds --- pkgs/applications/networking/browsers/w3m/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/applications/networking/browsers/w3m/default.nix b/pkgs/applications/networking/browsers/w3m/default.nix index c9d8f626c8c..32deafffe90 100644 --- a/pkgs/applications/networking/browsers/w3m/default.nix +++ b/pkgs/applications/networking/browsers/w3m/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { sha256 = "1qx9f0kprf92r1wxl3sacykla0g04qsi0idypzz24b7xy9ix5579"; }; - NIX_LDFLAGS = "-lsocket -lnsl"; + NIX_LDFLAGS = stdenv.lib.optionalString stdenv.isSunOS "-lsocket -lnsl"; patches = [ ./glibc214.patch ] # Patch for the newer unstable boehm-gc 7.2alpha. Not all platforms use that From 96648a8526e8e9a8dc7d56a1572cea717ec20403 Mon Sep 17 00:00:00 2001 
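Review bot: `-D_XOPEN_SOURCE_EXTENDED` is set twice for SunOS: once through the new `CFLAGS` attribute and again by the bare `CFLAGS=-D_XOPEN_SOURCE_EXTENDED` at the end of the `preConfigure` fragment. The shell assignment replaces whatever `CFLAGS` held at that point rather than appending to it, so flags supplied by an override are lost. Either drop the shell line and rely on the attribute, or write it as `CFLAGS="$CFLAGS -D_XOPEN_SOURCE_EXTENDED"`.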
From: aszlig Date: Tue, 17 Nov 2015 16:16:14 +0100 Subject: [PATCH 28/61] bzip2: Get rid of the custom builder.sh. Everything the builder.sh did can be done with the generic builder which makes it easier to override attributes and also easier to read. The reason I've done this is because of #10820, which tries to override the preBuild hook, but the latter is hardcoded in the builder.sh of bzip2. I have compared the output of this against the previous version and the only things that were different were timestamps in libbz2.a. Signed-off-by: aszlig --- pkgs/tools/compression/bzip2/builder.sh | 24 -------------- pkgs/tools/compression/bzip2/default.nix | 42 +++++++++++++++++++----- 2 files changed, 33 insertions(+), 33 deletions(-) delete mode 100644 pkgs/tools/compression/bzip2/builder.sh diff --git a/pkgs/tools/compression/bzip2/builder.sh b/pkgs/tools/compression/bzip2/builder.sh deleted file mode 100644 index a598dfcf808..00000000000 --- a/pkgs/tools/compression/bzip2/builder.sh +++ /dev/null @@ -1,24 +0,0 @@ -source $stdenv/setup -installFlags="PREFIX=$out" - -if test -n "$sharedLibrary"; then - - preBuild() { - make -f Makefile-libbz2_so - } - - preInstall() { - mkdir -p $out/lib - mv libbz2.so* $out/lib - (cd $out/lib && ln -s libbz2.so.1.0.? libbz2.so && ln -s libbz2.so.1.0.? libbz2.so.1); - } - -fi - -postInstall() { - rm $out/bin/bunzip2* $out/bin/bzcat* - ln -s bzip2 $out/bin/bunzip2 - ln -s bzip2 $out/bin/bzcat -} - -genericBuild diff --git a/pkgs/tools/compression/bzip2/default.nix b/pkgs/tools/compression/bzip2/default.nix index 74da91431a4..a485bf5eab6 100644 --- a/pkgs/tools/compression/bzip2/default.nix +++ b/pkgs/tools/compression/bzip2/default.nix 
@@ -1,12 +1,14 @@ { stdenv, fetchurl, linkStatic ? false }: -let version = "1.0.6"; in +let + version = "1.0.6"; -stdenv.mkDerivation { + sharedLibrary = !stdenv.isDarwin && !(stdenv ? isStatic) + && stdenv.system != "i686-cygwin" && !linkStatic; + +in stdenv.mkDerivation { name = "bzip2-${version}"; - builder = ./builder.sh; - src = fetchurl { url = "http://www.bzip.org/${version}/bzip2-${version}.tar.gz"; sha256 = "1kfrc7f0ja9fdn6j1y6yir6li818npy6217hvr3wzmnmzhs8z152"; @@ -23,14 +25,36 @@ stdenv.mkDerivation { ''; }; - sharedLibrary = - !stdenv.isDarwin && !(stdenv ? isStatic) && stdenv.system != "i686-cygwin" && !linkStatic; + preBuild = stdenv.lib.optionalString sharedLibrary '' + make -f Makefile-libbz2_so + ''; - patchPhase = stdenv.lib.optionalString stdenv.isDarwin "substituteInPlace Makefile --replace 'CC=gcc' 'CC=clang'"; + preInstall = stdenv.lib.optionalString sharedLibrary '' + mkdir -p $out/lib + mv libbz2.so* $out/lib + ( cd $out/lib && + ln -s libbz2.so.1.0.? libbz2.so && + ln -s libbz2.so.1.0.? libbz2.so.1 + ) + ''; - preConfigure = "substituteInPlace Makefile --replace '$(PREFIX)/man' '$(PREFIX)/share/man'"; + installFlags = [ "PREFIX=$(out)" ]; - makeFlags = if linkStatic then "LDFLAGS=-static" else ""; + postInstall = '' + rm $out/bin/bunzip2* $out/bin/bzcat* + ln -s bzip2 $out/bin/bunzip2 + ln -s bzip2 $out/bin/bzcat + ''; + + patchPhase = stdenv.lib.optionalString stdenv.isDarwin '' + substituteInPlace Makefile --replace 'CC=gcc' 'CC=clang' + ''; + + preConfigure = '' + substituteInPlace Makefile --replace '$(PREFIX)/man' '$(PREFIX)/share/man' + ''; + + makeFlags = stdenv.lib.optional linkStatic "LDFLAGS=-static"; inherit linkStatic; From 590eec7945f7718c9f9ea96ad0828624a7e7c190 Mon Sep 17 00:00:00 2001 
From: Danny Wilson Date: Tue, 17 Nov 2015 18:28:51 +0100 Subject: [PATCH 29/61] Simplify FORCE_UNSAFE_CONFIGURE by making it an optional string. postInstall references ${self} and requires self to be a derivation. --- pkgs/tools/misc/coreutils/default.nix | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/pkgs/tools/misc/coreutils/default.nix b/pkgs/tools/misc/coreutils/default.nix index 9f763115f9a..c9aacd0ba6b 100644 --- a/pkgs/tools/misc/coreutils/default.nix +++ b/pkgs/tools/misc/coreutils/default.nix @@ -11,7 +11,7 @@ assert selinuxSupport -> libselinux != null && libsepol != null; with { inherit (stdenv.lib) optional optionals optionalString optionalAttrs; }; let - self = rec { + self = stdenv.mkDerivation rec { name = "coreutils-8.24"; src = fetchurl { @@ -82,6 +82,7 @@ let enableParallelBuilding = false; NIX_LDFLAGS = optionalString selinuxSupport "-lsepol"; + FORCE_UNSAFE_CONFIGURE = stdenv.lib.optionalString (stdenv.system == "armv7l-linux" || stdenv.isSunOS) "1"; makeFlags = optionalString stdenv.isDarwin "CFLAGS=-D_FORTIFY_SOURCE=0"; @@ -104,7 +105,4 @@ let }; }; in - stdenv.mkDerivation (self - // stdenv.lib.optionalAttrs (stdenv.system == "armv7l-linux" || stdenv.isSunOS) { - FORCE_UNSAFE_CONFIGURE = 1; - }) + self; From 6e9f0df8bdde24bee4a18235ed64f47c580c45d7 Mon Sep 17 00:00:00 2001 From: "William A. Kennington III" Date: Tue, 17 Nov 2015 21:09:52 -0800 Subject: [PATCH 30/61] gtk: 3.18.4 -> 3.18.5 --- pkgs/development/libraries/gtk+/3.x.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/gtk+/3.x.nix b/pkgs/development/libraries/gtk+/3.x.nix index 174f12fc68c..248c4fa385e 100644 --- a/pkgs/development/libraries/gtk+/3.x.nix +++ b/pkgs/development/libraries/gtk+/3.x.nix @@ -10,7 +10,7 @@ assert cupsSupport -> cups != null; let ver_maj = "3.18"; - ver_min = "4"; + ver_min = "5"; version = "${ver_maj}.${ver_min}"; in stdenv.mkDerivation rec { 
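Review bot: `FORCE_UNSAFE_CONFIGURE` is now an attribute of the derivation on every platform, holding an empty string wherever the condition is false, whereas the removed `optionalAttrs` merge added it only for armv7l-linux and SunOS. That puts an empty variable into every coreutils build environment and presumably changes the derivation on platforms that were unaffected before; please confirm that is acceptable. The flag switches off a safety check in `configure`, so it needs a comment saying why these two platforms require it, for example `# configure refuses to run as root unless this is set` (reason to be confirmed). The file already brings `optionalString` into scope via `with { inherit (stdenv.lib) ... }`, so the line can read `optionalString (...) "1"` like the `NIX_LDFLAGS` line above it.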
@@ -18,7 +18,7 @@ stdenv.mkDerivation rec { src = fetchurl { url = "mirror://gnome/sources/gtk+/${ver_maj}/gtk+-${version}.tar.xz"; - sha256 = "5400dcf280d28d24606f33d59ed48c717f7d3db425d4b6fb52e8002f0c76c7eb"; + sha256 = "107aeb9a4244ce3c044becdd6dffc32d83202595181597180d4c736302a71852"; }; nativeBuildInputs = [ pkgconfig gettext gobjectIntrospection perl ]; From b809f886c0bdbd4665fc65a4c308d38a30c368d8 Mon Sep 17 00:00:00 2001 From: "William A. Kennington III" Date: Tue, 17 Nov 2015 21:10:13 -0800 Subject: [PATCH 31/61] libinput: 1.0.1 -> 1.1.1 --- pkgs/development/libraries/libinput/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/libinput/default.nix b/pkgs/development/libraries/libinput/default.nix index ed97952940a..430743af96a 100644 --- a/pkgs/development/libraries/libinput/default.nix +++ b/pkgs/development/libraries/libinput/default.nix @@ -15,11 +15,11 @@ in with stdenv.lib; stdenv.mkDerivation rec { - name = "libinput-1.0.2"; + name = "libinput-1.1.1"; src = fetchurl { url = "http://www.freedesktop.org/software/libinput/${name}.tar.xz"; - sha256 = "1fggbi8w8r7mayyk7zwqrqf3ni95y2703vcpggxqq7yjdgw0bld3"; + sha256 = "05yxz3cds65zmzj98yhsrwvnkv8c7n3zs2fksjzs2fy7vlrv9qid"; }; configureFlags = [ From 020f6cfadc0d95a91e441d9f24851e3a53c6a428 Mon Sep 17 00:00:00 2001 From: "William A. Kennington III" Date: Tue, 17 Nov 2015 21:10:52 -0800 Subject: [PATCH 32/61] xorg-server: 1.17.2 -> 1.18.0 --- pkgs/servers/x11/xorg/default.nix | 6 +-- pkgs/servers/x11/xorg/fix_segfault.patch | 63 ------------------------ pkgs/servers/x11/xorg/overrides.nix | 2 +- 3 files changed, 4 insertions(+), 67 deletions(-) delete mode 100644 pkgs/servers/x11/xorg/fix_segfault.patch diff --git a/pkgs/servers/x11/xorg/default.nix b/pkgs/servers/x11/xorg/default.nix index c64a0fd86b5..c1e0ab6a8f6 100644 --- a/pkgs/servers/x11/xorg/default.nix +++ b/pkgs/servers/x11/xorg/default.nix 
@@ -2108,11 +2108,11 @@ let }) // {inherit ;}; xorgserver = (mkDerivation "xorgserver" { - name = "xorg-server-1.17.2"; + name = "xorg-server-1.18.0"; builder = ./builder.sh; src = fetchurl { - url = mirror://xorg/individual/xserver/xorg-server-1.17.2.tar.bz2; - sha256 = "14vr4mm0x94a9bd3sfx9mdh8qhvk48zcml3i8q1wbwi84xhj04gn"; + url = mirror://xorg/individual/xserver/xorg-server-1.18.0.tar.bz2; + sha256 = "0biimwnp17wz80nplybpi940y3dyd7hgp5fyipfwxncmjs0p0mhr"; }; buildInputs = [pkgconfig dri2proto dri3proto renderproto libdrm openssl libX11 libXau libXaw libxcb xcbutil xcbutilwm xcbutilimage xcbutilkeysyms xcbutilrenderutil libXdmcp libXfixes libxkbfile libXmu libXpm libXrender libXres libXt ]; }) // {inherit dri2proto dri3proto renderproto libdrm openssl libX11 libXau libXaw libxcb xcbutil xcbutilwm xcbutilimage xcbutilkeysyms xcbutilrenderutil libXdmcp libXfixes libxkbfile libXmu libXpm libXrender libXres libXt ;}; diff --git a/pkgs/servers/x11/xorg/fix_segfault.patch b/pkgs/servers/x11/xorg/fix_segfault.patch deleted file mode 100644 index b3a7d2ed5e0..00000000000 --- a/pkgs/servers/x11/xorg/fix_segfault.patch +++ /dev/null 
@@ -1,63 +0,0 @@ -From 7cc7ffd25d5e50b54cb942d07d4cb160f20ff9c5 Mon Sep 17 00:00:00 2001 -From: Martin Peres -Date: Fri, 17 Jul 2015 17:21:26 +0300 -Subject: [PATCH] os: make sure the clientsWritable fd_set is initialized - before use - -In WaitForSomething(), the fd_set clientsWritable may be used unitialized when -the boolean AnyClientsWriteBlocked is set in the WakeupHandler(). This leads to -a crash in FlushAllOutput() after x11proto's commit -2c94cdb453bc641246cc8b9a876da9799bee1ce7. - -The problem did not manifest before because both the XFD_SIZE and the maximum -number of clients were set to 256. As the connectionTranslation table was -initalized for the 256 clients to 0, the test on the index not being 0 was -aborting before dereferencing the client #0. - -As of commit 2c94cdb453bc641246cc8b9a876da9799bee1ce7 in x11proto, the XFD_SIZE -got bumped to 512. This lead the OutputPending fd_set to have any fd above 256 -to be uninitialized which in turns lead to reading an index after the end of -the ConnectionTranslation table. This index would then be used to find the -client corresponding to the fd marked as pending writes and would also result -to an out-of-bound access which would usually be the fatal one. - -Fix this by zeroing the clientsWritable fd_set at the beginning of -WaitForSomething(). In this case, the bottom part of the loop, which would -indirectly call FlushAllOutput, will not do any work but the next call to -select will result in the execution of the right codepath. This is exactly what -we want because we need to know the writable clients before handling them. In -the end, it also makes sure that the fds above MaxClient are initialized, -preventing the crash in FlushAllOutput(). - -Thanks to everyone involved in tracking this one down! 
- -Reported-by: Karol Herbst -Reported-by: Tobias Klausmann -Signed-off-by: Martin Peres -Tested-by: Martin Peres -Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=91316 -Cc: Ilia Mirkin -Cc: Martin Peres -Cc: Olivier Fourdan -Cc: Alan Coopersmith ---- - os/WaitFor.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/os/WaitFor.c b/os/WaitFor.c -index 431f1a6..993c14e 100644 ---- a/os/WaitFor.c -+++ b/os/WaitFor.c -@@ -158,6 +158,7 @@ WaitForSomething(int *pClientsReady) - Bool someReady = FALSE; - - FD_ZERO(&clientsReadable); -+ FD_ZERO(&clientsWritable); - - if (nready) - SmartScheduleStopTimer(); --- -2.4.5 - diff --git a/pkgs/servers/x11/xorg/overrides.nix b/pkgs/servers/x11/xorg/overrides.nix index 1339e51eb23..78be046366d 100644 --- a/pkgs/servers/x11/xorg/overrides.nix +++ b/pkgs/servers/x11/xorg/overrides.nix @@ -291,7 +291,7 @@ in dri2proto dri3proto kbproto xineramaproto resourceproto scrnsaverproto videoproto ]; # fix_segfault: https://bugs.freedesktop.org/show_bug.cgi?id=91316 - commonPatches = [ ./xorgserver-xkbcomp-path.patch ./fix_segfault.patch ]; + commonPatches = [ ./xorgserver-xkbcomp-path.patch ]; # XQuartz requires two compilations: the first to get X / XQuartz, # and the second to get Xvfb, Xnest, etc. darwinOtherX = overrideDerivation xorgserver (oldAttrs: { From b52f2f64013dcc206cac1986f7bc9f9b1badc798 Mon Sep 17 00:00:00 2001 From: "William A. Kennington III" Date: Wed, 18 Nov 2015 02:34:22 -0800 Subject: [PATCH 33/61] xorg-server: 1.18.0 -> 1.17.4 There were lots of issues with the proprietary nvidia driver on 352.63 and we don't yet have a proprietary AMD driver. --- pkgs/servers/x11/xorg/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/servers/x11/xorg/default.nix b/pkgs/servers/x11/xorg/default.nix index c1e0ab6a8f6..39acc25c453 100644 --- a/pkgs/servers/x11/xorg/default.nix +++ b/pkgs/servers/x11/xorg/default.nix 
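Review bot: The context line `# fix_segfault: https://bugs.freedesktop.org/show_bug.cgi?id=91316` stays in `overrides.nix` after `./fix_segfault.patch` is removed from `commonPatches`, so the comment now describes a patch that is no longer applied and should be deleted with it. The deleted patch guarded against an out-of-bounds access in `FlushAllOutput()`. The next commit in this series moves xorg-server to 1.17.4 without restoring it, so it is worth confirming that 1.17.4 already contains the `FD_ZERO(&clientsWritable)` change; that cannot be seen from this page.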
@@ -2108,11 +2108,11 @@ let }) // {inherit ;}; xorgserver = (mkDerivation "xorgserver" { - name = "xorg-server-1.18.0"; + name = "xorg-server-1.17.4"; builder = ./builder.sh; src = fetchurl { - url = mirror://xorg/individual/xserver/xorg-server-1.18.0.tar.bz2; - sha256 = "0biimwnp17wz80nplybpi940y3dyd7hgp5fyipfwxncmjs0p0mhr"; + url = mirror://xorg/individual/xserver/xorg-server-1.17.4.tar.bz2; + sha256 = "0mv4ilpqi5hpg182mzqn766frhi6rw48aba3xfbaj4m82v0lajqc"; }; buildInputs = [pkgconfig dri2proto dri3proto renderproto libdrm openssl libX11 libXau libXaw libxcb xcbutil xcbutilwm xcbutilimage xcbutilkeysyms xcbutilrenderutil libXdmcp libXfixes libxkbfile libXmu libXpm libXrender libXres libXt ]; }) // {inherit dri2proto dri3proto renderproto libdrm openssl libX11 libXau libXaw libxcb xcbutil xcbutilwm xcbutilimage xcbutilkeysyms xcbutilrenderutil libXdmcp libXfixes libxkbfile libXmu libXpm libXrender libXres libXt ;}; From 094c374941e68bf667719da15c655f148840ebab Mon Sep 17 00:00:00 2001 From: "Matthias C. M. Troffaes" Date: Wed, 4 Nov 2015 08:26:11 +0000 Subject: [PATCH 34/61] bzip2: fix cross build on mingw by using autoconf patch --- pkgs/tools/compression/bzip2/default.nix | 64 ++++++++---------------- 1 file changed, 20 insertions(+), 44 deletions(-) diff --git a/pkgs/tools/compression/bzip2/default.nix b/pkgs/tools/compression/bzip2/default.nix index a485bf5eab6..286ad16cc86 100644 --- a/pkgs/tools/compression/bzip2/default.nix +++ b/pkgs/tools/compression/bzip2/default.nix @@ -1,11 +1,7 @@ -{ stdenv, fetchurl, linkStatic ? false }: +{ stdenv, fetchurl, libtool, autoconf, automake, pkgconfig, gnum4 }: let version = "1.0.6"; - - sharedLibrary = !stdenv.isDarwin && !(stdenv ? isStatic) - && stdenv.system != "i686-cygwin" && !linkStatic; - in stdenv.mkDerivation { name = "bzip2-${version}"; 
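Review bot: The bzip2 function header drops `linkStatic ? false`, so any caller that still passes `linkStatic` (for example a static-build override) will now fail at evaluation with an unexpected-argument error. No call sites are visible in this patch, so please grep for `linkStatic` users of bzip2. The options are to keep the argument and wire it through to the autoconf build, or to remove it at the call sites in the same commit. The derivation body continues in the next hunk.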
@@ -14,50 +10,30 @@ in stdenv.mkDerivation { sha256 = "1kfrc7f0ja9fdn6j1y6yir6li818npy6217hvr3wzmnmzhs8z152"; }; + patches = [ + # original upstream for the autoconf patch is here: + # http://ftp.suse.com/pub/people/sbrabec/bzip2/for_downstream/bzip2-1.0.6-autoconfiscated.patch + # but we get the mingw-builds version of the patch, which fixes + # a few more issues + (fetchurl { + url = "https://raw.githubusercontent.com/niXman/mingw-builds/17ae841dcf6e72badad7941a06d631edaf687436/patches/bzip2/bzip2-1.0.6-autoconfiscated.patch"; + sha256 = "1flbd3i8vg9kzq0a712qcg9j2c4ymnqvgd0ldyafpzvbqj1iicnp"; + }) + ]; + + patchFlags = "-p0"; + + nativeBuildInputs = [ libtool autoconf automake gnum4 pkgconfig ]; + + preConfigure = "sh ./autogen.sh"; + crossAttrs = { - patchPhase = '' + # https://github.com/niXman/mingw-builds/blob/master/patches/bzip2/bzip2-1.0.5-slash.patch + postPatch = '' sed -i -e '//s|\\|/|' bzip2.c - sed -i -e 's/CC=gcc/CC=${stdenv.cross.config}-gcc/' \ - -e 's/AR=ar/AR=${stdenv.cross.config}-ar/' \ - -e 's/RANLIB=ranlib/RANLIB=${stdenv.cross.config}-ranlib/' \ - -e 's/bzip2recover test/bzip2recover/' \ - Makefile* ''; }; - preBuild = stdenv.lib.optionalString sharedLibrary '' - make -f Makefile-libbz2_so - ''; - - preInstall = stdenv.lib.optionalString sharedLibrary '' - mkdir -p $out/lib - mv libbz2.so* $out/lib - ( cd $out/lib && - ln -s libbz2.so.1.0.? libbz2.so && - ln -s libbz2.so.1.0.? 
libbz2.so.1 - ) - ''; - - installFlags = [ "PREFIX=$(out)" ]; - - postInstall = '' - rm $out/bin/bunzip2* $out/bin/bzcat* - ln -s bzip2 $out/bin/bunzip2 - ln -s bzip2 $out/bin/bzcat - ''; - - patchPhase = stdenv.lib.optionalString stdenv.isDarwin '' - substituteInPlace Makefile --replace 'CC=gcc' 'CC=clang' - ''; - - preConfigure = '' - substituteInPlace Makefile --replace '$(PREFIX)/man' '$(PREFIX)/share/man' - ''; - - makeFlags = stdenv.lib.optional linkStatic "LDFLAGS=-static"; - - inherit linkStatic; - meta = { homepage = "http://www.bzip.org"; description = "high-quality data compression program"; From 22bf2d0bf3a5f80f3c6c2bd6fd4212672e107351 Mon Sep 17 00:00:00 2001 From: "William A. Kennington III" Date: Wed, 18 Nov 2015 17:49:54 -0800 Subject: [PATCH 35/61] flex: 2.5.39 -> 2.6.0 --- .../tools/parsing/flex/{2.5.39.nix => default.nix} | 8 ++++---- pkgs/top-level/all-packages.nix | 3 +-- 2 files changed, 5 insertions(+), 6 deletions(-) rename pkgs/development/tools/parsing/flex/{2.5.39.nix => default.nix} (75%) diff --git a/pkgs/development/tools/parsing/flex/2.5.39.nix b/pkgs/development/tools/parsing/flex/default.nix similarity index 75% rename from pkgs/development/tools/parsing/flex/2.5.39.nix rename to pkgs/development/tools/parsing/flex/default.nix index 93d54803e7c..57ce29f5175 100644 --- a/pkgs/development/tools/parsing/flex/2.5.39.nix +++ b/pkgs/development/tools/parsing/flex/default.nix @@ -1,11 +1,11 @@ { stdenv, fetchurl, bison, m4 }: -stdenv.mkDerivation { - name = "flex-2.5.39"; +stdenv.mkDerivation rec { + name = "flex-2.6.0"; src = fetchurl { - url = mirror://sourceforge/flex/flex-2.5.39.tar.bz2; - sha256 = "0zv15giw3gma03y2bzw78hjfy49vyir7vbcgnh9bb3637dgvblmd"; + url = "mirror://sourceforge/flex/${name}.tar.bz2"; + sha256 = "1sdqx63yadindzafrq1w31ajblf9gl1c301g068s20s7bbpi3ri4"; }; buildInputs = [ bison ]; diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 8fcc8a6b419..e1d494c8abc 100644 
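Review bot: The new comment above `postPatch` links to `blob/master/patches/bzip2/bzip2-1.0.5-slash.patch`, a moving reference, while the `fetchurl` in `patches` pins mingw-builds at commit `17ae841dcf6e72badad7941a06d631edaf687436`. Pointing the comment at the same commit keeps the provenance trail reproducible. The fetched patch supplies the whole build system that `preConfigure = "sh ./autogen.sh"` then runs, so the `sha256` is the only integrity control on third-party build scripts. Add a short comment saying the patch was compared with the SUSE original named above, if that was done.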
--- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -5613,8 +5613,7 @@ let jdepend = callPackage ../development/tools/analysis/jdepend { }; flex_2_5_35 = callPackage ../development/tools/parsing/flex/2.5.35.nix { }; - flex_2_5_39 = callPackage ../development/tools/parsing/flex/2.5.39.nix { }; - flex = flex_2_5_39; + flex = callPackage ../development/tools/parsing/flex/default.nix { }; flexcpp = callPackage ../development/tools/parsing/flexc++ { }; From 914e9baefe9b606ed331ba427af50c41715f973d Mon Sep 17 00:00:00 2001 From: Jude Taylor Date: Fri, 6 Nov 2015 17:44:02 -0800 Subject: [PATCH 36/61] start on sandbox stuff --- lib/default.nix | 3 +- lib/sandbox.nix | 40 ++++++++++++ pkgs/build-support/fetchurl/default.nix | 4 ++ .../interpreters/perl/5.16/default.nix | 2 + .../interpreters/perl/5.20/default.nix | 6 +- .../CoreOSMakefiles/default.nix | 2 +- .../adv_cmds/default.nix | 65 +++++++++++++------ .../apple-source-releases/bsdmake/default.nix | 45 +++++++++++++ .../darwin/apple-source-releases/default.nix | 7 +- pkgs/stdenv/generic/default.nix | 26 ++++---- pkgs/stdenv/pure-darwin/default.nix | 46 ++++++------- pkgs/stdenv/pure-darwin/standard-sandbox.sb | 65 +++++++++++++++++++ pkgs/top-level/all-packages.nix | 4 +- 13 files changed, 251 insertions(+), 64 deletions(-) create mode 100644 lib/sandbox.nix create mode 100644 pkgs/os-specific/darwin/apple-source-releases/bsdmake/default.nix create mode 100644 pkgs/stdenv/pure-darwin/standard-sandbox.sb diff --git a/lib/default.nix b/lib/default.nix index cd0d8161c8c..32ac0c58af6 100644 --- a/lib/default.nix +++ b/lib/default.nix 
@@ -17,10 +17,11 @@ let systems = import ./systems.nix; customisation = import ./customisation.nix; licenses = import ./licenses.nix; + sandbox = import ./sandbox.nix; in { inherit trivial lists strings stringsWithDeps attrsets sources options - modules types meta debug maintainers licenses platforms systems; + modules types meta debug maintainers licenses platforms systems sandbox; } # !!! don't include everything at top-level; perhaps only the most # commonly used functions. diff --git a/lib/sandbox.nix b/lib/sandbox.nix new file mode 100644 index 00000000000..2deee89e12c --- /dev/null +++ b/lib/sandbox.nix @@ -0,0 +1,40 @@ +with import ./strings.nix; + +/* Helpers for creating lisp S-exprs for the Apple sandbox + +lib.sandbox.allowFileRead [ "/usr/bin/file" ]; + # => "(allow file-read* (literal \"/usr/bin/file\"))"; + +lib.sandbox.allowFileRead { + literal = [ "/usr/bin/file" ]; + subpath = [ "/usr/lib/system" ]; +} + # => "(allow file-read* (literal \"/usr/bin/file\") (subpath \"/usr/lib/system\"))" +*/ + +let + +sexp = tokens: "(" + builtins.concatStringsSep " " tokens + ")"; +generateFileList = files: + if builtins.isList files + then concatMapStringsSep " " (x: sexp [ "literal" x ]) files + else concatStringsSep " " ( + (map (x: sexp [ "literal" ''"${x}"'' ]) (files.literal or [])) ++ + (map (x: sexp [ "subpath" ''"${x}"'' ]) (files.subpath or [])) + ); +applyToFiles = f: act: files: f "${act} ${generateFileList files}"; +genActions = actionName: let + action = feature: sexp [ actionName feature ]; + self = { + "${actionName}" = action; + "${actionName}File" = applyToFiles action "file*"; + "${actionName}FileRead" = applyToFiles action "file-read*"; + "${actionName}FileReadMetadata" = applyToFiles action "file-read-metadata"; + "${actionName}FileWrite" = applyToFiles action "file-write*"; + "${actionName}FileWriteMetadata" = applyToFiles action "file-write-metadata"; + }; + in self; + +in + +genActions "allow" // genActions "deny" 
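Review bot: In `lib/sandbox.nix`, the list branch of `generateFileList` emits the path unquoted (`sexp [ "literal" x ]`), while the attrset branch wraps it in double quotes. `allowFileRead [ "/usr/bin/file" ]` therefore yields `(literal /usr/bin/file)`, not the quoted form promised in the header comment. The list branch should be `then concatMapStringsSep " " (x: sexp [ "literal" ''"${x}"'' ]) files`. Neither branch escapes `"` or `\` inside a path, so a path containing those characters can change the structure of the generated profile; escaping them before interpolation, or rejecting such paths, would close that gap. The helpers also have no per-function comments, and a line on `genActions` listing the attribute names it generates would help readers.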
diff --git a/pkgs/build-support/fetchurl/default.nix b/pkgs/build-support/fetchurl/default.nix index b1dc6e7be31..96ad0c2864b 100644 --- a/pkgs/build-support/fetchurl/default.nix +++ b/pkgs/build-support/fetchurl/default.nix @@ -118,6 +118,10 @@ if (!hasHash) then throw "Specify hash for fetchurl fixed-output derivation: ${s outputHashMode = if recursiveHash then "recursive" else "flat"; + __sandboxProfile = '' + (allow network-outbound) + ''; + inherit curlOpts showURLs mirrorsFile impureEnvVars postFetch downloadToTemp; # Doing the download on a remote machine just duplicates network diff --git a/pkgs/development/interpreters/perl/5.16/default.nix b/pkgs/development/interpreters/perl/5.16/default.nix index 568025edfd4..8a89d97a100 100644 --- a/pkgs/development/interpreters/perl/5.16/default.nix +++ b/pkgs/development/interpreters/perl/5.16/default.nix @@ -33,6 +33,8 @@ stdenv.mkDerivation rec { pwd="$(type -P pwd)" substituteInPlace dist/Cwd/Cwd.pm \ --replace "pwd_cmd = 'pwd'" "pwd_cmd = '$pwd'" + grep -R /bin/pwd . + exit 1 ''; # Build a thread-safe Perl with a dynamic libperls.o. We need the diff --git a/pkgs/development/interpreters/perl/5.20/default.nix b/pkgs/development/interpreters/perl/5.20/default.nix index 141484814ea..b2f43d176e8 100644 --- a/pkgs/development/interpreters/perl/5.20/default.nix +++ b/pkgs/development/interpreters/perl/5.20/default.nix 
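Review bot: The added `__sandboxProfile` grants `(allow network-outbound)` with no host or port restriction and no comment explaining why that is acceptable. The surrounding context shows that this derivation throws without a hash and sets `outputHashMode`, so integrity rests on the fixed output hash rather than on the sandbox. A comment would record that, for example `# unrestricted egress is tolerable only because the output is verified against outputHash`. Other hunks in this commit build their rules with `stdenv.lib.sandbox.allow`, and using the helper here would keep the profile fragments uniform, if `stdenv` is in scope at this point.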
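Review bot: The two lines added to the perl 5.16 `postPatch`, `grep -R /bin/pwd .` and `exit 1`, look like leftover debugging, and the unconditional `exit 1` makes the phase fail whenever this `postPatch` runs. Both lines should be removed before merging. If the intent is to assert that no `/bin/pwd` reference survives patching, write it as a guarded check, such as `if grep -Rq /bin/pwd .; then echo "unpatched /bin/pwd" >&2; exit 1; fi`. The start of `postPatch` and its platform condition are outside the hunk.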
@@ -44,12 +44,14 @@ stdenv.mkDerivation rec { # while at the same time erasing the PATH environment variable so it unconditionally # fails. The code in question is guarded by a check for Mac OS, but the patch below # doesn't have any runtime effect on other platforms. - postPatch = stdenv.lib.optional (stdenv.isDarwin && !stdenv.cc.nativeLibc) '' + postPatch = stdenv.lib.optional stdenv.isDarwin '' pwd="$(type -P pwd)" substituteInPlace dist/PathTools/Cwd.pm \ - --replace "pwd_cmd = 'pwd'" "pwd_cmd = '$pwd'" + --replace "/bin/pwd" "$pwd" ''; + __sandboxProfile = stdenv.lib.sandbox.allow "ipc-sysv-sem"; + # Build a thread-safe Perl with a dynamic libperls.o. We need the # "installstyle" option to ensure that modules are put under # $out/lib/perl5 - this is the general default, but because $out diff --git a/pkgs/os-specific/darwin/apple-source-releases/CoreOSMakefiles/default.nix b/pkgs/os-specific/darwin/apple-source-releases/CoreOSMakefiles/default.nix index 9f6031771c2..203ca010d62 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/CoreOSMakefiles/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/CoreOSMakefiles/default.nix @@ -1,7 +1,7 @@ { stdenv, appleDerivation, unifdef }: appleDerivation { - buildinputs = [ unifdef ]; + buildInputs = [ unifdef ]; phases = [ "unpackPhase" "installPhase" ]; diff --git a/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix b/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix index 4bc3a7a7fa4..baeca0f6fe3 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix 
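Review bot: `__sandboxProfile = stdenv.lib.sandbox.allow "ipc-sysv-sem";` widens the perl 5.20 build sandbox without saying which part of the build needs SysV semaphores. The adv_cmds change in this same commit does document its rule, and the same is wanted here, for example `# the test suite exercises SysV semaphores` (reason to be confirmed by the author). The rewritten `postPatch` still uses `stdenv.lib.optional` with a string body, which produces a one-element list; `stdenv.lib.optionalString stdenv.isDarwin` expresses the intent directly. The comment above it still says the patch "doesn't have any runtime effect on other platforms", which is moot now that the substitution is applied on Darwin only.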
@@ -1,32 +1,55 @@ -{ stdenv, appleDerivation, version }: +{ stdenv, appleDerivation, fetchzip, version, bsdmake, perl, flex, yacc, writeScriptBin +}: + +let recentAdvCmds = fetchzip { + url = "http://opensource.apple.com/tarballs/adv_cmds/adv_cmds-158.tar.gz"; + sha256 = "0z081kcprzg5jcvqivfnwvvv6wfxzkjg2jc2lagsf8c7j7vgm8nn"; +}; + +in appleDerivation { + buildInputs = [ bsdmake perl yacc flex (writeScriptBin "lex" "exec ${flex}/bin/flex $@") ]; + + patchPhase = '' + substituteInPlace BSDMakefile \ + --replace chgrp true \ + --replace /Developer/Makefiles/bin/compress-man-pages.pl true \ + --replace "ps.tproj" "" --replace "gencat.tproj" "" --replace "md.tproj" "" \ + --replace "tabs.tproj" "" --replace "cap_mkdb.tproj" "" \ + --replace "!= tconf --test TARGET_OS_EMBEDDED" "= NO" + + substituteInPlace Makefile --replace perl true + + substituteInPlace colldef.tproj/BSDmakefile --replace "-ll" "-lfl" + + for subproject in colldef mklocale monetdef msgdef numericdef timedef; do + substituteInPlace usr-share-locale.tproj/$subproject/BSDmakefile \ + --replace /usr/share/locale "" \ + --replace '-o ''${BINOWN} -g ''${BINGRP}' "" \ + --replace "rsync -a" "cp -r" + done + ''; -appleDerivation { - # Will override the name until we provide all of adv_cmds buildPhase = '' - pushd ps - cc -Os -Wall -I. -c -o fmt.o fmt.c - cc -Os -Wall -I. -c -o keyword.o keyword.c - cc -Os -Wall -I. -c -o nlist.o nlist.c - cc -Os -Wall -I. -c -o print.o print.c - cc -Os -Wall -I. -c -o ps.o ps.c - cc -Os -Wall -I. 
-c -o tasks.o tasks.c - cc -o ps fmt.o keyword.o nlist.o print.o ps.o tasks.o - popd + bsdmake -C colldef.tproj + bsdmake -C mklocale.tproj + bsdmake -C usr-share-locale.tproj - pushd locale - c++ -o locale locale.cc - popd + clang ${recentAdvCmds}/ps/*.c -o ps ''; installPhase = '' - mkdir -p $out/bin $out/share/man/man1 - - cp ps/ps $out/bin/ps - cp ps/ps.1 $out/share/man/man1 - cp locale/locale $out/bin/locale - cp locale/locale.1 $out/share/man/man1 + bsdmake -C usr-share-locale.tproj install DESTDIR="$locale/share/locale" + install -d 0755 $ps/bin + install ps $ps/bin/ps ''; + outputs = [ + "ps" + "locale" + ]; + + # ps uses this syscall to get process info + __propagatedSandboxProfile = stdenv.lib.sandbox.allow "mach-priv-task-port"; meta = { platforms = stdenv.lib.platforms.darwin; diff --git a/pkgs/os-specific/darwin/apple-source-releases/bsdmake/default.nix b/pkgs/os-specific/darwin/apple-source-releases/bsdmake/default.nix new file mode 100644 index 00000000000..dcbf8b43308 --- /dev/null +++ b/pkgs/os-specific/darwin/apple-source-releases/bsdmake/default.nix 
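Review bot: In the adv_cmds `installPhase`, `install -d 0755 $ps/bin` passes the mode as a positional argument, so `install` creates a directory literally named `0755` in the build directory as well as `$ps/bin`. The mode needs `-m`: `install -d -m 0755 "$ps/bin"`. The bsdmake derivation added in this commit has the same mistake in `install -d 0644 $out/bin` and `install -d 0644 $out/share/mk`, and 0644 would not be a usable directory mode anyway. Separately, the `lex` shim `writeScriptBin "lex" "exec ${flex}/bin/flex $@"` leaves `$@` unquoted, which re-splits arguments containing whitespace; it should be `\"$@\"` inside the Nix string.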
@@ -0,0 +1,45 @@ +{ stdenv, appleDerivation, fetchurl, fetchpatch, makeWrapper }: + +appleDerivation { + buildInputs = [ makeWrapper ]; + + patchPhase = '' + substituteInPlace mk/bsd.prog.mk \ + --replace '-o ''${BINOWN} -g ''${BINGRP}' "" \ + --replace '-o ''${SCRIPTSOWN_''${.ALLSRC:T}}' "" \ + --replace '-g ''${SCRIPTSGRP_''${.ALLSRC:T}}' "" + substituteInPlace mk/bsd.lib.mk --replace '-o ''${LIBOWN} -g ''${LIBGRP}' "" + substituteInPlace mk/bsd.info.mk --replace '-o ''${INFOOWN} -g ''${INFOGRP}' "" + substituteInPlace mk/bsd.doc.mk --replace '-o ''${BINOWN} -g ''${BINGRP}' "" + substituteInPlace mk/bsd.man.mk --replace '-o ''${MANOWN} -g ''${MANGRP}' "" + substituteInPlace mk/bsd.files.mk \ + --replace '-o ''${''${group}OWN_''${.ALLSRC:T}}' "" \ + --replace '-g ''${''${group}GRP_''${.ALLSRC:T}}' "" \ + --replace '-o ''${''${group}OWN} -g ''${''${group}GRP}' "" + substituteInPlace mk/bsd.incs.mk \ + --replace '-o ''${''${group}OWN_''${.ALLSRC:T}}' "" \ + --replace '-g ''${''${group}GRP_''${.ALLSRC:T}}' "" \ + --replace '-o ''${''${group}OWN} -g ''${''${group}GRP}' "" + ''; + + buildPhase = '' + objs=() + for file in $(find . -name '*.c'); do + obj="$(basename "$file" .c).o" + objs+=("$obj") + cc -c "$file" -o "$obj" -DDEFSHELLNAME='"sh"' -D__FBSDID=__RCSID -mdynamic-no-pic -g + done + cc "''${objs[@]}" -o bsdmake + ''; + + installPhase = '' + install -d 0644 $out/bin + install -m 0755 bsdmake $out/bin + install -d 0644 $out/share/mk + install -m 0755 mk/* $out/share/mk + ''; + + preFixup = '' + wrapProgram "$out/bin/bsdmake" --add-flags "-m $out/share/mk" + ''; +} diff --git a/pkgs/os-specific/darwin/apple-source-releases/default.nix b/pkgs/os-specific/darwin/apple-source-releases/default.nix index 906e0ad2d54..b494f5ae346 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/default.nix 
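Review bot: The bsdmake `buildPhase` names each object after the source file's basename only (`obj="$(basename "$file" .c).o"`) while `find` walks the whole tree. Two `.c` files with the same name in different directories would overwrite each other's object and put it on the link line twice. `for file in $(find . -name '*.c')` also word-splits paths. If the source tree is flat this is harmless; a comment saying so would do, or derive the object name from the full relative path. `install -m 0755 mk/* $out/share/mk` marks the makefile includes executable, and `-m 0644` looks like the intended mode for them.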
@@ -48,16 +48,19 @@ let IOKitSrcs = stdenv.lib.mapAttrs (name: value: if builtins.isFunction value then value name else value) IOKitSpecs; + adv_cmds = applePackage "adv_cmds" "119" "102ssayxbg9wb35mdmhswbnw0bg7js3pfd8fcbic83c5q3bqa6c6" {}; + packages = { - adv_cmds = applePackage "adv_cmds" "153" "174v6a4zkcm2pafzgdm6kvs48z5f911zl7k49hv7kjq6gm58w99v" {}; + inherit (adv_cmds) ps locale; architecture = applePackage "architecture" "265" "05wz8wmxlqssfp29x203fwfb8pgbdjj1mpz12v508658166yzqj8" {}; bootstrap_cmds = applePackage "bootstrap_cmds" "86" "0xr0296jm1r3q7kbam98h85g23qlfi763z54ahj563n636kyk2wb" {}; + bsdmake = applePackage "bsdmake" "24" "11a9kkhz5bfgi1i8kpdkis78lhc6b5vxmhd598fcdgra1jw4iac2" {}; CarbonHeaders = applePackage "CarbonHeaders" "9A581" "1hc0yijlpwq39x5bic6nnywqp2m1wj1f11j33m2q7p505h1h740c" {}; CF = applePackage "CF" "855.17" "1sadmxi9fsvsmdyxvg2133sdzvkzwil5fvyyidxsyk1iyfzqsvln" {}; CommonCrypto = applePackage "CommonCrypto" "60049" "1azin6w7cnzl0iv8kd2qzgwcp6a45zy64y5z1i6jysjcl6xmlw2h" {}; configd = applePackage "configd" "453.19" "1gxakahk8gallf16xmhxhprdxkh3prrmzxnmxfvj0slr0939mmr2" {}; copyfile = applePackage "copyfile" "103.92.1" "15i2hw5aqx0fklvmq6avin5s00adacvzqc740vviwc2y742vrdcd" {}; - CoreOSMakefiles = applePackage "CoreOSMakefiles" "76" "0sw3w3sjil0kvxz8y86b81sz82rcd1nijayki1a1bsnsf0hz6qbf" {}; + CoreOSMakefiles = applePackage "CoreOSMakefiles" "40" "0kxp53spbn7109l7cvhi88pmfsi81lwmbws819b6wr3hm16v84f4" {}; Csu = applePackage "Csu" "79" "1hif4dz23isgx85sgh11yg8amvp2ksvvhz3y5v07zppml7df2lnh" {}; dtrace = applePackage "dtrace" "118.1" "0pp5x8dgvzmg9vvg32hpy2brm17dpmbwrcr4prsmdmfvd4767wcf" {}; dyld = applePackage "dyld" "239.4" "07z7lyv6x0f6gllb5hymccl31zisrdhz4gqp722xcs9nhsqaqvn7" {}; diff --git a/pkgs/stdenv/generic/default.nix b/pkgs/stdenv/generic/default.nix index 246ca3696d5..c2324c86eb5 100644 --- a/pkgs/stdenv/generic/default.nix +++ b/pkgs/stdenv/generic/default.nix 
@@ -12,6 +12,8 @@ let lib = import ../../../lib; in lib.makeOverridable ( , extraBuildInputs ? [] , __stdenvImpureHostDeps ? [] , __extraImpureHostDeps ? [] +, __stdenvSandboxProfile ? "" +, __extraSandboxProfile ? "" }: let @@ -100,6 +102,8 @@ let , outputs ? [ "out" ] , __impureHostDeps ? [] , __propagatedImpureHostDeps ? [] + , __sandboxProfile ? "" + , __propagatedSandboxProfile ? "" , ... } @ attrs: let pos' = @@ -149,13 +153,14 @@ let lib.addPassthru (derivation ( (removeAttrs attrs ["meta" "passthru" "crossAttrs" "pos" - "__impureHostDeps" "__propagatedImpureHostDeps"]) + "__impureHostDeps" "__propagatedImpureHostDeps" + "__sandboxProfile" "__propagatedSandboxProfile"]) // (let # TODO: remove lib.unique once nix has a list canonicalization primitive - computedImpureHostDeps = - lib.unique (lib.concatMap (input: input.__propagatedImpureHostDeps or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs)); - computedPropagatedImpureHostDeps = - lib.unique (lib.concatMap (input: input.__propagatedImpureHostDeps or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs)); + computedSandboxProfile = + lib.concatStrings (lib.unique (builtins.map (input: input.__propagatedSandboxProfile or "") (extraBuildInputs ++ buildInputs ++ nativeBuildInputs))); + computedPropagatedSandboxProfile = + lib.concatStrings (lib.unique (builtins.map (input: input.__propagatedSandboxProfile or "") (propagatedBuildInputs ++ propagatedNativeBuildInputs))); in { builder = attrs.realBuilder or shell; 
@@ -173,13 +178,8 @@ let propagatedNativeBuildInputs = propagatedNativeBuildInputs ++ (if crossConfig == null then propagatedBuildInputs else []); } // ifDarwin { - __impureHostDeps = computedImpureHostDeps ++ computedPropagatedImpureHostDeps ++ __propagatedImpureHostDeps ++ __impureHostDeps ++ __extraImpureHostDeps ++ [ - "/dev/zero" - "/dev/random" - "/dev/urandom" - "/bin/sh" - ]; - __propagatedImpureHostDeps = computedPropagatedImpureHostDeps ++ __propagatedImpureHostDeps; + __sandboxProfile = computedSandboxProfile + computedPropagatedSandboxProfile + __propagatedSandboxProfile + __sandboxProfile + __extraSandboxProfile; + __propagatedSandboxProfile = computedPropagatedSandboxProfile + __propagatedSandboxProfile; } // (if outputs' != [ "out" ] then { outputs = outputs'; } else { })))) ( @@ -216,7 +216,7 @@ let inherit preHook initialPath shell defaultNativeBuildInputs; } // ifDarwin { - __impureHostDeps = __stdenvImpureHostDeps; + __sandboxProfile = __stdenvSandboxProfile; }) // rec { diff --git a/pkgs/stdenv/pure-darwin/default.nix b/pkgs/stdenv/pure-darwin/default.nix index d13dc98cd74..fb3559659e5 100644 --- a/pkgs/stdenv/pure-darwin/default.nix +++ b/pkgs/stdenv/pure-darwin/default.nix @@ -5,18 +5,7 @@ }: let - # libSystem and its transitive dependencies. Get used to this; it's a recurring theme in darwin land - libSystemClosure = [ - "/usr/lib/libSystem.dylib" - "/usr/lib/libSystem.B.dylib" - "/usr/lib/libobjc.A.dylib" - "/usr/lib/libobjc.dylib" - "/usr/lib/libauto.dylib" - "/usr/lib/libc++abi.dylib" - "/usr/lib/libc++.1.dylib" - "/usr/lib/libDiagnosticMessagesClient.dylib" - "/usr/lib/system" - ]; + libSystemProfile = builtins.readFile ./standard-sandbox.sb; fetch = { file, sha256, executable ? true }: import { url = "http://tarballs.nixos.org/stdenv-darwin/x86_64/4f07c88d467216d9692fefc951deb5cd3c4cc722/${file}"; 
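Review bot: `__impureHostDeps` and `__propagatedImpureHostDeps` are still accepted as arguments and still stripped by `removeAttrs`, but after the `@@ -173,13 +178,8 @@` hunk nothing forwards them to `derivation`, so a package that still sets them evaluates cleanly and then builds without the host paths it asked for. That fails closed, which is the safe direction, but it shows up as an unexplained sandbox denial at build time. Rejecting non-empty values would surface it at evaluation instead, e.g. `assert __impureHostDeps == [] && __propagatedImpureHostDeps == [];`. The enclosing function body extends beyond these hunks, so other uses of the old attributes are not visible here.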
@@ -46,7 +35,9 @@ in rec { ''; # The one dependency of /bin/sh :( - binShClosure = [ "/usr/lib/libncurses.5.4.dylib" ]; + binShClosure = '' + (allow file-read* (literal "/usr/lib/libncurses.5.4.dylib")) + ''; bootstrapTools = derivation rec { inherit system tarball; @@ -57,7 +48,7 @@ in rec { inherit (bootstrapFiles) mkdir bzip2 cpio; - __impureHostDeps = binShClosure ++ libSystemClosure; + __sandboxProfile = binShClosure + libSystemProfile; }; stageFun = step: last: {shell ? "${bootstrapTools}/bin/sh", @@ -100,8 +91,8 @@ in rec { }; # The stdenvs themselves don't use mkDerivation, so I need to specify this here - __stdenvImpureHostDeps = binShClosure ++ libSystemClosure; - __extraImpureHostDeps = binShClosure ++ libSystemClosure; + __stdenvSandboxProfile = binShClosure + libSystemProfile; + __extraSandboxProfile = binShClosure + libSystemProfile; extraAttrs = { inherit platform; }; overrides = pkgs: (overrides pkgs) // { fetchurl = thisStdenv.fetchurlBoot; }; @@ -178,10 +169,14 @@ in rec { }; stage2 = with stage1; stageFun 2 stage1 { + extraPreHook = '' + export PATH_LOCALE=${pkgs.darwin.locale}/share/locale + ''; + allowedRequisites = [ bootstrapTools ] ++ (with pkgs; [ xz libcxx libcxxabi icu ]) ++ - (with pkgs.darwin; [ dyld Libsystem CF ]); + (with pkgs.darwin; [ dyld Libsystem CF locale ]); overrides = persistent1; }; @@ -196,7 +191,7 @@ in rec { darwin = orig.darwin // { inherit (darwin) - dyld Libsystem xnu configd libdispatch libclosure launchd libiconv; + dyld Libsystem xnu configd libdispatch libclosure launchd libiconv locale; }; }; 
@@ -209,10 +204,14 @@ in rec { # patches our shebangs back to point at bootstrapTools. This makes sure bash comes first. extraInitialPath = [ pkgs.bash ]; + extraPreHook = '' + export PATH_LOCALE=${pkgs.darwin.locale}/share/locale + ''; + allowedRequisites = [ bootstrapTools ] ++ (with pkgs; [ icu bash libcxx libcxxabi ]) ++ - (with pkgs.darwin; [ dyld Libsystem ]); + (with pkgs.darwin; [ dyld Libsystem locale ]); overrides = persistent2; }; @@ -230,13 +229,16 @@ in rec { }; darwin = orig.darwin // { - inherit (darwin) dyld Libsystem libiconv; + inherit (darwin) dyld Libsystem libiconv locale; }; }; stage4 = with stage3; stageFun 4 stage3 { shell = "${pkgs.bash}/bin/bash"; extraInitialPath = [ pkgs.bash ]; + extraPreHook = '' + export PATH_LOCALE=${pkgs.darwin.locale}/share/locale + ''; overrides = persistent3; }; @@ -263,8 +265,8 @@ in rec { preHook = commonPreHook; - __stdenvImpureHostDeps = binShClosure ++ libSystemClosure; - __extraImpureHostDeps = binShClosure ++ libSystemClosure; + __stdenvSandboxProfile = binShClosure + libSystemProfile; + __extraSandboxProfile = binShClosure + libSystemProfile; initialPath = import ../common-path.nix { inherit pkgs; }; shell = "${pkgs.bash}/bin/bash"; diff --git a/pkgs/stdenv/pure-darwin/standard-sandbox.sb b/pkgs/stdenv/pure-darwin/standard-sandbox.sb new file mode 100644 index 00000000000..670ab01f347 --- /dev/null +++ b/pkgs/stdenv/pure-darwin/standard-sandbox.sb 
@@ -0,0 +1,65 @@
+(define TMPDIR (param "_GLOBAL_TMP_DIR"))
+
+; obvious
+(allow process-fork)
+
+; allow reading system information like #CPUs, etc.
+(allow sysctl-read)
+
+; IPC
+(allow ipc-posix-sem)
+
+; Unix sockets
+(allow system-socket)
+
+; all runtime dependencies of libSystem.dylib
+(allow file-read*
+ (literal "/usr/lib/libSystem.dylib")
+ (literal "/usr/lib/libSystem.B.dylib")
+ (literal "/usr/lib/libobjc.A.dylib")
+ (literal "/usr/lib/libobjc.dylib")
+ (literal "/usr/lib/libauto.dylib")
+ (literal "/usr/lib/libc++abi.dylib")
+ (literal "/usr/lib/libc++.1.dylib")
+ (literal "/usr/lib/libDiagnosticMessagesClient.dylib")
+ (subpath "/usr/lib/system"))
+
+; tmp
+(allow file* process-exec (literal "/tmp") (subpath TMPDIR))
+
+; clang likes to read the system version
+(allow file-read* (literal "/System/Library/CoreServices/SystemVersion.plist"))
+
+; used for bootstrap builders
+(allow process-exec* (literal "/bin/sh"))
+
+; standard devices
+(allow file*
+ (literal "/dev/null")
+ (literal "/dev/random")
+ (literal "/dev/stdin")
+ (literal "/dev/stdout")
+ (literal "/dev/tty")
+ (literal "/dev/urandom")
+ (literal "/dev/zero")
+ (subpath "/dev/fd"))
+
+; does nothing, but reduces build noise
+(allow file* (literal "/dev/dtracehelper"))
+
+; ICU data and zoneinfo data are hardcoded
+; both are in libicucore and zoneinfo is in libsystem_c as well
+(allow file-read* (subpath "/usr/share/icu") (subpath "/usr/share/zoneinfo"))
+
+; lots of autoconf projects want to list this directory
+(allow file-read-metadata (literal "/var") (literal "/private/var/tmp"))
+
+; mute annoying failures
+(deny file-read-metadata (with no-log)
+ (literal "/etc")
+ (subpath "/usr/bin"))
+
+(deny process-exec* (with no-log)
+ (literal "/usr/bin/arch")
+ (literal "/usr/bin/hostinfo")
+ (literal "/usr/bin/uname"))
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index fe750870f57..4531fbcc183 100644
--- a/pkgs/top-level/all-packages.nix
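Review bot: Nothing in the new `standard-sandbox.sb` states the default action: it holds only `allow` rules and two `(deny … (with no-log))` rules, so what happens to an unlisted operation depends on a preamble supplied elsewhere, presumably by the Nix builder. A header comment would make the file safe to read on its own, for example `; fragment only: the enclosing profile is expected to set the default action to deny`. The `; standard devices` block grants `file*`, which includes write and metadata changes, on `/dev/random`, `/dev/urandom`, `/dev/zero` and `/dev/tty`; if builds only read the first three, `file-read*` on them is the narrower grant. The comments `; obvious` and `; Unix sockets` do not say what breaks without the rule, which the other comments in this file do.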
+++ b/pkgs/top-level/all-packages.nix @@ -1553,7 +1553,7 @@ let garmintools = callPackage ../development/libraries/garmintools {}; gawk = callPackage ../tools/text/gawk { - locale = darwin.adv_cmds; + inherit (darwin) locale; }; gawkInteractive = appendToName "interactive" @@ -5486,7 +5486,7 @@ let cmake = callPackage ../development/tools/build-managers/cmake { wantPS = stdenv.isDarwin; - ps = if stdenv.isDarwin then darwin.adv_cmds else null; + inherit (darwin) ps; }; cmakeCurses = cmake.override { useNcurses = true; }; From df80090d092a9dec4393060bb1ab8f278aba11f2 Mon Sep 17 00:00:00 2001 From: Jude Taylor Date: Thu, 12 Nov 2015 18:59:17 -0800 Subject: [PATCH 37/61] use per-derivation sandbox profiles --- lib/sandbox.nix | 26 ++++++-- .../applications/editors/emacs-24/default.nix | 4 +- pkgs/applications/editors/vim/default.nix | 2 + .../git-and-tools/git/default.nix | 3 + pkgs/build-support/fetchurl/default.nix | 4 +- .../haskell-modules/configuration-common.nix | 4 ++ .../interpreters/python/2.7/default.nix | 8 ++- pkgs/os-specific/darwin/apple-sdk/default.nix | 17 ++++- .../apple-sdk/generate-framework-profile.nix | 64 +++++++++++++++++++ .../apple-source-releases/CF/default.nix | 12 ++-- .../adv_cmds/default.nix | 42 ++++++++++-- .../apple-source-releases/configd/default.nix | 4 ++ .../darwin/apple-source-releases/default.nix | 4 +- .../libsecurity_generic/default.nix | 3 + .../libsecurity_utilities/default.nix | 3 + pkgs/stdenv/generic/default.nix | 13 ++-- pkgs/stdenv/pure-darwin/default.nix | 12 ++-- pkgs/stdenv/pure-darwin/standard-sandbox.sb | 27 +++++--- pkgs/top-level/all-packages.nix | 2 +- pkgs/top-level/perl-packages.nix | 1 + pkgs/top-level/python-packages.nix | 4 ++ 21 files changed, 209 insertions(+), 50 deletions(-) create mode 100644 pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix diff --git a/lib/sandbox.nix b/lib/sandbox.nix index 2deee89e12c..9a429cf2ae6 100644 --- a/lib/sandbox.nix +++ b/lib/sandbox.nix 
@@ -17,11 +17,13 @@ let sexp = tokens: "(" + builtins.concatStringsSep " " tokens + ")"; generateFileList = files: if builtins.isList files - then concatMapStringsSep " " (x: sexp [ "literal" x ]) files - else concatStringsSep " " ( - (map (x: sexp [ "literal" ''"${x}"'' ]) (files.literal or [])) ++ - (map (x: sexp [ "subpath" ''"${x}"'' ]) (files.subpath or [])) - ); + then concatMapStringsSep " " (x: sexp [ "literal" ''"${x}"'' ]) files + else if builtins.isString files + then generateFileList [ files ] + else concatStringsSep " " ( + (map (x: sexp [ "literal" ''"${x}"'' ]) (files.literal or [])) ++ + (map (x: sexp [ "subpath" ''"${x}"'' ]) (files.subpath or [])) + ); applyToFiles = f: act: files: f "${act} ${generateFileList files}"; genActions = actionName: let action = feature: sexp [ actionName feature ]; 
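Review bot: `generateFileList` now wraps each path as `''"${x}"''` without escaping it, so a path containing `"` or `\` ends the string literal early and the rest is read as profile syntax. The inputs are package expressions rather than user data, but this helper builds security policy, so the quoting should be total: escape both characters before interpolating, e.g. `''"${escape [ "\"" "\\" ] x}"''` if `escape` from `lib/strings.nix` is in scope (the top of the file is outside the hunk). The new `isString` branch also changes what a bare string argument means; a one-line comment above `generateFileList` listing the three accepted shapes (list, string, set with `literal`/`subpath`) would document that.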
@@ -30,11 +32,23 @@ genActions = actionName: let "${actionName}File" = applyToFiles action "file*"; "${actionName}FileRead" = applyToFiles action "file-read*"; "${actionName}FileReadMetadata" = applyToFiles action "file-read-metadata"; + "${actionName}DirectoryList" = self."${actionName}FileReadMetadata"; "${actionName}FileWrite" = applyToFiles action "file-write*"; "${actionName}FileWriteMetadata" = applyToFiles action "file-write-metadata"; + "${actionName}Network" = sexp [ actionName "network*" ]; + "${actionName}NetworkBind" = sexp [ actionName "network-bind" ]; + "${actionName}NetworkInbound" = sexp [ actionName "network-inbound" ]; + "${actionName}NetworkOutbound" = sexp [ actionName "network-outbound" ]; + "${actionName}NetworkLocal" = sexp [ actionName "network*" (sexp [ "local" "ip" ]) ]; + "${actionName}NetworkInboundLocal" = sexp [ actionName "network-inbound" (sexp [ "local" "ip" ]) ]; + "${actionName}NetworkOutboundLocal" = sexp [ actionName "network-outbound" (sexp [ "local" "ip" ]) ]; }; in self; in -genActions "allow" // genActions "deny" +genActions "allow" // genActions "deny" // { + importProfile = derivation: '' + (import "${derivation}") + ''; +} diff --git a/pkgs/applications/editors/emacs-24/default.nix b/pkgs/applications/editors/emacs-24/default.nix index 59f9f711004..c2956006fb4 100644 --- a/pkgs/applications/editors/emacs-24/default.nix +++ b/pkgs/applications/editors/emacs-24/default.nix @@ -1,7 +1,7 @@ { stdenv, fetchurl, ncurses, xlibsWrapper, libXaw, libXpm, Xaw3d , pkgconfig, gettext, libXft, dbus, libpng, libjpeg, libungif , libtiff, librsvg, texinfo, gconf, libxml2, imagemagick, gnutls -, alsaLib, cairo, acl, gpm, AppKit +, alsaLib, cairo, acl, gpm, AppKit, CoreWLAN, Kerberos, GSS, ImageIO , withX ? !stdenv.isDarwin , withGTK3 ? false, gtk3 ? null , withGTK2 ? true, gtk2 
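Review bot: `NetworkLocal`, `NetworkInboundLocal` and `NetworkOutboundLocal` emit `(local ip)` with no address, and in the sandbox profile language `local`/`remote` name which end of the socket a filter applies to rather than meaning loopback. I would not expect this to confine traffic to the loopback interface, so it is worth confirming with a connection to a non-loopback address that should be denied; if loopback-only is the intent the filter needs a host argument such as `"localhost:*"`. `DirectoryList` is an alias for `file-read-metadata`, which as far as I know covers stat-style access and not reading directory entries, so the name overstates the grant. The `importProfile` parameter named `derivation` shadows the builtin of the same name; `profileFile` would read better.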
@@ -49,7 +49,7 @@ stdenv.mkDerivation rec { ++ stdenv.lib.optional (withX && withGTK3) gtk3 ++ stdenv.lib.optional (stdenv.isDarwin && withX) cairo; - propagatedBuildInputs = stdenv.lib.optional stdenv.isDarwin AppKit; + propagatedBuildInputs = stdenv.lib.optionals stdenv.isDarwin [ AppKit GSS ImageIO ]; configureFlags = if stdenv.isDarwin diff --git a/pkgs/applications/editors/vim/default.nix b/pkgs/applications/editors/vim/default.nix index ab7b08d8186..08e0e05590f 100644 --- a/pkgs/applications/editors/vim/default.nix +++ b/pkgs/applications/editors/vim/default.nix @@ -43,6 +43,8 @@ stdenv.mkDerivation rec { ]; }; + __sandboxProfile = stdenv.lib.sandbox.allowFileRead "/dev/ptmx"; + # To fix the trouble in vim73, that it cannot cross-build with this patch # to bypass a configure script check that cannot be done cross-building. # http://groups.google.com/group/vim_dev/browse_thread/thread/66c02efd1523554b?pli=1 diff --git a/pkgs/applications/version-management/git-and-tools/git/default.nix b/pkgs/applications/version-management/git-and-tools/git/default.nix index 0f079314959..57ebb7397bc 100644 --- a/pkgs/applications/version-management/git-and-tools/git/default.nix +++ b/pkgs/applications/version-management/git-and-tools/git/default.nix @@ -36,6 +36,9 @@ stdenv.mkDerivation { # required to support pthread_cancel() NIX_LDFLAGS = stdenv.lib.optionalString (!stdenv.isDarwin) "-lgcc_s"; + # without this, git fails when trying to check for /etc/gitconfig existence + __propagatedSandboxProfile = stdenv.lib.sandbox.allowDirectoryList "/etc"; + makeFlags = "prefix=\${out} sysconfdir=/etc/ PERL_PATH=${perl}/bin/perl SHELL_PATH=${stdenv.shell} " + (if pythonSupport then "PYTHON_PATH=${python}/bin/python" else "NO_PYTHON=1") + (if stdenv.isSunOS then " INSTALL=install NO_INET_NTOP= NO_INET_PTON=" else "") diff --git a/pkgs/build-support/fetchurl/default.nix b/pkgs/build-support/fetchurl/default.nix index 96ad0c2864b..bcd279380a3 100644 
--- a/pkgs/build-support/fetchurl/default.nix +++ b/pkgs/build-support/fetchurl/default.nix @@ -118,9 +118,7 @@ if (!hasHash) then throw "Specify hash for fetchurl fixed-output derivation: ${s outputHashMode = if recursiveHash then "recursive" else "flat"; - __sandboxProfile = '' - (allow network-outbound) - ''; + __sandboxProfile = stdenv.lib.sandbox.allowNetworkOutbound; inherit curlOpts showURLs mirrorsFile impureEnvVars postFetch downloadToTemp; diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix index edafbe5eab6..2dac800bace 100644 --- a/pkgs/development/haskell-modules/configuration-common.nix +++ b/pkgs/development/haskell-modules/configuration-common.nix @@ -924,4 +924,8 @@ self: super: { librarySystemDepends = (drv.librarySystemDepends or []) ++ [ pkgs.ncurses ]; }); + streaming-commons = pkgs.stdenv.lib.overrideDerivation super.streaming-commons (drv: { + __sandboxProfile = drv.__sandboxProfile + + pkgs.stdenv.lib.sandbox.allowNetworkLocal; + }); } diff --git a/pkgs/development/interpreters/python/2.7/default.nix b/pkgs/development/interpreters/python/2.7/default.nix index e08fde3c8bf..f624bd5d85e 100644 --- a/pkgs/development/interpreters/python/2.7/default.nix +++ b/pkgs/development/interpreters/python/2.7/default.nix @@ -97,7 +97,9 @@ let ] ++ optionals x11Support [ tcl tk xlibsWrapper libX11 ] ) ++ optional zlibSupport zlib - ++ optionals stdenv.isDarwin [ CF configd ]; + ++ optional stdenv.isDarwin CF; + + propagatedBuildInputs = optional stdenv.isDarwin configd; # Build the basic Python interpreter without modules that have # external dependencies. 
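Review bot: The `streaming-commons` override reads `drv.__sandboxProfile` unconditionally, but `pkgs/stdenv/generic/default.nix` strips `__sandboxProfile` with `removeAttrs` and re-adds it only under `ifDarwin`, so on other platforms this looks like a missing-attribute error at evaluation. `(drv.__sandboxProfile or "")` avoids that. The two fragments are also joined with a bare `+`, so the result relies on the first one ending cleanly; `(drv.__sandboxProfile or "") + "\n" + pkgs.stdenv.lib.sandbox.allowNetworkLocal` does not.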
@@ -105,8 +107,8 @@ let name = "python-${version}"; pythonVersion = majorVersion; - inherit majorVersion version src patches buildInputs preConfigure - configureFlags; + inherit majorVersion version src patches buildInputs propagatedBuildInputs + preConfigure configureFlags; LDFLAGS = stdenv.lib.optionalString (!stdenv.isDarwin) "-lgcc_s"; C_INCLUDE_PATH = concatStringsSep ":" (map (p: "${p}/include") buildInputs); diff --git a/pkgs/os-specific/darwin/apple-sdk/default.nix b/pkgs/os-specific/darwin/apple-sdk/default.nix index 24083060e54..b31e5d043ef 100644 --- a/pkgs/os-specific/darwin/apple-sdk/default.nix +++ b/pkgs/os-specific/darwin/apple-sdk/default.nix @@ -1,6 +1,7 @@ { stdenv, fetchurl, xar, gzip, cpio, pkgs }: let + generateFrameworkProfile = pkgs.callPackage ./generate-framework-profile.nix {}; # sadly needs to be exported because security_tool needs it sdk = stdenv.mkDerivation rec { version = "10.9"; @@ -95,8 +96,12 @@ let propagatedBuildInputs = deps; - # Not going to bother being more precise than this... - __propagatedImpureHostDeps = (import ./impure-deps.nix).${name}; + # allows building the symlink tree + __sandboxProfile = '' + (allow file-read* (subpath "/System/Library/Frameworks/${name}.framework")) + ''; + + __propagatedSandboxProfile = stdenv.lib.sandbox.importProfile (generateFrameworkProfile name); meta = with stdenv.lib; { description = "Apple SDK framework ${name}"; @@ -159,6 +164,12 @@ in rec { ''; }); + CoreServices = stdenv.lib.overrideDerivation super.CoreServices (drv: { + __propagatedSandboxProfile = drv.__propagatedSandboxProfile ++ ['' + (allow mach-lookup (global-name "com.apple.CoreServices.coreservicesd")) + '']; + }); + Security = stdenv.lib.overrideDerivation super.Security (drv: { setupHook = ./security-setup-hook.sh; }); @@ -171,5 +182,5 @@ in rec { frameworks = bareFrameworks // overrides bareFrameworks; - inherit sdk; + inherit sdk generateFrameworkProfile; } 
diff --git a/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix b/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix new file mode 100644 index 00000000000..eb6228db14d --- /dev/null +++ b/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix 
@@ -0,0 +1,64 @@
+{ runCommand }:
+
+# In a normal programming language, one might store a hashmap
+# { library name -> runtime dependencies }.
+# associative arrays were only recently added to bash, and even then, bash arrays cannot
+# be multidimensional. instead, the filesystem is the hash table!
+# once every dependency in the tree has been visited, a comprehensive list of libraries
+# will exist inside ./build. then `find ./build -type f` will give you the
+# dependency tree you need!
+
+frameworkName:
+
+let path = "/System/Library/Frameworks/${frameworkName}.framework";
+
+in runCommand "${frameworkName}-profile.sb" {
+ # __noChroot lite
+ __sandboxProfile = ''
+ (allow file* (subpath "/"))
+ '';
+
+ # inconsistencies may exist between self and hydra
+ allowSubstitutes = false;
+} ''
+ if [ ! -f "${path}/${frameworkName}" ]; then
+ touch $out
+ exit
+ fi
+ base=./build
+ find_deps () {
+ if [ -f "$base/$1" ]; then
+ return
+ fi
+ dependencies=$(otool -l -arch x86_64 $1 \
+ | grep 'LC_\w*_DYLIB' -A 2 \
+ | grep name \
+ | sed 's/^ *//' \
+ | cut -d' ' -f2)
+ mkdir -p $base/"$(dirname "$1")"
+ touch $base/"$1"
+ for dep in $dependencies; do
+ find_deps "$dep"
+ done
+ }
+ find_deps "${path}/${frameworkName}" "$out"
+ set -o noglob
+ profile="(allow file-read*"
+ for file in $(find $base -type f); do
+ filename=''${file/$base/}
+ case $filename in
+ /usr/lib/system*) ;;
+ /usr/lib/libSystem.dylib) ;;
+ /usr/lib/libSystem.B.dylib) ;;
+ /usr/lib/libobjc.A.dylib) ;;
+ /usr/lib/libobjc.dylib) ;;
+ /usr/lib/libauto.dylib) ;;
+ /usr/lib/libc++abi.dylib) ;;
+ /usr/lib/libDiagnosticMessagesClient.dylib) ;;
+ *) profile+=" (literal \"$filename\")" ;;
+ esac
+ done
+ profile+=" (literal \"${path}/${frameworkName}\")"
+ profile+=" (literal \"${path}/Versions/Current\")"
+ echo "$profile)" > $out
+''
diff --git a/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix b/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix
index 55c8279340b..0eac8fcae39 100644
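Review bot: The `__sandboxProfile` of the profile generator grants `file*` on `(subpath "/")`, which is read, write and metadata access to the whole host filesystem, for a script that only runs `otool` over system libraries and writes into `./build` and `$out`. `(allow file-read* (subpath "/"))` would cover the reads without handing the builder write access outside its own directories, assuming the base profile already allows writes there. The output depends on the host's `/System/Library/Frameworks`, which `allowSubstitutes = false` acknowledges; the comment above it could say plainly that the result is host-specific, e.g. `# output is derived from the build host's frameworks; never substitute`. `$filename` is written into the profile unescaped, `otool` receives `$1` unquoted, and `find_deps` is called with a second argument (`"$out"`) that the function never reads.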
--- a/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix @@ -1,4 +1,4 @@ -{ stdenv, appleDerivation, icu, dyld, libdispatch, launchd, libclosure }: +{ stdenv, appleDerivation, icu, dyld, libdispatch, launchd, libclosure, generateFrameworkProfile }: # this project uses blocks, a clang-only extension assert stdenv.cc.isClang; @@ -8,13 +8,7 @@ appleDerivation { patches = [ ./add-cf-initialize.patch ./add-cfmachport.patch ./cf-bridging.patch ]; - __propagatedImpureHostDeps = [ - "/System/Library/Frameworks/CoreFoundation.framework" - "/usr/lib/libc++.1.dylib" - "/usr/lib/libc++abi.dylib" - "/usr/lib/libicucore.A.dylib" - "/usr/lib/libz.1.dylib" - ]; + __propagatedSandboxProfile = stdenv.lib.sandbox.importProfile (generateFrameworkProfile "CoreFoundation"); preBuild = '' substituteInPlace Makefile \ @@ -52,5 +46,7 @@ appleDerivation { postInstall = '' mv $out/System/* $out rmdir $out/System + mv $out/Library/Frameworks/CoreFoundation.framework/Versions/A/PrivateHeaders/* \ + $out/Library/Frameworks/CoreFoundation.framework/Versions/A/Headers ''; } diff --git a/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix b/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix index baeca0f6fe3..d465fa71ff0 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix 
@@ -1,13 +1,22 @@ { stdenv, appleDerivation, fetchzip, version, bsdmake, perl, flex, yacc, writeScriptBin }: +# this derivation sucks +# locale data was removed after adv_cmds-118, so our base is that because it's easier than +# replicating the bizarre bsdmake file structure +# +# sadly adv_cmds-118 builds a mklocale and colldef that generate files that our libc can no +# longer understand +# +# the more recent adv_cmds release is used for everything else in this package + let recentAdvCmds = fetchzip { url = "http://opensource.apple.com/tarballs/adv_cmds/adv_cmds-158.tar.gz"; sha256 = "0z081kcprzg5jcvqivfnwvvv6wfxzkjg2jc2lagsf8c7j7vgm8nn"; }; in appleDerivation { - buildInputs = [ bsdmake perl yacc flex (writeScriptBin "lex" "exec ${flex}/bin/flex $@") ]; + buildInputs = [ bsdmake perl yacc flex ]; patchPhase = '' substituteInPlace BSDMakefile \ @@ -19,8 +28,6 @@ in appleDerivation { substituteInPlace Makefile --replace perl true - substituteInPlace colldef.tproj/BSDmakefile --replace "-ll" "-lfl" - for subproject in colldef mklocale monetdef msgdef numericdef timedef; do substituteInPlace usr-share-locale.tproj/$subproject/BSDmakefile \ --replace /usr/share/locale "" \ @@ -29,9 +36,28 @@ in appleDerivation { done ''; + preBuild = '' + cp -r --no-preserve=all ${recentAdvCmds}/colldef . + pushd colldef + mv locale/collate.h . + flex -t -8 -i scan.l > scan.c + yacc -d parse.y + clang *.c -o colldef -lfl + popd + mv colldef/colldef colldef.tproj/colldef + + cp -r --no-preserve=all ${recentAdvCmds}/mklocale . + pushd mklocale + flex -t -8 -i lex.l > lex.c + yacc -d yacc.y + clang *.c -o mklocale -lfl + popd + mv mklocale/mklocale mklocale.tproj/mklocale + ''; + buildPhase = '' - bsdmake -C colldef.tproj - bsdmake -C mklocale.tproj + runHook preBuild + bsdmake -C usr-share-locale.tproj clang ${recentAdvCmds}/ps/*.c -o ps 
@@ -39,6 +65,12 @@ in appleDerivation { installPhase = '' bsdmake -C usr-share-locale.tproj install DESTDIR="$locale/share/locale" + + # need to get rid of runtime dependency on flex + # install -d 0755 $locale/bin + # install -m 0755 colldef.tproj/colldef $locale/bin + # install -m 0755 mklocale.tproj/mklocale $locale/bin + install -d 0755 $ps/bin install ps $ps/bin/ps ''; diff --git a/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix b/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix index 8687f3fe532..c730a409609 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix @@ -7,6 +7,10 @@ appleDerivation { propagatedBuildInputs = [ Security ]; + __propagatedSandboxProfile = '' + (allow mach-lookup (global-name "com.apple.SystemConfiguration.configd")) + ''; + patchPhase = '' substituteInPlace SystemConfiguration.fproj/SCNetworkReachabilityInternal.h \ --replace '#include ' "" diff --git a/pkgs/os-specific/darwin/apple-source-releases/default.nix b/pkgs/os-specific/darwin/apple-source-releases/default.nix index b494f5ae346..6b7858d374a 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/default.nix 
@@ -56,7 +56,9 @@ let bootstrap_cmds = applePackage "bootstrap_cmds" "86" "0xr0296jm1r3q7kbam98h85g23qlfi763z54ahj563n636kyk2wb" {}; bsdmake = applePackage "bsdmake" "24" "11a9kkhz5bfgi1i8kpdkis78lhc6b5vxmhd598fcdgra1jw4iac2" {}; CarbonHeaders = applePackage "CarbonHeaders" "9A581" "1hc0yijlpwq39x5bic6nnywqp2m1wj1f11j33m2q7p505h1h740c" {}; - CF = applePackage "CF" "855.17" "1sadmxi9fsvsmdyxvg2133sdzvkzwil5fvyyidxsyk1iyfzqsvln" {}; + CF = applePackage "CF" "855.17" "1sadmxi9fsvsmdyxvg2133sdzvkzwil5fvyyidxsyk1iyfzqsvln" { + inherit (pkgs.darwin.apple_sdk) generateFrameworkProfile; + }; CommonCrypto = applePackage "CommonCrypto" "60049" "1azin6w7cnzl0iv8kd2qzgwcp6a45zy64y5z1i6jysjcl6xmlw2h" {}; configd = applePackage "configd" "453.19" "1gxakahk8gallf16xmhxhprdxkh3prrmzxnmxfvj0slr0939mmr2" {}; copyfile = applePackage "copyfile" "103.92.1" "15i2hw5aqx0fklvmq6avin5s00adacvzqc740vviwc2y742vrdcd" {}; diff --git a/pkgs/os-specific/darwin/apple-source-releases/libsecurity_generic/default.nix b/pkgs/os-specific/darwin/apple-source-releases/libsecurity_generic/default.nix index 4a739032e2a..ccce7448e5d 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/libsecurity_generic/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/libsecurity_generic/default.nix @@ -30,6 +30,9 @@ name: version: sha256: args: let ''; buildInputs = [ pkgs.gnustep-make + pkgs.darwin.apple_sdk.frameworks.AppKit + pkgs.darwin.apple_sdk.frameworks.Foundation + pkgs.darwin.cf-private ]; makeFlags = [ "-f${makeFile}" diff --git a/pkgs/os-specific/darwin/apple-source-releases/libsecurity_utilities/default.nix b/pkgs/os-specific/darwin/apple-source-releases/libsecurity_utilities/default.nix index 23ac246b4af..9de1d120cc9 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/libsecurity_utilities/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/libsecurity_utilities/default.nix 
@@ -14,6 +14,9 @@ appleDerivation { substituteInPlace lib/debugging.cpp --replace PATH_MAX 1024 substituteInPlace lib/superblob.h --replace 'result->at' 'result->template at' substituteInPlace lib/ccaudit.cpp --replace '' '"bsm/libbsm.h"' + substituteInPlace lib/powerwatch.h --replace \ + '' \ + '"${osx_private_sdk}/PrivateSDK10.9.sparse.sdk/System/Library/Frameworks/IOKit.framework/Versions/A/PrivateHeaders/pwr_mgt/IOPMLibPrivate.h"' cp ${osx_private_sdk}/PrivateSDK10.9.sparse.sdk/usr/include/security_utilities/utilities_dtrace.h lib cp -R ${osx_private_sdk}/PrivateSDK10.9.sparse.sdk/usr/local/include/bsm lib diff --git a/pkgs/stdenv/generic/default.nix b/pkgs/stdenv/generic/default.nix index c2324c86eb5..196c8618c91 100644 --- a/pkgs/stdenv/generic/default.nix +++ b/pkgs/stdenv/generic/default.nix @@ -156,11 +156,10 @@ let "__impureHostDeps" "__propagatedImpureHostDeps" "__sandboxProfile" "__propagatedSandboxProfile"]) // (let - # TODO: remove lib.unique once nix has a list canonicalization primitive computedSandboxProfile = - lib.concatStrings (lib.unique (builtins.map (input: input.__propagatedSandboxProfile or "") (extraBuildInputs ++ buildInputs ++ nativeBuildInputs))); + lib.concatMap (input: input.__propagatedSandboxProfile or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs); computedPropagatedSandboxProfile = - lib.concatStrings (lib.unique (builtins.map (input: input.__propagatedSandboxProfile or "") (propagatedBuildInputs ++ propagatedNativeBuildInputs))); + lib.concatMap (input: input.__propagatedSandboxProfile or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs); in { builder = attrs.realBuilder or shell; 
@@ -178,8 +177,12 @@ let propagatedNativeBuildInputs = propagatedNativeBuildInputs ++ (if crossConfig == null then propagatedBuildInputs else []); } // ifDarwin { - __sandboxProfile = computedSandboxProfile + computedPropagatedSandboxProfile + __propagatedSandboxProfile + __sandboxProfile + __extraSandboxProfile; - __propagatedSandboxProfile = computedPropagatedSandboxProfile + __propagatedSandboxProfile; + # TODO: remove lib.unique once nix has a list canonicalization primitive + __sandboxProfile = + let profiles = [ __extraSandboxProfile ] ++ computedSandboxProfile ++ computedPropagatedSandboxProfile ++ [ __propagatedSandboxProfile __sandboxProfile ]; + final = lib.concatStringsSep "\n" (lib.filter (x: x != "") (lib.unique profiles)); + in final; + __propagatedSandboxProfile = lib.unique (computedPropagatedSandboxProfile ++ [ __propagatedSandboxProfile ]); } // (if outputs' != [ "out" ] then { outputs = outputs'; } else { })))) ( diff --git a/pkgs/stdenv/pure-darwin/default.nix b/pkgs/stdenv/pure-darwin/default.nix index fb3559659e5..1770d48278d 100644 --- a/pkgs/stdenv/pure-darwin/default.nix +++ b/pkgs/stdenv/pure-darwin/default.nix @@ -5,7 +5,9 @@ }: let - libSystemProfile = builtins.readFile ./standard-sandbox.sb; + libSystemProfile = '' + (import "${./standard-sandbox.sb}") + ''; fetch = { file, sha256, executable ? true }: import { url = "http://tarballs.nixos.org/stdenv-darwin/x86_64/4f07c88d467216d9692fefc951deb5cd3c4cc722/${file}"; @@ -253,7 +255,7 @@ in rec { }; darwin = orig.darwin // { - inherit (darwin) dyld Libsystem cctools CF libiconv; + inherit (darwin) dyld Libsystem cctools libiconv; }; }; @@ -263,7 +265,9 @@ in rec { name = "stdenv-darwin"; - preHook = commonPreHook; + preHook = commonPreHook + '' + export PATH_LOCALE=${pkgs.darwin.locale}/share/locale + ''; __stdenvSandboxProfile = binShClosure + libSystemProfile; __extraSandboxProfile = binShClosure + libSystemProfile; 
@@ -294,7 +298,7 @@ in rec { coreutils ed diffutils gnutar gzip ncurses gnused bash gawk gnugrep llvmPackages.clang-unwrapped patch pcre binutils-raw binutils gettext ]) ++ (with pkgs.darwin; [ - dyld Libsystem CF cctools libiconv + dyld Libsystem CF cctools libiconv locale ]); overrides = orig: persistent4 orig // { diff --git a/pkgs/stdenv/pure-darwin/standard-sandbox.sb b/pkgs/stdenv/pure-darwin/standard-sandbox.sb index 670ab01f347..37a9b736e53 100644 --- a/pkgs/stdenv/pure-darwin/standard-sandbox.sb +++ b/pkgs/stdenv/pure-darwin/standard-sandbox.sb @@ -7,7 +7,7 @@ (allow sysctl-read) ; IPC -(allow ipc-posix-sem) +(allow ipc-posix*) ; Unix sockets (allow system-socket) @@ -33,6 +33,9 @@ ; used for bootstrap builders (allow process-exec* (literal "/bin/sh")) +; without this line clang cannot write to /dev/null, breaking some configure tests +(allow file-read-metadata (literal "/dev")) + ; standard devices (allow file* (literal "/dev/null") 
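Review bot: `(allow ipc-posix-sem)` is widened to `(allow ipc-posix*)` in the `@@ -7,7 +7,7 @@` hunk without saying what needed more than semaphores, and since this file applies to every Darwin build each widening should carry its reason, as the `/dev` rule added in the next hunk does. The same applies in the later `@@ -51,15 +54,21 @@` hunk to `(allow file-read-data (literal "/dev/autofs_nowait"))`, commented `; no idea what this is`. A rule nobody can explain is better recorded with what prompted it, e.g. `; needed by <package>: <denied operation from the sandbox log>`. In that later hunk the rewritten `(deny process-exec* …)` also loses `(with no-log)`, so it no longer does what the `; mute annoying failures` comment above it says.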
@@ -51,15 +54,21 @@ ; both are in libicucore and zoneinfo is in libsystem_c as well (allow file-read* (subpath "/usr/share/icu") (subpath "/usr/share/zoneinfo")) +; no idea what this is +(allow file-read-data (literal "/dev/autofs_nowait")) + ; lots of autoconf projects want to list this directory (allow file-read-metadata (literal "/var") (literal "/private/var/tmp")) -; mute annoying failures -(deny file-read-metadata (with no-log) - (literal "/etc") - (subpath "/usr/bin")) +; send signals +(allow signal (target same-sandbox)) -(deny process-exec* (with no-log) - (literal "/usr/bin/arch") - (literal "/usr/bin/hostinfo") - (literal "/usr/bin/uname")) +; allow getpwuid (for git and other packages) +(allow mach-lookup + (global-name "com.apple.system.notification_center") + (global-name "com.apple.system.opendirectoryd.libinfo")) + +; mute annoying failures +(deny (with no-log) file-read-metadata (literal "/etc") (subpath "/usr/bin")) + +(deny process-exec* (literal "/usr/bin/arch") (literal "/usr/bin/hostinfo") (literal "/usr/bin/uname")) diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 4531fbcc183..cdbb03bd0e5 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -11349,7 +11349,7 @@ let imagemagick = null; acl = null; gpm = null; - inherit (darwin.apple_sdk.frameworks) AppKit; + inherit (darwin.apple_sdk.frameworks) AppKit CoreWLAN GSS Kerberos ImageIO; }; emacs24-nox = lowPrio (appendToName "nox" (emacs24.override { diff --git a/pkgs/top-level/perl-packages.nix b/pkgs/top-level/perl-packages.nix index ed00e4ea66d..4937a00bad9 100644 --- a/pkgs/top-level/perl-packages.nix +++ b/pkgs/top-level/perl-packages.nix 
@@ -8266,6 +8266,7 @@ let self = _self // overrides; _self = with self; { url = mirror://cpan/authors/id/E/ET/ETHER/Net-HTTP-6.09.tar.gz; sha256 = "52762b939d84806908ba544581c5708375f7938c3c0e496c128ca3fbc425e58d"; }; + __sandboxProfile = stdenv.lib.sandbox.allowNetworkLocal; propagatedBuildInputs = [ URI ]; meta = { description = "Low-level HTTP connection (client)"; diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix index 22cdc99fcef..dbd991d8205 100644 --- a/pkgs/top-level/python-packages.nix +++ b/pkgs/top-level/python-packages.nix @@ -3759,6 +3759,8 @@ let substituteInPlace test-requirements.txt --replace 'nose==1.3' 'nose' ''; + __sandboxProfile = pkgs.lib.sandbox.allowNetwork; + doCheck = !isPy3k; # lots of transient failures checkPhase = '' # Not worth the trouble @@ -6548,6 +6550,8 @@ let sha256 = "02rknqarwy7p50693cqswbibqwgxzrfzdq4yhwqxbdmhbsmh0rk6"; }; + __sandboxProfile = pkgs.lib.sandbox.allowNetwork; + # Only test dependencies buildInputs = with self; [ pkgs.git gevent geventhttpclient mock fastimport ]; From 163acc0efa2a378b8f3fe74a6350e1a0e179d5f2 Mon Sep 17 00:00:00 2001 From: Jude Taylor Date: Thu, 12 Nov 2015 22:35:15 -0800 Subject: [PATCH 38/61] remove useless muting lines; they interfere with debugging --- pkgs/stdenv/pure-darwin/standard-sandbox.sb | 5 ----- 1 file changed, 5 deletions(-) diff --git a/pkgs/stdenv/pure-darwin/standard-sandbox.sb b/pkgs/stdenv/pure-darwin/standard-sandbox.sb index 37a9b736e53..32a91162152 100644 --- a/pkgs/stdenv/pure-darwin/standard-sandbox.sb +++ b/pkgs/stdenv/pure-darwin/standard-sandbox.sb @@ -67,8 +67,3 @@ (allow mach-lookup (global-name "com.apple.system.notification_center") (global-name "com.apple.system.opendirectoryd.libinfo")) - -; mute annoying failures -(deny (with no-log) file-read-metadata (literal "/etc") (subpath "/usr/bin")) - -(deny process-exec* (literal "/usr/bin/arch") (literal "/usr/bin/hostinfo") (literal "/usr/bin/uname")) 
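Review bot: `__sandboxProfile = pkgs.lib.sandbox.allowNetwork;` in the python-packages.nix hunk at `@@ -3759,6 +3759,8 @@`, and again at `@@ -6548,6 +6550,8 @@`, opens unrestricted network access for an ordinary build, and neither place says why. Judging by the neighbouring `doCheck` and `# Only test dependencies` lines it is presumably for the test suites, but that is an inference. I would add a comment such as `# tests open sockets; remove once they can run offline`. Where the tests only talk to a server they start themselves, the more restricted `allowNetworkLocal` helper that the Net-HTTP hunk in perl-packages.nix uses would be preferable. Both package definitions start outside their hunks, so I cannot tell which packages are affected.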
From 131e831cb97c9762c3b10b35ae3c2094366a5886 Mon Sep 17 00:00:00 2001 From: Jude Taylor Date: Sat, 14 Nov 2015 13:51:50 -0800 Subject: [PATCH 39/61] allow networking by default and remove it from derivations --- lib/sandbox.nix | 7 ------- pkgs/build-support/fetchurl/default.nix | 2 -- pkgs/development/haskell-modules/configuration-common.nix | 5 ----- pkgs/stdenv/pure-darwin/standard-sandbox.sb | 3 +++ pkgs/top-level/perl-packages.nix | 1 - pkgs/top-level/python-packages.nix | 4 ---- 6 files changed, 3 insertions(+), 19 deletions(-) diff --git a/lib/sandbox.nix b/lib/sandbox.nix index 9a429cf2ae6..414bf36f779 100644 --- a/lib/sandbox.nix +++ b/lib/sandbox.nix @@ -35,13 +35,6 @@ genActions = actionName: let "${actionName}DirectoryList" = self."${actionName}FileReadMetadata"; "${actionName}FileWrite" = applyToFiles action "file-write*"; "${actionName}FileWriteMetadata" = applyToFiles action "file-write-metadata"; - "${actionName}Network" = sexp [ actionName "network*" ]; - "${actionName}NetworkBind" = sexp [ actionName "network-bind" ]; - "${actionName}NetworkInbound" = sexp [ actionName "network-inbound" ]; - "${actionName}NetworkOutbound" = sexp [ actionName "network-outbound" ]; - "${actionName}NetworkLocal" = sexp [ actionName "network*" (sexp [ "local" "ip" ]) ]; - "${actionName}NetworkInboundLocal" = sexp [ actionName "network-inbound" (sexp [ "local" "ip" ]) ]; - "${actionName}NetworkOutboundLocal" = sexp [ actionName "network-outbound" (sexp [ "local" "ip" ]) ]; }; in self; diff --git a/pkgs/build-support/fetchurl/default.nix b/pkgs/build-support/fetchurl/default.nix index bcd279380a3..b1dc6e7be31 100644 --- a/pkgs/build-support/fetchurl/default.nix +++ b/pkgs/build-support/fetchurl/default.nix 
@@ -118,8 +118,6 @@ if (!hasHash) then throw "Specify hash for fetchurl fixed-output derivation: ${s outputHashMode = if recursiveHash then "recursive" else "flat"; - __sandboxProfile = stdenv.lib.sandbox.allowNetworkOutbound; - inherit curlOpts showURLs mirrorsFile impureEnvVars postFetch downloadToTemp; # Doing the download on a remote machine just duplicates network diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix index 2dac800bace..f57de134b79 100644 --- a/pkgs/development/haskell-modules/configuration-common.nix +++ b/pkgs/development/haskell-modules/configuration-common.nix @@ -923,9 +923,4 @@ self: super: { hscurses = overrideCabal super.hscurses (drv: { librarySystemDepends = (drv.librarySystemDepends or []) ++ [ pkgs.ncurses ]; }); - - streaming-commons = pkgs.stdenv.lib.overrideDerivation super.streaming-commons (drv: { - __sandboxProfile = drv.__sandboxProfile + - pkgs.stdenv.lib.sandbox.allowNetworkLocal; - }); } diff --git a/pkgs/stdenv/pure-darwin/standard-sandbox.sb b/pkgs/stdenv/pure-darwin/standard-sandbox.sb index 32a91162152..b87be89f35f 100644 --- a/pkgs/stdenv/pure-darwin/standard-sandbox.sb +++ b/pkgs/stdenv/pure-darwin/standard-sandbox.sb @@ -67,3 +67,6 @@ (allow mach-lookup (global-name "com.apple.system.notification_center") (global-name "com.apple.system.opendirectoryd.libinfo")) + +; allow networking on localhost +(allow network* (local ip) (remote unix-socket)) diff --git a/pkgs/top-level/perl-packages.nix b/pkgs/top-level/perl-packages.nix index 4937a00bad9..ed00e4ea66d 100644 --- a/pkgs/top-level/perl-packages.nix +++ b/pkgs/top-level/perl-packages.nix 
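Review bot: The comment `; allow networking on localhost` in the standard-sandbox.sb hunk does not appear to match the rule below it. `(local ip)` carries no address string, and to my knowledge that form matches any local address and port, so `(allow network* (local ip) (remote unix-socket))` would admit IP traffic to any host for every build using this profile. The commit subject ("allow networking by default") suggests the broad reading is intended, in which case the comment should say `; allow all IP networking and unix sockets`. If loopback only is intended, the filters need an explicit host, along the lines of `(allow network* (local ip "localhost:*") (remote ip "localhost:*") (remote unix-socket))`. The same commit removes `allowNetworkOutbound` from fetchurl, so whichever reading is correct decides whether fetchers still reach remote hosts on Darwin.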
@@ -8266,7 +8266,6 @@ let self = _self // overrides; _self = with self; { url = mirror://cpan/authors/id/E/ET/ETHER/Net-HTTP-6.09.tar.gz; sha256 = "52762b939d84806908ba544581c5708375f7938c3c0e496c128ca3fbc425e58d"; }; - __sandboxProfile = stdenv.lib.sandbox.allowNetworkLocal; propagatedBuildInputs = [ URI ]; meta = { description = "Low-level HTTP connection (client)"; diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix index dbd991d8205..22cdc99fcef 100644 --- a/pkgs/top-level/python-packages.nix +++ b/pkgs/top-level/python-packages.nix @@ -3759,8 +3759,6 @@ let substituteInPlace test-requirements.txt --replace 'nose==1.3' 'nose' ''; - __sandboxProfile = pkgs.lib.sandbox.allowNetwork; - doCheck = !isPy3k; # lots of transient failures checkPhase = '' # Not worth the trouble @@ -6550,8 +6548,6 @@ let sha256 = "02rknqarwy7p50693cqswbibqwgxzrfzdq4yhwqxbdmhbsmh0rk6"; }; - __sandboxProfile = pkgs.lib.sandbox.allowNetwork; - # Only test dependencies buildInputs = with self; [ pkgs.git gevent geventhttpclient mock fastimport ]; From 4a64687737cbe9deee23d15b431c8a70c804257e Mon Sep 17 00:00:00 2001 From: Jude Taylor Date: Sat, 14 Nov 2015 14:14:18 -0800 Subject: [PATCH 40/61] remove debugging from perl 5.16 --- pkgs/development/interpreters/perl/5.16/default.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/pkgs/development/interpreters/perl/5.16/default.nix b/pkgs/development/interpreters/perl/5.16/default.nix index 8a89d97a100..568025edfd4 100644 --- a/pkgs/development/interpreters/perl/5.16/default.nix +++ b/pkgs/development/interpreters/perl/5.16/default.nix @@ -33,8 +33,6 @@ stdenv.mkDerivation rec { pwd="$(type -P pwd)" substituteInPlace dist/Cwd/Cwd.pm \ --replace "pwd_cmd = 'pwd'" "pwd_cmd = '$pwd'" - grep -R /bin/pwd . - exit 1 ''; # Build a thread-safe Perl with a dynamic libperls.o. We need the From 815e9f5af288b3d44a7a926469b25cf58663fe40 Mon Sep 17 00:00:00 2001 
From: Pascal Wittmann Date: Fri, 20 Nov 2015 17:20:51 +0100 Subject: [PATCH 41/61] help2man: 1.47.2 -> 1.47.3 --- pkgs/development/tools/misc/help2man/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/tools/misc/help2man/default.nix b/pkgs/development/tools/misc/help2man/default.nix index 4386e7eaf74..8f687908017 100644 --- a/pkgs/development/tools/misc/help2man/default.nix +++ b/pkgs/development/tools/misc/help2man/default.nix @@ -1,11 +1,11 @@ { stdenv, fetchurl, perl, gettext, LocaleGettext, makeWrapper }: stdenv.mkDerivation rec { - name = "help2man-1.47.2"; + name = "help2man-1.47.3"; src = fetchurl { url = "mirror://gnu/help2man/${name}.tar.xz"; - sha256 = "0z1zgw6k1fba59fii6ksfi1g2gci6i4ysa3kdfh3j475fdkn1if4"; + sha256 = "0miqq77ssk5rgsc9xlv7k5n2wk2c5wv2m1kh4zhbwrggfmjaycn2"; }; buildInputs = [ makeWrapper perl gettext LocaleGettext ]; From a63346e33ca05f691e6854b896eac5cef99b4ef8 Mon Sep 17 00:00:00 2001 From: Jude Taylor Date: Sat, 21 Nov 2015 11:17:30 -0800 Subject: [PATCH 42/61] use single underscore for sandboxProfile --- pkgs/applications/editors/vim/default.nix | 2 +- .../git-and-tools/git/default.nix | 2 +- .../interpreters/perl/5.20/default.nix | 2 +- pkgs/os-specific/darwin/apple-sdk/default.nix | 6 ++--- .../apple-sdk/generate-framework-profile.nix | 2 +- .../apple-source-releases/CF/default.nix | 2 +- .../adv_cmds/default.nix | 2 +- .../apple-source-releases/configd/default.nix | 2 +- pkgs/stdenv/generic/default.nix | 22 +++++++++---------- pkgs/stdenv/pure-darwin/default.nix | 10 ++++----- 10 files changed, 26 insertions(+), 26 deletions(-) diff --git a/pkgs/applications/editors/vim/default.nix b/pkgs/applications/editors/vim/default.nix index 08e0e05590f..42010f15421 100644 --- a/pkgs/applications/editors/vim/default.nix +++ b/pkgs/applications/editors/vim/default.nix 
@@ -43,7 +43,7 @@ stdenv.mkDerivation rec { ]; }; - __sandboxProfile = stdenv.lib.sandbox.allowFileRead "/dev/ptmx"; + _sandboxProfile = stdenv.lib.sandbox.allowFileRead "/dev/ptmx"; # To fix the trouble in vim73, that it cannot cross-build with this patch # to bypass a configure script check that cannot be done cross-building. diff --git a/pkgs/applications/version-management/git-and-tools/git/default.nix b/pkgs/applications/version-management/git-and-tools/git/default.nix index 57ebb7397bc..ed963d206e9 100644 --- a/pkgs/applications/version-management/git-and-tools/git/default.nix +++ b/pkgs/applications/version-management/git-and-tools/git/default.nix @@ -37,7 +37,7 @@ stdenv.mkDerivation { NIX_LDFLAGS = stdenv.lib.optionalString (!stdenv.isDarwin) "-lgcc_s"; # without this, git fails when trying to check for /etc/gitconfig existence - __propagatedSandboxProfile = stdenv.lib.sandbox.allowDirectoryList "/etc"; + _propagatedSandboxProfile = stdenv.lib.sandbox.allowDirectoryList "/etc"; makeFlags = "prefix=\${out} sysconfdir=/etc/ PERL_PATH=${perl}/bin/perl SHELL_PATH=${stdenv.shell} " + (if pythonSupport then "PYTHON_PATH=${python}/bin/python" else "NO_PYTHON=1") diff --git a/pkgs/development/interpreters/perl/5.20/default.nix b/pkgs/development/interpreters/perl/5.20/default.nix index b2f43d176e8..a85175bf0c3 100644 --- a/pkgs/development/interpreters/perl/5.20/default.nix +++ b/pkgs/development/interpreters/perl/5.20/default.nix @@ -50,7 +50,7 @@ stdenv.mkDerivation rec { --replace "/bin/pwd" "$pwd" ''; - __sandboxProfile = stdenv.lib.sandbox.allow "ipc-sysv-sem"; + _sandboxProfile = stdenv.lib.sandbox.allow "ipc-sysv-sem"; # Build a thread-safe Perl with a dynamic libperls.o. We need the # "installstyle" option to ensure that modules are put under diff --git a/pkgs/os-specific/darwin/apple-sdk/default.nix b/pkgs/os-specific/darwin/apple-sdk/default.nix index b31e5d043ef..a422bfa6452 100644 --- a/pkgs/os-specific/darwin/apple-sdk/default.nix 
+++ b/pkgs/os-specific/darwin/apple-sdk/default.nix @@ -97,11 +97,11 @@ let propagatedBuildInputs = deps; # allows building the symlink tree - __sandboxProfile = '' + _sandboxProfile = '' (allow file-read* (subpath "/System/Library/Frameworks/${name}.framework")) ''; - __propagatedSandboxProfile = stdenv.lib.sandbox.importProfile (generateFrameworkProfile name); + _propagatedSandboxProfile = stdenv.lib.sandbox.importProfile (generateFrameworkProfile name); meta = with stdenv.lib; { description = "Apple SDK framework ${name}"; @@ -165,7 +165,7 @@ in rec { }); CoreServices = stdenv.lib.overrideDerivation super.CoreServices (drv: { - __propagatedSandboxProfile = drv.__propagatedSandboxProfile ++ ['' + _propagatedSandboxProfile = drv._propagatedSandboxProfile ++ ['' (allow mach-lookup (global-name "com.apple.CoreServices.coreservicesd")) '']; }); diff --git a/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix b/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix index eb6228db14d..a0d37c5db38 100644 --- a/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix +++ b/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix @@ -14,7 +14,7 @@ let path = "/System/Library/Frameworks/${frameworkName}.framework"; in runCommand "${frameworkName}-profile.sb" { # __noChroot lite - __sandboxProfile = '' + _sandboxProfile = '' (allow file* (subpath "/")) ''; diff --git a/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix b/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix index 0eac8fcae39..c02129d2afe 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix 
@@ -8,7 +8,7 @@ appleDerivation { patches = [ ./add-cf-initialize.patch ./add-cfmachport.patch ./cf-bridging.patch ]; - __propagatedSandboxProfile = stdenv.lib.sandbox.importProfile (generateFrameworkProfile "CoreFoundation"); + _propagatedSandboxProfile = stdenv.lib.sandbox.importProfile (generateFrameworkProfile "CoreFoundation"); preBuild = '' substituteInPlace Makefile \ diff --git a/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix b/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix index d465fa71ff0..2b2a9148f22 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix @@ -81,7 +81,7 @@ in appleDerivation { ]; # ps uses this syscall to get process info - __propagatedSandboxProfile = stdenv.lib.sandbox.allow "mach-priv-task-port"; + _propagatedSandboxProfile = stdenv.lib.sandbox.allow "mach-priv-task-port"; meta = { platforms = stdenv.lib.platforms.darwin; diff --git a/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix b/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix index c730a409609..5fcb6a24204 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix @@ -7,7 +7,7 @@ appleDerivation { propagatedBuildInputs = [ Security ]; - __propagatedSandboxProfile = '' + _propagatedSandboxProfile = '' (allow mach-lookup (global-name "com.apple.SystemConfiguration.configd")) ''; diff --git a/pkgs/stdenv/generic/default.nix b/pkgs/stdenv/generic/default.nix index 196c8618c91..e3ba2f27f22 100644 --- a/pkgs/stdenv/generic/default.nix +++ b/pkgs/stdenv/generic/default.nix 
@@ -12,8 +12,8 @@ let lib = import ../../../lib; in lib.makeOverridable ( , extraBuildInputs ? [] , __stdenvImpureHostDeps ? [] , __extraImpureHostDeps ? [] -, __stdenvSandboxProfile ? "" -, __extraSandboxProfile ? "" +, _stdenvSandboxProfile ? "" +, _extraSandboxProfile ? "" }: let @@ -102,8 +102,8 @@ let , outputs ? [ "out" ] , __impureHostDeps ? [] , __propagatedImpureHostDeps ? [] - , __sandboxProfile ? "" - , __propagatedSandboxProfile ? "" + , _sandboxProfile ? "" + , _propagatedSandboxProfile ? "" , ... } @ attrs: let pos' = @@ -154,12 +154,12 @@ let (removeAttrs attrs ["meta" "passthru" "crossAttrs" "pos" "__impureHostDeps" "__propagatedImpureHostDeps" - "__sandboxProfile" "__propagatedSandboxProfile"]) + "_sandboxProfile" "_propagatedSandboxProfile"]) // (let computedSandboxProfile = - lib.concatMap (input: input.__propagatedSandboxProfile or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs); + lib.concatMap (input: input._propagatedSandboxProfile or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs); computedPropagatedSandboxProfile = - lib.concatMap (input: input.__propagatedSandboxProfile or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs); + lib.concatMap (input: input._propagatedSandboxProfile or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs); in { builder = attrs.realBuilder or shell; 
@@ -178,11 +178,11 @@ let (if crossConfig == null then propagatedBuildInputs else []); } // ifDarwin { # TODO: remove lib.unique once nix has a list canonicalization primitive - __sandboxProfile = - let profiles = [ __extraSandboxProfile ] ++ computedSandboxProfile ++ computedPropagatedSandboxProfile ++ [ __propagatedSandboxProfile __sandboxProfile ]; + _sandboxProfile = + let profiles = [ _extraSandboxProfile ] ++ computedSandboxProfile ++ computedPropagatedSandboxProfile ++ [ _propagatedSandboxProfile _sandboxProfile ]; final = lib.concatStringsSep "\n" (lib.filter (x: x != "") (lib.unique profiles)); in final; - __propagatedSandboxProfile = lib.unique (computedPropagatedSandboxProfile ++ [ __propagatedSandboxProfile ]); + _propagatedSandboxProfile = lib.unique (computedPropagatedSandboxProfile ++ [ _propagatedSandboxProfile ]); } // (if outputs' != [ "out" ] then { outputs = outputs'; } else { })))) ( @@ -219,7 +219,7 @@ let inherit preHook initialPath shell defaultNativeBuildInputs; } // ifDarwin { - __sandboxProfile = __stdenvSandboxProfile; + _sandboxProfile = _stdenvSandboxProfile; }) // rec { diff --git a/pkgs/stdenv/pure-darwin/default.nix b/pkgs/stdenv/pure-darwin/default.nix index 1770d48278d..39ff3ebddb1 100644 --- a/pkgs/stdenv/pure-darwin/default.nix +++ b/pkgs/stdenv/pure-darwin/default.nix @@ -50,7 +50,7 @@ in rec { inherit (bootstrapFiles) mkdir bzip2 cpio; - __sandboxProfile = binShClosure + libSystemProfile; + _sandboxProfile = binShClosure + libSystemProfile; }; stageFun = step: last: {shell ? "${bootstrapTools}/bin/sh", 
@@ -93,8 +93,8 @@ in rec { }; # The stdenvs themselves don't use mkDerivation, so I need to specify this here - __stdenvSandboxProfile = binShClosure + libSystemProfile; - __extraSandboxProfile = binShClosure + libSystemProfile; + _stdenvSandboxProfile = binShClosure + libSystemProfile; + _extraSandboxProfile = binShClosure + libSystemProfile; extraAttrs = { inherit platform; }; overrides = pkgs: (overrides pkgs) // { fetchurl = thisStdenv.fetchurlBoot; }; @@ -269,8 +269,8 @@ in rec { export PATH_LOCALE=${pkgs.darwin.locale}/share/locale ''; - __stdenvSandboxProfile = binShClosure + libSystemProfile; - __extraSandboxProfile = binShClosure + libSystemProfile; + _stdenvSandboxProfile = binShClosure + libSystemProfile; + _extraSandboxProfile = binShClosure + libSystemProfile; initialPath = import ../common-path.nix { inherit pkgs; }; shell = "${pkgs.bash}/bin/bash"; From 69e7f3bb7405ad4bf81e6d8c1897116c3a4d77dc Mon Sep 17 00:00:00 2001 From: Jude Taylor Date: Sat, 21 Nov 2015 12:06:41 -0800 Subject: [PATCH 43/61] switch to zero underscores for sandbox profiles; remove generateFrameworkProfile --- pkgs/applications/editors/vim/default.nix | 2 +- .../git-and-tools/git/default.nix | 2 +- .../interpreters/perl/5.20/default.nix | 2 +- pkgs/os-specific/darwin/apple-sdk/default.nix | 9 ++- .../apple-sdk/generate-framework-profile.nix | 64 ------------------- .../apple-source-releases/CF/default.nix | 4 +- .../adv_cmds/default.nix | 2 +- .../apple-source-releases/configd/default.nix | 2 +- .../darwin/apple-source-releases/default.nix | 6 +- pkgs/stdenv/generic/default.nix | 22 +++---- pkgs/stdenv/pure-darwin/default.nix | 10 +-- 11 files changed, 29 insertions(+), 96 deletions(-) delete mode 100644 pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix diff --git a/pkgs/applications/editors/vim/default.nix b/pkgs/applications/editors/vim/default.nix index 42010f15421..363413a698e 100644 --- a/pkgs/applications/editors/vim/default.nix 
+++ b/pkgs/applications/editors/vim/default.nix @@ -43,7 +43,7 @@ stdenv.mkDerivation rec { ]; }; - _sandboxProfile = stdenv.lib.sandbox.allowFileRead "/dev/ptmx"; + sandboxProfile = stdenv.lib.sandbox.allowFileRead "/dev/ptmx"; # To fix the trouble in vim73, that it cannot cross-build with this patch # to bypass a configure script check that cannot be done cross-building. diff --git a/pkgs/applications/version-management/git-and-tools/git/default.nix b/pkgs/applications/version-management/git-and-tools/git/default.nix index ed963d206e9..d060acef53e 100644 --- a/pkgs/applications/version-management/git-and-tools/git/default.nix +++ b/pkgs/applications/version-management/git-and-tools/git/default.nix @@ -37,7 +37,7 @@ stdenv.mkDerivation { NIX_LDFLAGS = stdenv.lib.optionalString (!stdenv.isDarwin) "-lgcc_s"; # without this, git fails when trying to check for /etc/gitconfig existence - _propagatedSandboxProfile = stdenv.lib.sandbox.allowDirectoryList "/etc"; + propagatedSandboxProfile = stdenv.lib.sandbox.allowDirectoryList "/etc"; makeFlags = "prefix=\${out} sysconfdir=/etc/ PERL_PATH=${perl}/bin/perl SHELL_PATH=${stdenv.shell} " + (if pythonSupport then "PYTHON_PATH=${python}/bin/python" else "NO_PYTHON=1") diff --git a/pkgs/development/interpreters/perl/5.20/default.nix b/pkgs/development/interpreters/perl/5.20/default.nix index a85175bf0c3..aa384683728 100644 --- a/pkgs/development/interpreters/perl/5.20/default.nix +++ b/pkgs/development/interpreters/perl/5.20/default.nix @@ -50,7 +50,7 @@ stdenv.mkDerivation rec { --replace "/bin/pwd" "$pwd" ''; - _sandboxProfile = stdenv.lib.sandbox.allow "ipc-sysv-sem"; + sandboxProfile = stdenv.lib.sandbox.allow "ipc-sysv-sem"; # Build a thread-safe Perl with a dynamic libperls.o. We need the # "installstyle" option to ensure that modules are put under diff --git a/pkgs/os-specific/darwin/apple-sdk/default.nix b/pkgs/os-specific/darwin/apple-sdk/default.nix index a422bfa6452..f1e3556273e 100644 
--- a/pkgs/os-specific/darwin/apple-sdk/default.nix +++ b/pkgs/os-specific/darwin/apple-sdk/default.nix @@ -1,7 +1,6 @@ { stdenv, fetchurl, xar, gzip, cpio, pkgs }: let - generateFrameworkProfile = pkgs.callPackage ./generate-framework-profile.nix {}; # sadly needs to be exported because security_tool needs it sdk = stdenv.mkDerivation rec { version = "10.9"; @@ -97,11 +96,11 @@ let propagatedBuildInputs = deps; # allows building the symlink tree - _sandboxProfile = '' + sandboxProfile = '' (allow file-read* (subpath "/System/Library/Frameworks/${name}.framework")) ''; - _propagatedSandboxProfile = stdenv.lib.sandbox.importProfile (generateFrameworkProfile name); + __propagatedImpureHostDeps = "/System/Library/Frameworks/${name}.framework/${name}"; meta = with stdenv.lib; { description = "Apple SDK framework ${name}"; @@ -165,7 +164,7 @@ in rec { }); CoreServices = stdenv.lib.overrideDerivation super.CoreServices (drv: { - _propagatedSandboxProfile = drv._propagatedSandboxProfile ++ ['' + __propagatedSandboxProfile = drv.__propagatedSandboxProfile ++ ['' (allow mach-lookup (global-name "com.apple.CoreServices.coreservicesd")) '']; }); @@ -182,5 +181,5 @@ in rec { frameworks = bareFrameworks // overrides bareFrameworks; - inherit sdk generateFrameworkProfile; + inherit sdk; } diff --git a/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix b/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix deleted file mode 100644 index a0d37c5db38..00000000000 --- a/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix +++ /dev/null 
@@ -1,64 +0,0 @@ -{ runCommand }: - -# In a normal programming language, one might store a hashmap -# { library name -> runtime dependencies }. -# associative arrays were only recently added to bash, and even then, bash arrays cannot -# be multidimensional. instead, the filesystem is the hash table! -# once every dependency in the tree has been visited, a comprehensive list of libraries -# will exist inside ./build. then `find ./build -type f` will give you the -# dependency tree you need! - -frameworkName: - -let path = "/System/Library/Frameworks/${frameworkName}.framework"; - -in runCommand "${frameworkName}-profile.sb" { - # __noChroot lite - _sandboxProfile = '' - (allow file* (subpath "/")) - ''; - - # inconsistencies may exist between self and hydra - allowSubstitutes = false; -} '' - if [ ! -f "${path}/${frameworkName}" ]; then - touch $out - exit - fi - base=./build - find_deps () { - if [ -f "$base/$1" ]; then - return - fi - dependencies=$(otool -l -arch x86_64 $1 \ - | grep 'LC_\w*_DYLIB' -A 2 \ - | grep name \ - | sed 's/^ *//' \ - | cut -d' ' -f2) - mkdir -p $base/"$(dirname "$1")" - touch $base/"$1" - for dep in $dependencies; do - find_deps "$dep" - done - } - find_deps "${path}/${frameworkName}" "$out" - set -o noglob - profile="(allow file-read*" - for file in $(find $base -type f); do - filename=''${file/$base/} - case $filename in - /usr/lib/system*) ;; - /usr/lib/libSystem.dylib) ;; - /usr/lib/libSystem.B.dylib) ;; - /usr/lib/libobjc.A.dylib) ;; - /usr/lib/libobjc.dylib) ;; - /usr/lib/libauto.dylib) ;; - /usr/lib/libc++abi.dylib) ;; - /usr/lib/libDiagnosticMessagesClient.dylib) ;; - *) profile+=" (literal \"$filename\")" ;; - esac - done - profile+=" (literal \"${path}/${frameworkName}\")" - profile+=" (literal \"${path}/Versions/Current\")" - echo "$profile)" > $out -'' diff --git a/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix b/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix index c02129d2afe..aededa1a073 100644 
--- a/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix @@ -1,4 +1,4 @@ -{ stdenv, appleDerivation, icu, dyld, libdispatch, launchd, libclosure, generateFrameworkProfile }: +{ stdenv, appleDerivation, icu, dyld, libdispatch, launchd, libclosure }: # this project uses blocks, a clang-only extension assert stdenv.cc.isClang; @@ -8,7 +8,7 @@ appleDerivation { patches = [ ./add-cf-initialize.patch ./add-cfmachport.patch ./cf-bridging.patch ]; - _propagatedSandboxProfile = stdenv.lib.sandbox.importProfile (generateFrameworkProfile "CoreFoundation"); + __propagatedImpureHostDeps = "/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation"; preBuild = '' substituteInPlace Makefile \ diff --git a/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix b/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix index 2b2a9148f22..a0261875c10 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix @@ -81,7 +81,7 @@ in appleDerivation { ]; # ps uses this syscall to get process info - _propagatedSandboxProfile = stdenv.lib.sandbox.allow "mach-priv-task-port"; + propagatedSandboxProfile = stdenv.lib.sandbox.allow "mach-priv-task-port"; meta = { platforms = stdenv.lib.platforms.darwin; diff --git a/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix b/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix index 5fcb6a24204..1fbacfb9284 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix @@ -7,7 +7,7 @@ appleDerivation { propagatedBuildInputs = [ Security ]; - _propagatedSandboxProfile = '' + propagatedSandboxProfile = '' (allow mach-lookup (global-name "com.apple.SystemConfiguration.configd")) ''; 
diff --git a/pkgs/os-specific/darwin/apple-source-releases/default.nix b/pkgs/os-specific/darwin/apple-source-releases/default.nix index 6b7858d374a..f1b72b4123f 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/default.nix @@ -54,11 +54,9 @@ let inherit (adv_cmds) ps locale; architecture = applePackage "architecture" "265" "05wz8wmxlqssfp29x203fwfb8pgbdjj1mpz12v508658166yzqj8" {}; bootstrap_cmds = applePackage "bootstrap_cmds" "86" "0xr0296jm1r3q7kbam98h85g23qlfi763z54ahj563n636kyk2wb" {}; - bsdmake = applePackage "bsdmake" "24" "11a9kkhz5bfgi1i8kpdkis78lhc6b5vxmhd598fcdgra1jw4iac2" {}; + bsdmake = applePackage "bsdmake" "24" "11a9kkhz5bfgi1i8kpdkis78lhc6b5vxmhd598fcdgra1jw4iac2" {}; CarbonHeaders = applePackage "CarbonHeaders" "9A581" "1hc0yijlpwq39x5bic6nnywqp2m1wj1f11j33m2q7p505h1h740c" {}; - CF = applePackage "CF" "855.17" "1sadmxi9fsvsmdyxvg2133sdzvkzwil5fvyyidxsyk1iyfzqsvln" { - inherit (pkgs.darwin.apple_sdk) generateFrameworkProfile; - }; + CF = applePackage "CF" "855.17" "1sadmxi9fsvsmdyxvg2133sdzvkzwil5fvyyidxsyk1iyfzqsvln" {}; CommonCrypto = applePackage "CommonCrypto" "60049" "1azin6w7cnzl0iv8kd2qzgwcp6a45zy64y5z1i6jysjcl6xmlw2h" {}; configd = applePackage "configd" "453.19" "1gxakahk8gallf16xmhxhprdxkh3prrmzxnmxfvj0slr0939mmr2" {}; copyfile = applePackage "copyfile" "103.92.1" "15i2hw5aqx0fklvmq6avin5s00adacvzqc740vviwc2y742vrdcd" {}; diff --git a/pkgs/stdenv/generic/default.nix b/pkgs/stdenv/generic/default.nix index e3ba2f27f22..850a2796259 100644 --- a/pkgs/stdenv/generic/default.nix +++ b/pkgs/stdenv/generic/default.nix @@ -12,8 +12,8 @@ let lib = import ../../../lib; in lib.makeOverridable ( , extraBuildInputs ? [] , __stdenvImpureHostDeps ? [] , __extraImpureHostDeps ? [] -, _stdenvSandboxProfile ? "" -, _extraSandboxProfile ? "" +, stdenvSandboxProfile ? "" +, extraSandboxProfile ? "" }: let 
@@ -102,8 +102,8 @@ let , outputs ? [ "out" ] , __impureHostDeps ? [] , __propagatedImpureHostDeps ? [] - , _sandboxProfile ? "" - , _propagatedSandboxProfile ? "" + , sandboxProfile ? "" + , propagatedSandboxProfile ? "" , ... } @ attrs: let pos' = @@ -154,12 +154,12 @@ let (removeAttrs attrs ["meta" "passthru" "crossAttrs" "pos" "__impureHostDeps" "__propagatedImpureHostDeps" - "_sandboxProfile" "_propagatedSandboxProfile"]) + "sandboxProfile" "propagatedSandboxProfile"]) // (let computedSandboxProfile = - lib.concatMap (input: input._propagatedSandboxProfile or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs); + lib.concatMap (input: input.__propagatedSandboxProfile or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs); computedPropagatedSandboxProfile = - lib.concatMap (input: input._propagatedSandboxProfile or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs); + lib.concatMap (input: input.__propagatedSandboxProfile or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs); in { builder = attrs.realBuilder or shell; @@ -178,11 +178,11 @@ let (if crossConfig == null then propagatedBuildInputs else []); } // ifDarwin { # TODO: remove lib.unique once nix has a list canonicalization primitive - _sandboxProfile = - let profiles = [ _extraSandboxProfile ] ++ computedSandboxProfile ++ computedPropagatedSandboxProfile ++ [ _propagatedSandboxProfile _sandboxProfile ]; + __sandboxProfile = + let profiles = [ extraSandboxProfile ] ++ computedSandboxProfile ++ computedPropagatedSandboxProfile ++ [ propagatedSandboxProfile sandboxProfile ]; final = lib.concatStringsSep "\n" (lib.filter (x: x != "") (lib.unique profiles)); in final; - _propagatedSandboxProfile = lib.unique (computedPropagatedSandboxProfile ++ [ _propagatedSandboxProfile ]); + __propagatedSandboxProfile = lib.unique (computedPropagatedSandboxProfile ++ [ propagatedSandboxProfile ]); } // (if outputs' != [ "out" ] then { outputs = outputs'; } else { })))) ( 
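Review bot: After the `removeAttrs` change in the `@@ -154,12 +154,12 @@` hunk of pkgs/stdenv/generic/default.nix, a caller that still passes `__sandboxProfile` (the name used before this series) is silently overridden on Darwin. The `// ifDarwin { __sandboxProfile = … }` set in the `@@ -178,11 +178,11 @@` hunk replaces it with a value built only from `sandboxProfile`. That fails closed, but the package then breaks with a sandbox denial and nothing points at the rename. If anything outside this diff still uses the old name, I would make it loud with something like `assert !(attrs ? __sandboxProfile);` next to the argument defaults. At minimum add a comment there: `# sandboxProfile / propagatedSandboxProfile are nixpkgs-level names; mkDerivation folds them into __sandboxProfile on Darwin`. The enclosing mkDerivation function starts and ends outside these hunks.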
@@ -219,7 +219,7 @@ let inherit preHook initialPath shell defaultNativeBuildInputs; } // ifDarwin { - _sandboxProfile = _stdenvSandboxProfile; + __sandboxProfile = stdenvSandboxProfile; }) // rec { diff --git a/pkgs/stdenv/pure-darwin/default.nix b/pkgs/stdenv/pure-darwin/default.nix index 39ff3ebddb1..bc3b433e922 100644 --- a/pkgs/stdenv/pure-darwin/default.nix +++ b/pkgs/stdenv/pure-darwin/default.nix @@ -50,7 +50,7 @@ in rec { inherit (bootstrapFiles) mkdir bzip2 cpio; - _sandboxProfile = binShClosure + libSystemProfile; + __sandboxProfile = binShClosure + libSystemProfile; }; stageFun = step: last: {shell ? "${bootstrapTools}/bin/sh", @@ -93,8 +93,8 @@ in rec { }; # The stdenvs themselves don't use mkDerivation, so I need to specify this here - _stdenvSandboxProfile = binShClosure + libSystemProfile; - _extraSandboxProfile = binShClosure + libSystemProfile; + stdenvSandboxProfile = binShClosure + libSystemProfile; + extraSandboxProfile = binShClosure + libSystemProfile; extraAttrs = { inherit platform; }; overrides = pkgs: (overrides pkgs) // { fetchurl = thisStdenv.fetchurlBoot; }; @@ -269,8 +269,8 @@ in rec { export PATH_LOCALE=${pkgs.darwin.locale}/share/locale ''; - _stdenvSandboxProfile = binShClosure + libSystemProfile; - _extraSandboxProfile = binShClosure + libSystemProfile; + stdenvSandboxProfile = binShClosure + libSystemProfile; + extraSandboxProfile = binShClosure + libSystemProfile; initialPath = import ../common-path.nix { inherit pkgs; }; shell = "${pkgs.bash}/bin/bash"; From f5609a4d2ab02a1a39499e78e65ab2ea1f93ff10 Mon Sep 17 00:00:00 2001 From: Jude Taylor Date: Sat, 21 Nov 2015 15:51:48 -0800 Subject: [PATCH 44/61] reintroduce impure host deps to all derivations --- pkgs/os-specific/darwin/apple-sdk/default.nix | 2 +- .../darwin/apple-source-releases/CF/default.nix | 2 +- pkgs/stdenv/generic/default.nix | 12 ++++++++++++ 3 files changed, 14 insertions(+), 2 deletions(-) 
diff --git a/pkgs/os-specific/darwin/apple-sdk/default.nix b/pkgs/os-specific/darwin/apple-sdk/default.nix index f1e3556273e..7c3d1482f81 100644 --- a/pkgs/os-specific/darwin/apple-sdk/default.nix +++ b/pkgs/os-specific/darwin/apple-sdk/default.nix @@ -100,7 +100,7 @@ let (allow file-read* (subpath "/System/Library/Frameworks/${name}.framework")) ''; - __propagatedImpureHostDeps = "/System/Library/Frameworks/${name}.framework/${name}"; + __propagatedImpureHostDeps = [ "/System/Library/Frameworks/${name}.framework/${name}" ]; meta = with stdenv.lib; { description = "Apple SDK framework ${name}"; diff --git a/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix b/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix index aededa1a073..3993a360156 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix @@ -8,7 +8,7 @@ appleDerivation { patches = [ ./add-cf-initialize.patch ./add-cfmachport.patch ./cf-bridging.patch ]; - __propagatedImpureHostDeps = "/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation"; + __propagatedImpureHostDeps = [ "/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation" ]; preBuild = '' substituteInPlace Makefile \ diff --git a/pkgs/stdenv/generic/default.nix b/pkgs/stdenv/generic/default.nix index 850a2796259..dbb3e25a147 100644 --- a/pkgs/stdenv/generic/default.nix +++ b/pkgs/stdenv/generic/default.nix 
@@ -160,6 +160,10 @@ let lib.concatMap (input: input.__propagatedSandboxProfile or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs); computedPropagatedSandboxProfile = lib.concatMap (input: input.__propagatedSandboxProfile or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs); + computedImpureHostDeps = + lib.unique (lib.concatMap (input: input.__propagatedImpureHostDeps or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs)); + computedPropagatedImpureHostDeps = + lib.unique (lib.concatMap (input: input.__propagatedImpureHostDeps or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs)); in { builder = attrs.realBuilder or shell; @@ -183,6 +187,13 @@ let final = lib.concatStringsSep "\n" (lib.filter (x: x != "") (lib.unique profiles)); in final; __propagatedSandboxProfile = lib.unique (computedPropagatedSandboxProfile ++ [ propagatedSandboxProfile ]); + __impureHostDeps = computedImpureHostDeps ++ computedPropagatedImpureHostDeps ++ __propagatedImpureHostDeps ++ __impureHostDeps ++ __extraImpureHostDeps ++ [ + "/dev/zero" + "/dev/random" + "/dev/urandom" + "/bin/sh" + ]; + __propagatedImpureHostDeps = computedPropagatedImpureHostDeps ++ __propagatedImpureHostDeps; } // (if outputs' != [ "out" ] then { outputs = outputs'; } else { })))) ( @@ -220,6 +231,7 @@ let } // ifDarwin { __sandboxProfile = stdenvSandboxProfile; + __impureHostDeps = __stdenvImpureHostDeps; }) // rec { From 4cd86cb068558c68308dfeda47fefd7329dd561c Mon Sep 17 00:00:00 2001 From: Jude Taylor Date: Sat, 21 Nov 2015 15:55:19 -0800 Subject: [PATCH 45/61] in cf-private, use correct path to CoreFoundation --- pkgs/os-specific/darwin/cf-private/setup-hook.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/os-specific/darwin/cf-private/setup-hook.sh b/pkgs/os-specific/darwin/cf-private/setup-hook.sh index a83a1323bf8..7594c07977b 100644 --- a/pkgs/os-specific/darwin/cf-private/setup-hook.sh +++ b/pkgs/os-specific/darwin/cf-private/setup-hook.sh 
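Review bot: The new `__impureHostDeps` list in the `ifDarwin` block (hunk `@@ -183,6 +187,13 @@`) exposes the host's `/bin/sh` and three device nodes to every Darwin derivation without a comment saying why each path is needed. Since this widens the sandbox for all builds, I would add one, for example `# host paths every Darwin build is allowed to see; keep this list minimal`. The concatenation is also not deduplicated although the two computed lists are, so wrapping the whole expression in `lib.unique (...)` would match how `__propagatedSandboxProfile` is handled just above. Both `++` and `concatMap` need lists here, so a package that still sets `__propagatedImpureHostDeps` to a plain string, as the two files corrected in this commit did, should fail at evaluation. The surrounding function continues outside the hunk.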
@@ -6,7 +6,7 @@ linkWithRealCF() { # gross! many symbols (such as _OBJC_CLASS_$_NSArray) are defined in system CF, but not # in the opensource release # if the package needs private headers, we assume they also want to link with system CF - NIX_LDFLAGS+=" /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation" + NIX_LDFLAGS+=" /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation" } preConfigureHooks+=(prependSearchPath linkWithRealCF) From 32cb70bb0743b81a011bb3e4e33f26ea0caca1a1 Mon Sep 17 00:00:00 2001 From: Jude Taylor Date: Sat, 21 Nov 2015 15:59:43 -0800 Subject: [PATCH 46/61] propagate nothing for Kernel.framework since it exposes no library --- pkgs/os-specific/darwin/apple-sdk/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/os-specific/darwin/apple-sdk/default.nix b/pkgs/os-specific/darwin/apple-sdk/default.nix index 7c3d1482f81..847738158da 100644 --- a/pkgs/os-specific/darwin/apple-sdk/default.nix +++ b/pkgs/os-specific/darwin/apple-sdk/default.nix @@ -100,7 +100,7 @@ let (allow file-read* (subpath "/System/Library/Frameworks/${name}.framework")) ''; - __propagatedImpureHostDeps = [ "/System/Library/Frameworks/${name}.framework/${name}" ]; + __propagatedImpureHostDeps = stdenv.lib.optional (name != "Kernel") "/System/Library/Frameworks/${name}.framework/${name}"; meta = with stdenv.lib; { description = "Apple SDK framework ${name}"; From e3a036225d28accbb5f059a6fde0e2d416671bc4 Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Sun, 22 Nov 2015 13:41:22 +0100 Subject: [PATCH 47/61] Fix: remove trailing ; --- pkgs/tools/misc/coreutils/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/tools/misc/coreutils/default.nix b/pkgs/tools/misc/coreutils/default.nix index c9aacd0ba6b..0943c1a026b 100644 --- a/pkgs/tools/misc/coreutils/default.nix +++ b/pkgs/tools/misc/coreutils/default.nix @@ -105,4 +105,4 @@ let }; }; in - self; + self 
From 1752268aed984552e0e2b7bcb1f90b61d61ece8b Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Sun, 22 Nov 2015 23:58:10 +0100 Subject: [PATCH 48/61] SmartOS: Fix pkgconfig 0.29 build --- pkgs/development/tools/misc/pkgconfig/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/tools/misc/pkgconfig/default.nix b/pkgs/development/tools/misc/pkgconfig/default.nix index eabcebad31d..c82a626336f 100644 --- a/pkgs/development/tools/misc/pkgconfig/default.nix +++ b/pkgs/development/tools/misc/pkgconfig/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation (rec { buildInputs = stdenv.lib.optional (stdenv.isCygwin || stdenv.isDarwin || stdenv.isSunOS) libiconv; configureFlags = [ "--with-internal-glib" ] - ++ stdenv.lib.optional (stdenv.isSunOS) "--with-libiconv=gnu"; + ++ stdenv.lib.optional (stdenv.isSunOS) [ "--with-libiconv=gnu" "--with-system-library-path" "--with-system-include-path" "CFLAGS=-DENABLE_NLS" ]; patches = (if vanilla then [] else [ # Process Requires.private properly, see From d510109c54e32137197dd85b84f67c805650f951 Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Sun, 22 Nov 2015 23:58:37 +0100 Subject: [PATCH 49/61] SmartOS: texinfo: Fix build and make configureFlags target optional. --- pkgs/development/tools/misc/texinfo/6.0.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/development/tools/misc/texinfo/6.0.nix b/pkgs/development/tools/misc/texinfo/6.0.nix index 3aa77fd2e5f..11e822291e8 100644 --- a/pkgs/development/tools/misc/texinfo/6.0.nix +++ b/pkgs/development/tools/misc/texinfo/6.0.nix 
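Review bot: `stdenv.lib.optional` is given a list in the new `configureFlags` line, which produces a nested list (`[ "--with-internal-glib" [ ... ] ]`) rather than the four flags side by side. It probably still builds because nested lists are flattened when the attribute is turned into a string, but `optionals` is the function meant for this: `++ stdenv.lib.optionals stdenv.isSunOS [ "--with-libiconv=gnu" "--with-system-library-path" "--with-system-include-path" "CFLAGS=-DENABLE_NLS" ];`. A one-line comment on why the two `--with-system-*-path` flags are passed without a value would help the next reader.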
@@ -9,17 +9,17 @@ stdenv.mkDerivation rec { }; buildInputs = [ perl xz ] - ++ stdenv.lib.optional stdenv.isSunOS libiconv + ++ stdenv.lib.optionals stdenv.isSunOS [ libiconv gawk ] ++ stdenv.lib.optional interactive ncurses; - configureFlags = "AWK=${gawk}/bin/awk"; + configureFlags = stdenv.lib.optionalString stdenv.isSunOS "AWK=${gawk}/bin/awk"; preInstall = '' installFlags="TEXMF=$out/texmf-dist"; installTargets="install install-tex"; ''; - doCheck = !stdenv.isDarwin && !interactive; + doCheck = !stdenv.isDarwin && !interactive && !stdenv.isSunOS/*flaky*/; meta = { homepage = "http://www.gnu.org/software/texinfo/"; From baf7fdcb753fc57058ba27fc335b2798fbac804a Mon Sep 17 00:00:00 2001 From: Danny Wilson Date: Mon, 23 Nov 2015 00:05:58 +0100 Subject: [PATCH 50/61] SmartOS: bison: make help2man target specific dependency --- pkgs/development/tools/parsing/bison/3.x.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/tools/parsing/bison/3.x.nix b/pkgs/development/tools/parsing/bison/3.x.nix index 8e7d65b81ff..ee007414017 100644 --- a/pkgs/development/tools/parsing/bison/3.x.nix +++ b/pkgs/development/tools/parsing/bison/3.x.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "b67fd2daae7a64b5ba862c66c07c1addb9e6b1b05c5f2049392cfd8a2172952e"; }; - nativeBuildInputs = [ m4 perl help2man ]; + nativeBuildInputs = [ m4 perl ] ++ stdenv.lib.optional stdenv.isSunOS help2man; propagatedBuildInputs = [ m4 ]; meta = { From 5f25c63bfd599228748726b2ba7d43754f5a0b3b Mon Sep 17 00:00:00 2001 From: "Matthias C. M. Troffaes" Date: Mon, 23 Nov 2015 11:23:37 +0000 Subject: [PATCH 51/61] Revert "bzip2: fix cross build on mingw by using autoconf patch" This reverts commit 094c374941e68bf667719da15c655f148840ebab. --- pkgs/tools/compression/bzip2/default.nix | 64 ++++++++++++++++-------- 1 file changed, 44 insertions(+), 20 deletions(-) 
diff --git a/pkgs/tools/compression/bzip2/default.nix b/pkgs/tools/compression/bzip2/default.nix index 286ad16cc86..a485bf5eab6 100644 --- a/pkgs/tools/compression/bzip2/default.nix +++ b/pkgs/tools/compression/bzip2/default.nix @@ -1,7 +1,11 @@ -{ stdenv, fetchurl, libtool, autoconf, automake, pkgconfig, gnum4 }: +{ stdenv, fetchurl, linkStatic ? false }: let version = "1.0.6"; + + sharedLibrary = !stdenv.isDarwin && !(stdenv ? isStatic) + && stdenv.system != "i686-cygwin" && !linkStatic; + in stdenv.mkDerivation { name = "bzip2-${version}"; 
@@ -10,30 +14,50 @@ in stdenv.mkDerivation { sha256 = "1kfrc7f0ja9fdn6j1y6yir6li818npy6217hvr3wzmnmzhs8z152"; }; - patches = [ - # original upstream for the autoconf patch is here: - # http://ftp.suse.com/pub/people/sbrabec/bzip2/for_downstream/bzip2-1.0.6-autoconfiscated.patch - # but we get the mingw-builds version of the patch, which fixes - # a few more issues - (fetchurl { - url = "https://raw.githubusercontent.com/niXman/mingw-builds/17ae841dcf6e72badad7941a06d631edaf687436/patches/bzip2/bzip2-1.0.6-autoconfiscated.patch"; - sha256 = "1flbd3i8vg9kzq0a712qcg9j2c4ymnqvgd0ldyafpzvbqj1iicnp"; - }) - ]; - - patchFlags = "-p0"; - - nativeBuildInputs = [ libtool autoconf automake gnum4 pkgconfig ]; - - preConfigure = "sh ./autogen.sh"; - crossAttrs = { - # https://github.com/niXman/mingw-builds/blob/master/patches/bzip2/bzip2-1.0.5-slash.patch - postPatch = '' + patchPhase = '' sed -i -e '//s|\\|/|' bzip2.c + sed -i -e 's/CC=gcc/CC=${stdenv.cross.config}-gcc/' \ + -e 's/AR=ar/AR=${stdenv.cross.config}-ar/' \ + -e 's/RANLIB=ranlib/RANLIB=${stdenv.cross.config}-ranlib/' \ + -e 's/bzip2recover test/bzip2recover/' \ + Makefile* ''; }; + preBuild = stdenv.lib.optionalString sharedLibrary '' + make -f Makefile-libbz2_so + ''; + + preInstall = stdenv.lib.optionalString sharedLibrary '' + mkdir -p $out/lib + mv libbz2.so* $out/lib + ( cd $out/lib && + ln -s libbz2.so.1.0.? libbz2.so && + ln -s libbz2.so.1.0.? 
libbz2.so.1 + ) + ''; + + installFlags = [ "PREFIX=$(out)" ]; + + postInstall = '' + rm $out/bin/bunzip2* $out/bin/bzcat* + ln -s bzip2 $out/bin/bunzip2 + ln -s bzip2 $out/bin/bzcat + ''; + + patchPhase = stdenv.lib.optionalString stdenv.isDarwin '' + substituteInPlace Makefile --replace 'CC=gcc' 'CC=clang' + ''; + + preConfigure = '' + substituteInPlace Makefile --replace '$(PREFIX)/man' '$(PREFIX)/share/man' + ''; + + makeFlags = stdenv.lib.optional linkStatic "LDFLAGS=-static"; + + inherit linkStatic; + meta = { homepage = "http://www.bzip.org"; description = "high-quality data compression program"; From aeb3d8ce4c9fcb26e18b96d90f5d4bdb7a1cc230 Mon Sep 17 00:00:00 2001 From: "Matthias C. M. Troffaes" Date: Mon, 23 Nov 2015 11:25:03 +0000 Subject: [PATCH 52/61] bzip2: fix cross build on mingw by using autoconf patch --- pkgs/tools/compression/bzip2/default.nix | 26 +++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/pkgs/tools/compression/bzip2/default.nix b/pkgs/tools/compression/bzip2/default.nix index a485bf5eab6..3e835c30e3d 100644 --- a/pkgs/tools/compression/bzip2/default.nix +++ b/pkgs/tools/compression/bzip2/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, linkStatic ? false }: +{ stdenv, fetchurl, libtool, autoconf, automake, gnum4, linkStatic ? false }: let version = "1.0.6"; 
@@ -15,14 +15,26 @@ in stdenv.mkDerivation { }; crossAttrs = { - patchPhase = '' + buildInputs = [ libtool autoconf automake gnum4 ]; + patches = [ + # original upstream for the autoconf patch is here: + # http://ftp.suse.com/pub/people/sbrabec/bzip2/for_downstream/bzip2-1.0.6-autoconfiscated.patch + # but we get the mingw-builds version of the patch, which fixes + # a few more issues + (fetchurl { + url = "https://raw.githubusercontent.com/niXman/mingw-builds/17ae841dcf6e72badad7941a06d631edaf687436/patches/bzip2/bzip2-1.0.6-autoconfiscated.patch"; + sha256 = "1flbd3i8vg9kzq0a712qcg9j2c4ymnqvgd0ldyafpzvbqj1iicnp"; + }) + ]; + patchFlags = "-p0"; + postPatch = '' sed -i -e '//s|\\|/|' bzip2.c - sed -i -e 's/CC=gcc/CC=${stdenv.cross.config}-gcc/' \ - -e 's/AR=ar/AR=${stdenv.cross.config}-ar/' \ - -e 's/RANLIB=ranlib/RANLIB=${stdenv.cross.config}-ranlib/' \ - -e 's/bzip2recover test/bzip2recover/' \ - Makefile* ''; + preConfigure = "sh ./autogen.sh"; + # clear native hooks that are not needed with autoconf + preBuild = ""; + preInstall = ""; + postInstall = ""; }; preBuild = stdenv.lib.optionalString sharedLibrary '' From 1a3689b87e82a3f4fe38e8b775b4cd865fef71ab Mon Sep 17 00:00:00 2001 From: Jude Taylor Date: Mon, 23 Nov 2015 12:24:04 -0800 Subject: [PATCH 53/61] fix an evaluation issue --- pkgs/top-level/all-packages.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index d7a83d8cb21..9364e2c466c 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -5493,7 +5493,7 @@ let cmake-2_8 = callPackage ../development/tools/build-managers/cmake/2.8.nix { wantPS = stdenv.isDarwin; - ps = if stdenv.isDarwin then darwin.adv_cmds else null; + inherit (darwin) ps; }; cmake = callPackage ../development/tools/build-managers/cmake { From c9f77f2b487de1b627ee367ef17e25332bdf34a1 Mon Sep 17 00:00:00 2001 
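Review bot: The `patches` and `postPatch` added to `crossAttrs` rely on the default patch phase, but the file as restored by the previous patch in this series still sets a top-level `patchPhase` that is non-empty when `stdenv.isDarwin`. If `crossAttrs` is merged over those attributes, a cross build from a Darwin host would presumably run that override instead, skip the autoconf patch and then fail at `sh ./autogen.sh`. Clearing it together with the other native hooks, `patchPhase = "";` next to `preBuild = "";`, would keep the cross path independent of the native one. This is inferred from the two hunks and worth confirming on a Darwin builder.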
From: Jude Taylor Date: Mon, 23 Nov 2015 12:26:50 -0800 Subject: [PATCH 54/61] fix another evaluation issue --- pkgs/top-level/python-packages.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix index b0c5277274d..9d0b04fb740 100644 --- a/pkgs/top-level/python-packages.nix +++ b/pkgs/top-level/python-packages.nix @@ -9232,7 +9232,7 @@ let meta = { description = "A module for monitoring memory usage of a python program"; homepage = http://pypi.python.org/pypi/memory_profiler; - license = licenses.bsd; + license = licenses.bsd3; }; }; From d539d9c935813a8d71d8c6e660a60f07a5ab15a5 Mon Sep 17 00:00:00 2001 From: Jude Taylor Date: Wed, 25 Nov 2015 10:09:35 -0800 Subject: [PATCH 55/61] revert to __impureHostDeps where possible --- pkgs/applications/editors/vim/default.nix | 2 +- pkgs/os-specific/darwin/apple-sdk/default.nix | 4 +--- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/pkgs/applications/editors/vim/default.nix b/pkgs/applications/editors/vim/default.nix index 363413a698e..a09eb846e50 100644 --- a/pkgs/applications/editors/vim/default.nix +++ b/pkgs/applications/editors/vim/default.nix @@ -43,7 +43,7 @@ stdenv.mkDerivation rec { ]; }; - sandboxProfile = stdenv.lib.sandbox.allowFileRead "/dev/ptmx"; + __impureHostDeps = [ "/dev/ptmx" ]; # To fix the trouble in vim73, that it cannot cross-build with this patch # to bypass a configure script check that cannot be done cross-building. diff --git a/pkgs/os-specific/darwin/apple-sdk/default.nix b/pkgs/os-specific/darwin/apple-sdk/default.nix index 847738158da..c18d3f6cc6d 100644 --- a/pkgs/os-specific/darwin/apple-sdk/default.nix +++ b/pkgs/os-specific/darwin/apple-sdk/default.nix 
@@ -96,9 +96,7 @@ let propagatedBuildInputs = deps; # allows building the symlink tree - sandboxProfile = '' - (allow file-read* (subpath "/System/Library/Frameworks/${name}.framework")) - ''; + __impureHostDeps = [ "/System/Library/Frameworks/${name}.framework" ]; __propagatedImpureHostDeps = stdenv.lib.optional (name != "Kernel") "/System/Library/Frameworks/${name}.framework/${name}"; From 8a779f345143a3c5451058603ec0e9e22b211c5a Mon Sep 17 00:00:00 2001 From: Jude Taylor Date: Wed, 25 Nov 2015 10:09:52 -0800 Subject: [PATCH 56/61] libdevil: fix build in clang stdenvs --- pkgs/development/libraries/libdevil/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/libdevil/default.nix b/pkgs/development/libraries/libdevil/default.nix index 99630198885..3b63ba98f57 100644 --- a/pkgs/development/libraries/libdevil/default.nix +++ b/pkgs/development/libraries/libdevil/default.nix @@ -23,6 +23,8 @@ stdenv.mkDerivation rec { preConfigure = '' sed -i 's, -std=gnu99,,g' configure sed -i 's,malloc.h,stdlib.h,g' src-ILU/ilur/ilur.c + '' + stdenv.lib.optionalString stdenv.cc.isClang '' + sed -i 's/libIL_la_CXXFLAGS = $(AM_CFLAGS)/libIL_la_CXXFLAGS =/g' lib/Makefile.in ''; postConfigure = '' From 2b97070986967bab185af7a5a4f17f67e30af6f7 Mon Sep 17 00:00:00 2001 From: Jude Taylor Date: Wed, 25 Nov 2015 11:57:55 -0800 Subject: [PATCH 57/61] build python-novaclient on darwin --- pkgs/top-level/python-packages.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix index 9d0b04fb740..549faf56fee 100644 --- a/pkgs/top-level/python-packages.nix +++ b/pkgs/top-level/python-packages.nix 
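Review bot: The removed profile rule granted only `file-read*` on the framework directory, while the replacement `__impureHostDeps = [ "/System/Library/Frameworks/${name}.framework" ];` does not state an access mode. What the sandbox grants for an impure host dependency is not visible in this patch, so it is worth confirming that it is no broader than the read access the old rule allowed. Once confirmed, the existing comment `# allows building the symlink tree` could record the access level as well. The vim hunk earlier in this commit makes the same swap for `/dev/ptmx` and carries no comment at all.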
@@ -9815,6 +9815,8 @@ let monotonic = buildPythonPackage rec { name = "monotonic-0.4"; + __propagatedImpureHostDeps = stdenv.lib.optional stdenv.isDarwin "/usr/lib/libc.dylib"; + src = pkgs.fetchurl { url = "http://pypi.python.org/packages/source/m/monotonic/${name}.tar.gz"; sha256 = "1diab6hfh3jpa1f0scpqaqrawk4g97ss4v7gkn2yw8znvdm6abw5"; @@ -11944,9 +11946,9 @@ let }; propagatedBuildInputs = with self; [ - pbr Babel six iso8601 debtcollector pyinotify + pbr Babel six iso8601 debtcollector oslo-utils oslo-i18n oslo-config oslo-serialization oslo-context - ]; + ] ++ stdenv.lib.optional stdenv.isLinux pyinotify; buildInputs = with self; [ oslotest oslosphinx ]; patchPhase = '' sed -i 's@python@${python.interpreter}@' .testr.conf From caed1528a3beb14b349bdfd76ce1caf7b7f9ea50 Mon Sep 17 00:00:00 2001 From: Jan Malakhovski Date: Tue, 18 Aug 2015 20:37:49 +0000 Subject: [PATCH 58/61] w3m: fix w3mimgdisplay, refactor the expression, make batch and nox versions, use batch version where appropriate --- .../networking/browsers/w3m/default.nix | 36 +++++++++++-------- .../networking/browsers/w3m/no-x11.patch | 15 ++++++++ pkgs/top-level/all-packages.nix | 26 +++++++++++--- 3 files changed, 59 insertions(+), 18 deletions(-) create mode 100644 pkgs/applications/networking/browsers/w3m/no-x11.patch diff --git a/pkgs/applications/networking/browsers/w3m/default.nix b/pkgs/applications/networking/browsers/w3m/default.nix index 32deafffe90..e71a733970e 100644 --- a/pkgs/applications/networking/browsers/w3m/default.nix +++ b/pkgs/applications/networking/browsers/w3m/default.nix 
@@ -1,16 +1,18 @@ { stdenv, fetchurl -, sslSupport ? true -, graphicsSupport ? false -, mouseSupport ? false -, ncurses, openssl ? null, boehmgc, gettext, zlib -, imlib2 ? null, xlibsWrapper ? null, fbcon ? null -, gpm-ncurses ? null +, ncurses, boehmgc, gettext, zlib +, sslSupport ? true, openssl ? null +, graphicsSupport ? true, imlib2 ? null +, x11Support ? graphicsSupport, libX11 ? null +, mouseSupport ? true, gpm-ncurses ? null }: assert sslSupport -> openssl != null; -assert graphicsSupport -> imlib2 != null && (xlibsWrapper != null || fbcon != null); +assert graphicsSupport -> imlib2 != null; +assert x11Support -> graphicsSupport && libX11 != null; assert mouseSupport -> gpm-ncurses != null; +with stdenv.lib; + stdenv.mkDerivation rec { name = "w3m-0.5.3"; 
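Review bot: Flipping `graphicsSupport` and `mouseSupport` to `true` in the argument list changes what every existing consumer of plain `w3m` receives: imlib2 image decoding, libX11 and gpm now enter the default build. The callers switched to `w3m-batch` later in this commit are covered, but any other user picks up the larger dependency closure without noticing. A comment above the arguments, for example `# defaults build the full-featured browser; use w3m-batch for non-interactive text processing`, would make the choice explicit for packages that only pipe HTML through it.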
@@ -24,16 +26,19 @@ stdenv.mkDerivation rec { patches = [ ./glibc214.patch ] # Patch for the newer unstable boehm-gc 7.2alpha. Not all platforms use that # alpha. At the time of writing this, boehm-gc-7.1 is the last stable. - ++ stdenv.lib.optional (boehmgc.name != "boehm-gc-7.1") [ ./newgc.patch ] - ++ stdenv.lib.optional stdenv.isCygwin ./cygwin.patch; + ++ optional (boehmgc.name != "boehm-gc-7.1") [ ./newgc.patch ] + ++ optional stdenv.isCygwin ./cygwin.patch + # for frame buffer only version + ++ optional (graphicsSupport && !x11Support) [ ./no-x11.patch ]; buildInputs = [ncurses boehmgc gettext zlib] - ++ stdenv.lib.optional sslSupport openssl - ++ stdenv.lib.optional mouseSupport gpm-ncurses - ++ stdenv.lib.optionals graphicsSupport [imlib2 xlibsWrapper fbcon]; + ++ optional sslSupport openssl + ++ optional mouseSupport gpm-ncurses + ++ optional graphicsSupport imlib2 + ++ optional x11Support libX11; configureFlags = "--with-ssl=${openssl} --with-gc=${boehmgc}" - + stdenv.lib.optionalString graphicsSupport " --enable-image=x11,fb"; + + optionalString graphicsSupport " --enable-image=${optionalString x11Support "x11,"}fb"; preConfigure = '' substituteInPlace ./configure --replace "/lib /usr/lib /usr/local/lib /usr/ucblib /usr/ccslib /usr/ccs/lib /lib64 /usr/lib64" /no-such-path @@ -42,7 +47,10 @@ stdenv.mkDerivation rec { enableParallelBuilding = false; - meta = with stdenv.lib; { + # for w3mimgdisplay + LIBS = optionalString x11Support "-lX11"; + + meta = { homepage = http://w3m.sourceforge.net/; description = "A text-mode web browser"; maintainers = [ maintainers.mornfall ]; diff --git a/pkgs/applications/networking/browsers/w3m/no-x11.patch b/pkgs/applications/networking/browsers/w3m/no-x11.patch new file mode 100644 index 00000000000..83b3e96821f --- /dev/null +++ b/pkgs/applications/networking/browsers/w3m/no-x11.patch 
@@ -0,0 +1,15 @@ +Forget about X11 in fb module. +This breaks w3mimgdisplay under X11, but removes X11 dependency it in pure fb. +diff --git a/w3mimg/fb/fb_imlib2.c b/w3mimg/fb/fb_imlib2.c +index ea36637..d3d7bc3 100644 +--- a/w3mimg/fb/fb_imlib2.c ++++ b/w3mimg/fb/fb_imlib2.c +@@ -3,7 +3,7 @@ + fb_imlib2.c 0.3 Copyright (C) 2002, hito + **************************************************************************/ + +-#include ++#define X_DISPLAY_MISSING + #include + #include "fb.h" + #include "fb_img.h" diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 71535d83167..f372eaad368 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -924,6 +924,7 @@ let asciidoc = callPackage ../tools/typesetting/asciidoc { inherit (pythonPackages) matplotlib numpy aafigure recursivePthLoader; + w3m = w3m-batch; enableStandardFeatures = false; }; @@ -3143,7 +3144,9 @@ let stricat = callPackage ../tools/security/stricat { }; - privoxy = callPackage ../tools/networking/privoxy { }; + privoxy = callPackage ../tools/networking/privoxy { + w3m = w3m-batch; + }; swaks = callPackage ../tools/networking/swaks { }; @@ -3597,7 +3600,7 @@ let xmlstarlet = callPackage ../tools/text/xml/xmlstarlet { }; xmlto = callPackage ../tools/typesetting/xmlto { - w3m = w3m.override { graphicsSupport = false; }; + w3m = w3m-batch; }; xmltv = callPackage ../tools/misc/xmltv { }; 
@@ -13388,8 +13391,21 @@ let vym = callPackage ../applications/misc/vym { }; - w3m = callPackage ../applications/networking/browsers/w3m { + w3m = callPackage ../applications/networking/browsers/w3m { }; + + # Should always be the version with the most features + w3m-full = w3m; + + # Version without X11 + w3m-nox = w3m.override { + x11Support = false; + }; + + # Version for batch text processing, not a good browser + w3m-batch = w3m.override { graphicsSupport = false; + x11Support = false; + mouseSupport = false; }; weechat = callPackage ../applications/networking/irc/weechat { @@ -13592,7 +13608,9 @@ let xdg-user-dirs = callPackage ../tools/X11/xdg-user-dirs { }; - xdg_utils = callPackage ../tools/X11/xdg-utils { }; + xdg_utils = callPackage ../tools/X11/xdg-utils { + w3m = w3m-batch; + }; xdotool = callPackage ../tools/X11/xdotool { }; From 244fba351c341dfc76efe3f1e7a7711368e36edd Mon Sep 17 00:00:00 2001 From: Jan Malakhovski Date: Wed, 25 Nov 2015 23:35:36 +0000 Subject: [PATCH 59/61] nixos: use w3m-nox for the manual --- nixos/modules/services/misc/nixos-manual.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/modules/services/misc/nixos-manual.nix b/nixos/modules/services/misc/nixos-manual.nix index 7534eb0ae6a..3e1f53e79f3 100644 --- a/nixos/modules/services/misc/nixos-manual.nix +++ b/nixos/modules/services/misc/nixos-manual.nix @@ -117,7 +117,7 @@ in services.mingetty.helpLine = mkIf cfg.showManual "\nPress for the NixOS manual."; - services.nixosManual.browser = mkDefault "${pkgs.w3m}/bin/w3m"; + services.nixosManual.browser = mkDefault "${pkgs.w3m-nox}/bin/w3m"; }; From 01eb385346b09f12994c187af835ee72254640d6 Mon Sep 17 00:00:00 2001 
From: Philip Potter Date: Tue, 10 Nov 2015 07:20:20 +0000 Subject: [PATCH 60/61] certificate-transparency: init at 2015-11-27 libevhtp: 1.2.10 -> 1.2.11 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Package for certificate-transparency This adds openssl support to libevent. Libevent can be compiled without openssl, in which case it just doesn't build the libevent_openssl library. However it seems simpler just to default to including openssl support. This bumps evhtp's version because 1.2.11 provides pkg-config information which makes building certificate-transparency easier. This has been tested with `doCheck = true;`. Signed-off-by: Edward Tjörnhammar --- .../libraries/libevent/default.nix | 4 +- .../libraries/libevhtp/default.nix | 4 +- .../certificate-transparency/default.nix | 57 +++++++++++++++++++ .../protobuf-include-from-env.patch | 14 +++++ pkgs/top-level/all-packages.nix | 2 + 5 files changed, 77 insertions(+), 4 deletions(-) create mode 100644 pkgs/servers/certificate-transparency/default.nix create mode 100644 pkgs/servers/certificate-transparency/protobuf-include-from-env.patch diff --git a/pkgs/development/libraries/libevent/default.nix b/pkgs/development/libraries/libevent/default.nix index 284a09bc927..bddda9f3ead 100644 --- a/pkgs/development/libraries/libevent/default.nix +++ b/pkgs/development/libraries/libevent/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, autoreconfHook, python, findutils }: +{ stdenv, fetchurl, autoreconfHook, openssl, python, findutils }: let version = "2.0.22"; in stdenv.mkDerivation { @@ -10,7 +10,7 @@ stdenv.mkDerivation { }; nativeBuildInputs = [ autoreconfHook ]; - buildInputs = [ python ] ++ stdenv.lib.optional stdenv.isCygwin findutils; + buildInputs = [ openssl python ] ++ stdenv.lib.optional stdenv.isCygwin findutils; patchPhase = '' patchShebangs event_rpcgen.py 
diff --git a/pkgs/development/libraries/libevhtp/default.nix b/pkgs/development/libraries/libevhtp/default.nix index f909d6d8ff2..4765f0b7d9a 100644 --- a/pkgs/development/libraries/libevhtp/default.nix +++ b/pkgs/development/libraries/libevhtp/default.nix @@ -2,13 +2,13 @@ stdenv.mkDerivation rec { name = "libevhtp-${version}"; - version = "1.2.10"; + version = "1.2.11"; src = fetchFromGitHub { owner = "ellzey"; repo = "libevhtp"; rev = version; - sha256 = "0z5cxa65zp89vkaj286gp6fpmc5fylr8bmd17g3j1rgc42nysm6a"; + sha256 = "1rlxdp8w4alcy5ryr7pmw5wi6hv7d64885wwbk1zxhvi64s4x4rg"; }; buildInputs = [ cmake openssl libevent ]; diff --git a/pkgs/servers/certificate-transparency/default.nix b/pkgs/servers/certificate-transparency/default.nix new file mode 100644 index 00000000000..ebfa7427fc0 --- /dev/null +++ b/pkgs/servers/certificate-transparency/default.nix 
@@ -0,0 +1,57 @@ +{ stdenv, pkgs, ...}: + +stdenv.mkDerivation rec { + name = "certificate-transparency-${version}"; + + version = "2015-11-27"; + rev = "dc5a51e55af989ff5871a6647166d00d0de478ab"; + + meta = with stdenv.lib; { + homepage = https://www.certificate-transparency.org/; + description = "Auditing for TLS certificates."; + license = licenses.asl20; + platforms = platforms.unix; + maintainers = with maintainers; [ philandstuff ]; + }; + + src = pkgs.fetchFromGitHub { + owner = "google"; + repo = "certificate-transparency"; + rev = rev; + sha256 = "14sgc2kcjjsnrykwcjin21h1f3v4kg83w6jqiq9qdm1ha165yhvx"; + }; + + # need to disable regex support in evhtp or building will fail + libevhtp_without_regex = stdenv.lib.overrideDerivation pkgs.libevhtp + (oldAttrs: { + cmakeFlags="-DEVHTP_DISABLE_REGEX:STRING=ON -DCMAKE_C_FLAGS:STRING=-fPIC"; + }); + + buildInputs = with pkgs; [ + autoconf automake clang_34 pkgconfig + glog gmock google-gflags gperftools gtest json_c leveldb + libevent libevhtp_without_regex openssl protobuf sqlite + ]; + + patches = [ + ./protobuf-include-from-env.patch + ]; + + doCheck = false; + + preConfigure = '' + ./autogen.sh + configureFlagsArray=( + CC=clang + CXX=clang++ + GMOCK_DIR=${pkgs.gmock} + GTEST_DIR=${pkgs.gtest} + ) + ''; + + # the default Makefile constructs BUILD_VERSION from `git describe` + # which isn't available in the nix build environment + makeFlags = "BUILD_VERSION=${version}-${rev}"; + + protocFlags = "-I ${pkgs.protobuf}/include"; +} diff --git a/pkgs/servers/certificate-transparency/protobuf-include-from-env.patch b/pkgs/servers/certificate-transparency/protobuf-include-from-env.patch new file mode 100644 index 00000000000..a1f9a1849b6 --- /dev/null +++ b/pkgs/servers/certificate-transparency/protobuf-include-from-env.patch 
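Review bot: `doCheck = false;` ships this package with its test suite off, although the commit message says the build was tested with `doCheck = true;`. For a server whose purpose is certificate auditing I would enable it, `doCheck = true;`, or add a comment giving the reason it stays off. The function also takes the whole `pkgs` set (`{ stdenv, pkgs, ...}:`) instead of naming its inputs, which hides the dependency list from `callPackage` overrides. `rev = rev;` in the `fetchFromGitHub` call can be written `inherit rev;`.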
@@ -0,0 +1,14 @@ +Get protobuf include path from environment + +--- a/python/Makefile ++++ b/python/Makefile +@@ -5,7 +5,7 @@ all: ct/proto/client_pb2.py ct/proto/ct_pb2.py ct/proto/tls_options_pb2.py \ + ct/proto/test_message_pb2.py ct/proto/certificate_pb2.py + + ct/proto/%_pb2.py: ct/proto/%.proto +- $(PROTOC) $^ -I/usr/include/ -I/usr/local/include -I$(INSTALL_DIR)/include -I. --python_out=. ++ $(PROTOC) $^ $(protocFlags) -I. --python_out=. + + ct/proto/ct_pb2.py: ../proto/ct.proto + $(PROTOC) --python_out=ct/proto -I../proto ../proto/ct.proto + diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index f372eaad368..8164085003b 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -760,6 +760,8 @@ let gcdemu = callPackage ../misc/emulators/cdemu/gui.nix { }; + certificate-transparency = callPackage ../servers/certificate-transparency { }; + image-analyzer = callPackage ../misc/emulators/cdemu/analyzer.nix { }; ccnet = callPackage ../tools/networking/ccnet { }; From c20b6846f2ec4b1fe70d62fe99d165476aed65d0 Mon Sep 17 00:00:00 2001 From: Jude Taylor Date: Mon, 30 Nov 2015 12:54:04 -0800 Subject: [PATCH 61/61] rustc: build on darwin --- pkgs/development/compilers/llvm/3.7/llvm.nix | 6 ++++-- pkgs/development/compilers/rustc/generic.nix | 13 ++++++++----- pkgs/top-level/all-packages.nix | 6 +++++- 3 files changed, 17 insertions(+), 8 deletions(-) diff --git a/pkgs/development/compilers/llvm/3.7/llvm.nix b/pkgs/development/compilers/llvm/3.7/llvm.nix index ff038024d10..060c0f3e867 100644 --- a/pkgs/development/compilers/llvm/3.7/llvm.nix +++ b/pkgs/development/compilers/llvm/3.7/llvm.nix @@ -14,6 +14,7 @@ , compiler-rt_src , libcxxabi , debugVersion ? false +, enableSharedLibraries ? !stdenv.isDarwin }: let 
@@ -46,10 +47,11 @@ in stdenv.mkDerivation rec { "-DLLVM_BUILD_TESTS=ON" "-DLLVM_ENABLE_FFI=ON" "-DLLVM_ENABLE_RTTI=ON" - ] ++ stdenv.lib.optionals (!isDarwin) [ + ] ++ stdenv.lib.optional enableSharedLibraries "-DBUILD_SHARED_LIBS=ON" + ++ stdenv.lib.optional (!isDarwin) "-DLLVM_BINUTILS_INCDIR=${binutils}/include" - ] ++ stdenv.lib.optionals ( isDarwin) [ + ++ stdenv.lib.optionals ( isDarwin) [ "-DLLVM_ENABLE_LIBCXX=ON" "-DCAN_TARGET_i386=false" ]; diff --git a/pkgs/development/compilers/rustc/generic.nix b/pkgs/development/compilers/rustc/generic.nix index 9b3dca42b62..d578facad69 100644 --- a/pkgs/development/compilers/rustc/generic.nix +++ b/pkgs/development/compilers/rustc/generic.nix @@ -37,6 +37,8 @@ let version = if isRelease then name = "rustc-${version}"; + llvmShared = llvmPackages_37.llvm.override { enableSharedLibraries = true; }; + platform = if stdenv.system == "i686-linux" then "linux-i386" else if stdenv.system == "x86_64-linux" @@ -84,6 +86,8 @@ with stdenv.lib; stdenv.mkDerivation { __impureHostDeps = [ "/usr/lib/libedit.3.dylib" ]; + NIX_LDFLAGS = stdenv.lib.optionalString stdenv.isDarwin "-rpath ${llvmShared}/lib"; + src = if isRelease then fetchzip { url = "http://static.rust-lang.org/dist/rustc-${version}-src.tar.gz"; @@ -119,7 +123,7 @@ with stdenv.lib; stdenv.mkDerivation { # ++ [ "--jemalloc-root=${jemalloc}/lib" ++ [ "--default-linker=${stdenv.cc}/bin/cc" "--default-ar=${stdenv.cc.binutils}/bin/ar" ] ++ optional (stdenv.cc.cc ? isClang) "--enable-clang" - ++ optional (!forceBundledLLVM) "--llvm-root=${llvmPackages_37.llvm}"; + ++ optional (!forceBundledLLVM) "--llvm-root=${llvmShared}"; inherit patches; 
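Review bot: The added `NIX_LDFLAGS` in rustc/generic.nix puts `-rpath ${llvmShared}/lib` on every Darwin link, including builds with `forceBundledLLVM` set. By contrast, `--llvm-root` in the hunk after it and `buildInputs` in the last generic.nix hunk only use `llvmShared` when `!forceBundledLLVM`. With the bundled LLVM the derivation would presumably still pull in the shared LLVM build and carry an rpath to a library it does not link against. Guarding it the same way keeps the three places consistent: `NIX_LDFLAGS = stdenv.lib.optionalString (stdenv.isDarwin && !forceBundledLLVM) "-rpath ${llvmShared}/lib";`. The enclosing `mkDerivation` call starts and ends outside these hunks.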
@@ -155,11 +159,10 @@ with stdenv.lib; stdenv.mkDerivation { configureFlagsArray+=("--infodir=$out/share/info") ''; - # Procps is needed for one of the test cases - nativeBuildInputs = [ file python2 ] - ++ optionals stdenv.isLinux [ procps ]; + # ps is needed for one of the test cases + nativeBuildInputs = [ file python2 procps ]; buildInputs = [ ncurses ] - ++ optional (!forceBundledLLVM) llvmPackages_37.llvm; + ++ optional (!forceBundledLLVM) llvmShared; enableParallelBuilding = true; diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 8164085003b..6d14317e403 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -4775,7 +4775,11 @@ let rtags = callPackage ../development/tools/rtags/default.nix {}; rustcMaster = callPackage ../development/compilers/rustc/head.nix {}; - rustc = callPackage ../development/compilers/rustc {}; + rustc = callPackage ../development/compilers/rustc { + callPackage = newScope ({ + procps = if stdenv.isDarwin then darwin.ps else procps; + }); + }; rustPlatform = rustStable;
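Review bot: `nativeBuildInputs = [ file python2 procps ];` drops the `isLinux` guard, and the new comment does not say what makes that safe on Darwin. It only works there because the all-packages.nix hunk further down rebinds `procps` to `darwin.ps` through an overridden `callPackage`, which a reader of generic.nix alone will not find. I would record that at the use site: `# ps is needed for one of the test cases; on Darwin all-packages.nix passes darwin.ps as procps`. Any other caller that evaluates generic.nix with the plain `callPackage` now gets real `procps` on every platform, which may not build outside Linux.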