From a63346e33ca05f691e6854b896eac5cef99b4ef8 Mon Sep 17 00:00:00 2001 From: Jude Taylor Date: Sat, 21 Nov 2015 11:17:30 -0800 Subject: [PATCH 1/7] use single underscore for sandboxProfile --- pkgs/applications/editors/vim/default.nix | 2 +- .../git-and-tools/git/default.nix | 2 +- .../interpreters/perl/5.20/default.nix | 2 +- pkgs/os-specific/darwin/apple-sdk/default.nix | 6 ++--- .../apple-sdk/generate-framework-profile.nix | 2 +- .../apple-source-releases/CF/default.nix | 2 +- .../adv_cmds/default.nix | 2 +- .../apple-source-releases/configd/default.nix | 2 +- pkgs/stdenv/generic/default.nix | 22 +++++++++---------- pkgs/stdenv/pure-darwin/default.nix | 10 ++++----- 10 files changed, 26 insertions(+), 26 deletions(-) diff --git a/pkgs/applications/editors/vim/default.nix b/pkgs/applications/editors/vim/default.nix index 08e0e05590f..42010f15421 100644 --- a/pkgs/applications/editors/vim/default.nix +++ b/pkgs/applications/editors/vim/default.nix @@ -43,7 +43,7 @@ stdenv.mkDerivation rec { ]; }; - __sandboxProfile = stdenv.lib.sandbox.allowFileRead "/dev/ptmx"; + _sandboxProfile = stdenv.lib.sandbox.allowFileRead "/dev/ptmx"; # To fix the trouble in vim73, that it cannot cross-build with this patch # to bypass a configure script check that cannot be done cross-building. diff --git a/pkgs/applications/version-management/git-and-tools/git/default.nix b/pkgs/applications/version-management/git-and-tools/git/default.nix index 57ebb7397bc..ed963d206e9 100644 --- a/pkgs/applications/version-management/git-and-tools/git/default.nix +++ b/pkgs/applications/version-management/git-and-tools/git/default.nix 
@@ -37,7 +37,7 @@ stdenv.mkDerivation { NIX_LDFLAGS = stdenv.lib.optionalString (!stdenv.isDarwin) "-lgcc_s"; # without this, git fails when trying to check for /etc/gitconfig existence - __propagatedSandboxProfile = stdenv.lib.sandbox.allowDirectoryList "/etc"; + _propagatedSandboxProfile = stdenv.lib.sandbox.allowDirectoryList "/etc"; makeFlags = "prefix=\${out} sysconfdir=/etc/ PERL_PATH=${perl}/bin/perl SHELL_PATH=${stdenv.shell} " + (if pythonSupport then "PYTHON_PATH=${python}/bin/python" else "NO_PYTHON=1") diff --git a/pkgs/development/interpreters/perl/5.20/default.nix b/pkgs/development/interpreters/perl/5.20/default.nix index b2f43d176e8..a85175bf0c3 100644 --- a/pkgs/development/interpreters/perl/5.20/default.nix +++ b/pkgs/development/interpreters/perl/5.20/default.nix @@ -50,7 +50,7 @@ stdenv.mkDerivation rec { --replace "/bin/pwd" "$pwd" ''; - __sandboxProfile = stdenv.lib.sandbox.allow "ipc-sysv-sem"; + _sandboxProfile = stdenv.lib.sandbox.allow "ipc-sysv-sem"; # Build a thread-safe Perl with a dynamic libperls.o. We need the # "installstyle" option to ensure that modules are put under diff --git a/pkgs/os-specific/darwin/apple-sdk/default.nix b/pkgs/os-specific/darwin/apple-sdk/default.nix index b31e5d043ef..a422bfa6452 100644 --- a/pkgs/os-specific/darwin/apple-sdk/default.nix +++ b/pkgs/os-specific/darwin/apple-sdk/default.nix @@ -97,11 +97,11 @@ let propagatedBuildInputs = deps; # allows building the symlink tree - __sandboxProfile = '' + _sandboxProfile = '' (allow file-read* (subpath "/System/Library/Frameworks/${name}.framework")) ''; - __propagatedSandboxProfile = stdenv.lib.sandbox.importProfile (generateFrameworkProfile name); + _propagatedSandboxProfile = stdenv.lib.sandbox.importProfile (generateFrameworkProfile name); meta = with stdenv.lib; { description = "Apple SDK framework ${name}"; 
@@ -165,7 +165,7 @@ in rec { }); CoreServices = stdenv.lib.overrideDerivation super.CoreServices (drv: { - __propagatedSandboxProfile = drv.__propagatedSandboxProfile ++ ['' + _propagatedSandboxProfile = drv._propagatedSandboxProfile ++ ['' (allow mach-lookup (global-name "com.apple.CoreServices.coreservicesd")) '']; }); diff --git a/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix b/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix index eb6228db14d..a0d37c5db38 100644 --- a/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix +++ b/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix @@ -14,7 +14,7 @@ let path = "/System/Library/Frameworks/${frameworkName}.framework"; in runCommand "${frameworkName}-profile.sb" { # __noChroot lite - __sandboxProfile = '' + _sandboxProfile = '' (allow file* (subpath "/")) ''; diff --git a/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix b/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix index 0eac8fcae39..c02129d2afe 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix @@ -8,7 +8,7 @@ appleDerivation { patches = [ ./add-cf-initialize.patch ./add-cfmachport.patch ./cf-bridging.patch ]; - __propagatedSandboxProfile = stdenv.lib.sandbox.importProfile (generateFrameworkProfile "CoreFoundation"); + _propagatedSandboxProfile = stdenv.lib.sandbox.importProfile (generateFrameworkProfile "CoreFoundation"); preBuild = '' substituteInPlace Makefile \ diff --git a/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix b/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix index d465fa71ff0..2b2a9148f22 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix 
@@ -81,7 +81,7 @@ in appleDerivation { ]; # ps uses this syscall to get process info - __propagatedSandboxProfile = stdenv.lib.sandbox.allow "mach-priv-task-port"; + _propagatedSandboxProfile = stdenv.lib.sandbox.allow "mach-priv-task-port"; meta = { platforms = stdenv.lib.platforms.darwin; diff --git a/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix b/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix index c730a409609..5fcb6a24204 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix @@ -7,7 +7,7 @@ appleDerivation { propagatedBuildInputs = [ Security ]; - __propagatedSandboxProfile = '' + _propagatedSandboxProfile = '' (allow mach-lookup (global-name "com.apple.SystemConfiguration.configd")) ''; diff --git a/pkgs/stdenv/generic/default.nix b/pkgs/stdenv/generic/default.nix index 196c8618c91..e3ba2f27f22 100644 --- a/pkgs/stdenv/generic/default.nix +++ b/pkgs/stdenv/generic/default.nix @@ -12,8 +12,8 @@ let lib = import ../../../lib; in lib.makeOverridable ( , extraBuildInputs ? [] , __stdenvImpureHostDeps ? [] , __extraImpureHostDeps ? [] -, __stdenvSandboxProfile ? "" -, __extraSandboxProfile ? "" +, _stdenvSandboxProfile ? "" +, _extraSandboxProfile ? "" }: let @@ -102,8 +102,8 @@ let , outputs ? [ "out" ] , __impureHostDeps ? [] , __propagatedImpureHostDeps ? [] - , __sandboxProfile ? "" - , __propagatedSandboxProfile ? "" + , _sandboxProfile ? "" + , _propagatedSandboxProfile ? "" , ... } @ attrs: let pos' = 
@@ -154,12 +154,12 @@ let (removeAttrs attrs ["meta" "passthru" "crossAttrs" "pos" "__impureHostDeps" "__propagatedImpureHostDeps" - "__sandboxProfile" "__propagatedSandboxProfile"]) + "_sandboxProfile" "_propagatedSandboxProfile"]) // (let computedSandboxProfile = - lib.concatMap (input: input.__propagatedSandboxProfile or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs); + lib.concatMap (input: input._propagatedSandboxProfile or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs); computedPropagatedSandboxProfile = - lib.concatMap (input: input.__propagatedSandboxProfile or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs); + lib.concatMap (input: input._propagatedSandboxProfile or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs); in { builder = attrs.realBuilder or shell; @@ -178,11 +178,11 @@ let (if crossConfig == null then propagatedBuildInputs else []); } // ifDarwin { # TODO: remove lib.unique once nix has a list canonicalization primitive - __sandboxProfile = - let profiles = [ __extraSandboxProfile ] ++ computedSandboxProfile ++ computedPropagatedSandboxProfile ++ [ __propagatedSandboxProfile __sandboxProfile ]; + _sandboxProfile = + let profiles = [ _extraSandboxProfile ] ++ computedSandboxProfile ++ computedPropagatedSandboxProfile ++ [ _propagatedSandboxProfile _sandboxProfile ]; final = lib.concatStringsSep "\n" (lib.filter (x: x != "") (lib.unique profiles)); in final; - __propagatedSandboxProfile = lib.unique (computedPropagatedSandboxProfile ++ [ __propagatedSandboxProfile ]); + _propagatedSandboxProfile = lib.unique (computedPropagatedSandboxProfile ++ [ _propagatedSandboxProfile ]); } // (if outputs' != [ "out" ] then { outputs = outputs'; } else { })))) ( @@ -219,7 +219,7 @@ let inherit preHook initialPath shell defaultNativeBuildInputs; } // ifDarwin { - __sandboxProfile = __stdenvSandboxProfile; + _sandboxProfile = _stdenvSandboxProfile; }) // rec { 
diff --git a/pkgs/stdenv/pure-darwin/default.nix b/pkgs/stdenv/pure-darwin/default.nix index 1770d48278d..39ff3ebddb1 100644 --- a/pkgs/stdenv/pure-darwin/default.nix +++ b/pkgs/stdenv/pure-darwin/default.nix @@ -50,7 +50,7 @@ in rec { inherit (bootstrapFiles) mkdir bzip2 cpio; - __sandboxProfile = binShClosure + libSystemProfile; + _sandboxProfile = binShClosure + libSystemProfile; }; stageFun = step: last: {shell ? "${bootstrapTools}/bin/sh", @@ -93,8 +93,8 @@ in rec { }; # The stdenvs themselves don't use mkDerivation, so I need to specify this here - __stdenvSandboxProfile = binShClosure + libSystemProfile; - __extraSandboxProfile = binShClosure + libSystemProfile; + _stdenvSandboxProfile = binShClosure + libSystemProfile; + _extraSandboxProfile = binShClosure + libSystemProfile; extraAttrs = { inherit platform; }; overrides = pkgs: (overrides pkgs) // { fetchurl = thisStdenv.fetchurlBoot; }; @@ -269,8 +269,8 @@ in rec { export PATH_LOCALE=${pkgs.darwin.locale}/share/locale ''; - __stdenvSandboxProfile = binShClosure + libSystemProfile; - __extraSandboxProfile = binShClosure + libSystemProfile; + _stdenvSandboxProfile = binShClosure + libSystemProfile; + _extraSandboxProfile = binShClosure + libSystemProfile; initialPath = import ../common-path.nix { inherit pkgs; }; shell = "${pkgs.bash}/bin/bash"; From 69e7f3bb7405ad4bf81e6d8c1897116c3a4d77dc Mon Sep 17 00:00:00 2001 
From: Jude Taylor Date: Sat, 21 Nov 2015 12:06:41 -0800 Subject: [PATCH 2/7] switch to zero underscores for sandbox profiles; remove generateFrameworkProfile --- pkgs/applications/editors/vim/default.nix | 2 +- .../git-and-tools/git/default.nix | 2 +- .../interpreters/perl/5.20/default.nix | 2 +- pkgs/os-specific/darwin/apple-sdk/default.nix | 9 ++- .../apple-sdk/generate-framework-profile.nix | 64 ------------------- .../apple-source-releases/CF/default.nix | 4 +- .../adv_cmds/default.nix | 2 +- .../apple-source-releases/configd/default.nix | 2 +- .../darwin/apple-source-releases/default.nix | 6 +- pkgs/stdenv/generic/default.nix | 22 +++---- pkgs/stdenv/pure-darwin/default.nix | 10 +-- 11 files changed, 29 insertions(+), 96 deletions(-) delete mode 100644 pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix diff --git a/pkgs/applications/editors/vim/default.nix b/pkgs/applications/editors/vim/default.nix index 42010f15421..363413a698e 100644 --- a/pkgs/applications/editors/vim/default.nix +++ b/pkgs/applications/editors/vim/default.nix @@ -43,7 +43,7 @@ stdenv.mkDerivation rec { ]; }; - _sandboxProfile = stdenv.lib.sandbox.allowFileRead "/dev/ptmx"; + sandboxProfile = stdenv.lib.sandbox.allowFileRead "/dev/ptmx"; # To fix the trouble in vim73, that it cannot cross-build with this patch # to bypass a configure script check that cannot be done cross-building. diff --git a/pkgs/applications/version-management/git-and-tools/git/default.nix b/pkgs/applications/version-management/git-and-tools/git/default.nix index ed963d206e9..d060acef53e 100644 --- a/pkgs/applications/version-management/git-and-tools/git/default.nix +++ b/pkgs/applications/version-management/git-and-tools/git/default.nix 
@@ -37,7 +37,7 @@ stdenv.mkDerivation { NIX_LDFLAGS = stdenv.lib.optionalString (!stdenv.isDarwin) "-lgcc_s"; # without this, git fails when trying to check for /etc/gitconfig existence - _propagatedSandboxProfile = stdenv.lib.sandbox.allowDirectoryList "/etc"; + propagatedSandboxProfile = stdenv.lib.sandbox.allowDirectoryList "/etc"; makeFlags = "prefix=\${out} sysconfdir=/etc/ PERL_PATH=${perl}/bin/perl SHELL_PATH=${stdenv.shell} " + (if pythonSupport then "PYTHON_PATH=${python}/bin/python" else "NO_PYTHON=1") diff --git a/pkgs/development/interpreters/perl/5.20/default.nix b/pkgs/development/interpreters/perl/5.20/default.nix index a85175bf0c3..aa384683728 100644 --- a/pkgs/development/interpreters/perl/5.20/default.nix +++ b/pkgs/development/interpreters/perl/5.20/default.nix @@ -50,7 +50,7 @@ stdenv.mkDerivation rec { --replace "/bin/pwd" "$pwd" ''; - _sandboxProfile = stdenv.lib.sandbox.allow "ipc-sysv-sem"; + sandboxProfile = stdenv.lib.sandbox.allow "ipc-sysv-sem"; # Build a thread-safe Perl with a dynamic libperls.o. We need the # "installstyle" option to ensure that modules are put under diff --git a/pkgs/os-specific/darwin/apple-sdk/default.nix b/pkgs/os-specific/darwin/apple-sdk/default.nix index a422bfa6452..f1e3556273e 100644 --- a/pkgs/os-specific/darwin/apple-sdk/default.nix +++ b/pkgs/os-specific/darwin/apple-sdk/default.nix @@ -1,7 +1,6 @@ { stdenv, fetchurl, xar, gzip, cpio, pkgs }: let - generateFrameworkProfile = pkgs.callPackage ./generate-framework-profile.nix {}; # sadly needs to be exported because security_tool needs it sdk = stdenv.mkDerivation rec { version = "10.9"; 
@@ -97,11 +96,11 @@ let propagatedBuildInputs = deps; # allows building the symlink tree - _sandboxProfile = '' + sandboxProfile = '' (allow file-read* (subpath "/System/Library/Frameworks/${name}.framework")) ''; - _propagatedSandboxProfile = stdenv.lib.sandbox.importProfile (generateFrameworkProfile name); + __propagatedImpureHostDeps = "/System/Library/Frameworks/${name}.framework/${name}"; meta = with stdenv.lib; { description = "Apple SDK framework ${name}"; @@ -165,7 +164,7 @@ in rec { }); CoreServices = stdenv.lib.overrideDerivation super.CoreServices (drv: { - _propagatedSandboxProfile = drv._propagatedSandboxProfile ++ ['' + __propagatedSandboxProfile = drv.__propagatedSandboxProfile ++ ['' (allow mach-lookup (global-name "com.apple.CoreServices.coreservicesd")) '']; }); @@ -182,5 +181,5 @@ in rec { frameworks = bareFrameworks // overrides bareFrameworks; - inherit sdk generateFrameworkProfile; + inherit sdk; } diff --git a/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix b/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix deleted file mode 100644 index a0d37c5db38..00000000000 --- a/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix +++ /dev/null 
@@ -1,64 +0,0 @@ -{ runCommand }: - -# In a normal programming language, one might store a hashmap -# { library name -> runtime dependencies }. -# associative arrays were only recently added to bash, and even then, bash arrays cannot -# be multidimensional. instead, the filesystem is the hash table! -# once every dependency in the tree has been visited, a comprehensive list of libraries -# will exist inside ./build. then `find ./build -type f` will give you the -# dependency tree you need! - -frameworkName: - -let path = "/System/Library/Frameworks/${frameworkName}.framework"; - -in runCommand "${frameworkName}-profile.sb" { - # __noChroot lite - _sandboxProfile = '' - (allow file* (subpath "/")) - ''; - - # inconsistencies may exist between self and hydra - allowSubstitutes = false; -} '' - if [ ! -f "${path}/${frameworkName}" ]; then - touch $out - exit - fi - base=./build - find_deps () { - if [ -f "$base/$1" ]; then - return - fi - dependencies=$(otool -l -arch x86_64 $1 \ - | grep 'LC_\w*_DYLIB' -A 2 \ - | grep name \ - | sed 's/^ *//' \ - | cut -d' ' -f2) - mkdir -p $base/"$(dirname "$1")" - touch $base/"$1" - for dep in $dependencies; do - find_deps "$dep" - done - } - find_deps "${path}/${frameworkName}" "$out" - set -o noglob - profile="(allow file-read*" - for file in $(find $base -type f); do - filename=''${file/$base/} - case $filename in - /usr/lib/system*) ;; - /usr/lib/libSystem.dylib) ;; - /usr/lib/libSystem.B.dylib) ;; - /usr/lib/libobjc.A.dylib) ;; - /usr/lib/libobjc.dylib) ;; - /usr/lib/libauto.dylib) ;; - /usr/lib/libc++abi.dylib) ;; - /usr/lib/libDiagnosticMessagesClient.dylib) ;; - *) profile+=" (literal \"$filename\")" ;; - esac - done - profile+=" (literal \"${path}/${frameworkName}\")" - profile+=" (literal \"${path}/Versions/Current\")" - echo "$profile)" > $out -'' diff --git a/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix b/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix index c02129d2afe..aededa1a073 100644 
--- a/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix @@ -1,4 +1,4 @@ -{ stdenv, appleDerivation, icu, dyld, libdispatch, launchd, libclosure, generateFrameworkProfile }: +{ stdenv, appleDerivation, icu, dyld, libdispatch, launchd, libclosure }: # this project uses blocks, a clang-only extension assert stdenv.cc.isClang; @@ -8,7 +8,7 @@ appleDerivation { patches = [ ./add-cf-initialize.patch ./add-cfmachport.patch ./cf-bridging.patch ]; - _propagatedSandboxProfile = stdenv.lib.sandbox.importProfile (generateFrameworkProfile "CoreFoundation"); + __propagatedImpureHostDeps = "/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation"; preBuild = '' substituteInPlace Makefile \ diff --git a/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix b/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix index 2b2a9148f22..a0261875c10 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix @@ -81,7 +81,7 @@ in appleDerivation { ]; # ps uses this syscall to get process info - _propagatedSandboxProfile = stdenv.lib.sandbox.allow "mach-priv-task-port"; + propagatedSandboxProfile = stdenv.lib.sandbox.allow "mach-priv-task-port"; meta = { platforms = stdenv.lib.platforms.darwin; diff --git a/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix b/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix index 5fcb6a24204..1fbacfb9284 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix @@ -7,7 +7,7 @@ appleDerivation { propagatedBuildInputs = [ Security ]; - _propagatedSandboxProfile = '' + propagatedSandboxProfile = '' (allow mach-lookup (global-name "com.apple.SystemConfiguration.configd")) ''; 
diff --git a/pkgs/os-specific/darwin/apple-source-releases/default.nix b/pkgs/os-specific/darwin/apple-source-releases/default.nix index 6b7858d374a..f1b72b4123f 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/default.nix @@ -54,11 +54,9 @@ let inherit (adv_cmds) ps locale; architecture = applePackage "architecture" "265" "05wz8wmxlqssfp29x203fwfb8pgbdjj1mpz12v508658166yzqj8" {}; bootstrap_cmds = applePackage "bootstrap_cmds" "86" "0xr0296jm1r3q7kbam98h85g23qlfi763z54ahj563n636kyk2wb" {}; - bsdmake = applePackage "bsdmake" "24" "11a9kkhz5bfgi1i8kpdkis78lhc6b5vxmhd598fcdgra1jw4iac2" {}; + bsdmake = applePackage "bsdmake" "24" "11a9kkhz5bfgi1i8kpdkis78lhc6b5vxmhd598fcdgra1jw4iac2" {}; CarbonHeaders = applePackage "CarbonHeaders" "9A581" "1hc0yijlpwq39x5bic6nnywqp2m1wj1f11j33m2q7p505h1h740c" {}; - CF = applePackage "CF" "855.17" "1sadmxi9fsvsmdyxvg2133sdzvkzwil5fvyyidxsyk1iyfzqsvln" { - inherit (pkgs.darwin.apple_sdk) generateFrameworkProfile; - }; + CF = applePackage "CF" "855.17" "1sadmxi9fsvsmdyxvg2133sdzvkzwil5fvyyidxsyk1iyfzqsvln" {}; CommonCrypto = applePackage "CommonCrypto" "60049" "1azin6w7cnzl0iv8kd2qzgwcp6a45zy64y5z1i6jysjcl6xmlw2h" {}; configd = applePackage "configd" "453.19" "1gxakahk8gallf16xmhxhprdxkh3prrmzxnmxfvj0slr0939mmr2" {}; copyfile = applePackage "copyfile" "103.92.1" "15i2hw5aqx0fklvmq6avin5s00adacvzqc740vviwc2y742vrdcd" {}; diff --git a/pkgs/stdenv/generic/default.nix b/pkgs/stdenv/generic/default.nix index e3ba2f27f22..850a2796259 100644 --- a/pkgs/stdenv/generic/default.nix +++ b/pkgs/stdenv/generic/default.nix @@ -12,8 +12,8 @@ let lib = import ../../../lib; in lib.makeOverridable ( , extraBuildInputs ? [] , __stdenvImpureHostDeps ? [] , __extraImpureHostDeps ? [] -, _stdenvSandboxProfile ? "" -, _extraSandboxProfile ? "" +, stdenvSandboxProfile ? "" +, extraSandboxProfile ? "" }: let 
@@ -102,8 +102,8 @@ let , outputs ? [ "out" ] , __impureHostDeps ? [] , __propagatedImpureHostDeps ? [] - , _sandboxProfile ? "" - , _propagatedSandboxProfile ? "" + , sandboxProfile ? "" + , propagatedSandboxProfile ? "" , ... } @ attrs: let pos' = @@ -154,12 +154,12 @@ let (removeAttrs attrs ["meta" "passthru" "crossAttrs" "pos" "__impureHostDeps" "__propagatedImpureHostDeps" - "_sandboxProfile" "_propagatedSandboxProfile"]) + "sandboxProfile" "propagatedSandboxProfile"]) // (let computedSandboxProfile = - lib.concatMap (input: input._propagatedSandboxProfile or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs); + lib.concatMap (input: input.__propagatedSandboxProfile or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs); computedPropagatedSandboxProfile = - lib.concatMap (input: input._propagatedSandboxProfile or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs); + lib.concatMap (input: input.__propagatedSandboxProfile or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs); in { builder = attrs.realBuilder or shell; @@ -178,11 +178,11 @@ let (if crossConfig == null then propagatedBuildInputs else []); } // ifDarwin { # TODO: remove lib.unique once nix has a list canonicalization primitive - _sandboxProfile = - let profiles = [ _extraSandboxProfile ] ++ computedSandboxProfile ++ computedPropagatedSandboxProfile ++ [ _propagatedSandboxProfile _sandboxProfile ]; + __sandboxProfile = + let profiles = [ extraSandboxProfile ] ++ computedSandboxProfile ++ computedPropagatedSandboxProfile ++ [ propagatedSandboxProfile sandboxProfile ]; final = lib.concatStringsSep "\n" (lib.filter (x: x != "") (lib.unique profiles)); in final; - _propagatedSandboxProfile = lib.unique (computedPropagatedSandboxProfile ++ [ _propagatedSandboxProfile ]); + __propagatedSandboxProfile = lib.unique (computedPropagatedSandboxProfile ++ [ propagatedSandboxProfile ]); } // (if outputs' != [ "out" ] then { outputs = outputs'; } else { })))) ( 
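Review bot: The `@@ -178,11 +178,11 @@` hunk leaves the two-level naming it introduces undocumented: packages now write `sandboxProfile` / `propagatedSandboxProfile`, which the `removeAttrs` call in the previous hunk strips from the derivation, while the values Nix actually consumes are re-emitted as `__sandboxProfile` / `__propagatedSandboxProfile`, and the latter is also what `computedSandboxProfile` reads back from every build input. A reader of only the package files touched in this commit (vim, perl, git, adv_cmds, configd) cannot learn this from them. I would add above the `__sandboxProfile =` line: `# sandboxProfile / propagatedSandboxProfile are the user-facing attrs; they are stripped above and` / `# re-emitted here as __sandboxProfile / __propagatedSandboxProfile, the names Nix and dependents read.` The distinction is load-bearing: the CoreServices override in apple-sdk/default.nix in this same commit targets the `__`-prefixed attr directly. The mkDerivation body these hunks patch begins and ends outside them.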
@@ -219,7 +219,7 @@ let inherit preHook initialPath shell defaultNativeBuildInputs; } // ifDarwin { - _sandboxProfile = _stdenvSandboxProfile; + __sandboxProfile = stdenvSandboxProfile; }) // rec { diff --git a/pkgs/stdenv/pure-darwin/default.nix b/pkgs/stdenv/pure-darwin/default.nix index 39ff3ebddb1..bc3b433e922 100644 --- a/pkgs/stdenv/pure-darwin/default.nix +++ b/pkgs/stdenv/pure-darwin/default.nix @@ -50,7 +50,7 @@ in rec { inherit (bootstrapFiles) mkdir bzip2 cpio; - _sandboxProfile = binShClosure + libSystemProfile; + __sandboxProfile = binShClosure + libSystemProfile; }; stageFun = step: last: {shell ? "${bootstrapTools}/bin/sh", @@ -93,8 +93,8 @@ in rec { }; # The stdenvs themselves don't use mkDerivation, so I need to specify this here - _stdenvSandboxProfile = binShClosure + libSystemProfile; - _extraSandboxProfile = binShClosure + libSystemProfile; + stdenvSandboxProfile = binShClosure + libSystemProfile; + extraSandboxProfile = binShClosure + libSystemProfile; extraAttrs = { inherit platform; }; overrides = pkgs: (overrides pkgs) // { fetchurl = thisStdenv.fetchurlBoot; }; @@ -269,8 +269,8 @@ in rec { export PATH_LOCALE=${pkgs.darwin.locale}/share/locale ''; - _stdenvSandboxProfile = binShClosure + libSystemProfile; - _extraSandboxProfile = binShClosure + libSystemProfile; + stdenvSandboxProfile = binShClosure + libSystemProfile; + extraSandboxProfile = binShClosure + libSystemProfile; initialPath = import ../common-path.nix { inherit pkgs; }; shell = "${pkgs.bash}/bin/bash"; From f5609a4d2ab02a1a39499e78e65ab2ea1f93ff10 Mon Sep 17 00:00:00 2001 From: Jude Taylor Date: Sat, 21 Nov 2015 15:51:48 -0800 Subject: [PATCH 3/7] reintroduce impure host deps to all derivations --- pkgs/os-specific/darwin/apple-sdk/default.nix | 2 +- .../darwin/apple-source-releases/CF/default.nix | 2 +- pkgs/stdenv/generic/default.nix | 12 ++++++++++++ 3 files changed, 14 insertions(+), 2 deletions(-) 
diff --git a/pkgs/os-specific/darwin/apple-sdk/default.nix b/pkgs/os-specific/darwin/apple-sdk/default.nix index f1e3556273e..7c3d1482f81 100644 --- a/pkgs/os-specific/darwin/apple-sdk/default.nix +++ b/pkgs/os-specific/darwin/apple-sdk/default.nix @@ -100,7 +100,7 @@ let (allow file-read* (subpath "/System/Library/Frameworks/${name}.framework")) ''; - __propagatedImpureHostDeps = "/System/Library/Frameworks/${name}.framework/${name}"; + __propagatedImpureHostDeps = [ "/System/Library/Frameworks/${name}.framework/${name}" ]; meta = with stdenv.lib; { description = "Apple SDK framework ${name}"; diff --git a/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix b/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix index aededa1a073..3993a360156 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix @@ -8,7 +8,7 @@ appleDerivation { patches = [ ./add-cf-initialize.patch ./add-cfmachport.patch ./cf-bridging.patch ]; - __propagatedImpureHostDeps = "/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation"; + __propagatedImpureHostDeps = [ "/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation" ]; preBuild = '' substituteInPlace Makefile \ diff --git a/pkgs/stdenv/generic/default.nix b/pkgs/stdenv/generic/default.nix index 850a2796259..dbb3e25a147 100644 --- a/pkgs/stdenv/generic/default.nix +++ b/pkgs/stdenv/generic/default.nix 
@@ -160,6 +160,10 @@ let lib.concatMap (input: input.__propagatedSandboxProfile or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs); computedPropagatedSandboxProfile = lib.concatMap (input: input.__propagatedSandboxProfile or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs); + computedImpureHostDeps = + lib.unique (lib.concatMap (input: input.__propagatedImpureHostDeps or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs)); + computedPropagatedImpureHostDeps = + lib.unique (lib.concatMap (input: input.__propagatedImpureHostDeps or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs)); in { builder = attrs.realBuilder or shell; @@ -183,6 +187,13 @@ let final = lib.concatStringsSep "\n" (lib.filter (x: x != "") (lib.unique profiles)); in final; __propagatedSandboxProfile = lib.unique (computedPropagatedSandboxProfile ++ [ propagatedSandboxProfile ]); + __impureHostDeps = computedImpureHostDeps ++ computedPropagatedImpureHostDeps ++ __propagatedImpureHostDeps ++ __impureHostDeps ++ __extraImpureHostDeps ++ [ + "/dev/zero" + "/dev/random" + "/dev/urandom" + "/bin/sh" + ]; + __propagatedImpureHostDeps = computedPropagatedImpureHostDeps ++ __propagatedImpureHostDeps; } // (if outputs' != [ "out" ] then { outputs = outputs'; } else { })))) ( @@ -220,6 +231,7 @@ let } // ifDarwin { __sandboxProfile = stdenvSandboxProfile; + __impureHostDeps = __stdenvImpureHostDeps; }) // rec { From 4cd86cb068558c68308dfeda47fefd7329dd561c Mon Sep 17 00:00:00 2001 From: Jude Taylor Date: Sat, 21 Nov 2015 15:55:19 -0800 Subject: [PATCH 4/7] in cf-private, use correct path to CoreFoundation --- pkgs/os-specific/darwin/cf-private/setup-hook.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/os-specific/darwin/cf-private/setup-hook.sh b/pkgs/os-specific/darwin/cf-private/setup-hook.sh index a83a1323bf8..7594c07977b 100644 --- a/pkgs/os-specific/darwin/cf-private/setup-hook.sh +++ b/pkgs/os-specific/darwin/cf-private/setup-hook.sh 
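Review bot: In the `@@ -183,6 +187,13 @@` hunk the new `__impureHostDeps` list is assembled with plain `++` and never deduplicated, whereas `__propagatedSandboxProfile` on the line directly above it is wrapped in `lib.unique` and the two `computed*ImpureHostDeps` bindings added in the first hunk are each uniqued individually; a path reachable through both a build input and a propagated input, or also listed in `__extraImpureHostDeps`, therefore appears in the attr more than once. Since the attr is part of the derivation I would expect the duplicates to perturb the drv hash depending on the dependency route — confirm, but wrapping the whole concatenation as `__impureHostDeps = lib.unique (computedImpureHostDeps ++ computedPropagatedImpureHostDeps ++ __propagatedImpureHostDeps ++ __impureHostDeps ++ __extraImpureHostDeps ++ [ "/dev/zero" "/dev/random" "/dev/urandom" "/bin/sh" ]);` removes the question and matches the neighbouring line. The four fixed paths also deserve a why-comment, since they widen every Darwin build's sandbox unconditionally and anything a dependency puts in `__propagatedImpureHostDeps` does the same for all of its dependents: `# baseline host paths every darwin build may touch; paths propagated by any build input are granted to all of its dependents`. The mkDerivation body these hunks patch begins and ends outside them.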
@@ -6,7 +6,7 @@ linkWithRealCF() { # gross! many symbols (such as _OBJC_CLASS_$_NSArray) are defined in system CF, but not # in the opensource release # if the package needs private headers, we assume they also want to link with system CF - NIX_LDFLAGS+=" /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation" + NIX_LDFLAGS+=" /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation" } preConfigureHooks+=(prependSearchPath linkWithRealCF) From 32cb70bb0743b81a011bb3e4e33f26ea0caca1a1 Mon Sep 17 00:00:00 2001 From: Jude Taylor Date: Sat, 21 Nov 2015 15:59:43 -0800 Subject: [PATCH 5/7] propagate nothing for Kernel.framework since it exposes no library --- pkgs/os-specific/darwin/apple-sdk/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/os-specific/darwin/apple-sdk/default.nix b/pkgs/os-specific/darwin/apple-sdk/default.nix index 7c3d1482f81..847738158da 100644 --- a/pkgs/os-specific/darwin/apple-sdk/default.nix +++ b/pkgs/os-specific/darwin/apple-sdk/default.nix @@ -100,7 +100,7 @@ let (allow file-read* (subpath "/System/Library/Frameworks/${name}.framework")) ''; - __propagatedImpureHostDeps = [ "/System/Library/Frameworks/${name}.framework/${name}" ]; + __propagatedImpureHostDeps = stdenv.lib.optional (name != "Kernel") "/System/Library/Frameworks/${name}.framework/${name}"; meta = with stdenv.lib; { description = "Apple SDK framework ${name}"; From 1a3689b87e82a3f4fe38e8b775b4cd865fef71ab Mon Sep 17 00:00:00 2001 From: Jude Taylor Date: Mon, 23 Nov 2015 12:24:04 -0800 Subject: [PATCH 6/7] fix an evaluation issue --- pkgs/top-level/all-packages.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index d7a83d8cb21..9364e2c466c 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix 
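Review bot: The path this hook hands to the linker, `/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation`, no longer matches the path the CF derivation declares in `__propagatedImpureHostDeps` in patch 3 of this series (`.../CoreFoundation.framework/CoreFoundation`). If the top-level name is a symlink into `Versions/A` and the sandbox allow list is keyed on the literal file opened, a consumer relying only on the propagated entry may be denied on the resolved file — I would confirm in a sandboxed build and, if so, declare the same `Versions/A` path in both places. Failing that, a comment next to this line should say which of the two paths the sandbox is expected to be keyed on: `# must agree with the path CF propagates via __propagatedImpureHostDeps`. The `linkWithRealCF` function begins above this hunk.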
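Review bot: The `name != "Kernel"` special case in `__propagatedImpureHostDeps` carries its reason only in the commit message; the next reader of apple-sdk/default.nix sees an unexplained string comparison. I would add above the line: `# Kernel.framework exposes no library binary, so there is no host file to propagate`. The `sandboxProfile` allow on the whole `${name}.framework` subpath a few lines above stays unconditional, which looks intentional because headers are still read at build time — worth stating in the same comment if that is the reason. The enclosing framework derivation begins and ends outside this hunk.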
@@ -5493,7 +5493,7 @@ let cmake-2_8 = callPackage ../development/tools/build-managers/cmake/2.8.nix { wantPS = stdenv.isDarwin; - ps = if stdenv.isDarwin then darwin.adv_cmds else null; + inherit (darwin) ps; }; cmake = callPackage ../development/tools/build-managers/cmake { From c9f77f2b487de1b627ee367ef17e25332bdf34a1 Mon Sep 17 00:00:00 2001 From: Jude Taylor Date: Mon, 23 Nov 2015 12:26:50 -0800 Subject: [PATCH 7/7] fix another evaluation issue --- pkgs/top-level/python-packages.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix index b0c5277274d..9d0b04fb740 100644 --- a/pkgs/top-level/python-packages.nix +++ b/pkgs/top-level/python-packages.nix @@ -9232,7 +9232,7 @@ let meta = { description = "A module for monitoring memory usage of a python program"; homepage = http://pypi.python.org/pypi/memory_profiler; - license = licenses.bsd; + license = licenses.bsd3; }; };