Add --with-sandbox-shell configure flag

And add a 116 KiB ash shell from busybox to the release build. This helps to make sandbox builds work out of the box on non-NixOS systems and with diverted stores.
NixOS · May 15, 2017 · a2d92bb20e82a0957067ede60e91fab256948b41 · a2d92bb · bjornfor · May 23, 2017
1 parent b30f578
commit a2d92bb20e82a0957067ede60e91fab256948b41
Unified Split

Showing with 38 additions and 12 deletions.

+1 −0 Makefile.config.in

+6 −0 configure.ac

+21 −0 release-common.nix

+4 −5 release.nix

+3 −4 shell.nix

+2 −2 src/libstore/globals.cc

+1 −1 src/libstore/local.mk
diff --git a/Makefile.config.in b/Makefile.config.in
@@ -28,6 +28,7 @@ localstatedir = @localstatedir@
 mandir = @mandir@
 pkglibdir = $(libdir)/$(PACKAGE_NAME)
 prefix = @prefix@
+sandbox_shell = @sandbox_shell@
 storedir = @storedir@
 sysconfdir = @sysconfdir@
 doc_generate = @doc_generate@
diff --git a/configure.ac b/configure.ac
@@ -240,6 +240,12 @@ fi
 AC_SUBST(tarFlags)


+AC_ARG_WITH(sandbox-shell, AC_HELP_STRING([--with-sandbox-shell=PATH],
+  [path of a statically-linked shell to use as /bin/sh in sandboxes]),
+  sandbox_shell=$withval)
+AC_SUBST(sandbox_shell)
+
+
 # Expand all variables in config.status.
 test "$prefix" = NONE && prefix=$ac_default_prefix
 test "$exec_prefix" = NONE && exec_prefix='${prefix}'
diff --git a/release-common.nix b/release-common.nix
@@ -0,0 +1,21 @@
+{ pkgs }:
+
+rec {
+  sh = pkgs.busybox.override {
+    useMusl = true;
+    enableStatic = true;
+    enableMinimal = true;
+    extraConfig = ''
+      CONFIG_ASH y
+      CONFIG_ASH_BUILTIN_ECHO y
+      CONFIG_ASH_BUILTIN_TEST y
+      CONFIG_ASH_OPTIMIZE_FOR_SIZE y
+    '';
+  };
+
+  configureFlags =
+    [ "--disable-init-state"
+      "--enable-gc"
+      "--with-sandbox-shell=${sh}/bin/busybox"
+    ];
+}
diff --git a/release.nix b/release.nix
@@ -66,6 +66,8 @@ let

      with import <nixpkgs> { inherit system; };

+      with import ./release-common.nix { inherit pkgs; };
+
      releaseTools.nixBuild {
        name = "nix";
        src = tarball;
@@ -83,11 +85,8 @@ let
              customMemoryManagement = false;
            });

-        configureFlags = ''
-          --disable-init-state
-          --enable-gc
-          --sysconfdir=/etc
-        '';
+        configureFlags = configureFlags ++
+          [ "--sysconfdir=/etc" ];

        enableParallelBuilding = true;

diff --git a/shell.nix b/shell.nix
@@ -2,6 +2,8 @@

 with import <nixpkgs> {};

+with import ./release-common.nix { inherit pkgs; };
+
 (if useClang then clangStdenv else stdenv).mkDerivation {
  name = "nix";

@@ -22,10 +24,7 @@ with import <nixpkgs> {};
      perlPackages.DBDSQLite
    ];

-  configureFlags =
-    [ "--disable-init-state"
-      "--enable-gc"
-    ];
+  inherit configureFlags;

  enableParallelBuilding = true;

diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc
@@ -47,8 +47,8 @@ Settings::Settings()
    auto s = getEnv("NIX_REMOTE_SYSTEMS");
    if (s != "") builderFiles = tokenizeString<Strings>(s, ":");

-#if __linux__
-    sandboxPaths = tokenizeString<StringSet>("/bin/sh=" BASH_PATH);
+#if defined(__linux__) && defined(SANDBOX_SHELL)
+    sandboxPaths = tokenizeString<StringSet>("/bin/sh=" SANDBOX_SHELL);
 #endif

    allowedImpureHostPrefixes = tokenizeString<StringSet>(DEFAULT_ALLOWED_IMPURE_PREFIXES);
diff --git a/src/libstore/local.mk b/src/libstore/local.mk
@@ -27,7 +27,7 @@ libstore_CXXFLAGS = \
 -DNIX_CONF_DIR=\"$(sysconfdir)/nix\" \
 -DNIX_LIBEXEC_DIR=\"$(libexecdir)\" \
 -DNIX_BIN_DIR=\"$(bindir)\" \
- -DBASH_PATH="\"$(bash)\"" \
+ -DSANDBOX_SHELL="\"$(sandbox_shell)\"" \
 -DLSOF=\"$(lsof)\"

 $(d)/local-store.cc: $(d)/schema.sql.hh