Add --with-sandbox-shell configure flag

And add a 116 KiB ash shell from busybox to the release build. This helps to make sandbox builds work out of the box on non-NixOS systems and with diverted stores.
NixOS · May 15, 2017 · a2d92bb20e82a0957067ede60e91fab256948b41 · a2d92bb · bjornfor · May 23, 2017
1 parent b30f578
commit a2d92bb20e82a0957067ede60e91fab256948b41
Unified Split

Showing with 38 additions and 12 deletions.

+1 −0 Makefile.config.in

+6 −0 configure.ac

+21 −0 release-common.nix

+4 −5 release.nix

+3 −4 shell.nix

+2 −2 src/libstore/globals.cc

+1 −1 src/libstore/local.mk
diff --git a/Makefile.config.in b/Makefile.config.in
@@ -28,6 +28,7 @@ localstatedir = @localstatedir@
 mandir = @mandir@
 pkglibdir = $(libdir)/$(PACKAGE_NAME)
 prefix = @prefix@
+sandbox_shell = @sandbox_shell@
 storedir = @storedir@
 sysconfdir = @sysconfdir@
 doc_generate = @doc_generate@

diff --git a/configure.ac b/configure.ac
@@ -240,6 +240,12 @@ fi
 AC_SUBST(tarFlags)
 
 
+AC_ARG_WITH(sandbox-shell, AC_HELP_STRING([--with-sandbox-shell=PATH],
+  [path of a statically-linked shell to use as /bin/sh in sandboxes]),
+  sandbox_shell=$withval)
+AC_SUBST(sandbox_shell)
+
+
 # Expand all variables in config.status.
 test "$prefix" = NONE && prefix=$ac_default_prefix
 test "$exec_prefix" = NONE && exec_prefix='${prefix}'

diff --git a/release-common.nix b/release-common.nix
@@ -0,0 +1,21 @@
+{ pkgs }:
+
+rec {
+  sh = pkgs.busybox.override {
+    useMusl = true;
+    enableStatic = true;
+    enableMinimal = true;
+    extraConfig = ''
+      CONFIG_ASH y
+      CONFIG_ASH_BUILTIN_ECHO y
+      CONFIG_ASH_BUILTIN_TEST y
+      CONFIG_ASH_OPTIMIZE_FOR_SIZE y
+    '';
+  };
+
+  configureFlags =
+    [ "--disable-init-state"
+      "--enable-gc"
+      "--with-sandbox-shell=${sh}/bin/busybox"
+    ];
+}
diff --git a/release.nix b/release.nix
@@ -66,6 +66,8 @@ let
 
       with import <nixpkgs> { inherit system; };
 
+      with import ./release-common.nix { inherit pkgs; };
+
       releaseTools.nixBuild {
         name = "nix";
         src = tarball;
@@ -83,11 +85,8 @@ let
               customMemoryManagement = false;
             });
 
-        configureFlags = ''
-          --disable-init-state
-          --enable-gc
-          --sysconfdir=/etc
-        '';
+        configureFlags = configureFlags ++
+          [ "--sysconfdir=/etc" ];
 
         enableParallelBuilding = true;
 

diff --git a/shell.nix b/shell.nix
@@ -2,6 +2,8 @@
 
 with import <nixpkgs> {};
 
+with import ./release-common.nix { inherit pkgs; };
+
 (if useClang then clangStdenv else stdenv).mkDerivation {
   name = "nix";
 
@@ -22,10 +24,7 @@ with import <nixpkgs> {};
       perlPackages.DBDSQLite
     ];
 
-  configureFlags =
-    [ "--disable-init-state"
-      "--enable-gc"
-    ];
+  inherit configureFlags;
 
   enableParallelBuilding = true;
 

diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc
@@ -47,8 +47,8 @@ Settings::Settings()
     auto s = getEnv("NIX_REMOTE_SYSTEMS");
     if (s != "") builderFiles = tokenizeString<Strings>(s, ":");
 
-#if __linux__
-    sandboxPaths = tokenizeString<StringSet>("/bin/sh=" BASH_PATH);
+#if defined(__linux__) && defined(SANDBOX_SHELL)
+    sandboxPaths = tokenizeString<StringSet>("/bin/sh=" SANDBOX_SHELL);
 #endif
 
     allowedImpureHostPrefixes = tokenizeString<StringSet>(DEFAULT_ALLOWED_IMPURE_PREFIXES);

diff --git a/src/libstore/local.mk b/src/libstore/local.mk
@@ -27,7 +27,7 @@ libstore_CXXFLAGS = \
  -DNIX_CONF_DIR=\"$(sysconfdir)/nix\" \
  -DNIX_LIBEXEC_DIR=\"$(libexecdir)\" \
  -DNIX_BIN_DIR=\"$(bindir)\" \
- -DBASH_PATH="\"$(bash)\"" \
+ -DSANDBOX_SHELL="\"$(sandbox_shell)\"" \
  -DLSOF=\"$(lsof)\"
 
 $(d)/local-store.cc: $(d)/schema.sql.hh