start on sandbox stuff

This commit is contained in:
Jude Taylor 2015-11-06 17:44:02 -08:00
parent c296f64f19
commit 914e9baefe
13 changed files with 251 additions and 64 deletions

View file

@ -17,10 +17,11 @@ let
systems = import ./systems.nix;
customisation = import ./customisation.nix;
licenses = import ./licenses.nix;
sandbox = import ./sandbox.nix;
in
{ inherit trivial lists strings stringsWithDeps attrsets sources options
modules types meta debug maintainers licenses platforms systems;
modules types meta debug maintainers licenses platforms systems sandbox;
}
# !!! don't include everything at top-level; perhaps only the most
# commonly used functions.

40
lib/sandbox.nix Normal file
View file

@ -0,0 +1,40 @@
with import ./strings.nix;
/* Helpers for creating lisp S-exprs for the Apple sandbox
lib.sandbox.allowFileRead [ "/usr/bin/file" ];
# => "(allow file-read* (literal \"/usr/bin/file\"))";
lib.sandbox.allowFileRead {
literal = [ "/usr/bin/file" ];
subpath = [ "/usr/lib/system" ];
}
# => "(allow file-read* (literal \"/usr/bin/file\") (subpath \"/usr/lib/system\"))"
*/
let
sexp = tokens: "(" + builtins.concatStringsSep " " tokens + ")";
generateFileList = files:
if builtins.isList files
then concatMapStringsSep " " (x: sexp [ "literal" x ]) files
else concatStringsSep " " (
(map (x: sexp [ "literal" ''"${x}"'' ]) (files.literal or [])) ++
(map (x: sexp [ "subpath" ''"${x}"'' ]) (files.subpath or []))
);
applyToFiles = f: act: files: f "${act} ${generateFileList files}";
genActions = actionName: let
action = feature: sexp [ actionName feature ];
self = {
"${actionName}" = action;
"${actionName}File" = applyToFiles action "file*";
"${actionName}FileRead" = applyToFiles action "file-read*";
"${actionName}FileReadMetadata" = applyToFiles action "file-read-metadata";
"${actionName}FileWrite" = applyToFiles action "file-write*";
"${actionName}FileWriteMetadata" = applyToFiles action "file-write-metadata";
};
in self;
in
genActions "allow" // genActions "deny"

View file

@ -118,6 +118,10 @@ if (!hasHash) then throw "Specify hash for fetchurl fixed-output derivation: ${s
outputHashMode = if recursiveHash then "recursive" else "flat";
__sandboxProfile = ''
(allow network-outbound)
'';
inherit curlOpts showURLs mirrorsFile impureEnvVars postFetch downloadToTemp;
# Doing the download on a remote machine just duplicates network

View file

@ -33,6 +33,8 @@ stdenv.mkDerivation rec {
pwd="$(type -P pwd)"
substituteInPlace dist/Cwd/Cwd.pm \
--replace "pwd_cmd = 'pwd'" "pwd_cmd = '$pwd'"
grep -R /bin/pwd .
exit 1
'';
# Build a thread-safe Perl with a dynamic libperls.o. We need the

View file

@ -44,12 +44,14 @@ stdenv.mkDerivation rec {
# while at the same time erasing the PATH environment variable so it unconditionally
# fails. The code in question is guarded by a check for Mac OS, but the patch below
# doesn't have any runtime effect on other platforms.
postPatch = stdenv.lib.optional (stdenv.isDarwin && !stdenv.cc.nativeLibc) ''
postPatch = stdenv.lib.optional stdenv.isDarwin ''
pwd="$(type -P pwd)"
substituteInPlace dist/PathTools/Cwd.pm \
--replace "pwd_cmd = 'pwd'" "pwd_cmd = '$pwd'"
--replace "/bin/pwd" "$pwd"
'';
__sandboxProfile = stdenv.lib.sandbox.allow "ipc-sysv-sem";
# Build a thread-safe Perl with a dynamic libperls.o. We need the
# "installstyle" option to ensure that modules are put under
# $out/lib/perl5 - this is the general default, but because $out

View file

@ -1,7 +1,7 @@
{ stdenv, appleDerivation, unifdef }:
appleDerivation {
buildinputs = [ unifdef ];
buildInputs = [ unifdef ];
phases = [ "unpackPhase" "installPhase" ];

View file

@ -1,32 +1,55 @@
{ stdenv, appleDerivation, version }:
{ stdenv, appleDerivation, fetchzip, version, bsdmake, perl, flex, yacc, writeScriptBin
}:
let recentAdvCmds = fetchzip {
url = "http://opensource.apple.com/tarballs/adv_cmds/adv_cmds-158.tar.gz";
sha256 = "0z081kcprzg5jcvqivfnwvvv6wfxzkjg2jc2lagsf8c7j7vgm8nn";
};
in appleDerivation {
buildInputs = [ bsdmake perl yacc flex (writeScriptBin "lex" "exec ${flex}/bin/flex $@") ];
patchPhase = ''
substituteInPlace BSDMakefile \
--replace chgrp true \
--replace /Developer/Makefiles/bin/compress-man-pages.pl true \
--replace "ps.tproj" "" --replace "gencat.tproj" "" --replace "md.tproj" "" \
--replace "tabs.tproj" "" --replace "cap_mkdb.tproj" "" \
--replace "!= tconf --test TARGET_OS_EMBEDDED" "= NO"
substituteInPlace Makefile --replace perl true
substituteInPlace colldef.tproj/BSDmakefile --replace "-ll" "-lfl"
for subproject in colldef mklocale monetdef msgdef numericdef timedef; do
substituteInPlace usr-share-locale.tproj/$subproject/BSDmakefile \
--replace /usr/share/locale "" \
--replace '-o ''${BINOWN} -g ''${BINGRP}' "" \
--replace "rsync -a" "cp -r"
done
'';
appleDerivation {
# Will override the name until we provide all of adv_cmds
buildPhase = ''
pushd ps
cc -Os -Wall -I. -c -o fmt.o fmt.c
cc -Os -Wall -I. -c -o keyword.o keyword.c
cc -Os -Wall -I. -c -o nlist.o nlist.c
cc -Os -Wall -I. -c -o print.o print.c
cc -Os -Wall -I. -c -o ps.o ps.c
cc -Os -Wall -I. -c -o tasks.o tasks.c
cc -o ps fmt.o keyword.o nlist.o print.o ps.o tasks.o
popd
bsdmake -C colldef.tproj
bsdmake -C mklocale.tproj
bsdmake -C usr-share-locale.tproj
pushd locale
c++ -o locale locale.cc
popd
clang ${recentAdvCmds}/ps/*.c -o ps
'';
installPhase = ''
mkdir -p $out/bin $out/share/man/man1
cp ps/ps $out/bin/ps
cp ps/ps.1 $out/share/man/man1
cp locale/locale $out/bin/locale
cp locale/locale.1 $out/share/man/man1
bsdmake -C usr-share-locale.tproj install DESTDIR="$locale/share/locale"
install -d 0755 $ps/bin
install ps $ps/bin/ps
'';
outputs = [
"ps"
"locale"
];
# ps uses this syscall to get process info
__propagatedSandboxProfile = stdenv.lib.sandbox.allow "mach-priv-task-port";
meta = {
platforms = stdenv.lib.platforms.darwin;

View file

@ -0,0 +1,45 @@
{ stdenv, appleDerivation, fetchurl, fetchpatch, makeWrapper }:
appleDerivation {
buildInputs = [ makeWrapper ];
patchPhase = ''
substituteInPlace mk/bsd.prog.mk \
--replace '-o ''${BINOWN} -g ''${BINGRP}' "" \
--replace '-o ''${SCRIPTSOWN_''${.ALLSRC:T}}' "" \
--replace '-g ''${SCRIPTSGRP_''${.ALLSRC:T}}' ""
substituteInPlace mk/bsd.lib.mk --replace '-o ''${LIBOWN} -g ''${LIBGRP}' ""
substituteInPlace mk/bsd.info.mk --replace '-o ''${INFOOWN} -g ''${INFOGRP}' ""
substituteInPlace mk/bsd.doc.mk --replace '-o ''${BINOWN} -g ''${BINGRP}' ""
substituteInPlace mk/bsd.man.mk --replace '-o ''${MANOWN} -g ''${MANGRP}' ""
substituteInPlace mk/bsd.files.mk \
--replace '-o ''${''${group}OWN_''${.ALLSRC:T}}' "" \
--replace '-g ''${''${group}GRP_''${.ALLSRC:T}}' "" \
--replace '-o ''${''${group}OWN} -g ''${''${group}GRP}' ""
substituteInPlace mk/bsd.incs.mk \
--replace '-o ''${''${group}OWN_''${.ALLSRC:T}}' "" \
--replace '-g ''${''${group}GRP_''${.ALLSRC:T}}' "" \
--replace '-o ''${''${group}OWN} -g ''${''${group}GRP}' ""
'';
buildPhase = ''
objs=()
for file in $(find . -name '*.c'); do
obj="$(basename "$file" .c).o"
objs+=("$obj")
cc -c "$file" -o "$obj" -DDEFSHELLNAME='"sh"' -D__FBSDID=__RCSID -mdynamic-no-pic -g
done
cc "''${objs[@]}" -o bsdmake
'';
installPhase = ''
install -d 0644 $out/bin
install -m 0755 bsdmake $out/bin
install -d 0644 $out/share/mk
install -m 0755 mk/* $out/share/mk
'';
preFixup = ''
wrapProgram "$out/bin/bsdmake" --add-flags "-m $out/share/mk"
'';
}

View file

@ -48,16 +48,19 @@ let
IOKitSrcs = stdenv.lib.mapAttrs (name: value: if builtins.isFunction value then value name else value) IOKitSpecs;
adv_cmds = applePackage "adv_cmds" "119" "102ssayxbg9wb35mdmhswbnw0bg7js3pfd8fcbic83c5q3bqa6c6" {};
packages = {
adv_cmds = applePackage "adv_cmds" "153" "174v6a4zkcm2pafzgdm6kvs48z5f911zl7k49hv7kjq6gm58w99v" {};
inherit (adv_cmds) ps locale;
architecture = applePackage "architecture" "265" "05wz8wmxlqssfp29x203fwfb8pgbdjj1mpz12v508658166yzqj8" {};
bootstrap_cmds = applePackage "bootstrap_cmds" "86" "0xr0296jm1r3q7kbam98h85g23qlfi763z54ahj563n636kyk2wb" {};
bsdmake = applePackage "bsdmake" "24" "11a9kkhz5bfgi1i8kpdkis78lhc6b5vxmhd598fcdgra1jw4iac2" {};
CarbonHeaders = applePackage "CarbonHeaders" "9A581" "1hc0yijlpwq39x5bic6nnywqp2m1wj1f11j33m2q7p505h1h740c" {};
CF = applePackage "CF" "855.17" "1sadmxi9fsvsmdyxvg2133sdzvkzwil5fvyyidxsyk1iyfzqsvln" {};
CommonCrypto = applePackage "CommonCrypto" "60049" "1azin6w7cnzl0iv8kd2qzgwcp6a45zy64y5z1i6jysjcl6xmlw2h" {};
configd = applePackage "configd" "453.19" "1gxakahk8gallf16xmhxhprdxkh3prrmzxnmxfvj0slr0939mmr2" {};
copyfile = applePackage "copyfile" "103.92.1" "15i2hw5aqx0fklvmq6avin5s00adacvzqc740vviwc2y742vrdcd" {};
CoreOSMakefiles = applePackage "CoreOSMakefiles" "76" "0sw3w3sjil0kvxz8y86b81sz82rcd1nijayki1a1bsnsf0hz6qbf" {};
CoreOSMakefiles = applePackage "CoreOSMakefiles" "40" "0kxp53spbn7109l7cvhi88pmfsi81lwmbws819b6wr3hm16v84f4" {};
Csu = applePackage "Csu" "79" "1hif4dz23isgx85sgh11yg8amvp2ksvvhz3y5v07zppml7df2lnh" {};
dtrace = applePackage "dtrace" "118.1" "0pp5x8dgvzmg9vvg32hpy2brm17dpmbwrcr4prsmdmfvd4767wcf" {};
dyld = applePackage "dyld" "239.4" "07z7lyv6x0f6gllb5hymccl31zisrdhz4gqp722xcs9nhsqaqvn7" {};

View file

@ -12,6 +12,8 @@ let lib = import ../../../lib; in lib.makeOverridable (
, extraBuildInputs ? []
, __stdenvImpureHostDeps ? []
, __extraImpureHostDeps ? []
, __stdenvSandboxProfile ? ""
, __extraSandboxProfile ? ""
}:
let
@ -100,6 +102,8 @@ let
, outputs ? [ "out" ]
, __impureHostDeps ? []
, __propagatedImpureHostDeps ? []
, __sandboxProfile ? ""
, __propagatedSandboxProfile ? ""
, ... } @ attrs:
let
pos' =
@ -149,13 +153,14 @@ let
lib.addPassthru (derivation (
(removeAttrs attrs
["meta" "passthru" "crossAttrs" "pos"
"__impureHostDeps" "__propagatedImpureHostDeps"])
"__impureHostDeps" "__propagatedImpureHostDeps"
"__sandboxProfile" "__propagatedSandboxProfile"])
// (let
# TODO: remove lib.unique once nix has a list canonicalization primitive
computedImpureHostDeps =
lib.unique (lib.concatMap (input: input.__propagatedImpureHostDeps or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs));
computedPropagatedImpureHostDeps =
lib.unique (lib.concatMap (input: input.__propagatedImpureHostDeps or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs));
computedSandboxProfile =
lib.concatStrings (lib.unique (builtins.map (input: input.__propagatedSandboxProfile or "") (extraBuildInputs ++ buildInputs ++ nativeBuildInputs)));
computedPropagatedSandboxProfile =
lib.concatStrings (lib.unique (builtins.map (input: input.__propagatedSandboxProfile or "") (propagatedBuildInputs ++ propagatedNativeBuildInputs)));
in
{
builder = attrs.realBuilder or shell;
@ -173,13 +178,8 @@ let
propagatedNativeBuildInputs = propagatedNativeBuildInputs ++
(if crossConfig == null then propagatedBuildInputs else []);
} // ifDarwin {
__impureHostDeps = computedImpureHostDeps ++ computedPropagatedImpureHostDeps ++ __propagatedImpureHostDeps ++ __impureHostDeps ++ __extraImpureHostDeps ++ [
"/dev/zero"
"/dev/random"
"/dev/urandom"
"/bin/sh"
];
__propagatedImpureHostDeps = computedPropagatedImpureHostDeps ++ __propagatedImpureHostDeps;
__sandboxProfile = computedSandboxProfile + computedPropagatedSandboxProfile + __propagatedSandboxProfile + __sandboxProfile + __extraSandboxProfile;
__propagatedSandboxProfile = computedPropagatedSandboxProfile + __propagatedSandboxProfile;
} // (if outputs' != [ "out" ] then {
outputs = outputs';
} else { })))) (
@ -216,7 +216,7 @@ let
inherit preHook initialPath shell defaultNativeBuildInputs;
}
// ifDarwin {
__impureHostDeps = __stdenvImpureHostDeps;
__sandboxProfile = __stdenvSandboxProfile;
})
// rec {

View file

@ -5,18 +5,7 @@
}:
let
# libSystem and its transitive dependencies. Get used to this; it's a recurring theme in darwin land
libSystemClosure = [
"/usr/lib/libSystem.dylib"
"/usr/lib/libSystem.B.dylib"
"/usr/lib/libobjc.A.dylib"
"/usr/lib/libobjc.dylib"
"/usr/lib/libauto.dylib"
"/usr/lib/libc++abi.dylib"
"/usr/lib/libc++.1.dylib"
"/usr/lib/libDiagnosticMessagesClient.dylib"
"/usr/lib/system"
];
libSystemProfile = builtins.readFile ./standard-sandbox.sb;
fetch = { file, sha256, executable ? true }: import <nix/fetchurl.nix> {
url = "http://tarballs.nixos.org/stdenv-darwin/x86_64/4f07c88d467216d9692fefc951deb5cd3c4cc722/${file}";
@ -46,7 +35,9 @@ in rec {
'';
# The one dependency of /bin/sh :(
binShClosure = [ "/usr/lib/libncurses.5.4.dylib" ];
binShClosure = ''
(allow file-read* (literal "/usr/lib/libncurses.5.4.dylib"))
'';
bootstrapTools = derivation rec {
inherit system tarball;
@ -57,7 +48,7 @@ in rec {
inherit (bootstrapFiles) mkdir bzip2 cpio;
__impureHostDeps = binShClosure ++ libSystemClosure;
__sandboxProfile = binShClosure + libSystemProfile;
};
stageFun = step: last: {shell ? "${bootstrapTools}/bin/sh",
@ -100,8 +91,8 @@ in rec {
};
# The stdenvs themselves don't use mkDerivation, so I need to specify this here
__stdenvImpureHostDeps = binShClosure ++ libSystemClosure;
__extraImpureHostDeps = binShClosure ++ libSystemClosure;
__stdenvSandboxProfile = binShClosure + libSystemProfile;
__extraSandboxProfile = binShClosure + libSystemProfile;
extraAttrs = { inherit platform; };
overrides = pkgs: (overrides pkgs) // { fetchurl = thisStdenv.fetchurlBoot; };
@ -178,10 +169,14 @@ in rec {
};
stage2 = with stage1; stageFun 2 stage1 {
extraPreHook = ''
export PATH_LOCALE=${pkgs.darwin.locale}/share/locale
'';
allowedRequisites =
[ bootstrapTools ] ++
(with pkgs; [ xz libcxx libcxxabi icu ]) ++
(with pkgs.darwin; [ dyld Libsystem CF ]);
(with pkgs.darwin; [ dyld Libsystem CF locale ]);
overrides = persistent1;
};
@ -196,7 +191,7 @@ in rec {
darwin = orig.darwin // {
inherit (darwin)
dyld Libsystem xnu configd libdispatch libclosure launchd libiconv;
dyld Libsystem xnu configd libdispatch libclosure launchd libiconv locale;
};
};
@ -209,10 +204,14 @@ in rec {
# patches our shebangs back to point at bootstrapTools. This makes sure bash comes first.
extraInitialPath = [ pkgs.bash ];
extraPreHook = ''
export PATH_LOCALE=${pkgs.darwin.locale}/share/locale
'';
allowedRequisites =
[ bootstrapTools ] ++
(with pkgs; [ icu bash libcxx libcxxabi ]) ++
(with pkgs.darwin; [ dyld Libsystem ]);
(with pkgs.darwin; [ dyld Libsystem locale ]);
overrides = persistent2;
};
@ -230,13 +229,16 @@ in rec {
};
darwin = orig.darwin // {
inherit (darwin) dyld Libsystem libiconv;
inherit (darwin) dyld Libsystem libiconv locale;
};
};
stage4 = with stage3; stageFun 4 stage3 {
shell = "${pkgs.bash}/bin/bash";
extraInitialPath = [ pkgs.bash ];
extraPreHook = ''
export PATH_LOCALE=${pkgs.darwin.locale}/share/locale
'';
overrides = persistent3;
};
@ -263,8 +265,8 @@ in rec {
preHook = commonPreHook;
__stdenvImpureHostDeps = binShClosure ++ libSystemClosure;
__extraImpureHostDeps = binShClosure ++ libSystemClosure;
__stdenvSandboxProfile = binShClosure + libSystemProfile;
__extraSandboxProfile = binShClosure + libSystemProfile;
initialPath = import ../common-path.nix { inherit pkgs; };
shell = "${pkgs.bash}/bin/bash";

View file

@ -0,0 +1,65 @@
(define TMPDIR (param "_GLOBAL_TMP_DIR"))
; obvious
(allow process-fork)
; allow reading system information like #CPUs, etc.
(allow sysctl-read)
; IPC
(allow ipc-posix-sem)
; Unix sockets
(allow system-socket)
; all runtime dependencies of libSystem.dylib
(allow file-read*
(literal "/usr/lib/libSystem.dylib")
(literal "/usr/lib/libSystem.B.dylib")
(literal "/usr/lib/libobjc.A.dylib")
(literal "/usr/lib/libobjc.dylib")
(literal "/usr/lib/libauto.dylib")
(literal "/usr/lib/libc++abi.dylib")
(literal "/usr/lib/libc++.1.dylib")
(literal "/usr/lib/libDiagnosticMessagesClient.dylib")
(subpath "/usr/lib/system"))
; tmp
(allow file* process-exec (literal "/tmp") (subpath TMPDIR))
; clang likes to read the system version
(allow file-read* (literal "/System/Library/CoreServices/SystemVersion.plist"))
; used for bootstrap builders
(allow process-exec* (literal "/bin/sh"))
; standard devices
(allow file*
(literal "/dev/null")
(literal "/dev/random")
(literal "/dev/stdin")
(literal "/dev/stdout")
(literal "/dev/tty")
(literal "/dev/urandom")
(literal "/dev/zero")
(subpath "/dev/fd"))
; does nothing, but reduces build noise
(allow file* (literal "/dev/dtracehelper"))
; ICU data and zoneinfo data are hardcoded
; both are in libicucore and zoneinfo is in libsystem_c as well
(allow file-read* (subpath "/usr/share/icu") (subpath "/usr/share/zoneinfo"))
; lots of autoconf projects want to list this directory
(allow file-read-metadata (literal "/var") (literal "/private/var/tmp"))
; mute annoying failures
(deny file-read-metadata (with no-log)
(literal "/etc")
(subpath "/usr/bin"))
(deny process-exec* (with no-log)
(literal "/usr/bin/arch")
(literal "/usr/bin/hostinfo")
(literal "/usr/bin/uname"))

View file

@ -1553,7 +1553,7 @@ let
garmintools = callPackage ../development/libraries/garmintools {};
gawk = callPackage ../tools/text/gawk {
locale = darwin.adv_cmds;
inherit (darwin) locale;
};
gawkInteractive = appendToName "interactive"
@ -5486,7 +5486,7 @@ let
cmake = callPackage ../development/tools/build-managers/cmake {
wantPS = stdenv.isDarwin;
ps = if stdenv.isDarwin then darwin.adv_cmds else null;
inherit (darwin) ps;
};
cmakeCurses = cmake.override { useNcurses = true; };