assorted: prefer runCommandLocal over runCommand where it makes sense
parent
8f424dcd5a
commit
6ef729bbaf
|
@ -2,6 +2,7 @@
|
|||
, buildPackages
|
||||
, callPackage
|
||||
, runCommand
|
||||
, runCommandLocal
|
||||
, runtimeShell
|
||||
, sane-sandboxed
|
||||
, symlinkJoin
|
||||
|
@ -143,7 +144,7 @@ let
|
|||
} else {};
|
||||
|
||||
# helper used for `wrapperType == "wrappedDerivation"` which simply symlinks all a package's binaries into a new derivation
|
||||
symlinkBinaries = pkgName: package: (runCommand "${pkgName}-bin-only" {} ''
|
||||
symlinkBinaries = pkgName: package: (runCommandLocal "${pkgName}-bin-only" {} ''
|
||||
set -e
|
||||
if [ -e "${package}/bin" ]; then
|
||||
mkdir -p "$out/bin"
|
||||
|
@ -199,7 +200,7 @@ let
|
|||
# we have to patch those out as a way to whitelist them.
|
||||
checkSandboxed = let
|
||||
sandboxedNonBin = fixHardcodedRefs unsandboxed "/dev/null" unsandboxedNonBin;
|
||||
in runCommand "${sandboxedNonBin.name}-check-sandboxed"
|
||||
in runCommandLocal "${sandboxedNonBin.name}-check-sandboxed"
|
||||
{ disallowedReferences = [ unsandboxed ]; }
|
||||
''
|
||||
# dereference every symlink, ensuring that whatever data is behind it does not reference non-sandboxed binaries.
|
||||
|
@ -215,7 +216,7 @@ let
|
|||
# patch them to use the sandboxed binaries,
|
||||
# and add some passthru metadata to enforce no lingering references to the unsandboxed binaries.
|
||||
sandboxNonBinaries = pkgName: unsandboxed: sandboxedBin: let
|
||||
sandboxedWithoutFixedRefs = (runCommand "${pkgName}-sandboxed-non-binary" {} ''
|
||||
sandboxedWithoutFixedRefs = (runCommandLocal "${pkgName}-sandboxed-non-binary" {} ''
|
||||
set -e
|
||||
mkdir "$out"
|
||||
# link in a limited subset of the directories.
|
||||
|
@ -245,7 +246,7 @@ let
|
|||
priority = ((prevAttrs.meta or {}).priority or 0) - 1;
|
||||
};
|
||||
passthru = (prevAttrs.passthru or {}) // extraPassthru // {
|
||||
checkSandboxed = runCommand "${pkgName}-check-sandboxed" {} ''
|
||||
checkSandboxed = runCommandLocal "${pkgName}-check-sandboxed" {} ''
|
||||
set -e
|
||||
# invoke each binary in a way only the sandbox wrapper will recognize,
|
||||
# ensuring that every binary has in fact been wrapped.
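Review bot: The two `checkSandboxed` derivations (the one built with `disallowedReferences = [ unsandboxed ]` and the `passthru.checkSandboxed` one) are the enforcement step for the sandbox wrapper, and the switch to `runCommandLocal` needs a comment saying why a local-only build is acceptable for them. `runCommandLocal` sets `allowSubstitutes = false` alongside `preferLocalBuild = true`, so these checks are never fetched from a binary cache and always need a builder for the derivation's system. The second check also appears to execute every wrapped binary, though its body continues outside the hunk. I would add above each `# runCommandLocal: cheap to build; never substituted, so the check is always produced by one of our own builders`. The same property applies to `symlinkBinaries` and `sandboxedWithoutFixedRefs` in this file and to `copyIntoOwnPackage`/`linkIntoOwnPackage` in the last file section, where it matters less.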
|
||||
|
|
|
@ -61,6 +61,7 @@ in rec {
|
|||
in
|
||||
stdenv.mkDerivation (final: {
|
||||
version = "0.1.0"; # default version
|
||||
preferLocalBuild = true;
|
||||
patchPhase = ''
|
||||
substituteInPlace ${srcPath} \
|
||||
--replace '#!/usr/bin/env nix-shell' '#!${interpreter}' \
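Review bot: The added `preferLocalBuild = true;` is not equivalent to the `runCommandLocal` switches elsewhere in this commit, because it leaves `allowSubstitutes` at its default and this derivation can still be substituted from a cache. If that asymmetry is intended, a comment should say so, for example `preferLocalBuild = true;  # cheap patch-only build; substitution still allowed`. If it is not intended, add `allowSubstitutes = false;` next to it. The `mkDerivation` call starts and ends outside the hunk, so an existing setting may simply not be visible here.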
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ runCommand
|
||||
{ runCommandLocal
|
||||
, rmDbusServicesInPlace
|
||||
, symlinkJoin
|
||||
}:
|
||||
|
@ -7,7 +7,7 @@
|
|||
# its own package, but otherwise keeping the same path.
|
||||
# this is done by copying the bits, so as to avoid including the item's neighbors
|
||||
# in its runtime closure.
|
||||
copyIntoOwnPackage = pkg: path: runCommand "${pkg.pname or pkg.name}-${path}" {
|
||||
copyIntoOwnPackage = pkg: path: runCommandLocal "${pkg.pname or pkg.name}-${path}" {
|
||||
env.item = path;
|
||||
env.fromPkg = pkg;
|
||||
} ''
|
||||
|
@ -16,7 +16,7 @@
|
|||
runHook postFixup
|
||||
'';
|
||||
|
||||
linkIntoOwnPackage = pkg: path: runCommand "${pkg.pname or pkg.name}-${path}" {
|
||||
linkIntoOwnPackage = pkg: path: runCommandLocal "${pkg.pname or pkg.name}-${path}" {
|
||||
env.item = path;
|
||||
env.fromPkg = pkg;
|
||||
} ''
|
||||
|
|