Merge remote-tracking branch 'origin/single-underscore' into staging

Use zero underscores for sandboxProfile
2015-11-25 13:01:34 -05:00 · 2015-11-25 13:01:34 -05:00 · 8ea29441cf
commit 8ea29441cf
parent 13eca6f79a c9f77f2b48
14 changed files with 39 additions and 94 deletions
--- a/pkgs/applications/editors/vim/default.nix
+++ b/pkgs/applications/editors/vim/default.nix
@ -43,7 +43,7 @@ stdenv.mkDerivation rec {
    ];
  };

-  __sandboxProfile = stdenv.lib.sandbox.allowFileRead "/dev/ptmx";
+  sandboxProfile = stdenv.lib.sandbox.allowFileRead "/dev/ptmx";

  # To fix the trouble in vim73, that it cannot cross-build with this patch
  # to bypass a configure script check that cannot be done cross-building.
--- a/pkgs/applications/version-management/git-and-tools/git/default.nix
+++ b/pkgs/applications/version-management/git-and-tools/git/default.nix
@ -37,7 +37,7 @@ stdenv.mkDerivation {
  NIX_LDFLAGS = stdenv.lib.optionalString (!stdenv.isDarwin) "-lgcc_s";

  # without this, git fails when trying to check for /etc/gitconfig existence
-  __propagatedSandboxProfile = stdenv.lib.sandbox.allowDirectoryList "/etc";
+  propagatedSandboxProfile = stdenv.lib.sandbox.allowDirectoryList "/etc";

  makeFlags = "prefix=\${out} sysconfdir=/etc/ PERL_PATH=${perl}/bin/perl SHELL_PATH=${stdenv.shell} "
      + (if pythonSupport then "PYTHON_PATH=${python}/bin/python" else "NO_PYTHON=1")
--- a/pkgs/development/interpreters/perl/5.20/default.nix
+++ b/pkgs/development/interpreters/perl/5.20/default.nix
@ -50,7 +50,7 @@ stdenv.mkDerivation rec {
      --replace "/bin/pwd" "$pwd"
  '';

-  __sandboxProfile = stdenv.lib.sandbox.allow "ipc-sysv-sem";
+  sandboxProfile = stdenv.lib.sandbox.allow "ipc-sysv-sem";

  # Build a thread-safe Perl with a dynamic libperls.o.  We need the
  # "installstyle" option to ensure that modules are put under
--- a/pkgs/os-specific/darwin/apple-sdk/default.nix
+++ b/pkgs/os-specific/darwin/apple-sdk/default.nix
@ -1,7 +1,6 @@
 { stdenv, fetchurl, xar, gzip, cpio, pkgs }:

 let
-  generateFrameworkProfile = pkgs.callPackage ./generate-framework-profile.nix {};
  # sadly needs to be exported because security_tool needs it
  sdk = stdenv.mkDerivation rec {
    version = "10.9";
@ -97,11 +96,11 @@ let
    propagatedBuildInputs = deps;

    # allows building the symlink tree
-    __sandboxProfile = ''
+    sandboxProfile = ''
      (allow file-read* (subpath "/System/Library/Frameworks/${name}.framework"))
    '';

-    __propagatedSandboxProfile = stdenv.lib.sandbox.importProfile (generateFrameworkProfile name);
+    __propagatedImpureHostDeps = stdenv.lib.optional (name != "Kernel") "/System/Library/Frameworks/${name}.framework/${name}";

    meta = with stdenv.lib; {
      description = "Apple SDK framework ${name}";
@ -182,5 +181,5 @@ in rec {

  frameworks = bareFrameworks // overrides bareFrameworks;

-  inherit sdk generateFrameworkProfile;
+  inherit sdk;
 }
--- a/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix
+++ b/pkgs/os-specific/darwin/apple-sdk/generate-framework-profile.nix
@ -1,64 +0,0 @@
-{ runCommand }:
-
-# In a normal programming language, one might store a hashmap
-# { library name -> runtime dependencies }.
-# associative arrays were only recently added to bash, and even then, bash arrays cannot
-# be multidimensional. instead, the filesystem is the hash table!
-# once every dependency in the tree has been visited, a comprehensive list of libraries
-# will exist inside ./build. then `find ./build -type f` will give you the
-# dependency tree you need!
-
-frameworkName:
-
-let path = "/System/Library/Frameworks/${frameworkName}.framework";
-
-in runCommand "${frameworkName}-profile.sb" {
-  # __noChroot lite
-  __sandboxProfile = ''
-    (allow file* (subpath "/"))
-  '';
-
-  # inconsistencies may exist between self and hydra
-  allowSubstitutes = false;
-} ''
-  if [ ! -f "${path}/${frameworkName}" ]; then
-    touch $out
-    exit
-  fi
-  base=./build
-  find_deps () {
-    if [ -f "$base/$1" ]; then
-      return
-    fi
-    dependencies=$(otool -l -arch x86_64 $1 \
-      | grep 'LC_\w*_DYLIB' -A 2 \
-      | grep name \
-      | sed 's/^ *//' \
-      | cut -d' ' -f2)
-    mkdir -p $base/"$(dirname "$1")"
-    touch $base/"$1"
-    for dep in $dependencies; do
-      find_deps "$dep"
-    done
-  }
-  find_deps "${path}/${frameworkName}" "$out"
-  set -o noglob
-  profile="(allow file-read*"
-  for file in $(find $base -type f); do
-    filename=''${file/$base/}
-    case $filename in
-      /usr/lib/system*) ;;
-      /usr/lib/libSystem.dylib) ;;
-      /usr/lib/libSystem.B.dylib) ;;
-      /usr/lib/libobjc.A.dylib) ;;
-      /usr/lib/libobjc.dylib) ;;
-      /usr/lib/libauto.dylib) ;;
-      /usr/lib/libc++abi.dylib) ;;
-      /usr/lib/libDiagnosticMessagesClient.dylib) ;;
-      *) profile+=" (literal \"$filename\")" ;;
-    esac
-  done
-  profile+=" (literal \"${path}/${frameworkName}\")"
-  profile+=" (literal \"${path}/Versions/Current\")"
-  echo "$profile)" > $out
-''
--- a/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix
+++ b/pkgs/os-specific/darwin/apple-source-releases/CF/default.nix
@ -1,4 +1,4 @@
-{ stdenv, appleDerivation, icu, dyld, libdispatch, launchd, libclosure, generateFrameworkProfile }:
+{ stdenv, appleDerivation, icu, dyld, libdispatch, launchd, libclosure }:

 # this project uses blocks, a clang-only extension
 assert stdenv.cc.isClang;
@ -8,7 +8,7 @@ appleDerivation {

  patches = [ ./add-cf-initialize.patch ./add-cfmachport.patch ./cf-bridging.patch ];

-  __propagatedSandboxProfile = stdenv.lib.sandbox.importProfile (generateFrameworkProfile "CoreFoundation");
+  __propagatedImpureHostDeps = [ "/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation" ];

  preBuild = ''
    substituteInPlace Makefile \
--- a/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix
+++ b/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix
@ -81,7 +81,7 @@ in appleDerivation {
  ];

  # ps uses this syscall to get process info
-  __propagatedSandboxProfile = stdenv.lib.sandbox.allow "mach-priv-task-port";
+  propagatedSandboxProfile = stdenv.lib.sandbox.allow "mach-priv-task-port";

  meta = {
    platforms = stdenv.lib.platforms.darwin;
--- a/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix
+++ b/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix
@ -7,7 +7,7 @@ appleDerivation {

  propagatedBuildInputs = [ Security ];

-  __propagatedSandboxProfile = ''
+  propagatedSandboxProfile = ''
    (allow mach-lookup (global-name "com.apple.SystemConfiguration.configd"))
  '';

--- a/pkgs/os-specific/darwin/apple-source-releases/default.nix
+++ b/pkgs/os-specific/darwin/apple-source-releases/default.nix
@ -54,11 +54,9 @@ let
    inherit (adv_cmds) ps locale;
    architecture    = applePackage "architecture"      "265"         "05wz8wmxlqssfp29x203fwfb8pgbdjj1mpz12v508658166yzqj8" {};
    bootstrap_cmds  = applePackage "bootstrap_cmds"    "86"          "0xr0296jm1r3q7kbam98h85g23qlfi763z54ahj563n636kyk2wb" {};
-    bsdmake         = applePackage "bsdmake"           "24" "11a9kkhz5bfgi1i8kpdkis78lhc6b5vxmhd598fcdgra1jw4iac2" {};
+    bsdmake         = applePackage "bsdmake"           "24"          "11a9kkhz5bfgi1i8kpdkis78lhc6b5vxmhd598fcdgra1jw4iac2" {};
    CarbonHeaders   = applePackage "CarbonHeaders"     "9A581"       "1hc0yijlpwq39x5bic6nnywqp2m1wj1f11j33m2q7p505h1h740c" {};
-    CF              = applePackage "CF"                "855.17"      "1sadmxi9fsvsmdyxvg2133sdzvkzwil5fvyyidxsyk1iyfzqsvln" {
-      inherit (pkgs.darwin.apple_sdk) generateFrameworkProfile;
-    };
+    CF              = applePackage "CF"                "855.17"      "1sadmxi9fsvsmdyxvg2133sdzvkzwil5fvyyidxsyk1iyfzqsvln" {};
    CommonCrypto    = applePackage "CommonCrypto"      "60049"       "1azin6w7cnzl0iv8kd2qzgwcp6a45zy64y5z1i6jysjcl6xmlw2h" {};
    configd         = applePackage "configd"           "453.19"      "1gxakahk8gallf16xmhxhprdxkh3prrmzxnmxfvj0slr0939mmr2" {};
    copyfile        = applePackage "copyfile"          "103.92.1"    "15i2hw5aqx0fklvmq6avin5s00adacvzqc740vviwc2y742vrdcd" {};
--- a/pkgs/os-specific/darwin/cf-private/setup-hook.sh
+++ b/pkgs/os-specific/darwin/cf-private/setup-hook.sh
@ -6,7 +6,7 @@ linkWithRealCF() {
  # gross! many symbols (such as _OBJC_CLASS_$_NSArray) are defined in system CF, but not
  # in the opensource release
  # if the package needs private headers, we assume they also want to link with system CF
-  NIX_LDFLAGS+=" /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation"
+  NIX_LDFLAGS+=" /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation"
 }

 preConfigureHooks+=(prependSearchPath linkWithRealCF)
--- a/pkgs/stdenv/generic/default.nix
+++ b/pkgs/stdenv/generic/default.nix
@ -12,8 +12,8 @@ let lib = import ../../../lib; in lib.makeOverridable (
 , extraBuildInputs ? []
 , __stdenvImpureHostDeps ? []
 , __extraImpureHostDeps ? []
-, __stdenvSandboxProfile ? ""
-, __extraSandboxProfile ? ""
+, stdenvSandboxProfile ? ""
+, extraSandboxProfile ? ""
 }:

 let
@ -102,8 +102,8 @@ let
    , outputs ? [ "out" ]
    , __impureHostDeps ? []
    , __propagatedImpureHostDeps ? []
-    , __sandboxProfile ? ""
-    , __propagatedSandboxProfile ? ""
+    , sandboxProfile ? ""
+    , propagatedSandboxProfile ? ""
    , ... } @ attrs:
    let
      pos' =
@ -154,12 +154,16 @@ let
        (removeAttrs attrs
          ["meta" "passthru" "crossAttrs" "pos"
           "__impureHostDeps" "__propagatedImpureHostDeps"
-           "__sandboxProfile" "__propagatedSandboxProfile"])
+           "sandboxProfile" "propagatedSandboxProfile"])
        // (let
          computedSandboxProfile =
            lib.concatMap (input: input.__propagatedSandboxProfile or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs);
          computedPropagatedSandboxProfile =
            lib.concatMap (input: input.__propagatedSandboxProfile or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs);
+          computedImpureHostDeps =
+            lib.unique (lib.concatMap (input: input.__propagatedImpureHostDeps or []) (extraBuildInputs ++ buildInputs ++ nativeBuildInputs));
+          computedPropagatedImpureHostDeps =
+            lib.unique (lib.concatMap (input: input.__propagatedImpureHostDeps or []) (propagatedBuildInputs ++ propagatedNativeBuildInputs));
        in
        {
          builder = attrs.realBuilder or shell;
@ -179,10 +183,17 @@ let
        } // ifDarwin {
          # TODO: remove lib.unique once nix has a list canonicalization primitive
          __sandboxProfile =
-          let profiles = [ __extraSandboxProfile ] ++ computedSandboxProfile ++ computedPropagatedSandboxProfile ++ [ __propagatedSandboxProfile __sandboxProfile ];
+          let profiles = [ extraSandboxProfile ] ++ computedSandboxProfile ++ computedPropagatedSandboxProfile ++ [ propagatedSandboxProfile sandboxProfile ];
              final = lib.concatStringsSep "\n" (lib.filter (x: x != "") (lib.unique profiles));
          in final;
-          __propagatedSandboxProfile = lib.unique (computedPropagatedSandboxProfile ++ [ __propagatedSandboxProfile ]);
+          __propagatedSandboxProfile = lib.unique (computedPropagatedSandboxProfile ++ [ propagatedSandboxProfile ]);
+          __impureHostDeps = computedImpureHostDeps ++ computedPropagatedImpureHostDeps ++ __propagatedImpureHostDeps ++ __impureHostDeps ++ __extraImpureHostDeps ++ [
+            "/dev/zero"
+            "/dev/random"
+            "/dev/urandom"
+            "/bin/sh"
+          ];
+          __propagatedImpureHostDeps = computedPropagatedImpureHostDeps ++ __propagatedImpureHostDeps;
        } // (if outputs' != [ "out" ] then {
          outputs = outputs';
        } else { })))) (
@ -219,7 +230,8 @@ let
      inherit preHook initialPath shell defaultNativeBuildInputs;
    }
    // ifDarwin {
-      __sandboxProfile = __stdenvSandboxProfile;
+      __sandboxProfile = stdenvSandboxProfile;
+      __impureHostDeps = __stdenvImpureHostDeps;
    })

    // rec {
--- a/pkgs/stdenv/pure-darwin/default.nix
+++ b/pkgs/stdenv/pure-darwin/default.nix
@ -93,8 +93,8 @@ in rec {
        };

        # The stdenvs themselves don't use mkDerivation, so I need to specify this here
-        __stdenvSandboxProfile = binShClosure + libSystemProfile;
-        __extraSandboxProfile  = binShClosure + libSystemProfile;
+        stdenvSandboxProfile = binShClosure + libSystemProfile;
+        extraSandboxProfile  = binShClosure + libSystemProfile;

        extraAttrs = { inherit platform; };
        overrides  = pkgs: (overrides pkgs) // { fetchurl = thisStdenv.fetchurlBoot; };
@ -269,8 +269,8 @@ in rec {
      export PATH_LOCALE=${pkgs.darwin.locale}/share/locale
    '';

-    __stdenvSandboxProfile = binShClosure + libSystemProfile;
-    __extraSandboxProfile  = binShClosure + libSystemProfile;
+    stdenvSandboxProfile = binShClosure + libSystemProfile;
+    extraSandboxProfile  = binShClosure + libSystemProfile;

    initialPath = import ../common-path.nix { inherit pkgs; };
    shell       = "${pkgs.bash}/bin/bash";
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -5494,7 +5494,7 @@ let

  cmake-2_8 = callPackage ../development/tools/build-managers/cmake/2.8.nix {
    wantPS = stdenv.isDarwin;
-    ps     = if stdenv.isDarwin then darwin.adv_cmds else null;
+    inherit (darwin) ps;
  };

  cmake = callPackage ../development/tools/build-managers/cmake {
--- a/pkgs/top-level/python-packages.nix
+++ b/pkgs/top-level/python-packages.nix
@ -9232,7 +9232,7 @@ let
    meta = {
      description = "A module for monitoring memory usage of a python program";
      homepage = http://pypi.python.org/pypi/memory_profiler;
-      license = licenses.bsd;
+      license = licenses.bsd3;
    };
  };