From 6ef729bbaf87fa395be656af7272965e43d8b524 Mon Sep 17 00:00:00 2001
From: Colin
Date: Tue, 27 Feb 2024 22:26:56 +0000
Subject: [PATCH] assorted: prefer runCommandLocal over runCommand where it makes sense
---
 modules/programs/make-sandboxed.nix | 9 +++++----
 pkgs/additional/static-nix-shell/default.nix | 1 +
 pkgs/additional/trivial-builders/default.nix | 6 +++---
 3 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/modules/programs/make-sandboxed.nix b/modules/programs/make-sandboxed.nix
index ed5fd4b0..d6a23014 100644
--- a/modules/programs/make-sandboxed.nix
+++ b/modules/programs/make-sandboxed.nix
@@ -2,6 +2,7 @@
 , buildPackages
 , callPackage
 , runCommand
+, runCommandLocal
 , runtimeShell
 , sane-sandboxed
 , symlinkJoin
@@ -143,7 +144,7 @@ let
   } else {};
   # helper used for `wrapperType == "wrappedDerivation"` which simply symlinks all a package's binaries into a new derivation
-  symlinkBinaries = pkgName: package: (runCommand "${pkgName}-bin-only" {} ''
+  symlinkBinaries = pkgName: package: (runCommandLocal "${pkgName}-bin-only" {} ''
     set -e
     if [ -e "${package}/bin" ]; then
       mkdir -p "$out/bin"
@@ -199,7 +200,7 @@ let
   # we have to patch those out as a way to whitelist them.
   checkSandboxed = let
     sandboxedNonBin = fixHardcodedRefs unsandboxed "/dev/null" unsandboxedNonBin;
-  in runCommand "${sandboxedNonBin.name}-check-sandboxed"
+  in runCommandLocal "${sandboxedNonBin.name}-check-sandboxed"
     { disallowedReferences = [ unsandboxed ]; }
     ''
     # dereference every symlink, ensuring that whatever data is behind it does not reference non-sandboxed binaries.
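Review bot: The switch to `runCommandLocal` on the `symlinkBinaries` line changes more than build placement: `runCommandLocal` sets `allowSubstitutes = false` alongside `preferLocalBuild = true`, so this output (and likewise the `checkSandboxed` derivations in the @@ -199 and @@ -245 hunks, and `copyIntoOwnPackage`/`linkIntoOwnPackage` in trivial-builders) will never be fetched from a binary cache even when one has it. For the cheap symlink and copy derivations that is the right trade, and for the two `checkSandboxed` derivations it is a property worth wanting: the `disallowedReferences` check and the wrapper invocations are then guaranteed to execute on the building host rather than being accepted as an already-built cache output. The commit leaves that reasoning undocumented, so a later "why not runCommand?" is likely; I'd add above the first conversion `# runCommandLocal: trivial to build and never substituted, so the sandbox checks below always run here instead of being trusted from a cache.`. The bodies of `symlinkBinaries` and `checkSandboxed` continue outside their hunks.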
@@ -215,7 +216,7 @@ let
   # patch them to use the sandboxed binaries,
   # and add some passthru metadata to enforce no lingering references to the unsandboxed binaries.
   sandboxNonBinaries = pkgName: unsandboxed: sandboxedBin: let
-    sandboxedWithoutFixedRefs = (runCommand "${pkgName}-sandboxed-non-binary" {} ''
+    sandboxedWithoutFixedRefs = (runCommandLocal "${pkgName}-sandboxed-non-binary" {} ''
       set -e
       mkdir "$out"
       # link in a limited subset of the directories.
@@ -245,7 +246,7 @@ let
         priority = ((prevAttrs.meta or {}).priority or 0) - 1;
       };
       passthru = (prevAttrs.passthru or {}) // extraPassthru // {
-        checkSandboxed = runCommand "${pkgName}-check-sandboxed" {} ''
+        checkSandboxed = runCommandLocal "${pkgName}-check-sandboxed" {} ''
           set -e
           # invoke each binary in a way only the sandbox wrapper will recognize,
           # ensuring that every binary has in fact been wrapped.
diff --git a/pkgs/additional/static-nix-shell/default.nix b/pkgs/additional/static-nix-shell/default.nix
index dcc010ca..61ea703b 100644
--- a/pkgs/additional/static-nix-shell/default.nix
+++ b/pkgs/additional/static-nix-shell/default.nix
@@ -61,6 +61,7 @@ in rec {
   in stdenv.mkDerivation (final: {
     version = "0.1.0"; # default version
+    preferLocalBuild = true;
     patchPhase = ''
       substituteInPlace ${srcPath} \
         --replace '#!/usr/bin/env nix-shell' '#!${interpreter}' \
diff --git a/pkgs/additional/trivial-builders/default.nix b/pkgs/additional/trivial-builders/default.nix
index 18320adb..5fb664f2 100644
--- a/pkgs/additional/trivial-builders/default.nix
+++ b/pkgs/additional/trivial-builders/default.nix
@@ -1,4 +1,4 @@
-{ runCommand
+{ runCommandLocal
 , rmDbusServicesInPlace
 , symlinkJoin
 }:
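Review bot: The added `preferLocalBuild = true;` in static-nix-shell does not give this derivation the same behaviour as the `runCommandLocal` conversions in the other two files: `runCommandLocal` also sets `allowSubstitutes = false`, so this build can still be substituted from a binary cache while the others cannot. If the intent is the same (cheap build that should always happen on the deploying host), add `allowSubstitutes = false;` on the line beside it; if substitution is deliberately kept here, a short comment such as `# local build preferred, but a cache hit is still fine for this one` would stop the next reader from "fixing" the inconsistency. The enclosing `stdenv.mkDerivation (final: { ... })` attribute set starts and ends outside the hunk.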
@@ -7,7 +7,7 @@
   # its own package, but otherwise keeping the same path.
   # this is done by copying the bits, so as to avoid including the item's neighbors
   # in its runtime closure.
-  copyIntoOwnPackage = pkg: path: runCommand "${pkg.pname or pkg.name}-${path}" {
+  copyIntoOwnPackage = pkg: path: runCommandLocal "${pkg.pname or pkg.name}-${path}" {
     env.item = path;
     env.fromPkg = pkg;
   } ''
@@ -16,7 +16,7 @@
     runHook postFixup
   '';
-  linkIntoOwnPackage = pkg: path: runCommand "${pkg.pname or pkg.name}-${path}" {
+  linkIntoOwnPackage = pkg: path: runCommandLocal "${pkg.pname or pkg.name}-${path}" {
     env.item = path;
     env.fromPkg = pkg;
   } ''