Wojtek's customized Guix https://git.koszko.org/guix/atom?h=koszko 2025-03-26T16:57:43Z 2025-03-26T16:57:43Z Ludovic Courtès ludo@gnu.org 2025-03-17T10:23:21Z urn:sha1:7bad04fac09173f63800464ca0868225f6a99bd1 * nix/libutil/util.cc (commonChildInit): Close ‘logPipe.readSide’. Reported-by: Reepca Russelstein <reepca@russelstein.xyz> Change-Id: Ia9e48d1afb85d7af52770e016f2b6832792044dd 2025-03-26T16:57:42Z Ludovic Courtès ludo@gnu.org 2025-02-11T16:42:37Z urn:sha1:f03e6eff2f491fbf1a38b36d46c0fe2fdd3e6886 * nix/libutil/util.cc (closeMostFDs) [HAVE_CLOSE_RANGE]: Use ‘close_range’ when ‘exceptions’ is empty. * config-daemon.ac: Check for <linux/close_range.h> and the ‘close_range’ symbol. Change-Id: I12fa3bde58b003fcce5ea5a1fee1dcf9a92c0359 2024-05-13T14:31:34Z Ludovic Courtès ludo@gnu.org 2024-05-13T10:02:30Z urn:sha1:7757fdd491862fa5c33f1f894503346b89898a01 Fixes <https://issues.guix.gnu.org/70877>. * nix/libutil/util.cc (copyFile): Loop over ‘copy_file_range’ instead of throwing upon short write. Reported-by: Ricardo Wurmus <rekado@elephly.net> Change-Id: Id7b8a65ea59006c2d91bc23732309a68665b9ca0 2024-03-12T13:07:28Z Ludovic Courtès ludo@gnu.org 2024-03-12T10:53:35Z urn:sha1:ff1251de0bc327ec478fc66a562430fbf35aef42 This is a followup to 8f4ffb3fae133bb21d7991e97c2f19a7108b1143. Commit 8f4ffb3fae133bb21d7991e97c2f19a7108b1143 fell short in two ways: (1) it didn’t have any effet for fixed-output derivations performed in a chroot, which is the case for all of them except those using “builtin:download” and “builtin:git-download”, and (2) it did not preserve ownership when copying, leading to “suspicious ownership or permission […] rejecting this build output” errors. * nix/libstore/build.cc (DerivationGoal::buildDone): Account for ‘chrootRootDir’ when copying ‘drv.outputs’. * nix/libutil/util.cc (copyFileRecursively): Add ‘fchown’ and ‘fchownat’ calls to preserve file ownership; this is necessary for chrooted fixed-output derivation builds. * nix/libutil/util.hh: Update comment. Change-Id: Ib59f040e98fed59d1af81d724b874b592cbef156 2024-03-11T21:12:34Z Ludovic Courtès ludo@gnu.org 2024-03-11T09:59:42Z urn:sha1:8f4ffb3fae133bb21d7991e97c2f19a7108b1143 This fixes a security issue (CVE-2024-27297) whereby a fixed-output derivation build process could open a writable file descriptor to its output, send it to some outside process for instance over an abstract AF_UNIX socket, which would then allow said process to modify the file in the store after it has been marked as “valid”. Vulnerability discovered by puck <https://github.com/puckipedia>. Nix security advisory: https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37 Nix fix: https://github.com/NixOS/nix/commit/244f3eee0bbc7f11e9b383a15ed7368e2c4becc9 * nix/libutil/util.cc (readDirectory): Add variants that take a DIR* and a file descriptor. Rewrite the ‘Path’ variant accordingly. (copyFile, copyFileRecursively): New functions. * nix/libutil/util.hh (copyFileRecursively): New declaration. * nix/libstore/build.cc (DerivationGoal::buildDone): When ‘fixedOutput’ is true, call ‘copyFileRecursively’ followed by ‘rename’ on each output. Change-Id: I7952d41093eed26e123e38c14a4c1424be1ce1c4 Reported-by: Picnoir <picnoir@alternativebit.fr>, Théophane Hufschmitt <theophane.hufschmitt@tweag.io> Change-Id: Idb5f2757f35af86b032a9851cecb19b70227bd88 2023-01-09T16:40:54Z Ludovic Courtès ludo@gnu.org 2023-01-09T15:48:01Z urn:sha1:407175a1d0e29f45639e7f28a531b3981cd20085 * nix/libutil/hash.cc (parseHash): Show the hash algorithm name and expected size in the error message. * tests/derivations.scm ("fixed-output derivation, invalid hash size"): New test. 2022-12-18T00:16:47Z Ludovic Courtès ludo@gnu.org 2022-12-17T11:25:47Z urn:sha1:2d4d26769d6a3be1b21302b0bb2bd099fd55ccf8 * nix/libstore/build.cc (DerivationGoal::openLogFile): Customize "opening file" error message. * nix/libutil/hash.cc (hashFile): Likewise. * nix/libutil/util.cc (readFile, writeFile): Likewise. 2021-11-19T22:04:19Z Ludovic Courtès ludo@gnu.org 2021-11-19T13:53:25Z urn:sha1:24224530d1f4a70808d003ba8dce849b77625b79 'remove' calls 'unlink' first and falls back to 'rmdir' upon EISDIR. This change gets rid of the 'unlink' call for every directory being removed. * nix/libutil/util.cc (_deletePath): Call 'unlink' or 'rmdir' depending on 'st.st_mode', rather than call 'remove'. 2020-12-08T21:30:07Z Ludovic Courtès ludo@gnu.org 2020-12-01T14:00:14Z urn:sha1:2e308238ad09e9527f9b8c3ec4a90b6b05a93367 * nix/libutil/util.hh (struct Agent)[Agent]: Add 'env' parameter. * nix/libutil/util.cc (Agent::Agent): Honor it. 2020-09-14T13:42:55Z Ludovic Courtès ludo@gnu.org 2020-09-11T10:34:25Z urn:sha1:ee9dff34f9317509cb2b833d07a0d5e01a36a4ae * nix/libstore/build.cc (DerivationGoal::tryBuildHook): Add "offload" to 'args' and pass settings.guixProgram as the first argument to Agent::Agent. (pathNullDevice, commonChildInit, Agent, Agent::Agent) (Agent::~Agent): Move to... * nix/libutil/util.cc: ... here. * nix/libutil/util.hh (struct Agent, commonChildInit): New declarations.