Compare commits

15 Commits

Author SHA1 Message Date
tomberek
3ac5d736e2 Merge pull request #11319 from NixOS/backport-11270-to-2.24-maintenance
[Backport 2.24-maintenance] libstore: fix port binding in __darwinAllowLocalNetworking sandbox
2024-08-17 03:17:29 -04:00
Andrew Marshall
4e707b8e57 libstore: fix port binding in __darwinAllowLocalNetworking sandbox
In d60c3f7f7c, this was changed to close a
hole in the sandbox. Unfortunately, this was too restrictive such that it
made local port binding fail, thus making derivations that needed
`__darwinAllowLocalNetworking` gain nearly nothing, and thus largely
fail (as the primary use for it is to enable port binding).

This unfortunately does mean that a sandboxed build process can, in
coordination with an actor outside the sandbox, escape the sandbox by
binding a port and connecting to it externally to send data. I do not
see a way around this with my experimentation and understanding of the
(quite undocumented) macOS sandbox profile API. Notably it seems not
possible to use the sandbox to do any of:

- Restrict the remote IP of inbound network requests
- Restrict the address being bound to

As such, the `(local ip "*:*")` here appears to be functionally no
different than `(local ip "localhost:*")` (however it *should* be
different than removing the filter entirely, as that would make it also
apply to non-IP networking). Doing `(allow network-inbound (require-all
(local ip "localhost:*") (remote ip "localhost:*")))` causes listening
to fail.

Note that `network-inbound` implies `network-bind`.

(cherry picked from commit 00f6db36fd)
2024-08-17 03:17:45 +00:00
Eelco Dolstra
20cae372f4 Merge pull request #11314 from cole-h/backport-2.24-update-nixpkgs-input-fix-darwin
[2.24] Update nixpkgs input to fix darwin ccache evaluation, have CI check that all outputs on all systems evaluate
2024-08-16 20:48:49 +02:00
Cole Helbling
d550139191 ci: check that all outputs for all systems can evaluate
(cherry picked from commit aa3d35c1f4)
2024-08-16 11:46:29 -07:00
Cole Helbling
5b62a1dbd6 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/63d37ccd2d178d54e7fb691d7ec76000740ea24a?narHash=sha256-7cCC8%2BTdq1%2B3OPyc3%2BgVo9dzUNkNIQfwSDJ2HSi2u3o%3D' (2024-07-21)
  → 'github:NixOS/nixpkgs/c3d4ac725177c030b1e289015989da2ad9d56af0?narHash=sha256-sqLwJcHYeWLOeP/XoLwAtYjr01TISlkOfz%2BNG82pbdg%3D' (2024-08-15)

(cherry picked from commit 8866d2cd83)
2024-08-16 11:46:24 -07:00
Eelco Dolstra
450252c92c Bump version
2024-08-08 17:21:00 +02:00
Eelco Dolstra
4036c3aafb Bump version
2024-08-08 15:02:48 +02:00
Robert Hensing
935bf1157d Merge pull request #11267 from NixOS/backport-11244-to-2.24-maintenance
[Backport 2.24-maintenance] allow to c api with older c versions
2024-08-08 01:43:24 +02:00
Jörg Thalheim
b1941c9f8a allow to c api with older c versions
In the FFI world we have many tools that are not gcc/clang and therefore
do not always support the latest C standard. This fixes support with cffi
i.e. used in https://github.com/tweag/python-nix

(cherry picked from commit 739418504c)
2024-08-07 23:12:17 +00:00
Eelco Dolstra
40832b0a95 Merge pull request #11262 from NixOS/backport-11257-to-2.24-maintenance
[Backport 2.24-maintenance] PathSubstitutionGoal: Fix spurious "failed" count in the progress bar
2024-08-06 11:20:31 +02:00
Eelco Dolstra
fa78d7f72f PathSubstitutionGoal: Fix spurious "failed" count in the progress bar
It is not an error if queryPathInfo() indicates that a path does not
exist in the substituter.

Fixes #11198. This was broken in 846869da0e.

(cherry picked from commit 0a00bd07b2)
2024-08-06 08:33:46 +00:00
Eelco Dolstra
2382a52c84 Merge pull request #11239 from NixOS/backport-11237-to-2.24-maintenance
[Backport 2.24-maintenance] Fix the S3 store
2024-08-01 17:56:18 +02:00
Eelco Dolstra
fe6a7c805c Fix the S3 store
It was failing with:

   error: AWS error fetching 'nix-cache-info': The specified bucket does not exist

because `S3BinaryCacheStoreImpl` had a `bucketName` field that
shadowed the inherited `bucketName` from `S3BinaryCacheStoreConfig`.

(cherry picked from commit 9b5b7b7963)
2024-08-01 15:46:45 +00:00
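To make the shadowing mechanism behind that commit concrete, here is a constructed C++ example (not Nix's own code) that mirrors the `S3BinaryCacheStoreImpl`/`S3BinaryCacheStoreConfig` relationship with hypothetical `Config`, `BuggyImpl` and `FixedImpl` types: re-declaring the field in the derived struct leaves the configured value unreachable through an unqualified name, so the request goes out with an empty bucket.

```cpp
#include <iostream>
#include <string>
#include <utility>

// Constructed stand-in for S3BinaryCacheStoreConfig: the base owns bucketName.
struct Config {
    std::string bucketName;
    explicit Config(std::string name) : bucketName(std::move(name)) {}
};

// The bug: the derived struct re-declares bucketName, so the unqualified name
// inside its members binds to this default-constructed (empty) copy, not to
// Config::bucketName that the configuration filled in.
struct BuggyImpl : virtual Config {
    std::string bucketName;  // shadows the inherited field
    explicit BuggyImpl(std::string name) : Config(std::move(name)) {}
    std::string bucketForRequest() const { return bucketName; }  // "" -> "bucket does not exist"
};

// The fix: no redeclaration, so bucketName resolves to the inherited member.
struct FixedImpl : virtual Config {
    explicit FixedImpl(std::string name) : Config(std::move(name)) {}
    std::string bucketForRequest() const { return bucketName; }
};

// Helpers returning what each variant would put into the S3 request.
std::string buggyBucket(const std::string& name) { return BuggyImpl(name).bucketForRequest(); }
std::string fixedBucket(const std::string& name) { return FixedImpl(name).bucketForRequest(); }
// The configured value is still stored, just hidden behind the shadowing member.
std::string buggyConfigBucket(const std::string& name) { return BuggyImpl(name).Config::bucketName; }

int main() {
    std::cout << "buggy: '" << buggyBucket("my-cache") << "'\n";  // prints ''
    std::cout << "fixed: '" << fixedBucket("my-cache") << "'\n";  // prints 'my-cache'
    return 0;
}
```

Clang's `-Wshadow-field` reports the `BuggyImpl::bucketName` declaration; GCC's `-Wshadow` does not cover inherited members.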
Eelco Dolstra
0a167ffd1f Bump version
2024-08-01 10:41:11 +02:00
Eelco Dolstra
206e32e2d7 Mark release
2024-07-31 23:37:43 +02:00
9 changed files with 24 additions and 12 deletions

@@ -49,6 +49,7 @@ jobs:
done
) &
- run: nix --experimental-features 'nix-command flakes' flake check -L
- run: nix --experimental-features 'nix-command flakes' flake show --all-systems --json
# Steps to test CI automation in your own fork.
# Cachix:
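Review bot: the new `flake show --all-systems --json` step produces JSON that nothing in the workflow consumes, so it acts purely as an exit-status check that every output evaluates on every system; a one-line comment above the step saying so (and dropping `--json` if the output is never read) would keep the intent clear to the next person editing this job.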

@@ -1 +1 @@
2.24.0
2.24.3

flake.lock generated

@@ -80,11 +80,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1721548954,
"narHash": "sha256-7cCC8+Tdq1+3OPyc3+gVo9dzUNkNIQfwSDJ2HSi2u3o=",
"lastModified": 1723688146,
"narHash": "sha256-sqLwJcHYeWLOeP/XoLwAtYjr01TISlkOfz+NG82pbdg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "63d37ccd2d178d54e7fb691d7ec76000740ea24a",
"rev": "c3d4ac725177c030b1e289015989da2ad9d56af0",
"type": "github"
},
"original": {
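Review bot: the new `rev` and `narHash` match the `flake.lock: Update` commit message once its URL escapes are decoded (`%2B` is `+`, `%3D` is `=`), so the lock change is consistent with what the message claims; for a maintenance branch the thing to verify before merging is that the bumped nixpkgs revision (2024-08-15) sits on a branch that still receives security updates, since every darwin build of 2.24.x now pins it.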

@@ -24,7 +24,7 @@
let
inherit (nixpkgs) lib;
officialRelease = false;
officialRelease = true;
version = lib.fileContents ./.version + versionSuffix;
versionSuffix =
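Review bot: `officialRelease = true` feeds into `versionSuffix` (defined just below, cut off by the hunk), which is what distinguishes release builds from pre-release builds, so every build from this branch, including the intermediate backport commits between version bumps, now identifies itself by the plain `.version` contents; a short comment next to the flag stating that the maintenance branch deliberately stays in official mode would stop a future backport from "fixing" it back to `false`.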

@@ -14,6 +14,16 @@
#include "nix_api_util.h"
#include <stddef.h>
#ifndef __has_c_attribute
# define __has_c_attribute(x) 0
#endif
#if __has_c_attribute(deprecated)
# define NIX_DEPRECATED(msg) [[deprecated(msg)]]
#else
# define NIX_DEPRECATED(msg)
#endif
#ifdef __cplusplus
extern "C" {
#endif
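Review bot: the `__has_c_attribute` fallback also fires in C++ translation units if, as with GCC and Clang, `__has_c_attribute` is only defined in C mode; a C++ consumer including this header (the `extern "C"` guard shows that case is expected) then gets the empty `NIX_DEPRECATED`, and the `Value` deprecation silently stops warning in C++, where `[[deprecated]]` has always been available. Guarding on `defined(__cplusplus) || __has_c_attribute(deprecated)` keeps the warning for both languages.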
@@ -45,7 +55,7 @@ typedef struct EvalState EvalState; // nix::EvalState
* @see nix_value_incref, nix_value_decref
*/
typedef struct nix_value nix_value;
[[deprecated("use nix_value instead")]] typedef nix_value Value;
NIX_DEPRECATED("use nix_value instead") typedef nix_value Value;
// Function prototypes
/**
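Review bot: with the `NIX_DEPRECATED("use nix_value instead")` form on the `Value` typedef, a pre-C23 gcc or clang user, which is exactly the case this change targets, now gets no warning at all because the macro expands to nothing there; adding a GNU-attribute tier (`__attribute__((deprecated(msg)))` under `defined(__GNUC__)`) between the `[[deprecated]]` and empty branches of the macro would keep the deprecation visible for those compilers.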

@@ -145,8 +145,10 @@ Goal::Co PathSubstitutionGoal::init()
/* None left. Terminate this goal and let someone else deal
with it. */
worker.failedSubstitutions++;
worker.updateProgress();
if (substituterFailed) {
worker.failedSubstitutions++;
worker.updateProgress();
}
/* Hack: don't indicate failure if there were no substituters.
In that case the calling derivation should just do a
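Review bot: the new guard depends on `substituterFailed` having been initialised to `false` before the substituter loop and set to `true` only by `tryToRun` on a real error; the hunk does not show that initialisation, so confirm it (an uninitialised `bool` here would make the failed count nondeterministic). Also worth checking whether the "no substituters" hack just below still needs its own branch now that the missing-path case no longer counts as a failure.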
@@ -158,7 +160,7 @@ Goal::Co PathSubstitutionGoal::init()
}
Goal::Co PathSubstitutionGoal::tryToRun(StorePath subPath, nix::ref<Store> sub, std::shared_ptr<const ValidPathInfo> info, bool& substituterFailed)
Goal::Co PathSubstitutionGoal::tryToRun(StorePath subPath, nix::ref<Store> sub, std::shared_ptr<const ValidPathInfo> info, bool & substituterFailed)
{
trace("all references realised");
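Review bot: this hunk is a whitespace-only change to the `tryToRun` signature (`bool&` to `bool &`); harmless, but in a targeted backport it is noise that makes the actual fix harder to audit, and the same cosmetic change is repeated in the header below.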

@@ -66,7 +66,7 @@ public:
*/
Co init() override;
Co gotInfo();
Co tryToRun(StorePath subPath, nix::ref<Store> sub, std::shared_ptr<const ValidPathInfo> info, bool& substituterFailed);
Co tryToRun(StorePath subPath, nix::ref<Store> sub, std::shared_ptr<const ValidPathInfo> info, bool & substituterFailed);
Co finished();
/**

@@ -220,8 +220,6 @@ std::string S3BinaryCacheStoreConfig::doc()
struct S3BinaryCacheStoreImpl : virtual S3BinaryCacheStoreConfig, public virtual S3BinaryCacheStore
{
std::string bucketName;
Stats stats;
S3Helper s3Helper;
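Review bot: removing the shadowing `bucketName` is the right fix, but nothing here prevents the same class of bug recurring in another `Impl` struct that inherits from a config class; member shadowing of an inherited field is not reported by GCC's `-Wshadow`, whereas Clang's `-Wshadow-field` does flag it, so enabling that warning in the Clang build (or adding a test that checks the configured bucket name reaches the request) would catch the next occurrence.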

@@ -49,6 +49,7 @@ R""(
(if (param "_ALLOW_LOCAL_NETWORKING")
(begin
(allow network* (remote ip "localhost:*"))
(allow network-inbound (local ip "*:*")) ; required to bind and listen
; Allow access to /etc/resolv.conf (which is a symlink to
; /private/var/run/resolv.conf).
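Review bot: the inline comment `; required to bind and listen` undersells the trade-off the commit message spells out: `(local ip "*:*")` cannot be narrowed to `localhost:*` without breaking listening, so a build that opts in can accept connections from outside the sandbox. Stating that limitation next to the rule, and that it only takes effect under `(param "_ALLOW_LOCAL_NETWORKING")`, i.e. for derivations that explicitly set `__darwinAllowLocalNetworking`, would keep someone from "tightening" it later and silently reintroducing the bind failure, and tells reviewers of derivations what they are accepting when they set the attribute.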