Fixes <https://issues.guix.gnu.org/77862>.
Previously, the ‘guix-daemon’ account (for unprivileged execution) would
typically have “kvm” as a supplementary group, but that group would not
be mapped in the build user namespace. Consequently, attempts to
‘chown’ a file to that supplementary group would fail with EINVAL.
The test suites of Coreutils, Python, and Go (among others) exercise
this chown-to-supplementary-group behavior, so they would all fail when
started by the unprivileged ‘guix-daemon’ even though they succeed when
started by ‘guix-daemon’ running as root.
Thanks to keinflue <keinflue@posteo.net> and Reepca Russelstein
<reepca@russelstein.xyz> for helping out.
* nix/libstore/build.cc (initializeUserNamespace): Add ‘extraGIDs’ and
‘haveCapSetGID’ parameters. Invoke ‘newgidmap’ when ‘extraGIDs’ is
non-empty and ‘haveCapSetGID’ is false. Honor ‘extraGIDs’ when
‘haveCapSetGID’ is true.
(maxGroups, guestKVMGID): New variables.
(kvmGIDMapping): New function.
(DerivationGoal::startBuilder): Set ‘ctx.lockMountsMapAll’ in the
CLONE_NEWUSER case. Pass ‘extraGIDs’ to ‘initializeUserNamespace’.
* tests/store.scm ("kvm GID is mapped"): New test.
Change-Id: I10ba710fc1b9ca1e3cd3122be1ec8ede5df18b40
This reverts commits 437bb9ece5 and
a57ed987ff, which were reported in
guix/guix#1169 to occasionally cause errors like:
guix shell: error: unshare : 268566528: Invalid argument
While 'url-fetch*' in (guix download) special-cases these URIs, 'git-fetch'
does not. Consequently, the recent changes to (guix scripts perform-download)
that disallow these URIs cause tests that use builtin:git-download to fail.
* guix/tests/git.scm (serve-git-repository, call-with-served-git-repository):
new procedures.
(with-served-git-repository, with-served-temporary-git-repository): new
syntax.
* .dir-locals.el (scheme-mode): add indentation information for
'with-served-git-repository'.
* tests/builders.scm ("git-fetch, file URI"): use git:// URI with
'with-served-temporary-git-repository'.
* tests/derivations.scm ("'git-download' build-in builder, invalid hash",
"'git-download' built-in builder, invalid commit", "'git-download' built-in
builder, not found"): same.
("'git-download' built-in builder"): same, and use a nonce in the repo
contents so that success isn't cached.
Change-Id: Id3e1233bb74d5987faf89c4341e1d37f09c77c80
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Fixes <https://issues.guix.gnu.org/74862>.
In particular, this makes it possible to build guix on Asahi, whose tmpfs has
16KiB blocks by default.
* tests/store-deduplication.scm
("copy-file/deduplicate, sparse files (holes: ~a/~a/~a)"): Scale hole sizes so
the test works with blocks bigger than 4KiB.
Change-Id: I92fee04f6f69d4e5bfea7443991303ad68da7b2c
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
The rpm-for-tests would no longer build, due to the parent package having
migrated to CMake. Use the --dbpath argument instead of a variant test
package.
* tests/pack.scm (rpm-for-tests): Delete variable.
(rpm archive can be installed/uninstalled): Invoke rpm, not rpm-for-tests, but
with the --dbpath location specified.
Change-Id: I1b578db3ef8f1309c32c6ef92615814ca49fd22c
* guix/import/utils.scm: (git-origin, git->origin): Add procedures.
* guix/import/elpa.scm
(download-git-repository): Remove function download-git-repository.
(git-repository->origin): Remove function git-repository->origin.
(ref): Add function ref.
(melpa-recipe->origin): Use functions git->origin and ref.
* guix/import/go.scm
(git-checkout-hash): Remove function git-checkout-hash.
(transform-version): Add function transform-version.
(vcs->origin): Use functions git->origin and transform-version. Add
optional argument transform-version.
* tests/import/go.scm
(go-module->guix-package): Adapt test case to changes in guix/import/go.scm.
* guix/import/luanti.scm
(download-git-repository): Remove function download-git-repository.
(make-luanti-sexp): Use function git->origin.
* tests/luanti.scm
(make-package-sexp): Refresh function accordingly.
* guix/import/composer.scm
(make-php-sexp): Use function git->origin.
Change-Id: Ied05a63bdd60fbafe26fbbb4e115ff6f0bb9db3c
Signed-off-by: Liliana Marie Prikler <liliana.prikler@gmail.com>
This test broke with commit 8c9493cb31.
* tests/packages.scm ("package-transitive-supported-systems, implicit inputs"):
Change ‘%current-system’ to “riscv64-linux”.
Change-Id: Ia6d69f086cffea4144d2f032038b27ec91e904f3
At this point the value of 'st.st_mode' is from before canonicalization, so
restoring to that will undo the permissions aspect of the canonicalization for
a top-level directory store item.
Fixes#1104, introduced in
ae18b3d9e6 (ae18b3d9e6).
* nix/libstore/build.cc (DerivationGoal::registerOutputs): update 'st' with
post-canonicalization permissions before making actualPath
temporarily-writable.
* tests/store.scm ("build outputs aren't writable"): new test.
Change-Id: I5e5eaa79fa6b7f81e1d12fd285883c762a22ce5a
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Fixesguix/guix#2450.
This reverts commit b5745a327e, which introduced
discrepancies in how substitutes are served; in particular, narinfos of
non-substitutable items would still be served, and likewise for narinfos and
nars of dependents of non-substitutable items.
This reverts commit a7db92d9b3, this time with
the more careful command, to avoid a world rebuild:
grep -rl --exclude-dir=build --exclude-dir=patches --exclude=ld-wrapper.in \
--exclude=sitecustomize.py --exclude=guix-emacs.el maxim.cournoyer@gmail.com |
xargs sed -i 's/maxim.cournoyer@gmail.com/maxim@guixotic.coop/g'
Change-Id: I0871f5cf9ace79e34e78e24154d0da6ea95a3a91
The change was automated via:
git grep -l maxim.cournoyer@gmail.com |
xargs sed -i 's/maxim.cournoyer@gmail.com/maxim@guixotic.coop/g'
* .mailmap: New entry.
Change-Id: Iaa88b1e51c94159c49138fb43910badb990eb169
Fixesguix/guix#1975.
When using ‘read’, ‘package-field-location’ would not get source location for
atoms such as symbols, typically making it impossible to get the location of
the value of a field list (build-system gnu-build-system). This fixes that.
* guix/packages.scm (field-value-location): New procedure.
(package-field-location): Use it instead of inline code.
* tests/packages.scm ("package-field-location"): Test the ‘build-system’
field.
Reported-by: Nicolas Graves <ngraves@ngraves.fr>
Change-Id: I98c694bb6f1999fa9ca80e145fa016640067af55
* guix/lint.scm (check-compiler-for-target): Adjust the logic when
checking the make-flags to actually determine if it is a gexp or not.
* tests/lint.scm (compiler-for-target: looks through G-expressions): Fix
test.
Change-Id: I0040cf29c8197d394e63ac90b2fba7ca5bcb5861
Previously, the builder of a fixed-output derivation could communicate with an
external process via an abstract Unix-domain socket. In particular, it could
send an open file descriptor to the store, granting write access to some of
its output files in the store provided the derivation build fails—the fix for
CVE-2024-27297 did not address this specific case. It could also send an open
file descriptor to a setuid program, which could then be executed using
execveat to gain the privileges of the build user.
With this change, fixed-output derivations other than “builtin:download”
and “builtin:git-download” always run in a separate network namespace
and have network access provided by a TAP device backed by slirp4netns,
thereby closing the abstract Unix-domain socket channel.
* nix/libstore/globals.hh (Settings)[useHostLoopback, slirp4netns]: new
fields.
* config-daemon.ac (SLIRP4NETNS): new C preprocessor definition.
* nix/libstore/globals.cc (Settings::Settings): initialize them to defaults.
* nix/nix-daemon/guix-daemon.cc (options): add --isolate-host-loopback option.
* doc/guix.texi: document it.
* nix/libstore/build.cc (DerivationGoal)[slirp]: New field.
(setupTap, setupTapAction, waitForSlirpReadyAction, enableRouteLocalnetAction,
prepareSlirpChrootAction, spawnSlirp4netns, haveGlobalIPv6Address,
remapIdsTo0Action): New functions.
(initializeUserNamespace): allow the guest UID and GID to be specified.
(DerivationGoal::killChild): When ‘slirp’ is not -1, call ‘kill’.
(DerivationGoal::startBuilder): Unconditionally add CLONE_NEWNET to FLAGS.
When ‘fixedOutput’ is true, spawn ‘slirp4netns’.
When ‘fixedOutput’ and ‘useChroot’ are true, add setupTapAction,
waitForSlirpReadyAction, and enableRouteLocalnetAction to builder setup
phases.
Create a /etc/resolv.conf for fixed-output derivations that directs them to
slirp4netns's dns address.
When settings.useHostLoopback is true, supply fixed-output derivations with a
/etc/hosts that resolves "localhost" to slirp4netns's address for accessing
the host loopback.
* nix/libutil/util.cc (keepOnExec, decodeOctalEscaped, sendFD, receiveFD,
findProgram): New functions.
* nix/libutil/util.hh (keepOnExec, decodeOctalEscaped, sendFD, receiveFD,
findProgram): New declarations.
* gnu/packages/package-management.scm (guix): add slirp4netns input for linux
targets.
* tests/derivations.scm (builder-network-isolated?): new variable.
("fixed-output derivation, network access, localhost", "fixed-output
derivation, network access, external host"):
skip test case if fixed output derivations are isolated from the network.
Change-Id: Ia3fea2ab7add56df66800071cf15cdafe7bfab96
Signed-off-by: John Kehayias <john.kehayias@protonmail.com>
* guix/cve.scm: Exploit cpe vendors information.
(cpe->package-name): Rename to...
(cpe->package-identifier): Renamed from cpe->package-name. Use
cpe_vendor:cpe_name in place or cpe_name.
(vulnerabily-matches?): Add helper function.
(vulnerabilities->lookup-proc): Extract cpe_name for table
hashes. Add vendor and hidden-vendor arguments. Adapt condition to
pass vulnerabilities to result in the fold.
(write-cache, fetch-vulnerabilities): Update the format version.
* guix/lint.scm (package-vulnerabilities): Use additional arguments
from vulnerabilities->lookup-proc.
* tests/cve.scm (%expected-vulnerabilities): Adapt variable to changes
in guix/cve.scm.
Signed-off-by: Zheng Junjie <z572@z572.online>
Partly fixes <https://issues.guix.gnu.org/74583>.
Previously, passing an annotated tag to ‘--end’, as can happen when
‘guix git authenticate’ is invoked by the pre-push hook when pushing
tags, would lead to an error:
guix git: error: Git error: the requested type does not match the type in the ODB
* guix/scripts/git/authenticate.scm (ensure-commit-id): New procedure.
(guix-git-authenticate): Use it.
* tests/guix-git-authenticate.sh: Test with $v1_2_0_annotated_tag.
Change-Id: I22e8eb665609522c80c1f0dcb9e77a46c23c0c3c
This commit prevents Guix substitute servers from distributing binaries
which are marked non-substitutable. This prevents substitute servers
from accidentally committing copyright violations by distributing
binaries that are non-substitutable for copyright reasons.
* guix/scripts/publish.scm (render-nar): Query the derivers of
‘store-path’ and do nothing if one of them does not match
‘substitutable-derivation?’.
* tests/publish.scm ("non-substitutable derivation"): New test.
Change-Id: Iaca81f5bdb430a12a3ad41e9b83e0bcc535af607
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Modified-by: Ludovic Courtès <ludo@gnu.org>
* guix/scripts/environment.scm (launch-environment/container): Add
/run/user/UID to ‘file-systems’.
* tests/guix-environment-container.sh: Test it.
Change-Id: I44c70a7554a06f40d073c25929ea7c6ded356d08
