Only build libseccomp on supported systems
shlevy committed Feb 25, 2018
1 parent 1c1a6df commit 3c57e77
Showing 3 changed files with 7 additions and 3 deletions.
2 changes: 2 additions & 0 deletions lib/systems/inspect.nix
@@ -40,6 +40,8 @@ rec {
[ "x86" "arm" "aarch64" "mips" ];
Efi = map (family: { cpu.family = family; })
[ "x86" "arm" "aarch64" ];
Seccomputable = map (family: { kernel = kernels.linux; cpu.family = family; })

shlevy (Author, Member), Mar 24, 2018:

@Ericson2314 What would be needed to make this a blacklist instead of a whitelist?

Ericson2314 (Member), Mar 24, 2018:

It wouldn't be hard, but I don't like negative reasoning because it's closed-world, so I didn't bother. Maybe tell me why you want it?

I need to go document the meta.platform language I just made somewhere, and how it ties in to this. Basically the list is an or expression, so we'd just need tagged lists for other non-terminals.

shlevy (Author, Member), Mar 24, 2018:

Not having seccomp is a short-lived property of new ports and IMO should count as part of the "complexity debt" of those ports, so we should explicitly account for it.

Ericson2314 (Member), Mar 24, 2018:

Tracking debt with blacklists convinces me! I still don't want to allow freeform negative reasoning, but just specially curated debt blacklists, though. Maybe we can post-process the parse.nix metadata?

shlevy (Author, Member), Mar 24, 2018:

I'm completely agnostic on implementation details (and willing to implement this myself if desired), just wanted to get your thoughts. Whatever seems good to you!

Ericson2314 (Member), Mar 24, 2018:

Yeah, how about you give it a shot? The parse.nix idea was just a first shot, feel free to try whatever!

shlevy (Author, Member), Mar 25, 2018:

[ "x86" "arm" "aarch64" "mips" ];
};

matchAnyAttrs = patterns:
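Review bot: the new `Seccomputable` pattern hard-codes the family list `[ "x86" "arm" "aarch64" "mips" ]`, the same list that ends the pattern just above it, with no comment on why exactly these four qualify and others (RISC-V, for one) do not; add a comment at the definition saying this is an "upstream libseccomp supports it" whitelist rather than a kernel-capability statement, and move the libseccomp tracking link that currently sits only in pkgs/tools/package-management/nix/default.nix here, so whoever widens the list knows what to check. Note also that, once `matchAnyAttrs` turns this into the `isSeccomputable` predicate, an architecture missing from the list silently ends up with seccomp sandboxing disabled rather than failing the build, which is the whitelist/blacklist trade-off the inline discussion above is about.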
4 changes: 2 additions & 2 deletions pkgs/tools/package-management/nix/default.nix
@@ -30,7 +30,7 @@ let
buildInputs = [ curl openssl sqlite xz bzip2 ]
++ lib.optional (stdenv.isLinux || stdenv.isDarwin) libsodium
++ lib.optionals fromGit [ brotli ] # Since 1.12
++ lib.optional (stdenv.isLinux && !hostPlatform.isRiscV) libseccomp
++ lib.optional (hostPlatform.isSeccomputable) libseccomp
++ lib.optional ((stdenv.isLinux || stdenv.isDarwin) && is20)
(aws-sdk-cpp.override {
apis = ["s3"];
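Review bot: the parentheses in `lib.optional (hostPlatform.isSeccomputable) libseccomp` are redundant around a plain attribute path and inconsistent with the unparenthesised `!hostPlatform.isSeccomputable` used in the configureFlags hunk of the same file; write `lib.optional hostPlatform.isSeccomputable libseccomp`. The substitution itself is a safe tightening: `Seccomputable` requires `kernel = kernels.linux`, so the old `stdenv.isLinux` guard is preserved, and both places that decide whether seccomp is built in now consult one predicate instead of two hand-written conditions that could drift apart.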
@@ -57,7 +57,7 @@ let
hostPlatform != buildPlatform && hostPlatform ? nix && hostPlatform.nix ? system
) ''--with-system=${hostPlatform.nix.system}''
# RISC-V support in progress https://github.com/seccomp/libseccomp/pull/50
++ lib.optional hostPlatform.isRiscV "--disable-seccomp-sandboxing";
++ lib.optional (!hostPlatform.isSeccomputable) "--disable-seccomp-sandboxing";

makeFlags = "profiledir=$(out)/etc/profile.d";
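Review bot: the unchanged context comment `# RISC-V support in progress https://github.com/seccomp/libseccomp/pull/50` is now stale: the line it annotates no longer mentions RISC-V, and the knowledge of which architectures lack seccomp has moved to the `Seccomputable` whitelist in lib/systems/inspect.nix. Either drop the comment here or move it (with the PR link) next to that whitelist, so that when RISC-V support lands there is exactly one place to update and no orphaned comment left behind.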

4 changes: 3 additions & 1 deletion pkgs/top-level/all-packages.nix
@@ -9644,7 +9644,9 @@ with pkgs;

libgroove = callPackage ../development/libraries/libgroove { };

libseccomp = callPackage ../development/libraries/libseccomp { };
libseccomp = if hostPlatform.isSeccomputable
then callPackage ../development/libraries/libseccomp { }
else null;

libsecret = callPackage ../development/libraries/libsecret { };


0 comments on commit 3c57e77