Closes#17460
Changed the wrapper derivation to produce a second output containing the sandbox.
Add a launch wrapper to try and locate the sandbox (either in /var/setuid-wrappers or in /nix/store).
This launch wrapper also sheds libredirect.so from LD_PRELOAD as Chromium does not tolerate it.
Does not trigger a Chromium rebuild.
cc @cleverca22 @joachifm @jasom
The varnish tools (varnishstat, varnishlog, ...) tried to load the VSM
file from a spurious var directory in the Nix store. Fix the default so
the tools "just work" when also keeping services.varnish.stateDir at the
default.
Notes:
- The tools use $localstatedir/$HOSTNAME so I've adapted the default for
stateDir as well to contain hostName.
- Added postStop action to remove the localstatedir. There is no point
in keeping it around when varnish does not run, as it regenerates it
on startup anyway.
Fixes#7495
The name gitlab-runner clashes with a component of Gitlab CI with the
same name and only confuses people. It's now called gitlab-bundle and
a convenience-script gitlab-rake for easier invocation of rake tasks
was added. This was the primary use case of gitlab-runner.
In light of Emacs packaging improvements such as those mentioned
in #11503, and with the addition of a systemd service (#15807
and #16356), and considering that the wiki page is completely
out of date (#13217), it seems that some documentation is in order.
Enabling EFI runtime services provides a venue for injecting code into
the kernel.
When grsecurity is enabled, we close this by default by disabling access
to EFI runtime services. The upshot of this is that
/sys/firmware/efi/efivars will be unavailable by default (and attempts
to mount it will fail).
This is not strictly a grsecurity related option, it could be made into
a general option, but it seems to be of particular interest to
grsecurity users (for non-grsecurity users, there are other, more
immediate kernel injection attack dangers to contend with anyway).
* Hydra doesn't like spaces in filenames.
* The zip file contained nix/store/.../OEBPS rather than OEBPS at
top-level, causing some programs (like okular) to barf.
* Remove the redundant $dst/epub directory.
Adds a new chain in the raw table for reverse path filtering and optional
logging. A rule to allow serving DHCPv4 was also added as it is commonly
needed and poses no security risk even when no DHCPv4 server is running.
Fixes#10101.
Adds options for tcp streaming and avahi zeroconf support (so that the
server can be easily found by clients).
There is also an option to allow anonymous clients to stream to the
server (by default pulseaudio uses a cookie mechanism, see manpage).
Instead of one package `extra-cmake-modules`, there is now `ecm` and
`ecmNoHooks`. The latter is used when one does not want to incur a Qt 5
dependency; it is also available as a top-level package
`extra-cmake-modules`.
