libstore/build: set NO_NEW_PRIVS for the sandbox
Change-Id: I711f64e2b68495ed9c85c1a4bd5025405805e43a
This commit is contained in:
parent
8d15e6af4b
commit
effc28f6f5
6 changed files with 54 additions and 0 deletions
|
@ -41,6 +41,7 @@
|
||||||
#include <sched.h>
|
#include <sched.h>
|
||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
#include <sys/mount.h>
|
#include <sys/mount.h>
|
||||||
|
#include <sys/prctl.h>
|
||||||
#include <sys/syscall.h>
|
#include <sys/syscall.h>
|
||||||
#if HAVE_SECCOMP
|
#if HAVE_SECCOMP
|
||||||
#include <seccomp.h>
|
#include <seccomp.h>
|
||||||
|
@ -1949,6 +1950,10 @@ void LocalDerivationGoal::runChild()
|
||||||
throw SysError("setuid failed");
|
throw SysError("setuid failed");
|
||||||
|
|
||||||
setUser = false;
|
setUser = false;
|
||||||
|
|
||||||
|
// Make sure we can't possibly gain new privileges in the sandbox
|
||||||
|
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
|
||||||
|
throw SysError("PR_SET_NO_NEW_PRIVS failed");
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
|
|
@ -160,4 +160,6 @@ in
|
||||||
fetch-git = runNixOSTestFor "x86_64-linux" ./fetch-git;
|
fetch-git = runNixOSTestFor "x86_64-linux" ./fetch-git;
|
||||||
|
|
||||||
symlinkResolvconf = runNixOSTestFor "x86_64-linux" ./symlink-resolvconf.nix;
|
symlinkResolvconf = runNixOSTestFor "x86_64-linux" ./symlink-resolvconf.nix;
|
||||||
|
|
||||||
|
rootInSandbox = runNixOSTestFor "x86_64-linux" ./root-in-sandbox;
|
||||||
}
|
}
|
||||||
|
|
15
tests/nixos/root-in-sandbox/default.nix
Normal file
15
tests/nixos/root-in-sandbox/default.nix
Normal file
|
@ -0,0 +1,15 @@
|
||||||
|
let
|
||||||
|
inherit (import ../util.nix) mkNixBuildTest;
|
||||||
|
in mkNixBuildTest {
|
||||||
|
name = "root-in-sandbox";
|
||||||
|
extraMachineConfig = { pkgs, ... }: {
|
||||||
|
security.wrappers.ohno = {
|
||||||
|
owner = "root";
|
||||||
|
group = "root";
|
||||||
|
setuid = true;
|
||||||
|
source = "${pkgs.coreutils}/bin/whoami";
|
||||||
|
};
|
||||||
|
nix.settings.extra-sandbox-paths = ["/run/wrappers/bin"];
|
||||||
|
};
|
||||||
|
expressionFile = ./package.nix;
|
||||||
|
}
|
8
tests/nixos/root-in-sandbox/package.nix
Normal file
8
tests/nixos/root-in-sandbox/package.nix
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
{ runCommand }:
|
||||||
|
runCommand "cant-get-root-in-sandbox" {} ''
|
||||||
|
if /run/wrappers/bin/ohno; then
|
||||||
|
echo "Oh no! We're root in the sandbox!"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
touch $out
|
||||||
|
''
|
|
@ -1,5 +1,6 @@
|
||||||
{ pkgs, ... }:
|
{ pkgs, ... }:
|
||||||
let
|
let
|
||||||
|
# Can't use the cool helper because inputDerivation does not work with FODs :(
|
||||||
checkResolvconfInSandbox = pkgs.runCommand "resolvconf-works-in-sandbox" {
|
checkResolvconfInSandbox = pkgs.runCommand "resolvconf-works-in-sandbox" {
|
||||||
# must be an FOD to have a resolv.conf in the first place
|
# must be an FOD to have a resolv.conf in the first place
|
||||||
outputHash = "sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=";
|
outputHash = "sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=";
|
||||||
|
|
23
tests/nixos/util.nix
Normal file
23
tests/nixos/util.nix
Normal file
|
@ -0,0 +1,23 @@
|
||||||
|
{
|
||||||
|
mkNixBuildTest = { name, expressionFile, extraMachineConfig ? {} }:
|
||||||
|
{ lib, pkgs, ... }:
|
||||||
|
{
|
||||||
|
inherit name;
|
||||||
|
|
||||||
|
nodes.machine = {
|
||||||
|
imports = [extraMachineConfig];
|
||||||
|
nix.nixPath = ["nixpkgs=${pkgs.path}"];
|
||||||
|
nix.settings.substituters = lib.mkForce [];
|
||||||
|
virtualisation.additionalPaths = [
|
||||||
|
expressionFile
|
||||||
|
(pkgs.callPackage expressionFile {}).inputDerivation
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
testScript = { nodes }: ''
|
||||||
|
start_all()
|
||||||
|
|
||||||
|
machine.succeed('nix-build --expr "let pkgs = import <nixpkgs> {}; in pkgs.callPackage ${expressionFile} {}"')
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
}
|
Loading…
Reference in a new issue