libstore/build: set NO_NEW_PRIVS for the sandbox

Change-Id: I711f64e2b68495ed9c85c1a4bd5025405805e43a
This commit is contained in:
K900 2024-04-14 16:41:06 +03:00
parent 8d15e6af4b
commit effc28f6f5
6 changed files with 54 additions and 0 deletions


@ -41,6 +41,7 @@
#include <sched.h> #include <sched.h>
#include <sys/param.h> #include <sys/param.h>
#include <sys/mount.h> #include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/syscall.h> #include <sys/syscall.h>
#if HAVE_SECCOMP #if HAVE_SECCOMP
#include <seccomp.h> #include <seccomp.h>
@ -1949,6 +1950,10 @@ void LocalDerivationGoal::runChild()
throw SysError("setuid failed"); throw SysError("setuid failed");
setUser = false; setUser = false;
// Make sure we can't possibly gain new privileges in the sandbox
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
throw SysError("PR_SET_NO_NEW_PRIVS failed");
} }
#endif #endif
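Review bot: PR_SET_NO_NEW_PRIVS is only reached inside the block that the `}` on the line before `#endif` closes, which from the surrounding setgid/setuid context appears to be the sandboxed Linux path; a build that runs without the sandbox keeps the old behaviour, so either document that scope or apply the flag on the non-sandbox build-user path too. The placement itself is right — it must come after the setuid/setgid calls and before the execve of the builder, because the flag is inherited across exec and cannot be cleared — and a comment saying so would stop the next reader from moving it: `// Must stay after setuid/setgid and before execve: NO_NEW_PRIVS is inherited by children and cannot be unset`. The enclosing block begins outside this hunk.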


@ -160,4 +160,6 @@ in
fetch-git = runNixOSTestFor "x86_64-linux" ./fetch-git; fetch-git = runNixOSTestFor "x86_64-linux" ./fetch-git;
symlinkResolvconf = runNixOSTestFor "x86_64-linux" ./symlink-resolvconf.nix; symlinkResolvconf = runNixOSTestFor "x86_64-linux" ./symlink-resolvconf.nix;
rootInSandbox = runNixOSTestFor "x86_64-linux" ./root-in-sandbox;
} }


@ -0,0 +1,15 @@
let
inherit (import ../util.nix) mkNixBuildTest;
in mkNixBuildTest {
name = "root-in-sandbox";
extraMachineConfig = { pkgs, ... }: {
security.wrappers.ohno = {
owner = "root";
group = "root";
setuid = true;
source = "${pkgs.coreutils}/bin/whoami";
};
nix.settings.extra-sandbox-paths = ["/run/wrappers/bin"];
};
expressionFile = ./package.nix;
}


@ -0,0 +1,8 @@
{ runCommand }:
runCommand "cant-get-root-in-sandbox" {} ''
if /run/wrappers/bin/ohno; then
echo "Oh no! We're root in the sandbox!"
exit 1
fi
touch $out
''
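Review bot: The check on the `if /run/wrappers/bin/ohno` line tests only the wrapper's exit status, so it passes when the wrapper refuses to run at all and fails when whoami simply executes as the build user — neither is the property the commit is about, which is that the setuid binary does not run as root. Assert on the output instead: `if [ "$(/run/wrappers/bin/ohno 2>/dev/null || true)" = root ]; then`. Whether the NixOS security wrapper exits non-zero when its setuid bit is ineffective is not visible from this change, so the current form may be leaning on that detail.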


@ -1,5 +1,6 @@
{ pkgs, ... }: { pkgs, ... }:
let let
# Can't use the cool helper because inputDerivation does not work with FODs :(
checkResolvconfInSandbox = pkgs.runCommand "resolvconf-works-in-sandbox" { checkResolvconfInSandbox = pkgs.runCommand "resolvconf-works-in-sandbox" {
# must be an FOD to have a resolv.conf in the first place # must be an FOD to have a resolv.conf in the first place
outputHash = "sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="; outputHash = "sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=";

23
tests/nixos/util.nix Normal file

@ -0,0 +1,23 @@
{
mkNixBuildTest = { name, expressionFile, extraMachineConfig ? {} }:
{ lib, pkgs, ... }:
{
inherit name;
nodes.machine = {
imports = [extraMachineConfig];
nix.nixPath = ["nixpkgs=${pkgs.path}"];
nix.settings.substituters = lib.mkForce [];
virtualisation.additionalPaths = [
expressionFile
(pkgs.callPackage expressionFile {}).inputDerivation
];
};
testScript = { nodes }: ''
start_all()
machine.succeed('nix-build --expr "let pkgs = import <nixpkgs> {}; in pkgs.callPackage ${expressionFile} {}"')
'';
};
}
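Review bot: mkNixBuildTest never sets `nix.settings.sandbox = true;` on the machine, so a test like root-in-sandbox relies on the NixOS default for whether the build is sandboxed at all; pinning it next to the substituters line makes the property under test explicit and keeps the test meaningful if the default changes. The `${expressionFile}` interpolation in testScript should resolve to a store path (the same value is listed in virtualisation.additionalPaths), so the single-quoted shell string looks safe as written.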