buildFHSEnv: disable security features by default

The implicit contract of buildFHSUserEnv was that it allows to run
software built for a typical GNU/Linux distribution (not NixOS) without
patching it (patchelf, autoPatchelfHook, etc.). Note that this does not
inherently imply running untrusted programs.

buildFHSUserEnv was implemented by using chroot and assembling a
standard-compliant FHS environment in the new root. As expected, this
did not provide any kind of isolation between the system and the
programs.

However, when it was later reimplemented using bubblewrap
(PR #225748), which *is* a security tool, several isolation features
involving detaches Linux namespaces were turned on by default.
This decision has introduced a number of breakages that are very
difficult to debug and trace back to this change.
For example: `unshareIPC` breaks software audio mixing in programs using
ALSA (dmix) and `unsharePID` breaks gdb,

Since:

  1. the security features were enable without any clear threat model;
  2. `buildFHSEnvBubblewrap` is supposed to be a drop-in replacement of
     `buildFHSEnvChrootenv` (see the release notes for NixOS 23.05);
  3. the change is breaking in several common cases (security does not
     come for free);
  4. the contract was not changed, or at least communicated in a clear
     way to the users;

all security features should be turned off by default.

P.S. It would be useful to create a variant of buildFHSEnv that does
provide some isolation. This could unshare some namespaces and mount
only limited parts of the filesystem.
Note that buildFHSEnv mounts every directory in / under the new root, so
again, very little is gained by unsharing alone.
This commit is contained in:
rnhmjoj 2023-09-08 08:58:31 +02:00
parent ef14cdd5b9
commit c945723356
No known key found for this signature in database
GPG key ID: BFBAF4C975F76450

View file

@ -17,12 +17,12 @@
, meta ? {}
, passthru ? {}
, extraBwrapArgs ? []
, unshareUser ? true
, unshareIpc ? true
, unsharePid ? true
, unshareUser ? false
, unshareIpc ? false
, unsharePid ? false
, unshareNet ? false
, unshareUts ? true
, unshareCgroup ? true
, unshareUts ? false
, unshareCgroup ? false
, dieWithParent ? true
, ...
} @ args: