2024-02-12 20:28:20 +00:00
|
|
|
# Nix is a sandboxed build system. But Not everything can be handled inside its
|
|
|
|
# sandbox: Network access is normally blocked off, but to download sources, a
|
|
|
|
# trapdoor has to exist. Nix handles this by having "Fixed-output derivations".
|
|
|
|
# The detail here is not important, but in our case it means that the hash of
|
|
|
|
# the output has to be known beforehand. And if you know that, you get a few
|
|
|
|
# rights: you no longer run inside a special network namespace!
|
|
|
|
#
|
|
|
|
# Now, Linux has a special feature, that not many other unices do: Abstract
|
|
|
|
# unix domain sockets! Not only that, but those are namespaced using the
|
|
|
|
# network namespace! That means that we have a way to create sockets that are
|
|
|
|
# available in every single fixed-output derivation, and also all processes
|
|
|
|
# running on the host machine! Now, this wouldn't be that much of an issue, as,
|
|
|
|
# well, the whole idea is that the output is pure, and all processes in the
|
|
|
|
# sandbox are killed before finalizing the output. What if we didn't need those
|
|
|
|
# processes at all? Unix domain sockets have a semi-known trick: you can pass
|
|
|
|
# file descriptors around!
|
|
|
|
# This makes it possible to exfiltrate a file-descriptor with write access to
|
|
|
|
# $out outside of the sandbox. And that file-descriptor can be used to modify
|
|
|
|
# the contents of the store path after it has been registered.
|
|
|
|
|
|
|
|
{ config, ... }:
|
|
|
|
|
|
|
|
let
|
|
|
|
pkgs = config.nodes.machine.nixpkgs.pkgs;
|
|
|
|
|
|
|
|
# Simple C program that sends a a file descriptor to `$out` to a Unix
|
|
|
|
# domain socket.
|
|
|
|
# Compiled statically so that we can easily send it to the VM and use it
|
|
|
|
# inside the build sandbox.
|
|
|
|
sender = pkgs.runCommandWith {
|
|
|
|
name = "sender";
|
|
|
|
stdenv = pkgs.pkgsStatic.stdenv;
|
|
|
|
} ''
|
|
|
|
$CC -static -o $out ${./sender.c}
|
|
|
|
'';
|
|
|
|
|
|
|
|
# Okay, so we have a file descriptor shipped out of the FOD now. But the
|
|
|
|
# Nix store is read-only, right? .. Well, yeah. But this file descriptor
|
|
|
|
# lives in a mount namespace where it is not! So even when this file exists
|
|
|
|
# in the actual Nix store, we're capable of just modifying its contents...
|
|
|
|
smuggler = pkgs.writeCBin "smuggler" (builtins.readFile ./smuggler.c);
|
|
|
|
|
|
|
|
# The abstract socket path used to exfiltrate the file descriptor
|
|
|
|
socketName = "FODSandboxExfiltrationSocket";
|
|
|
|
in
|
|
|
|
{
|
|
|
|
name = "ca-fd-leak";
|
|
|
|
|
|
|
|
nodes.machine =
|
|
|
|
{ config, lib, pkgs, ... }:
|
|
|
|
{ virtualisation.writableStore = true;
|
|
|
|
nix.settings.substituters = lib.mkForce [ ];
|
|
|
|
virtualisation.additionalPaths = [ pkgs.busybox-sandbox-shell sender smuggler pkgs.socat ];
|
|
|
|
};
|
|
|
|
|
|
|
|
testScript = { nodes }: ''
|
|
|
|
start_all()
|
|
|
|
|
|
|
|
machine.succeed("echo hello")
|
|
|
|
# Start the smuggler server
|
|
|
|
machine.succeed("${smuggler}/bin/smuggler ${socketName} >&2 &")
|
|
|
|
|
|
|
|
# Build the smuggled derivation.
|
|
|
|
# This will connect to the smuggler server and send it the file descriptor
|
|
|
|
machine.succeed(r"""
|
|
|
|
nix-build -E '
|
|
|
|
builtins.derivation {
|
|
|
|
name = "smuggled";
|
|
|
|
system = builtins.currentSystem;
|
|
|
|
# look ma, no tricks!
|
|
|
|
outputHashMode = "flat";
|
|
|
|
outputHashAlgo = "sha256";
|
|
|
|
outputHash = builtins.hashString "sha256" "hello, world\n";
|
|
|
|
builder = "${pkgs.busybox-sandbox-shell}/bin/sh";
|
|
|
|
args = [ "-c" "echo \"hello, world\" > $out; ''${${sender}} ${socketName}" ];
|
|
|
|
}'
|
|
|
|
""".strip())
|
|
|
|
|
|
|
|
|
|
|
|
# Tell the smuggler server that we're done
|
|
|
|
machine.execute("echo done | ${pkgs.socat}/bin/socat - ABSTRACT-CONNECT:${socketName}")
|
|
|
|
|
2024-02-21 16:32:36 +00:00
|
|
|
# Check that the file was not modified
|
2024-02-12 20:28:20 +00:00
|
|
|
machine.succeed(r"""
|
|
|
|
cat ./result
|
|
|
|
test "$(cat ./result)" = "hello, world"
|
|
|
|
""".strip())
|
|
|
|
'';
|
|
|
|
|
|
|
|
}
|