Don't allow writing to /etc

(cherry picked from commit db41f74af3)
2024-11-22 06:42:28 +00:00 · 2023-02-14 12:03:34 +01:00 · 2023-02-14 12:03:34 +01:00 · 58210e5306
commit 58210e5306
parent 9157f94e77
2 changed files with 6 additions and 1 deletions
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@ -663,7 +663,6 @@ void LocalDerivationGoal::startBuilder()
           nobody account.  The latter is kind of a hack to support
           Samba-in-QEMU. */
        createDirs(chrootRootDir + "/etc");
-        chownToBuilder(chrootRootDir + "/etc");

        if (parsedDrv->useUidRange() && (!buildUser || buildUser->getUIDCount() < 65536))
            throw Error("feature 'uid-range' requires the setting '%s' to be enabled", settings.autoAllocateUids.name);
@ -1023,6 +1022,9 @@ void LocalDerivationGoal::startBuilder()
                "nobody:x:65534:65534:Nobody:/:/noshell\n",
                sandboxUid(), sandboxGid(), settings.sandboxBuildDir));

+        /* Make /etc unwritable */
+        chmod_(chrootRootDir + "/etc", 0555);
+
        /* Save the mount- and user namespace of the child. We have to do this
           *before* the child does a chroot. */
        sandboxMountNamespace = open(fmt("/proc/%d/ns/mnt", (pid_t) pid).c_str(), O_RDONLY);
--- a/tests/linux-sandbox.sh
+++ b/tests/linux-sandbox.sh
@ -37,3 +37,6 @@ nix-build check.nix -A nondeterministic --sandbox-paths /nix/store --no-out-link
 (! nix-build check.nix -A nondeterministic --sandbox-paths /nix/store --no-out-link --check -K 2> $TEST_ROOT/log)
 if grep -q 'error: renaming' $TEST_ROOT/log; then false; fi
 grep -q 'may not be deterministic' $TEST_ROOT/log
+
+# Test that sandboxed builds cannot write to /etc easily
+(! nix-build -E 'with import ./config.nix; mkDerivation { name = "etc-write"; buildCommand = "echo > /etc/test"; }' --no-out-link --sandbox-paths /nix/store)