mirror of
https://github.com/NixOS/nix.git
synced 2024-11-22 14:52:55 +00:00
Run the builds in a daemon-controled directory
Instead of running the builds under `$TMPDIR/{unique-build-directory-owned-by-the-build-user}`, run them under `$TMPDIR/{unique-build-directory-owned-by-the-daemon}/{subdir-owned-by-the-build-user}` where the build directory is only readable and traversable by the daemon user. This achieves two things: 1. It prevents builders from making their build directory world-readable (or even writeable), which would allow the outside world to interact with them. 2. It prevents external processes running as the build user (either because that somehow leaked, maybe as a consequence of 1., or because `build-users` isn't in use) from gaining access to the build directory.
This commit is contained in:
parent
21cd71d250
commit
e919c0bf8f
@ -494,10 +494,13 @@ void LocalDerivationGoal::startBuilder()
|
|||||||
additionalSandboxProfile = parsedDrv->getStringAttr("__sandboxProfile").value_or("");
|
additionalSandboxProfile = parsedDrv->getStringAttr("__sandboxProfile").value_or("");
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* Create a temporary directory where the build will take
|
/* Create a temporary directory where the build will take place.
|
||||||
place. */
|
* That directory is wrapped into a restricted daemon-owned one to make sure
|
||||||
tmpDir = createTempDir("", "nix-build-" + std::string(drvPath.name()), false, false, 0700);
|
* that the builder can't open its build directory to the world.
|
||||||
|
* */
|
||||||
|
auto parentTmpDir = createTempDir("", "nix-build-" + std::string(drvPath.name()), false, false, 0700);
|
||||||
|
tmpDir = parentTmpDir + "/build";
|
||||||
|
createDir(tmpDir, 0700);
|
||||||
chownToBuilder(tmpDir);
|
chownToBuilder(tmpDir);
|
||||||
|
|
||||||
for (auto & [outputName, status] : initialOutputs) {
|
for (auto & [outputName, status] : initialOutputs) {
|
||||||
|
@ -420,6 +420,11 @@ void deletePath(const Path & path)
|
|||||||
deletePath(path, dummy);
|
deletePath(path, dummy);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void createDir(const Path &path, mode_t mode)
|
||||||
|
{
|
||||||
|
if (mkdir(path.c_str(), mode) == -1)
|
||||||
|
throw SysError("creating directory '%1%'", path);
|
||||||
|
}
|
||||||
|
|
||||||
Paths createDirs(const Path & path)
|
Paths createDirs(const Path & path)
|
||||||
{
|
{
|
||||||
|
@ -165,6 +165,11 @@ inline Paths createDirs(PathView path)
|
|||||||
return createDirs(Path(path));
|
return createDirs(Path(path));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Create a single directory.
|
||||||
|
*/
|
||||||
|
void createDir(const Path & path, mode_t mode = 0755);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Create a symlink.
|
* Create a symlink.
|
||||||
*/
|
*/
|
||||||
|
@ -16,6 +16,8 @@ let
|
|||||||
set -x
|
set -x
|
||||||
|
|
||||||
chmod 700 .
|
chmod 700 .
|
||||||
|
# Shouldn't be able to open the root build directory
|
||||||
|
(! chmod 700 ..)
|
||||||
|
|
||||||
touch foo
|
touch foo
|
||||||
|
|
||||||
@ -85,15 +87,15 @@ in
|
|||||||
|
|
||||||
# Wait for the build to be ready
|
# Wait for the build to be ready
|
||||||
# This is OK because it runs as root, so we can access everything
|
# This is OK because it runs as root, so we can access everything
|
||||||
machine.wait_for_file("/tmp/nix-build-open-build-dir.drv-0/syncPoint")
|
machine.wait_for_file("/tmp/nix-build-open-build-dir.drv-0/build/syncPoint")
|
||||||
|
|
||||||
# But Alice shouldn't be able to access the build directory
|
# But Alice shouldn't be able to access the build directory
|
||||||
machine.fail("su alice -c 'ls /tmp/nix-build-open-build-dir.drv-0'")
|
machine.fail("su alice -c 'ls /tmp/nix-build-open-build-dir.drv-0/build'")
|
||||||
machine.fail("su alice -c 'touch /tmp/nix-build-open-build-dir.drv-0/bar'")
|
machine.fail("su alice -c 'touch /tmp/nix-build-open-build-dir.drv-0/build/bar'")
|
||||||
machine.fail("su alice -c 'cat /tmp/nix-build-open-build-dir.drv-0/foo'")
|
machine.fail("su alice -c 'cat /tmp/nix-build-open-build-dir.drv-0/build/foo'")
|
||||||
|
|
||||||
# Tell the user to finish the build
|
# Tell the user to finish the build
|
||||||
machine.succeed("echo foo > /tmp/nix-build-open-build-dir.drv-0/syncPoint")
|
machine.succeed("echo foo > /tmp/nix-build-open-build-dir.drv-0/build/syncPoint")
|
||||||
|
|
||||||
with subtest("Being able to execute stuff as the build user doesn't give access to the build dir"):
|
with subtest("Being able to execute stuff as the build user doesn't give access to the build dir"):
|
||||||
machine.succeed(r"""
|
machine.succeed(r"""
|
||||||
@ -105,16 +107,16 @@ in
|
|||||||
args = [ (builtins.storePath "${create-hello-world}") ];
|
args = [ (builtins.storePath "${create-hello-world}") ];
|
||||||
}' >&2 &
|
}' >&2 &
|
||||||
""".strip())
|
""".strip())
|
||||||
machine.wait_for_file("/tmp/nix-build-innocent.drv-0/syncPoint")
|
machine.wait_for_file("/tmp/nix-build-innocent.drv-0/build/syncPoint")
|
||||||
|
|
||||||
# The build ran as `nixbld1` (which is the only build user on the
|
# The build ran as `nixbld1` (which is the only build user on the
|
||||||
# machine), but a process running as `nixbld1` outside the sandbox
|
# machine), but a process running as `nixbld1` outside the sandbox
|
||||||
# shouldn't be able to touch the build directory regardless
|
# shouldn't be able to touch the build directory regardless
|
||||||
machine.fail("su nixbld1 --shell ${pkgs.busybox-sandbox-shell}/bin/sh -c 'ls /tmp/nix-build-innocent.drv-0'")
|
machine.fail("su nixbld1 --shell ${pkgs.busybox-sandbox-shell}/bin/sh -c 'ls /tmp/nix-build-innocent.drv-0/build'")
|
||||||
machine.fail("su nixbld1 --shell ${pkgs.busybox-sandbox-shell}/bin/sh -c 'echo pwned > /tmp/nix-build-innocent.drv-0/result'")
|
machine.fail("su nixbld1 --shell ${pkgs.busybox-sandbox-shell}/bin/sh -c 'echo pwned > /tmp/nix-build-innocent.drv-0/build/result'")
|
||||||
|
|
||||||
# Finish the build
|
# Finish the build
|
||||||
machine.succeed("echo foo > /tmp/nix-build-innocent.drv-0/syncPoint")
|
machine.succeed("echo foo > /tmp/nix-build-innocent.drv-0/build/syncPoint")
|
||||||
|
|
||||||
# Check that the build was not affected
|
# Check that the build was not affected
|
||||||
machine.succeed(r"""
|
machine.succeed(r"""
|
||||||
|
Loading…
Reference in New Issue
Block a user