Commit Graph

14979 Commits

Author SHA1 Message Date
Robert Hensing
5bcc7069be Store ref<EvalState> in CachedEvalError
This makes the previous commits work.
Newer versions store it in all EvalErrors.
2024-09-09 00:38:28 +02:00
éclairevoyant
ef63ba10a2
fix
2024-09-08 12:04:26 -04:00
Eelco Dolstra
fc14197935
Typo
(cherry picked from commit eeb4c40867)
2024-09-08 10:31:25 -04:00
Eelco Dolstra
8e5ec819f8
AttrCursor: Remove forceErrors
Instead, force evaluation of the original value only if we need to
show the exception to the user.

(cherry picked from commit 2c88930ef2)
2024-09-08 10:31:23 -04:00
Eelco Dolstra
e3c55dd0d3
Add test for the evaluation cache
(cherry picked from commit 8b86f415c1)
2024-09-08 10:26:47 -04:00
Robert Hensing
e154f412b7
Merge pull request #11336 from NixOS/backport-11332-to-2.18-maintenance
[Backport 2.18-maintenance] [Backport 2.22-maintenance] fix: check to see if there are any lines before
2024-08-19 17:05:38 +02:00
Tom Bereknyei
0d24420f9c fix: check to see if there are any lines before
(cherry picked from commit 59db8fd62b)
(cherry picked from commit aab801db98)
2024-08-19 14:28:08 +00:00
Eelco Dolstra
195c3e931f Bump version
2024-07-08 13:41:12 +02:00
Robert Hensing
217fadd993
Merge pull request #11047 from NixOS/backport-11046-to-2.18-maintenance
[Backport 2.18-maintenance] [Backport 2.21-maintenance] libstore: fix sandboxed builds on macOS
2024-07-05 19:40:45 +02:00
Emily
0b97319ed4 libstore: fix sandboxed builds on macOS
The recent fix for CVE-2024-38531 broke the sandbox on macOS
completely. As it’s not practical to use `chroot(2)` on
macOS, the build takes place in the main filesystem tree, and the
world‐unreadable wrapper directory prevents the build from accessing
its `$TMPDIR` at all.

The macOS sandbox probably shouldn’t be treated as any kind of a
security boundary in its current state, but this specific vulnerability
wasn’t possible to exploit on macOS anyway, as creating `set{u,g}id`
binaries is blocked by sandbox policy.

Locking down the build sandbox further may be a good idea in future,
but it already has significant compatibility issues. For now, restore
the previous status quo on macOS.

Thanks to @alois31 for helping me come to a better understanding of
the vulnerability.

Fixes: 1d3696f0fb
Closes: #11002
(cherry picked from commit af2e1142b1)
(cherry picked from commit 9feee13952)
2024-07-05 15:59:20 +00:00
Emily
ff7b9a1fd3 libstore: clean up the build directory properly
After the fix for CVE-2024-38531, this was only removing the nested
build directory, rather than the top‐level temporary directory.

Fixes: 1d3696f0fb
(cherry picked from commit 76e4adfaac)
(cherry picked from commit 0d68b40dda)
2024-07-05 15:59:20 +00:00
Robert Hensing
5e160c9cfe
Merge pull request #11024 from NixOS/backport-11022-to-2.18-maintenance
[Backport 2.18-maintenance] Use proper struct sockpeercred for SO_PEERCRED for OpenBSD
2024-07-03 19:58:35 +02:00
kn
454adc40f7 Use proper struct sockpeercred for SO_PEERCRED for OpenBSD
getsockopt(2) documents this; ucred is wrong ("cr_" member prefix, no pid).

(cherry picked from commit 10ccdb7a41)
2024-07-03 15:56:59 +00:00
John Ericson
1836493f67 Indent some CPP in nix daemon
Makes it easier for me to read.

(cherry picked from commit a09360400b)
2024-07-03 15:56:59 +00:00
Eelco Dolstra
ab9f629150 Bump version
2024-06-27 11:24:27 +02:00
tomberek
1ee7a9b84f
Merge pull request from GHSA-q82p-44mg-mgh5
Fix sandbox escape 2.18
2024-06-26 18:49:22 -04:00
Eelco Dolstra
2778076699 Fix --no-sandbox
When sandboxing is disabled, we cannot put $TMPDIR underneath an
inaccessible directory.

(cherry picked from commit 86ca2d6d94c0581fda0c666c5e022784952f3542)
(cherry picked from commit 8f58b98770)
2024-06-21 16:51:11 +02:00
Eelco Dolstra
c211d3d9fe Put the chroot inside a directory that isn't group/world-accessible
Previously, the .chroot directory had permission 750 or 755 (depending
on the uid-range system feature) and was owned by root/nixbld. This
makes it possible for any nixbld user (if uid-range is disabled) or
any user (if uid-range is enabled) to inspect the contents of the
chroot of an active build and maybe interfere with it (e.g. via /tmp
in the chroot, which has 1777 permission).

To prevent this, the root is now a subdirectory of .chroot, which has
permission 700 and is owned by root/root.

(cherry picked from commit af280e72fa0e62e1c2eaccfb992c0dbb6f27f895)
2024-06-21 16:50:12 +02:00
Eelco Dolstra
5d7d7d8648 Bump version
2024-06-19 18:33:05 +02:00
Robert Hensing
c7d35a4a4d
Merge pull request #10889 from NixOS/backport-10883-to-2.18-maintenance
[Backport 2.18-maintenance] fix: remove usage of XDG_RUNTIME_DIR for TMP
2024-06-10 21:01:27 +02:00
Tom Bereknyei
15fe2a81d9 fix: remove usage of XDG_RUNTIME_DIR for TMP
(cherry picked from commit 1363f51bcb)
2024-06-10 15:07:28 +00:00
Robert Hensing
fbe66d11d9
Merge pull request #10887 from NixOS/backport-10303-to-2.18-maintenance
[Backport 2.18-maintenance] fix: Treat empty TMPDIR as unset (#10303)
2024-06-10 16:48:31 +02:00
Robert Hensing
20a46e17a8 Fix includes for cherry-picks
2024-06-10 16:22:11 +02:00
Robert Hensing
45d900f5c2 HttpBinaryCacheStore: Remove *all* trailing slashes
(cherry picked from commit 850c9a6caf)
2024-06-10 16:11:04 +02:00
Robert Hensing
d1848506f8 local-derivation-goal.cc: Remove *all* trailing slashes
(cherry picked from commit dd26f41379)
2024-06-10 16:11:04 +02:00
Robert Hensing
28fc0e4f58 local-derivation-goal.cc: Reuse defaultTempDir()
(cherry picked from commit fd31945742)
2024-06-10 16:11:04 +02:00
Robert Hensing
c1f69dfc5e fix: Treat empty XDG_RUNTIME_DIR as unset
See preceding commit. Not observed in the wild, but is sensible
and consistent with TMPDIR behavior.

(cherry picked from commit b9e7f5aa2d)
2024-06-10 16:11:03 +02:00
Robert Hensing
1a336bf865 fix: Treat empty TMPDIR as unset
Fixes an instance of

    nix: src/libutil/util.cc:139: nix::Path nix::canonPath(PathView, bool): Assertion `path != ""' failed.

... which I've been getting in one of my shells for some reason.
I have yet to find out why TMPDIR was empty, but it's no reason for
Nix to break.

(cherry picked from commit c3fb2aa1f9)
2024-06-10 16:10:59 +02:00
Eelco Dolstra
8e75ad1995
Merge pull request #10609 from Ma27/backport-fchmodat2-fixes
[2.18] prohibit creating setuid/setgid binaries with fchmodat2
2024-04-25 10:27:59 +02:00
Maximilian Bosch
a75c34a2c9
Require at least libseccomp 2.5.5
Closes #10585

As it turns out, libseccomp maintains an internal syscall table and
validates each rule against it. This means that when using libseccomp
2.5.4 or older, one may pass `452` as syscall number against it, but
since it doesn't exist in the internal structure, `libseccomp` will refuse
to create a filter for that. This happens with nixpkgs-23.11, i.e. on
stable NixOS and when building Nix against the project's flake.

To work around that

* a backport of libseccomp 2.5.5 on upstream nixpkgs has been
  scheduled[1].

* the package now uses libseccomp 2.5.5 on its own already. This is to
  provide a quick fix since the correct fix for 23.11 is still a staging cycle
  away.

It must not be possible to build a Nix with an incompatible libseccomp
version (nothing can be built in a sandbox on Linux!), so configure.ac
rejects libseccomp if `__SNR_fchmodat2` is not defined.

We still need the compat header though since `SCMP_SYS(fchmodat2)`
internally transforms this into `__SNR_fchmodat2` which points to
`__NR_fchmodat2` from glibc 2.39, so it wouldn't build on glibc 2.38.
The updated syscall table from libseccomp 2.5.5 is NOT used for that
step, but used later, so we need both, our compat header and their
syscall table 🤷

[1] https://github.com/NixOS/nixpkgs/pull/306070

(cherry picked from commit 73918b0ae4)
2024-04-24 23:41:46 +02:00
Maximilian Bosch
39b08e3766
libstore/local-derivation-goal: prohibit creating setuid/setgid binaries
With Linux kernel >=6.6 & glibc 2.39 a `fchmodat2(2)` is available that
isn't filtered away by the libseccomp sandbox.

Being able to use this to bypass that restriction has surprising results
for some builds such as lxc[1]:

> With kernel ≥6.6 and glibc 2.39, lxc's install phase uses fchmodat2,
> which slips through 9b88e52846/src/libstore/build/local-derivation-goal.cc (L1650-L1663).
> The fixupPhase then uses fchmodat, which fails.
> With older kernel or glibc, setting the suid bit fails in the
> install phase, which is not treated as fatal, and then the
> fixup phase does not try to set it again.

Please note that there are still ways to bypass this sandbox[2] and this is
mostly a fix for the breaking builds.

This change works by creating a syscall filter for the `fchmodat2`
syscall (number 452 on most systems). The problem is that glibc 2.39
and seccomp 2.5.5 are needed to have the correct syscall number available
via `__NR_fchmodat2` / `__SNR_fchmodat2`, but this flake is still on
nixpkgs 23.11. To have this change everywhere and not dependent on the
glibc this package is built against, I added a header
"fchmodat2-compat.hh" that sets the syscall number based on the
architecture. On most platforms it's 452 according to glibc with a few
exceptions:

    $ rg --pcre2 'define __NR_fchmodat2 (?!452)'
    sysdeps/unix/sysv/linux/x86_64/x32/arch-syscall.h
    58:#define __NR_fchmodat2 1073742276

    sysdeps/unix/sysv/linux/mips/mips64/n32/arch-syscall.h
    67:#define __NR_fchmodat2 6452

    sysdeps/unix/sysv/linux/mips/mips64/n64/arch-syscall.h
    62:#define __NR_fchmodat2 5452

    sysdeps/unix/sysv/linux/mips/mips32/arch-syscall.h
    70:#define __NR_fchmodat2 4452

    sysdeps/unix/sysv/linux/alpha/arch-syscall.h
    59:#define __NR_fchmodat2 562

I tested the change by adding the diff below as patch to
`pkgs/tools/package-management/nix/common.nix` & then built a VM from
the following config using my dirty nixpkgs master:

    {
      vm = { pkgs, ... }: {
        virtualisation.writableStore = true;
        virtualisation.memorySize = 8192;
        virtualisation.diskSize = 12 * 1024;
        nix.package = pkgs.nixVersions.nix_2_21;
      };
    }

The original issue can be triggered via

    nix build -L github:nixos/nixpkgs/d6dc19adbda4fd92fe9a332327a8113eaa843894#lxc \
      --extra-experimental-features 'nix-command flakes'

however the problem disappears with this patch applied.

Closes #10424

[1] https://github.com/NixOS/nixpkgs/issues/300635#issuecomment-2031073804
[2] https://github.com/NixOS/nixpkgs/issues/300635#issuecomment-2030844251

(cherry picked from commit ba68045187)
2024-04-24 23:28:23 +02:00
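The two commits above describe the hole (a setid bit set through `fchmodat2`, which the older filter never looked at) and the compat-header workaround for the syscall number. The block below is an added example written for this page, not Nix's own filter code and not using libseccomp at all: it builds the same kind of rule as a raw seccomp-BPF program, so the mechanism is visible without depending on the libseccomp syscall table that caused the version problem in a75c34a2c9. It checks the low 32 bits of the mode argument of `chmod`, `fchmod`, `fchmodat` and `fchmodat2` for `S_ISUID|S_ISGID` and fails such calls with `EPERM`. The `__NR_fchmodat2` fallback of 452 is only correct for x86_64 and aarch64 (the commit lists the x32, mips and alpha exceptions), the byte-order assumption is little-endian, and the temp-file path is a constructed one.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Compat fallback for headers older than glibc 2.39. 452 is right for
   x86_64 and aarch64 only; x32, mips and alpha use other numbers. */
#ifndef __NR_fchmodat2
#define __NR_fchmodat2 452
#endif

#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#error "example written for x86_64 and aarch64 only"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

#define SETID_BITS (S_ISUID | S_ISGID)

/* Little-endian assumption: the low 32 bits of args[i] sit at its start. */
#define ARG_LO(i) ((unsigned)offsetof(struct seccomp_data, args[i]))

/* Five BPF instructions: if nr == sysno and (args[argidx] & 06000) != 0,
   return EPERM to the caller; otherwise fall through to the next rule. */
#define DENY_SETID_VIA(sysno, argidx) \
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)), \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (sysno), 0, 3), \
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(argidx)), \
    BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, SETID_BITS, 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

static struct sock_filter filter[] = {
    /* refuse foreign ABIs outright: their syscall numbers differ */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
#ifdef __NR_chmod                      /* absent on aarch64 */
    DENY_SETID_VIA(__NR_chmod, 1),
#endif
    DENY_SETID_VIA(__NR_fchmod, 1),
    DENY_SETID_VIA(__NR_fchmodat, 2),
    DENY_SETID_VIA(__NR_fchmodat2, 2), /* the call that slipped through */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Install the filter for the calling thread; 0 on success. */
int install_setid_filter(void) {
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Both return 0 on success, otherwise the errno the kernel or filter produced. */
int try_fchmod(int fd, mode_t mode) { return fchmod(fd, mode) == 0 ? 0 : errno; }
int try_fchmodat2(const char *path, mode_t mode) {
    /* raw syscall: works even where libc has no fchmodat2() wrapper */
    return syscall(__NR_fchmodat2, AT_FDCWD, path, mode, 0) == 0 ? 0 : errno;
}

int main(void) {
    char path[] = "/tmp/setid-demo-XXXXXX";   /* constructed scratch file */
    int fd = mkstemp(path);
    if (fd < 0 || install_setid_filter() != 0) { perror("setup"); return 1; }
    printf("fchmod    04755 -> errno %d (EPERM is %d)\n", try_fchmod(fd, 04755), EPERM);
    printf("fchmodat2 04755 -> errno %d (EPERM is %d)\n", try_fchmodat2(path, 04755), EPERM);
    printf("fchmod    0644  -> errno %d (0 = allowed)\n", try_fchmod(fd, 0644));
    unlink(path);
    return 0;
}
```

Because seccomp decides before the syscall table is consulted, the `fchmodat2` attempt fails with `EPERM` even on a kernel older than 6.6 that would otherwise answer `ENOSYS`; that is also why the filter must know the number independently of whether the running kernel implements it.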
Théophane Hufschmitt
38822ce6d7 Add a release note for the build-dir hardening
2024-04-22 18:37:54 -04:00
Théophane Hufschmitt
3481a9c41d Run the builds in a daemon-controlled directory
Instead of running the builds under
`$TMPDIR/{unique-build-directory-owned-by-the-build-user}`, run them
under `$TMPDIR/{unique-build-directory-owned-by-the-daemon}/{subdir-owned-by-the-build-user}`
where the build directory is only readable and traversable by the daemon user.

This achieves two things:

1. It prevents builders from making their build directory world-readable
   (or even writeable), which would allow the outside world to interact
   with them.
2. It prevents external processes running as the build user (either
   because that somehow leaked, maybe as a consequence of 1., or because
   `build-users` isn't in use) from gaining access to the build
   directory.

fix: do not use unknown setting

tests: remove build-dir test
2024-04-22 18:37:52 -04:00
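Both c211d3d9fe (chroot under a 700 root-owned directory) and 3481a9c41d above (build directory under a daemon-owned directory that only the daemon can traverse) rely on the same property: somewhere between the temp root and the build tree there is a directory the build user can neither enter nor chmod. The block below is an added example for this page, not Nix code, that audits exactly that property for a path. `shielded_from_uid` walks the ancestors of a directory up to a stop directory and reports whether one of them has no group/other bits at all and is owned by someone other than the build user; the layout, the uid arithmetic and the temp paths are constructed for the demo, and root's DAC bypass is not modelled.

```c
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if some directory strictly between `stop` and `path` has no
   group/other permission bits (mode & 077 == 0) and is not owned by
   `build_uid`, so that user can neither traverse it nor chmod it open.
   `path` must lie below `stop`. Root bypasses DAC and is not modelled. */
int shielded_from_uid(const char *path, const char *stop, uid_t build_uid) {
    char cur[PATH_MAX];
    size_t stoplen = strlen(stop);
    if (strlen(path) >= sizeof cur) return 0;
    if (strncmp(path, stop, stoplen) != 0 || path[stoplen] != '/') return 0;
    strcpy(cur, path);
    for (;;) {
        char *slash = strrchr(cur, '/');
        if (!slash || slash == cur) return 0;
        *slash = '\0';                          /* step up one component */
        if (strlen(cur) <= stoplen) return 0;   /* back at `stop`: nothing shielded */
        struct stat st;
        if (lstat(cur, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
        if ((st.st_mode & (S_IRWXG | S_IRWXO)) == 0 && st.st_uid != build_uid)
            return 1;
    }
}

/* Creates <base>/outer/inner with explicit modes (chmod after mkdir so the
   umask cannot interfere) and hands both paths back to the caller. */
int make_layout(const char *base, mode_t outer_mode, mode_t inner_mode,
                char *outer, char *inner, size_t n) {
    snprintf(outer, n, "%s/outer", base);
    snprintf(inner, n, "%s/outer/inner", base);
    if (mkdir(outer, 0700) != 0 || chmod(outer, outer_mode) != 0) return -1;
    if (mkdir(inner, 0700) != 0 || chmod(inner, inner_mode) != 0) return -1;
    return 0;
}

int main(void) {
    char base[] = "/tmp/build-dir-demo-XXXXXX", outer[PATH_MAX], inner[PATH_MAX];
    if (!mkdtemp(base) || make_layout(base, 0700, 01777, outer, inner, PATH_MAX) != 0)
        return 1;
    uid_t daemon_uid = geteuid();          /* we play the daemon */
    uid_t build_uid = daemon_uid + 1;      /* constructed: some other user */
    printf("700 parent, other uid: %d\n", shielded_from_uid(inner, base, build_uid));
    printf("700 parent, owner uid: %d\n", shielded_from_uid(inner, base, daemon_uid));
    chmod(outer, 0755);                    /* the pre-fix layout */
    printf("755 parent, other uid: %d\n", shielded_from_uid(inner, base, build_uid));
    return 0;
}
```

The second case is the point of item 1 in the commit message: a 700 directory owned by the build user itself is no shield, because that user can simply `chmod` it world-readable; the ownership check is what makes the inner 1777 `/tmp`-style directory unreachable from outside.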
Théophane Hufschmitt
d24431dea2 Add a test for the user sandboxing
test: add user-sandboxing to hydraJobs
2024-04-22 09:56:49 -04:00
Valentin Gagarin
6f9d2e46fa
show Nix logo in the manual (#10445)
The location of files is hard-coded by mdBook.
There also seems to be no way to define custom templates, therefore
all styling has to be done in the CSS override.

Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
2024-04-09 09:37:44 +00:00
Eelco Dolstra
76364a847d
Merge pull request #10327 from thufschmitt/allow-leading-dot-2.18
[Backport 2.18-maintenance] allow leading period
2024-03-26 18:08:58 +01:00
Robert Hensing
6e3548f866 Disallow store path names that are . or .. (plus opt. -)
As discussed in the maintainer meeting on 2024-01-29.

Mainly this is to avoid a situation where the name is parsed and
treated as a file name, mostly to protect users.
.-* and ..-* are also considered invalid because they might strip
on that separator to remove versions. Doesn't really work, but that's
what we decided, and I won't argue with it, because .-* probably
doesn't seem to have a real world application anyway.
We do still permit a 1-character name that's just "-", which still
poses a similar risk in such a situation. We can't start disallowing
trailing -, because a non-zero number of users will need it and we've
seen how annoying and painful such a change is.

What matters most is preventing a situation where . or .. can be
injected, and to just get this done.
2024-03-26 13:47:41 +01:00
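The rule in the commit above is small but has edge cases ("-" stays legal, ".foo" and "..foo" stay legal, ".-1.0" does not). The block below is an added example for this page, not the project's `parseStorePath`, implementing just that leading-dot rule, plus the naive dash-splitting "version stripper" the commit message worries about, to show why `.-*` and `..-*` are rejected up front; the character-set rules for the rest of a store path name are out of scope here.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 for the names the commit forbids: ".", "..", and anything
   starting with ".-" or "..-". A bare "-" and dot-prefixed names such as
   ".foo" or "..foo" stay allowed. Three or more leading dots are not
   covered by the rule and are left alone. */
int has_forbidden_dot_prefix(const char *name) {
    size_t dots = strspn(name, ".");
    if (dots == 0 || dots > 2) return 0;
    return name[dots] == '\0' || name[dots] == '-';
}

/* A naive "strip the version" helper of the kind the commit worries about:
   cut at the first dash. For ".-1.0" it yields ".", a directory-name
   hazard, which is why such names never get this far. */
void strip_at_first_dash(const char *name, char *out, size_t n) {
    const char *dash = strchr(name, '-');
    size_t len = dash ? (size_t)(dash - name) : strlen(name);
    if (len >= n) len = n - 1;
    memcpy(out, name, len);
    out[len] = '\0';
}

int main(void) {
    const char *samples[] = { ".", "..", ".-1.0", "..-1.0", "-", ".foo", "..foo", "hello-2.12" };
    char stem[64];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        strip_at_first_dash(samples[i], stem, sizeof stem);
        printf("%-10s forbidden=%d stem=\"%s\"\n",
               samples[i], has_forbidden_dot_prefix(samples[i]), stem);
    }
    return 0;
}
```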
Robert Hensing
80ea2dcc25 test: Generate distinct hashes
Gen::just is the constant generator. Don't just return that!
2024-03-26 13:47:41 +01:00
Robert Hensing
51332020c0 test: Generate distinct path names
Gen::just is the constant generator. Don't just return that!
2024-03-26 10:20:43 +00:00
Robert Hensing
752e8e4acd parseStorePath: Support leading period
2024-03-26 10:20:43 +00:00
Robert Hensing
379274fd7f Revert "StorePath: reject names starting with '.'"
This reverts commit 24bda0c7b3.
2024-03-26 10:20:43 +00:00
Eelco Dolstra
d137077271 Bump version
2024-03-07 15:03:40 +01:00
Eelco Dolstra
0bd62229cd Bump version
2024-03-07 13:10:53 +01:00
Eelco Dolstra
17a598e644
Merge pull request from GHSA-2ffj-w4mj-pg37
Sandbox escape 2.18
2024-03-07 11:56:24 +01:00
Tom Bereknyei
9e7065bef5 Add release notes
Co-authored-by: Theophane Hufschmitt <theophane.hufschmitt@tweag.io>
2024-03-07 09:33:44 +01:00
Tom Bereknyei
4bc5a3510f Copy the output of fixed-output derivations before registering them
It is possible to exfiltrate a file descriptor out of the build sandbox
of FODs, and use it to modify the store path after it has been
registered.
To avoid that issue, don't register the output of the build, but a copy
of it (that will be free of any leaked file descriptor).

Co-authored-by: Theophane Hufschmitt <theophane.hufschmitt@tweag.io>
Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
2024-03-07 09:33:44 +01:00
Tom Bereknyei
f8d20e91a4 Add a NixOS test for the sandbox escape
Test that we can't leverage abstract unix domain sockets to leak file
descriptors out of the sandbox and modify the path after it has been
registered.

Co-authored-by: Theophane Hufschmitt <theophane.hufschmitt@tweag.io>
2024-03-07 09:33:40 +01:00
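The two commits above (4bc5a3510f and its test f8d20e91a4) describe the primitive without showing it: a descriptor for an output file is passed out of the sandbox over an abstract unix socket, which has no filesystem entry and so is not hidden by a chroot, and is used to rewrite the file after registration. The block below is an added example for this page, not Nix code, that reproduces the channel in a single process (the "builder" and "outside" halves are just labelled sections, not separate namespaces) using `SCM_RIGHTS`, then shows why registering a copy defeats it: the leaked descriptor still points at the builder's inode, while the copy is a fresh one. Paths, file contents and the socket name are constructed for the demo; abstract sockets are Linux-only.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/un.h>
#include <unistd.h>

/* Abstract-namespace address: a leading NUL byte, no filesystem entry. */
static socklen_t abstract_addr(const char *name, struct sockaddr_un *a) {
    memset(a, 0, sizeof *a);
    a->sun_family = AF_UNIX;
    memcpy(a->sun_path + 1, name, strlen(name));
    return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + strlen(name));
}

/* Pass one descriptor over a connected unix socket (SCM_RIGHTS). */
static int send_fd(int sock, int fd) {
    char byte = 'x', cbuf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { &byte, 1 };
    struct msghdr msg;
    memset(&msg, 0, sizeof msg); memset(cbuf, 0, sizeof cbuf);
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = cbuf; msg.msg_controllen = sizeof cbuf;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof fd);
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

static int recv_fd(int sock) {
    char byte, cbuf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { &byte, 1 };
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = cbuf; msg.msg_controllen = sizeof cbuf;
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd; memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;
}

/* The hardened registration step: a fresh inode no leaked fd refers to. */
static int copy_file(const char *src, const char *dst) {
    int in = open(src, O_RDONLY), out = open(dst, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    char buf[4096]; ssize_t n;
    if (in < 0 || out < 0) return -1;
    while ((n = read(in, buf, sizeof buf)) > 0)
        if (write(out, buf, (size_t)n) != n) return -1;
    close(in); close(out);
    return n == 0 ? 0 : -1;
}

static ssize_t read_file(const char *path, char *buf, size_t n) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t got = read(fd, buf, n);
    close(fd);
    return got;
}

/* Bitmask result: 1 = fd leaked out, 2 = builder's file tampered after
   registration, 4 = the registered copy is still intact. Expected: 7. */
int run_leak_demo(const char *dir) {
    char out[PATH_MAX], reg[PATH_MAX], name[64], buf[16];
    struct sockaddr_un addr;
    snprintf(out, sizeof out, "%s/output", dir);
    snprintf(reg, sizeof reg, "%s/registered", dir);
    snprintf(name, sizeof name, "fod-leak-demo-%ld", (long)getpid());
    socklen_t alen = abstract_addr(name, &addr);

    /* outside the sandbox: a listener in the abstract namespace */
    int ls = socket(AF_UNIX, SOCK_STREAM, 0);
    if (ls < 0 || bind(ls, (struct sockaddr *)&addr, alen) || listen(ls, 1)) return -1;

    /* "builder": write the output, smuggle its descriptor out, drop it */
    int outfd = open(out, O_RDWR | O_CREAT | O_TRUNC, 0644);
    int cs = socket(AF_UNIX, SOCK_STREAM, 0);
    if (outfd < 0 || write(outfd, "good\n", 5) != 5) return -1;
    if (cs < 0 || connect(cs, (struct sockaddr *)&addr, alen) || send_fd(cs, outfd)) return -1;
    close(outfd); close(cs);

    /* outside again: the received descriptor outlives the builder's copy */
    int conn = accept(ls, NULL, NULL);
    int leaked = conn < 0 ? -1 : recv_fd(conn);
    close(conn); close(ls);
    int result = leaked >= 0 ? 1 : 0;

    if (copy_file(out, reg) != 0) return result;   /* register a copy, not the file */
    if (leaked >= 0 && pwrite(leaked, "evil\n", 5, 0) == 5) close(leaked);
    if (read_file(out, buf, sizeof buf) == 5 && memcmp(buf, "evil\n", 5) == 0) result |= 2;
    if (read_file(reg, buf, sizeof buf) == 5 && memcmp(buf, "good\n", 5) == 0) result |= 4;
    return result;
}

int main(void) {
    char dir[] = "/tmp/fod-leak-XXXXXX";   /* constructed scratch directory */
    if (!mkdtemp(dir)) return 1;
    printf("result = %d (7: leaked, original tampered, copy intact)\n", run_leak_demo(dir));
    return 0;
}
```

Had the demo registered `output` in place, bit 2 would mean the registered store path itself had changed after the fact; with the copy, the attacker only ever rewrites an inode the store no longer references.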
tomberek
ec177b98f3
Merge pull request #10170 from johnrichardrinehart/jrinehart/2_18-faster-flake-lock-parsing
2.18 faster flake lock parsing
2024-03-07 00:11:54 -05:00
Graham Dennis
7b237ebe5c Faster flake.lock parsing
This PR reduces the creation of short-lived basic_json objects while
parsing flake.lock files. For large flake.lock files (~1.5MB) I was
observing ~60s being spent for trivial nix build operations while
after this change it is now taking ~1.6s.

(cherry picked from commit 7fd0de38c6)
2024-03-06 17:57:15 -08:00
github-actions[bot]
afb55f36df
Fix bad_format_string error when builder stdout contains % (#10063)
(cherry picked from commit e2b6821ca0)

Co-authored-by: roblabla <unfiltered@roblab.la>
2024-02-22 23:12:29 +01:00