Commit Graph

16544 Commits

Author SHA1 Message Date
Emily
5ed25013f3 install-darwin: increment base UID by 1 (#15)
(cherry picked from commit 11cf29b15c)
2024-09-03 23:58:12 +00:00
Travis A. Everett
68dedc533b install-darwin: move nixbld gid to match first UID
(cherry picked from commit 75567423fb)
2024-09-03 23:58:11 +00:00
Travis A. Everett
1f8c3fa443 install-darwin: fix _nixbld uids for macOS sequoia
Starting in macOS 15 Sequoia, macOS daemon UIDs are encroaching on our
default UIDs of 301-332. This commit relocates our range up to avoid
clashing with the current UIDs of 301-304 and buys us a little time
while still leaving headroom for people installing more than 32 users.

(cherry picked from commit df36ff0d1e)
2024-09-03 23:58:10 +00:00
tomberek
2046691498
Merge pull request #11339 from NixOS/backport-11332-to-2.21-maintenance
[Backport 2.21-maintenance] [Backport 2.22-maintenance] fix: check to see if there are any lines before
2024-08-20 00:11:53 -04:00
Tom Bereknyei
1842768c04 fix: check to see if there are any lines before
(cherry picked from commit 59db8fd62b)
(cherry picked from commit aab801db98)
2024-08-19 14:28:18 +00:00
tomberek
a4c921829b
Merge pull request #11316 from NixOS/backport-11270-to-2.21-maintenance
[Backport 2.21-maintenance] libstore: fix port binding in __darwinAllowLocalNetworking sandbox
2024-08-17 03:26:04 -04:00
Andrew Marshall
53ce99f27b libstore: fix port binding in __darwinAllowLocalNetworking sandbox
In d60c3f7f7c, this was changed to close a
hole in the sandbox. Unfortunately, this was too restrictive such that it
made local port binding fail, thus making derivations that needed
`__darwinAllowLocalNetworking` gain nearly nothing, and thus largely
fail (as the primary use for it is to enable port binding).

This unfortunately does mean that a sandboxed build process can, in
coordination with an actor outside the sandbox, escape the sandbox by
binding a port and connecting to it externally to send data. I do not
see a way around this with my experimentation and understanding of the
(quite undocumented) macOS sandbox profile API. Notably it seems not
possible to use the sandbox to do any of:

- Restrict the remote IP of inbound network requests
- Restrict the address being bound to

As such, the `(local ip "*:*")` here appears to be functionally no
different than `(local ip "localhost:*")` (however it *should* be
different than removing the filter entirely, as that would make it also
apply to non-IP networking). Doing `(allow network-inbound (require-all
(local ip "localhost:*") (remote ip "localhost:*")))` causes listening
to fail.

Note that `network-inbound` implies `network-bind`.

(cherry picked from commit 00f6db36fd)
2024-08-17 03:17:38 +00:00
Eelco Dolstra
8ac1a39722
Merge pull request #11212 from NixOS/backport-11171-to-2.21-maintenance
[Backport 2.21-maintenance] Increase download buffer size and improve tarball import logging
2024-07-29 16:22:32 +02:00
Eelco Dolstra
ea37d81a0f Show when we're unpacking an archive into the Git cache
This happens in parallel with the download (which starts later), so
you only see this message when the download has finished but the
import hasn't.

(cherry picked from commit 01839b525c)
2024-07-29 13:02:52 +00:00
Eelco Dolstra
682f60b4f7 Warn if the download buffer is full
(cherry picked from commit f6a9a71b38)
2024-07-29 13:02:52 +00:00
Eelco Dolstra
56140d974e Add 'download-buffer-size' setting
We are piping curl downloads into `unpackTarfileToSink()`, but the
latter is typically slower than the former if you're on a fast
connection. So the download could appear unnecessarily slow. (There is
even a risk that if the Git import is *really* slow for whatever
reason, the TCP connection could time out.)

So let's make the download buffer bigger by default - 64 MiB is big
enough for the Nixpkgs tarball. Perhaps in the future, we could have
an unlimited buffer that spills data to disk beyond a certain
threshold, but that's probably overkill.

(cherry picked from commit 8ffea0a018)
2024-07-29 13:02:52 +00:00
Eelco Dolstra
211b0d4e13 Log download durations
(cherry picked from commit caf4e98f0c)
2024-07-29 13:02:52 +00:00
Eelco Dolstra
60b62b52d8 Bump version 2024-07-10 13:50:22 +02:00
Robert Hensing
09e46fef00
Merge pull request #11046 from NixOS/backport-11031-to-2.21-maintenance
[Backport 2.21-maintenance] libstore: fix sandboxed builds on macOS
2024-07-05 17:59:05 +02:00
Emily
9feee13952 libstore: fix sandboxed builds on macOS
The recent fix for CVE-2024-38531 broke the sandbox on macOS
completely. As it’s not practical to use `chroot(2)` on
macOS, the build takes place in the main filesystem tree, and the
world‐unreadable wrapper directory prevents the build from accessing
its `$TMPDIR` at all.

The macOS sandbox probably shouldn’t be treated as any kind of a
security boundary in its current state, but this specific vulnerability
wasn’t possible to exploit on macOS anyway, as creating `set{u,g}id`
binaries is blocked by sandbox policy.

Locking down the build sandbox further may be a good idea in future,
but it already has significant compatibility issues. For now, restore
the previous status quo on macOS.

Thanks to @alois31 for helping me come to a better understanding of
the vulnerability.

Fixes: 1d3696f0fb
Closes: #11002
(cherry picked from commit af2e1142b1)
2024-07-05 17:17:47 +02:00
Emily
0d68b40dda libstore: clean up the build directory properly
After the fix for CVE-2024-38531, this was only removing the nested
build directory, rather than the top‐level temporary directory.

Fixes: 1d3696f0fb
(cherry picked from commit 76e4adfaac)
2024-07-05 17:16:51 +02:00
Robert Hensing
8097437bd0
Merge pull request #11027 from NixOS/backport-11022-to-2.21-maintenance
[Backport 2.21-maintenance] Use proper struct sockpeercred for SO_PEERCRED for OpenBSD
2024-07-03 20:30:27 +02:00
John Ericson
9c5f0fbb82 Remove invalid release notes YAML field
There is no PR for this, since it was an embargoed fix before
disclosure.

(cherry picked from commit 32e67eba8b)
2024-07-03 20:02:12 +02:00
kn
99951d5628 Use proper struct sockpeercred for SO_PEERCRED for OpenBSD
getsockopt(2) documents this; ucred is wrong ("cr_" member prefix, no pid).

(cherry picked from commit 10ccdb7a41)
2024-07-03 15:57:10 +00:00
John Ericson
ca953d5869 Indent some CPP in nix daemon
Makes it easier for me to read.

(cherry picked from commit a09360400b)
2024-07-03 15:57:10 +00:00
Eelco Dolstra
822519916c Bump version 2024-06-27 10:57:53 +02:00
tomberek
30fe48b886
Merge pull request from GHSA-q82p-44mg-mgh5
Fix sandbox escape 2.21
2024-06-26 18:49:22 -04:00
Eelco Dolstra
8f58b98770 Fix --no-sandbox
When sandboxing is disabled, we cannot put $TMPDIR underneath an
inaccessible directory.

(cherry picked from commit 86ca2d6d94c0581fda0c666c5e022784952f3542)
2024-06-21 16:25:53 +02:00
Eelco Dolstra
409d5c60b6 Formatting
(cherry picked from commit 3af22860759509d5040ff70618247031d96a095c)
2024-06-21 16:16:17 +02:00
Eelco Dolstra
ba13559bd9 Put the chroot inside a directory that isn't group/world-accessible
Previously, the .chroot directory had permission 750 or 755 (depending
on the uid-range system feature) and was owned by root/nixbld. This
makes it possible for any nixbld user (if uid-range is disabled) or
any user (if uid-range is enabled) to inspect the contents of the
chroot of an active build and maybe interfere with it (e.g. via /tmp
in the chroot, which has 1777 permission).

To prevent this, the root is now a subdirectory of .chroot, which has
permission 700 and is owned by root/root.

(cherry picked from commit af280e72fa0e62e1c2eaccfb992c0dbb6f27f895)
2024-06-21 16:16:17 +02:00
John Ericson
520a66f201
Merge pull request #10851 from NixOS/backport-10549-to-2.21-maintenance
[Backport 2.21-maintenance] Fix exportReferencesGraph when given store subpath
2024-06-04 06:50:42 -04:00
Alyssa Ross
5342d27f0b Fix exportReferencesGraph when given store subpath
With Nix 2.3, it was possible to pass a subpath of a store path to
exportReferencesGraph:

	with import <nixpkgs> {};

	let
	  hello = writeShellScriptBin "hello" ''
	    echo ${toString builtins.currentTime}
	  '';
	in

	writeClosure [ "${hello}/bin/hello" ]

This regressed with Nix 2.4, with a very confusing error message, that
presumably indicates it was unintentional:

	error: path '/nix/store/3gl7kgjr4pwf03f0x70dgx9ln3bhl7zc-hello/bin/hello' is not in the Nix store

(cherry picked from commit 0774e8ba33)
2024-06-04 10:26:20 +00:00
Robert Hensing
46b6cfbfc6
Merge pull request #10845 from NixOS/backport-9897-to-2.21-maintenance
[Backport 2.21-maintenance] libutil/url: fix git+file:./ parse error
2024-06-04 11:09:18 +02:00
Bryan Lai
03eb7111fa libutil/url: fix git+file:./ parse error
Previously, the "file:./" prefix was not correctly recognized in
fixGitURL; instead, it was mistaken for a file path, which resulted in a
parsed url of the form "file://file:./".

This commit fixes the issue by properly detecting the "file:" prefix.
Note, however, that unlike "file://", the "file:./" URI is _not_
standardized, but has been widely used to refer to relative file
paths. In particular, the "git+file:./" did work for nix<=2.18, and was
broken since nix 2.19.0.

Finally, this commit fixes the issue completely for the 2.19 series, but
is still inadequate for the 2.20 series due to new behaviors from the
switch to libgit2. However, it does improve the correctness of parsing
even though it is not yet a complete solution.

(cherry picked from commit 8594f3cd5a)
2024-06-04 08:27:12 +00:00
Eelco Dolstra
1ebc34e9c5
Merge pull request #10720 from NixOS/backport-10675-to-2.21-maintenance
[Backport 2.21-maintenance] Handle zip files containing symlinks
2024-05-16 09:51:47 +02:00
github-actions[bot]
1248da4423
remove link to relocated manual page (#10706)
fix old anchor redirects to point to the correct location

(cherry picked from commit 45697ba502)

Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
2024-05-15 22:41:26 +02:00
github-actions[bot]
3c10c6f15d
Revert "manual: fold sidebar sections" (#10699)
(cherry picked from commit 937e7bae48)

Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
2024-05-15 22:40:44 +02:00
Eelco Dolstra
6f6a772da6 Handle zip files containing symlinks
In streaming mode, libarchive doesn't handle symlinks in zip files
correctly. So write the entire file to disk so libarchive can access
it in random-access mode.

Fixes #10649. This was broken in cabee98152.

(cherry picked from commit 9951e14ae0)
2024-05-15 20:07:38 +00:00
Robert Hensing
375acc48ea
Merge pull request #10670 from NixOS/backport-10588-to-2.21-maintenance
[Backport 2.21-maintenance] Fix fetchGit/fetchTree for nested submodules
2024-05-09 11:32:38 +02:00
Robert Hensing
7d1af2cf79 Fix fetchGit nested submodules
(cherry picked from commit 750bcaa330)
2024-05-09 09:09:37 +00:00
Théophane Hufschmitt
8a91b5e1bc Add a release note for the build-dir hardening 2024-04-22 15:30:52 +02:00
Théophane Hufschmitt
64d7f56eaa Run the builds in a daemon-controlled directory
Instead of running the builds under
`$TMPDIR/{unique-build-directory-owned-by-the-build-user}`, run them
under `$TMPDIR/{unique-build-directory-owned-by-the-daemon}/{subdir-owned-by-the-build-user}`
where the build directory is only readable and traversable by the daemon user.

This achieves two things:

1. It prevents builders from making their build directory world-readable
   (or even writeable), which would allow the outside world to interact
   with them.
2. It prevents external processes running as the build user (either
   because that somehow leaked, maybe as a consequence of 1., or because
   `build-users` isn't in use) from gaining access to the build
   directory.
2024-04-22 15:30:50 +02:00
Théophane Hufschmitt
1b8ff553bd Add a test for the user sandboxing 2024-04-22 15:27:32 +02:00
Théophane Hufschmitt
93e8660bba
Merge pull request #10529 from NixOS/backport-10467-to-2.21-maintenance
[Backport 2.21-maintenance] nix shell: Handle output paths that are symlinks
2024-04-17 16:12:10 +02:00
Eelco Dolstra
b1044d52ce nix shell: Test that store paths cannot link outside of the store
(cherry picked from commit 26a4688a86)
2024-04-17 13:25:06 +00:00
Eelco Dolstra
c8905a8747 Doh
(cherry picked from commit 9d50f57fa3)
2024-04-17 13:25:06 +00:00
Eelco Dolstra
3e138de2e0 nix shell: Handle output paths that are symlinks
This requires moving resolveSymlinks() into SourceAccessor. Also, it
requires LocalStoreAccessor::maybeLstat() to work on parents of the
store (to avoid an error like "/nix is not in the store").

Fixes #10375.

(cherry picked from commit 85b9f4ef4f)
2024-04-17 13:25:06 +00:00
Théophane Hufschmitt
60824fa97c
Merge pull request #10475 from tweag/backport-10244-to-2.21-maintenance
Backport #10244 to 2.21 maintenance
2024-04-11 17:29:58 +02:00
Bouke van der Bijl
d5e029a62e Add nixos test
(cherry picked from commit cd06193d13)
2024-04-11 17:00:15 +02:00
Bouke van der Bijl
ed6dc569bb Set the origin instead of hacking in the URL resolving
(cherry picked from commit 1a76ca4161)
2024-04-11 17:00:15 +02:00
Bouke van der Bijl
3f2150dcd1 git fetcher: relax absolute URL check of resolveSubmoduleUrl
This matches up the behavior with the internals of libgit2

Fixes #9979

(cherry picked from commit 1f73de2629)
2024-04-11 17:00:15 +02:00
Théophane Hufschmitt
0c1fcc2a97
Merge pull request #10470 from NixOS/backport-10456-to-2.21-maintenance
[Backport 2.21-maintenance] Fix adding symlink to the sandbox paths
2024-04-11 15:14:48 +02:00
Théophane Hufschmitt
4c7f69f531 Fix permission denied when building symlink derivation which points to a symlink out of the store
Bind-mounting symlinks is apparently not possible, which is why the
thing was failing.

Fortunately, symlinks are small, so we can fall back to copying them at no cost.

Fix https://github.com/NixOS/nix/issues/9579

Co-authored-by: Artturin <Artturin@artturin.com>
(cherry picked from commit 913db9f738)
2024-04-11 12:17:37 +00:00
Théophane Hufschmitt
2e93272f19 Add a test for depending on a symlink store path
Regression test for https://github.com/NixOS/nix/issues/9579

(cherry picked from commit 872d93eb13)
2024-04-11 12:17:36 +00:00
John Ericson
45b2789dc8
Merge pull request #10466 from NixOS/backport-10458-to-2.21-maintenance
[Backport 2.21-maintenance] doc/rl-2.20: clarify builders-use-substitutes vs. substitute-on-destion
2024-04-11 03:16:31 -04:00