Commit Graph

17107 Commits

Author SHA1 Message Date
Eelco Dolstra
99076976fa Merge remote-tracking branch 'nix-ghsa-wf4c-57rh-9pjg/advisory-fix-1-2.22' into 2.22-maintenance 2024-10-30 21:43:58 +01:00
Robert Hensing
9e198a75f7 local-derivation-goal: Move builder preparation to non-builtin code path 2024-10-22 20:27:10 +02:00
Robert Hensing
1b39753f4d local-derivation-goal: Refactor
This works because the `builder` and `args` variables are only used
in the non-builtin code path.

Co-Authored-By: Théophane Hufschmitt <theophane.hufschmitt@tweag.io>
2024-10-22 20:27:10 +02:00
Robert Hensing
f0677f190d local-derivation-goal: Print sandbox error detail on darwin
Co-Authored-By: Théophane Hufschmitt <theophane.hufschmitt@tweag.io>
2024-10-22 20:27:10 +02:00
Puck Meerburg
8217054e35 fix: Run all derivation builders inside the sandbox on macOS 2024-10-22 20:27:09 +02:00
Robert Hensing
bec7d95de0
Merge pull request #11647 from NixOS/mergify/bp/2.22-maintenance/pr-11610
fix passing CA files into builtins:fetchurl sandbox (backport #11610)
2024-10-13 12:44:44 +02:00
Jörg Thalheim
95bbf8d8ab tests/nixos/fetchurl: drop unused variables
(cherry picked from commit 410853ddcf)
2024-10-07 12:43:51 +00:00
Puck Meerburg
c3d2c5924f fix passing CA files into builtins:fetchurl sandbox
This patch has been manually adapted from
14dc84ed03

Tested with:

$ NIX_SSL_CERT_FILE=$(nix-build '<nixpkgs>' -A cacert)/etc/ssl/certs/ca-bundle.crt nix-build --store $(mktemp -d) -E 'import <nix/fetchurl.nix> { url = https://google.com; }'
Finished at 16:57:50 after 1s
warning: found empty hash, assuming 'sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='
this derivation will be built:
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
  /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
google.com> building '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv'
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
google.com> error:
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
google.com>        … writing file '/nix/store/0zynn4n8yx59bczy1mgh1lq2rnprvvrc-google.com'
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
google.com>
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
google.com>        error: unable to download 'https://google.com': Problem with the SSL CA cert (path? access rights?) (77) error setting certificate file: /nix/store/nlgbippbbgn38hynjkp1ghiybcq1dqhx-nss-cacert-3.101.1/etc/ssl/certs/ca-bundle.crt
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
error: builder for '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv' failed with exit code 1

Now returns:

nix-env % NIX_SSL_CERT_FILE=$(nix-build '<nixpkgs>' -A cacert)/etc/ssl/certs/ca-bundle.crt nix-build --store $(mktemp -d) -E 'import <nix/fetchurl.nix> { url = https://google.com; }'
Finished at 17:05:48 after 0s
warning: found empty hash, assuming 'sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='
this derivation will be built:
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
  /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
google.com> building '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv'
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
error: hash mismatch in fixed-output derivation '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv':
         specified: sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

(cherry picked from commit c1ecf0bee9)
2024-10-07 12:43:50 +00:00
Eelco Dolstra
3faf7bcc46
Merge pull request #11590 from NixOS/mergify/bp/2.22-maintenance/pr-11585
builtin:fetchurl: Enable TLS verification (backport #11585)
2024-09-26 01:21:34 +02:00
Eelco Dolstra
248cf31960 Resolve conflict 2024-09-26 00:20:35 +02:00
Eelco Dolstra
eb17a34586 Typo
(cherry picked from commit ef8987955b)
2024-09-26 00:20:33 +02:00
Eelco Dolstra
3a58bc6f0f Add release note
(cherry picked from commit 7b39cd631e)
2024-09-25 21:54:32 +00:00
Eelco Dolstra
7812c44f4e Add a test for builtin:fetchurl cert verification
(cherry picked from commit f2f47fa725)

# Conflicts:
#	tests/nixos/default.nix
2024-09-25 21:54:32 +00:00
Eelco Dolstra
183ef8c6ab builtin:fetchurl: Enable TLS verification
This is better for privacy and to avoid leaking netrc credentials in a
MITM attack, but also the assumption that we check the hash no longer
holds in some cases (in particular for impure derivations).

Partially reverts 5db358d4d7.

(cherry picked from commit c04bc17a5a)
2024-09-25 21:54:31 +00:00
John Ericson
6c1ab4d105
Merge pull request #11574 from NixOS/mergify/bp/2.22-maintenance/pr-11390
Don't refer to public keys as secret keys in error (backport #11390)
2024-09-23 18:45:57 -04:00
Alyssa Ross
11f65ae7e2 Don't refer to public keys as secret keys in error
This constructor is used for public keys as well.

(cherry picked from commit 9cc550d652)
2024-09-23 22:02:19 +00:00
Robert Hensing
e67d6b6447
Merge pull request #11482 from NixOS/mergify/bp/2.22-maintenance/pr-11473
Fix making the build directory kept by `keep-failed` readable (backport #11473)
2024-09-16 12:40:08 +02:00
Artturin
8aa13b2b4f Fix making the build directory kept by keep-failed readable
Caused by 1d3696f0fb

Without this fix the kept build directory is readable only by root

```
$ sudo ls -ld /comp-temp/nix-build-openssh-static-x86_64-unknown-linux-musl-9.8p1.drv-5
drwx------ root root 60 B Wed Sep 11 00:09:48 2024  /comp-temp/nix-build-openssh-static-x86_64-unknown-linux-musl-9.8p1.drv-5/

$ sudo ls -ld /comp-temp/nix-build-openssh-static-x86_64-unknown-linux-musl-9.8p1.drv-5/build
drwxr-xr-x nixbld1 nixbld 80 B Wed Sep 11 00:09:58 2024  /comp-temp/nix-build-openssh-static-x86_64-unknown-linux-musl-9.8p1.drv-5/build/
```

(cherry picked from commit ebebe626ff)
2024-09-11 12:55:14 +00:00
Eelco Dolstra
87e0c222dd
Merge pull request #11419 from NixOS/mergify/bp/2.22-maintenance/pr-10919
install-darwin: fix _nixbld uids for macOS sequoia (backport #10919)
2024-09-10 21:27:58 +02:00
Robert Hensing
fcbd1be142
Merge pull request #11449 from NixOS/backport-11009-to-2.22-maintenance
[Backport 2.22-maintenance] installerScriptForGHA: aarch64-darwin
2024-09-09 17:54:44 +02:00
Robert Hensing
c2a428eac3 installerScriptForGHA: aarch64-darwin
Backport of https://github.com/NixOS/nix/pull/11009
2024-09-09 17:42:20 +02:00
Emily
c00f5bc33e install-darwin: increment base UID by 1 (#15)
(cherry picked from commit 11cf29b15c)
2024-09-03 23:58:14 +00:00
Travis A. Everett
76c9fd17c8 install-darwin: move nixbld gid to match first UID
(cherry picked from commit 75567423fb)
2024-09-03 23:58:14 +00:00
Travis A. Everett
a1cfbe25c8 install-darwin: fix _nixbld uids for macOS sequoia
Starting in macOS 15 Sequoia, macOS daemon UIDs are encroaching on our
default UIDs of 301-332. This commit relocates our range up to avoid
clashing with the current UIDs of 301-304 and buy us a little time
while still leaving headroom for people installing more than 32 users.

(cherry picked from commit df36ff0d1e)
2024-09-03 23:58:14 +00:00
Robert Hensing
12e2efa384
Merge pull request #11332 from NixOS/backport-11329-to-2.22-maintenance
[Backport 2.22-maintenance] fix: check to see if there are any lines before
2024-08-19 16:27:20 +02:00
Tom Bereknyei
aab801db98 fix: check to see if there are any lines before
(cherry picked from commit 59db8fd62b)
2024-08-19 13:40:32 +00:00
tomberek
7e0f102afb
Merge pull request #11317 from NixOS/backport-11270-to-2.22-maintenance
[Backport 2.22-maintenance] libstore: fix port binding in __darwinAllowLocalNetworking sandbox
2024-08-17 02:53:49 -04:00
Andrew Marshall
7043e7311f libstore: fix port binding in __darwinAllowLocalNetworking sandbox
In d60c3f7f7c, this was changed to close a
hole in the sandbox. Unfortunately, this was too restrictive such that it
made local port binding fail, thus making derivations that needed
`__darwinAllowLocalNetworking` gain nearly nothing, and thus largely
fail (as the primary use for it is to enable port binding).

This unfortunately does mean that a sandboxed build process can, in
coordination with an actor outside the sandbox, escape the sandbox by
binding a port and connecting to it externally to send data. I do not
see a way around this with my experimentation and understanding of the
(quite undocumented) macOS sandbox profile API. Notably it seems not
possible to use the sandbox to do any of:

- Restrict the remote IP of inbound network requests
- Restrict the address being bound to

As such, the `(local ip "*:*")` here appears to be functionally no
different than `(local ip "localhost:*")` (however it *should* be
different than removing the filter entirely, as that would make it also
apply to non-IP networking). Doing `(allow network-inbound (require-all
(local ip "localhost:*") (remote ip "localhost:*")))` causes listening
to fail.

Note that `network-inbound` implies `network-bind`.

(cherry picked from commit 00f6db36fd)
2024-08-17 03:17:40 +00:00
Eelco Dolstra
184b10f3d6
Merge pull request #11213 from NixOS/backport-11171-to-2.22-maintenance
[Backport 2.22-maintenance] Increase download buffer size and improve tarball import logging
2024-07-29 16:20:36 +02:00
Eelco Dolstra
8a80f8a6ac Show when we're unpacking an archive into the Git cache
This happens in parallel with the download (which starts later), so
you only see this message when the download has finished but the
import hasn't.

(cherry picked from commit 01839b525c)
2024-07-29 13:02:55 +00:00
Eelco Dolstra
331bcdb831 Warn if the download buffer is full
(cherry picked from commit f6a9a71b38)
2024-07-29 13:02:55 +00:00
Eelco Dolstra
a57ded2403 Add 'download-buffer-size' setting
We are piping curl downloads into `unpackTarfileToSink()`, but the
latter is typically slower than the former if you're on a fast
connection. So the download could appear unnecessarily slow. (There is
even a risk that if the Git import is *really* slow for whatever
reason, the TCP connection could time out.)

So let's make the download buffer bigger by default - 64 MiB is big
enough for the Nixpkgs tarball. Perhaps in the future, we could have
an unlimited buffer that spills data to disk beyond a certain
threshold, but that's probably overkill.

(cherry picked from commit 8ffea0a018)
2024-07-29 13:02:55 +00:00
Eelco Dolstra
cfef5cacda Log download durations
(cherry picked from commit caf4e98f0c)
2024-07-29 13:02:55 +00:00
Eelco Dolstra
aaed4a90b5 Bump version 2024-07-05 19:55:46 +02:00
Eelco Dolstra
fcaa72bdc7
Merge pull request #11044 from NixOS/backport-11031-to-2.22-maintenance
[Backport 2.22-maintenance] libstore: fix sandboxed builds on macOS
2024-07-05 17:39:27 +02:00
Emily
a500c90375 libstore: fix sandboxed builds on macOS
The recent fix for CVE-2024-38531 broke the sandbox on macOS
completely. As it’s not practical to use `chroot(2)` on
macOS, the build takes place in the main filesystem tree, and the
world‐unreadable wrapper directory prevents the build from accessing
its `$TMPDIR` at all.

The macOS sandbox probably shouldn’t be treated as any kind of a
security boundary in its current state, but this specific vulnerability
wasn’t possible to exploit on macOS anyway, as creating `set{u,g}id`
binaries is blocked by sandbox policy.

Locking down the build sandbox further may be a good idea in future,
but it already has significant compatibility issues. For now, restore
the previous status quo on macOS.

Thanks to @alois31 for helping me come to a better understanding of
the vulnerability.

Fixes: 1d3696f0fb
Closes: #11002
(cherry picked from commit af2e1142b1)
2024-07-05 15:09:00 +00:00
Emily
1a46fb95dd libstore: clean up the build directory properly
After the fix for CVE-2024-38531, this was only removing the nested
build directory, rather than the top‐level temporary directory.

Fixes: 1d3696f0fb
(cherry picked from commit 76e4adfaac)
2024-07-05 15:09:00 +00:00
Robert Hensing
5911f66eba
Merge pull request #11028 from NixOS/backport-11022-to-2.22-maintenance
[Backport 2.22-maintenance] Use proper struct sockpeercred for SO_PEERCRED for OpenBSD
2024-07-03 20:27:41 +02:00
John Ericson
ca78fd9304 Remove invalid release notes YAML field
There is no PR for this, since it was an embargoed fix before
disclosure.

(cherry picked from commit 32e67eba8b)
2024-07-03 20:01:49 +02:00
kn
a06453e45f Use proper struct sockpeercred for SO_PEERCRED for OpenBSD
getsockopt(2) documents this;  ucred is wrong ("cr_" member prefix, no pid).

(cherry picked from commit 10ccdb7a41)
2024-07-03 15:57:13 +00:00
John Ericson
e39cf2fa86 Ident some CPP in nix daemon
Makes it easier for me to read.

(cherry picked from commit a09360400b)
2024-07-03 15:57:13 +00:00
Eelco Dolstra
2de34c5d5f Bump version 2024-06-27 12:26:48 +02:00
tomberek
f5b7733e55
Merge pull request from GHSA-q82p-44mg-mgh5
Fix sandbox escape 2.22
2024-06-26 18:49:22 -04:00
Eelco Dolstra
54b27fcc60 Fix --no-sandbox
When sandboxing is disabled, we cannot put $TMPDIR underneath an
inaccessible directory.

(cherry picked from commit d54590fdf3)
2024-06-21 17:16:52 +02:00
Eelco Dolstra
a82010789e Formatting
(cherry picked from commit 58b7b3fd15)
2024-06-21 17:16:48 +02:00
Eelco Dolstra
f5f0d30597 Put the chroot inside a directory that isn't group/world-accessible
Previously, the .chroot directory had permission 750 or 755 (depending
on the uid-range system feature) and was owned by root/nixbld. This
makes it possible for any nixbld user (if uid-range is disabled) or
any user (if uid-range is enabled) to inspect the contents of the
chroot of an active build and maybe interfere with it (e.g. via /tmp
in the chroot, which has 1777 permission).

To prevent this, the root is now a subdirectory of .chroot, which has
permission 700 and is owned by root/root.

(cherry picked from commit ede95b1fc1)
2024-06-21 17:16:44 +02:00
Théophane Hufschmitt
51909005e0 Add a release note for the build-dir hardening
(cherry picked from commit d99c868b04)
2024-06-21 17:16:39 +02:00
Théophane Hufschmitt
8c20f0fc33 Run the builds in a daemon-controled directory
Instead of running the builds under
`$TMPDIR/{unique-build-directory-owned-by-the-build-user}`, run them
under `$TMPDIR/{unique-build-directory-owned-by-the-daemon}/{subdir-owned-by-the-build-user}`
where the build directory is only readable and traversable by the daemon user.

This achieves two things:

1. It prevents builders from making their build directory world-readable
   (or even writeable), which would allow the outside world to interact
   with them.
2. It prevents external processes running as the build user (either
   because that somehow leaked, maybe as a consequence of 1., or because
   `build-users` isn't in use) from gaining access to the build
   directory.

(cherry picked from commit 1d3696f0fb)
2024-06-21 17:16:37 +02:00
Théophane Hufschmitt
f8f1d7eb54 Add a test for the user sandboxing
(cherry picked from commit 717f3eea39)
2024-06-21 17:16:33 +02:00
Robert Hensing
329ed85134
Merge pull request #10859 from NixOS/backport-10858-to-2.22-maintenance
[Backport 2.22-maintenance] flake check: Recognize well known homeModule/homeModules attribute
2024-06-05 13:45:32 +02:00