maurice/snix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Always use the Darwin sandbox

Browse source 
Even with "build-use-sandbox = false", we now use sandboxing with a
permissive profile that allows everything except the creation of
setuid/setgid binaries.
This commit is contained in:
Eelco Dolstra 2017-06-06 18:44:49 +02:00
parent d3f780996c
commit 85e93d7b87
No known key found for this signature in database
GPG key ID: 8170B4726D7198DE
5 changed files with 100 additions and 87 deletions
Download patch file Download diff file Expand all files Collapse all files

4
.gitignore vendored
View file

@ -48,9 +48,7 @@ perl/Makefile.config
/src/libexpr/nix.tbl /src/libexpr/nix.tbl
# /src/libstore/ # /src/libstore/
/src/libstore/schema.sql.gen.hh /src/libstore/*.gen.hh
/src/libstore/sandbox-defaults.sb.gen.hh
/src/libstore/sandbox-network.sb.gen.hh
/src/nix/nix /src/nix/nix

32
src/libstore/build.cc
View file

@ -2611,12 +2611,16 @@ void DerivationGoal::runChild()
const char *builder = "invalid"; const char *builder = "invalid";
string sandboxProfile;
if (drv->isBuiltin()) { if (drv->isBuiltin()) {
; ;
} }
#if __APPLE__ #if __APPLE__
else if (useChroot) { else {
/* This has to appear before import statements. */
std::string sandboxProfile = "(version 1)\n";
if (useChroot) {
/* Lots and lots and lots of file functions freak out if they can't stat their full ancestry */ /* Lots and lots and lots of file functions freak out if they can't stat their full ancestry */
PathSet ancestry; PathSet ancestry;
@ -2643,9 +2647,6 @@ void DerivationGoal::runChild()
for (auto & i : inputPaths) for (auto & i : inputPaths)
dirsInChroot[i] = i; dirsInChroot[i] = i;
/* This has to appear before import statements */
sandboxProfile += "(version 1)\n";
/* Violations will go to the syslog if you set this. Unfortunately the destination does not appear to be configurable */ /* Violations will go to the syslog if you set this. Unfortunately the destination does not appear to be configurable */
if (settings.darwinLogSandboxViolations) { if (settings.darwinLogSandboxViolations) {
sandboxProfile += "(deny default)\n"; sandboxProfile += "(deny default)\n";
@ -2662,13 +2663,6 @@ void DerivationGoal::runChild()
#include "sandbox-network.sb.gen.hh" #include "sandbox-network.sb.gen.hh"
; ;
/* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms
to find temporary directories, so we want to open up a broader place for them to dump their files, if needed. */
Path globalTmpDir = canonPath(getEnv("TMPDIR", "/tmp"), true);
/* They don't like trailing slashes on subpath directives */
if (globalTmpDir.back() == '/') globalTmpDir.pop_back();
/* Our rwx outputs */ /* Our rwx outputs */
sandboxProfile += "(allow file-read* file-write* process-exec\n"; sandboxProfile += "(allow file-read* file-write* process-exec\n";
for (auto & i : missingPaths) { for (auto & i : missingPaths) {
@ -2709,6 +2703,10 @@ void DerivationGoal::runChild()
sandboxProfile += ")\n"; sandboxProfile += ")\n";
sandboxProfile += additionalSandboxProfile; sandboxProfile += additionalSandboxProfile;
} else
sandboxProfile +=
#include "sandbox-minimal.sb.gen.hh"
;
debug("Generated sandbox profile:"); debug("Generated sandbox profile:");
debug(sandboxProfile); debug(sandboxProfile);
@ -2717,6 +2715,13 @@ void DerivationGoal::runChild()
writeFile(sandboxFile, sandboxProfile); writeFile(sandboxFile, sandboxProfile);
/* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms
to find temporary directories, so we want to open up a broader place for them to dump their files, if needed. */
Path globalTmpDir = canonPath(getEnv("TMPDIR", "/tmp"), true);
/* They don't like trailing slashes on subpath directives */
if (globalTmpDir.back() == '/') globalTmpDir.pop_back();
builder = "/usr/bin/sandbox-exec"; builder = "/usr/bin/sandbox-exec";
args.push_back("sandbox-exec"); args.push_back("sandbox-exec");
args.push_back("-f"); args.push_back("-f");
@ -2725,12 +2730,13 @@ void DerivationGoal::runChild()
args.push_back("_GLOBAL_TMP_DIR=" + globalTmpDir); args.push_back("_GLOBAL_TMP_DIR=" + globalTmpDir);
args.push_back(drv->builder); args.push_back(drv->builder);
} }
#endif #else
else { else {
builder = drv->builder.c_str(); builder = drv->builder.c_str();
string builderBasename = baseNameOf(drv->builder); string builderBasename = baseNameOf(drv->builder);
args.push_back(builderBasename); args.push_back(builderBasename);
} }
#endif
for (auto & i : drv->args) for (auto & i : drv->args)
args.push_back(rewriteStrings(i, inputRewrites)); args.push_back(rewriteStrings(i, inputRewrites));

6
src/libstore/local.mk
View file

@ -36,7 +36,9 @@ libstore_CXXFLAGS = \
$(d)/local-store.cc: $(d)/schema.sql.gen.hh $(d)/local-store.cc: $(d)/schema.sql.gen.hh
$(d)/build.cc: $(d)/sandbox-defaults.sb.gen.hh $(d)/sandbox-network.sb.gen.hh sandbox-headers = $(d)/sandbox-defaults.sb.gen.hh $(d)/sandbox-network.sb.gen.hh $(d)/sandbox-minimal.sb.gen.hh
$(d)/build.cc: $(sandbox-headers)
%.gen.hh: % %.gen.hh: %
@echo 'R"foo(' >> $@.tmp @echo 'R"foo(' >> $@.tmp
@ -44,6 +46,6 @@ $(d)/build.cc: $(d)/sandbox-defaults.sb.gen.hh $(d)/sandbox-network.sb.gen.hh
@echo ')foo"' >> $@.tmp @echo ')foo"' >> $@.tmp
@mv $@.tmp $@ @mv $@.tmp $@
clean-files += $(d)/schema.sql.gen.hh $(d)/sandbox-defaults.sb.gen.hh $(d)/sandbox-network.sb.gen.hh clean-files += $(d)/schema.sql.gen.hh $(sandbox-headers)
$(eval $(call install-file-in, $(d)/nix-store.pc, $(prefix)/lib/pkgconfig, 0644)) $(eval $(call install-file-in, $(d)/nix-store.pc, $(prefix)/lib/pkgconfig, 0644))

2
src/libstore/sandbox-defaults.sb
View file

@ -1,5 +1,7 @@
(define TMPDIR (param "_GLOBAL_TMP_DIR")) (define TMPDIR (param "_GLOBAL_TMP_DIR"))
(deny default)
; Disallow creating setuid/setgid binaries, since that ; Disallow creating setuid/setgid binaries, since that
; would allow breaking build user isolation. ; would allow breaking build user isolation.
(deny file-write-setugid) (deny file-write-setugid)

5
src/libstore/sandbox-minimal.sb Normal file
View file

@ -0,0 +1,5 @@
(allow default)
; Disallow creating setuid/setgid binaries, since that
; would allow breaking build user isolation.
(deny file-write-setugid)