Merge pull request #10482 from tweag/fix-symlink-in-sandbox

Fix the access of symlinks to host files in the sandbox
This commit is contained in:
John Ericson 2024-04-15 09:29:00 -04:00 committed by GitHub
commit 65cc237b3a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 65 additions and 20 deletions

View file

@ -1823,11 +1823,18 @@ void LocalDerivationGoal::runChild()
if (pathExists(path)) if (pathExists(path))
ss.push_back(path); ss.push_back(path);
if (settings.caFile != "") if (settings.caFile != "" && pathExists(settings.caFile)) {
pathsInChroot.try_emplace("/etc/ssl/certs/ca-certificates.crt", settings.caFile, true); Path caFile = settings.caFile;
pathsInChroot.try_emplace("/etc/ssl/certs/ca-certificates.crt", canonPath(caFile, true), true);
}
} }
for (auto & i : ss) pathsInChroot.emplace(i, i); for (auto & i : ss) {
// For backwards-compatibiliy, resolve all the symlinks in the
// chroot paths
auto canonicalPath = canonPath(i, true);
pathsInChroot.emplace(i, canonicalPath);
}
/* Bind-mount all the directories from the "host" /* Bind-mount all the directories from the "host"
filesystem that we want in the chroot filesystem that we want in the chroot

View file

@ -60,7 +60,13 @@ testCert () {
nocert=$TEST_ROOT/no-cert-file.pem nocert=$TEST_ROOT/no-cert-file.pem
cert=$TEST_ROOT/some-cert-file.pem cert=$TEST_ROOT/some-cert-file.pem
symlinkcert=$TEST_ROOT/symlink-cert-file.pem
transitivesymlinkcert=$TEST_ROOT/transitive-symlink-cert-file.pem
symlinkDir=$TEST_ROOT/symlink-dir
echo -n "CERT_CONTENT" > $cert echo -n "CERT_CONTENT" > $cert
ln -s $cert $symlinkcert
ln -s $symlinkcert $transitivesymlinkcert
ln -s $TEST_ROOT $symlinkDir
# No cert in sandbox when not a fixed-output derivation # No cert in sandbox when not a fixed-output derivation
testCert missing normal "$cert" testCert missing normal "$cert"
@ -74,5 +80,14 @@ testCert missing fixed-output "$nocert"
# Cert in sandbox when ssl-cert-file is set to an existing file # Cert in sandbox when ssl-cert-file is set to an existing file
testCert present fixed-output "$cert" testCert present fixed-output "$cert"
# Cert in sandbox when ssl-cert-file is set to a (potentially transitive) symlink to an existing file
testCert present fixed-output "$symlinkcert"
testCert present fixed-output "$transitivesymlinkcert"
# Symlinks should be added in the sandbox directly and not followed # Symlinks should be added in the sandbox directly and not followed
nix-sandbox-build symlink-derivation.nix nix-sandbox-build symlink-derivation.nix -A depends_on_symlink
nix-sandbox-build symlink-derivation.nix -A test_sandbox_paths \
--option extra-sandbox-paths "/file=$cert" \
--option extra-sandbox-paths "/dir=$TEST_ROOT" \
--option extra-sandbox-paths "/symlinkDir=$symlinkDir" \
--option extra-sandbox-paths "/symlink=$symlinkcert"

View file

@ -15,22 +15,45 @@ let
''; '';
}; };
in in
mkDerivation { {
name = "depends-on-symlink"; depends_on_symlink = mkDerivation {
buildCommand = '' name = "depends-on-symlink";
( buildCommand = ''
set -x (
set -x
# `foo_symlink` should be a symlink pointing to `foo_in_store` # `foo_symlink` should be a symlink pointing to `foo_in_store`
[[ -L ${foo_symlink} ]] [[ -L ${foo_symlink} ]]
[[ $(readlink ${foo_symlink}) == ${foo_in_store} ]] [[ $(readlink ${foo_symlink}) == ${foo_in_store} ]]
# `symlink_to_not_in_store` should be a symlink pointing to `./.`, which # `symlink_to_not_in_store` should be a symlink pointing to `./.`, which
# is not available in the sandbox # is not available in the sandbox
[[ -L ${symlink_to_not_in_store} ]] [[ -L ${symlink_to_not_in_store} ]]
[[ $(readlink ${symlink_to_not_in_store}) == ${builtins.toString ./.} ]] [[ $(readlink ${symlink_to_not_in_store}) == ${builtins.toString ./.} ]]
(! ls ${symlink_to_not_in_store}/) (! ls ${symlink_to_not_in_store}/)
)
echo "Success!" > $out # Native paths
''; )
echo "Success!" > $out
'';
};
test_sandbox_paths = mkDerivation {
# Depends on the caller to set a bunch of `--sandbox-path` arguments
name = "test-sandbox-paths";
buildCommand = ''
(
set -x
[[ -f /file ]]
[[ -d /dir ]]
# /symlink and /symlinkDir should be available as raw symlinks
# (pointing to files outside of the sandbox)
[[ -L /symlink ]] && [[ ! -e $(readlink /symlink) ]]
[[ -L /symlinkDir ]] && [[ ! -e $(readlink /symlinkDir) ]]
)
touch $out
'';
};
} }