Maximilian Bosch ba68045187
libstore/local-derivation-goal: prohibit creating setuid/setgid binaries
With Linux kernel >=6.6 & glibc 2.39 a `fchmodat2(2)` is available that
isn't filtered away by the libseccomp sandbox.

Being able to use this to bypass that restriction has surprising results
for some builds such as lxc[1]:

> With kernel ≥6.6 and glibc 2.39, lxc's install phase uses fchmodat2,
> which slips through 9b88e52846/src/libstore/build/local-derivation-goal.cc (L1650-L1663).
> The fixupPhase then uses fchmodat, which fails.
> With older kernel or glibc, setting the suid bit fails in the
> install phase, which is not treated as fatal, and then the
> fixup phase does not try to set it again.

Please note that there are still ways to bypass this sandbox[2] and this is
mostly a fix for the breaking builds.

This change works by creating a syscall filter for the `fchmodat2`
syscall (number 452 on most systems). The problem is that glibc 2.39
and seccomp 2.5.5 are needed to have the correct syscall number available
via `__NR_fchmodat2` / `__SNR_fchmodat2`, but this flake is still on
nixpkgs 23.11. To have this change everywhere and not dependent on the
glibc this package is built against, I added a header
"fchmodat2-compat.hh" that sets the syscall number based on the
architecture. On most platforms it's 452 according to glibc with a few
exceptions:

    $ rg --pcre2 'define __NR_fchmodat2 (?!452)'
    sysdeps/unix/sysv/linux/x86_64/x32/arch-syscall.h
    58:#define __NR_fchmodat2 1073742276

    sysdeps/unix/sysv/linux/mips/mips64/n32/arch-syscall.h
    67:#define __NR_fchmodat2 6452

    sysdeps/unix/sysv/linux/mips/mips64/n64/arch-syscall.h
    62:#define __NR_fchmodat2 5452

    sysdeps/unix/sysv/linux/mips/mips32/arch-syscall.h
    70:#define __NR_fchmodat2 4452

    sysdeps/unix/sysv/linux/alpha/arch-syscall.h
    59:#define __NR_fchmodat2 562

I tested the change by adding the diff below as a patch to
`pkgs/tools/package-management/nix/common.nix` & then built a VM from
the following config using my dirty nixpkgs master:

    {
      vm = { pkgs, ... }: {
        virtualisation.writableStore = true;
        virtualisation.memorySize = 8192;
        virtualisation.diskSize = 12 * 1024;
        nix.package = pkgs.nixVersions.nix_2_21;
      };
    }

The original issue can be triggered via

    nix build -L github:nixos/nixpkgs/d6dc19adbda4fd92fe9a332327a8113eaa843894#lxc \
      --extra-experimental-features 'nix-command flakes'

however the problem disappears with this patch applied.

Closes #10424

[1] https://github.com/NixOS/nixpkgs/issues/300635#issuecomment-2031073804
[2] https://github.com/NixOS/nixpkgs/issues/300635#issuecomment-2030844251
2024-04-18 12:20:20 +02:00
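The rule the commit describes, written out as an added example (this is not Nix's code and not the contents of its `fchmodat2-compat.hh`): a classic-BPF seccomp program that turns a `fchmodat2` call into EPERM when the mode argument carries S_ISUID or S_ISGID, with the syscall number chosen at compile time from the per-architecture glibc values quoted above. The `EXAMPLE_` names, the small cBPF evaluator used to check the verdict without installing the filter, and the assumption that `mode` is the third argument are this example's own; it also omits the `seccomp_data.arch` check that libseccomp performs for Nix.

```c
/* Added example (not Nix's code): a seccomp-BPF rule that refuses
 * fchmodat2() calls which would set the setuid or setgid bit, plus a
 * small evaluator so the policy can be checked without installing it. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Compile-time syscall number for fchmodat2, following the per-architecture
 * values quoted from glibc in the commit message (452 everywhere except
 * x32, the three MIPS ABIs and alpha). EXAMPLE_* names are this example's. */
#if defined(__x86_64__) && defined(__ILP32__)
#  define EXAMPLE_NR_FCHMODAT2 1073742276
#elif defined(__mips__) && (_MIPS_SIM == _ABIN32)
#  define EXAMPLE_NR_FCHMODAT2 6452
#elif defined(__mips__) && (_MIPS_SIM == _ABI64)
#  define EXAMPLE_NR_FCHMODAT2 5452
#elif defined(__mips__) && (_MIPS_SIM == _ABIO32)
#  define EXAMPLE_NR_FCHMODAT2 4452
#elif defined(__alpha__)
#  define EXAMPLE_NR_FCHMODAT2 562
#else
#  define EXAMPLE_NR_FCHMODAT2 452
#endif

#define SC_OFF(field) ((uint32_t)offsetof(struct seccomp_data, field))
/* cBPF loads 32 bits at a time; take the low word of the 64-bit argument slot. */
#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
#  define ARG_LO(i) SC_OFF(args[i])
#else
#  define ARG_LO(i) (SC_OFF(args[i]) + 4)
#endif

/* Policy: for fchmodat2(dirfd, path, mode, flags), fail with EPERM when mode
 * has S_ISUID or S_ISGID; allow everything else. A production filter checks
 * seccomp_data.arch before nr (libseccomp does that for Nix). */
static struct sock_filter example_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_OFF(nr)),                  /* A = nr            */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, EXAMPLE_NR_FCHMODAT2, 0, 3), /* other nr -> allow */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(2)),                   /* A = mode          */
    BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, S_ISUID | S_ISGID, 0, 1),   /* no bits -> allow  */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define EXAMPLE_FILTER_LEN (sizeof example_filter / sizeof example_filter[0])

/* Minimal cBPF evaluator covering only the opcodes used above, so the
 * verdict can be computed for a constructed seccomp_data in user space. */
static uint32_t example_run_filter(const struct sock_filter *prog, size_t len,
                                   const struct seccomp_data *d)
{
    uint32_t A = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            memcpy(&A, (const char *)d + in->k, sizeof A);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:   /* pc = pc + 1 + (jt|jf) */
            pc += (A == in->k) ? in->jt : in->jf;
            break;
        case BPF_JMP | BPF_JSET | BPF_K:
            pc += (A & in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL; /* opcode not modelled here */
        }
    }
    return SECCOMP_RET_KILL; /* fell off the end: reject */
}

/* Verdict for a call with syscall number nr whose third argument is mode. */
uint32_t example_verdict(int nr, uint32_t mode)
{
    struct seccomp_data d;
    memset(&d, 0, sizeof d);
    d.nr = nr;
    d.args[2] = mode;
    return example_run_filter(example_filter, EXAMPLE_FILTER_LEN, &d);
}

/* 1 if the filter would turn this fchmodat2 mode into EPERM, else 0. */
int example_mode_denied(uint32_t mode)
{
    return example_verdict(EXAMPLE_NR_FCHMODAT2, mode) == (SECCOMP_RET_ERRNO | EPERM);
}

/* Install the rule in the calling process; returns 0 on success. */
int example_install_filter(void)
{
    struct sock_fprog prog = { .len = (unsigned short)EXAMPLE_FILTER_LEN,
                               .filter = example_filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
```

Calling `example_install_filter()` in a child before it runs the build makes a later `fchmodat2(fd, "bin/tool", 04755, 0)` fail with EPERM instead of silently producing a setuid file, which is the behaviour the commit wants for the builder; `example_mode_denied(04755)` returns 1 and `example_mode_denied(0755)` returns 0 without installing anything.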

Nix


Nix is a powerful package manager for Linux and other Unix systems that makes package management reliable and reproducible. Please refer to the Nix manual for more details.

Installation and first steps

Visit nix.dev for installation instructions and beginner tutorials.

Full reference documentation can be found in the Nix manual.

Building And Developing

See our Hacking guide in our manual for instruction on how to set up a development environment and build Nix from source.

Contributing

Check the contributing guide if you want to get involved with developing Nix.

Additional Resources

License

Nix is released under the LGPL v2.1.