From patchwork Fri Feb 21 13:05:49 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 38901 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 8CE1F27BBEA; Fri, 21 Feb 2025 13:07:52 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id AB16327BBEB for ; Fri, 21 Feb 2025 13:07:51 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tlSkN-0004uG-7J; Fri, 21 Feb 2025 08:07:15 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tlSkI-0004u1-Va for guix-patches@gnu.org; Fri, 21 Feb 2025 08:07:11 -0500 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1tlSkI-0004b7-7x for guix-patches@gnu.org; Fri, 21 Feb 2025 08:07:10 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; bh=0izMrOHlIq4NgLJJUeAlULEe8K+llpxfq6yctCHxero=; 
b=R8HmNNGiDfMTu7wy60DfjSGDrTnmb3FwbdKb/QDKcfqS/PsUysor6W+CGQmIkhZXlWCBLI/dElfBRTJ26EFG3qvQqg2KxB5p0oLIOCk3KduL0gPdr3a5yW57GtW+5Uc9n1N858gB+q7aK44hcin8jAyUMCfGgsd5jTNabnznNU6C6Lwg/Y8HHCdf/OxObiEkbEXlSTATSpJX5akZBoy5qgkRQ4Z6DlwNkksgDYozui+OhzW2J+KfFHd19vYkDubFHbGTSVhJhNV2Ce/qUyNOq0XUNxe+LsQ8X4+ZGJjTEH7tEZ8Q09R4bXXpeCTWLrGf2ljjkReml0o136YIn2LuiQ==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1tlSkG-0005Sp-FX for guix-patches@gnu.org; Fri, 21 Feb 2025 08:07:08 -0500 X-Loop: help-debbugs@gnu.org Subject: [bug#75810] [PATCH v3 01/11] daemon: Use =?utf-8?b?4oCYY2xvc2VfcmFu?= =?utf-8?b?Z2XigJk=?= where available. Resent-From: Ludovic =?utf-8?q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Fri, 21 Feb 2025 13:07:08 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 75810 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 75810@debbugs.gnu.org Cc: Ludovic =?utf-8?q?Court=C3=A8s?= Received: via spool by 75810-submit@debbugs.gnu.org id=B75810.174014320920818 (code B ref 75810); Fri, 21 Feb 2025 13:07:08 +0000 Received: (at 75810) by debbugs.gnu.org; 21 Feb 2025 13:06:49 +0000 Received: from localhost ([127.0.0.1]:56650 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1tlSjt-0005P9-Fb for submit@debbugs.gnu.org; Fri, 21 Feb 2025 08:06:48 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:48270) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1tlSjn-0005Mz-H4 for 75810@debbugs.gnu.org; Fri, 21 Feb 2025 08:06:42 -0500 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tlSji-0004Xu-48; Fri, 21 Feb 2025 08:06:34 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; 
h=MIME-Version:References:In-Reply-To:Date:Subject:To: From; bh=0izMrOHlIq4NgLJJUeAlULEe8K+llpxfq6yctCHxero=; b=Fa8qHsdqYlC7tXaei7fh HJkYfqgSo7cMjdX9ShO89w2HV6D7Or4tuijB4swhy5hb2as9sTlJtlqmf7wyvZh4hhHtKtFXfWru0 gsY8dZYRqK/ebFoVzFWKyvwseHIl/pUnwkMQkRc3fVRPGG6NPHtA7lSO7d55QPqvEOzv1P5AZAojX 3qHiRnL4hSjZnAoBIrZYfkdoFLOyNaZ/athRYxgP17f57Cv7M1ynLqW0wuDplLeXDfLrkjbfgZlBE 0xfvAthaO3TQPkzCzYWvayQFtC5YH5iOQtQfYl7Q9LJu4APMrnmUr6ZaoFEOIO0z3c99ACU/gpBRF x12HDkMz/EeGBw==; From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Fri, 21 Feb 2025 14:05:49 +0100 Message-ID: <47cd29cc645e87a85536da2d6edc676744c58cd5.1740142328.git.ludo@gnu.org> X-Mailer: git-send-email 2.48.1 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * nix/libutil/util.cc (closeMostFDs) [HAVE_CLOSE_RANGE]: Use ‘close_range’ when ‘exceptions’ is empty. * config-daemon.ac: Check for and the ‘close_range’ symbol. Change-Id: I12fa3bde58b003fcce5ea5a1fee1dcf9a92c0359 --- config-daemon.ac | 5 +++-- nix/libutil/util.cc | 23 +++++++++++++++++------ 2 files changed, 20 insertions(+), 8 deletions(-) diff --git a/config-daemon.ac b/config-daemon.ac index 6731c68bc39..4e949bc88a3 100644 --- a/config-daemon.ac +++ b/config-daemon.ac @@ -78,7 +78,8 @@ if test "x$guix_build_daemon" = "xyes"; then dnl Chroot support. AC_CHECK_FUNCS([chroot unshare]) - AC_CHECK_HEADERS([sched.h sys/param.h sys/mount.h sys/syscall.h]) + AC_CHECK_HEADERS([sched.h sys/param.h sys/mount.h sys/syscall.h \ + linux/close_range.h]) if test "x$ac_cv_func_chroot" != "xyes"; then AC_MSG_ERROR(['chroot' function missing, bailing out]) 
@@ -95,7 +96,7 @@ if test "x$guix_build_daemon" = "xyes"; then dnl strsignal: for error reporting. dnl statx: fine-grain 'stat' call, new in glibc 2.28. AC_CHECK_FUNCS([lutimes lchown posix_fallocate sched_setaffinity \ - statvfs nanosleep strsignal statx]) + statvfs nanosleep strsignal statx close_range]) dnl Check for . AC_LANG_PUSH(C++) diff --git a/nix/libutil/util.cc b/nix/libutil/util.cc index 3206dea11b1..eb2d16e1cc3 100644 --- a/nix/libutil/util.cc +++ b/nix/libutil/util.cc @@ -23,6 +23,10 @@ #include #endif +#ifdef HAVE_LINUX_CLOSE_RANGE_H +# include +#endif + extern char * * environ; 
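Review bot: In the util.cc include hunk, the new `#ifdef HAVE_LINUX_CLOSE_RANGE_H` block is independent of the `HAVE_CLOSE_RANGE` result produced by `AC_CHECK_FUNCS([... close_range])` in config-daemon.ac, and nothing in this patch uses the `CLOSE_RANGE_*` flag constants that header declares (the call in the next hunk passes `0` as flags), so the header check and the include are dead weight unless a later patch needs the flags; either drop them or add a one-line comment saying which flags they are reserved for. Also worth a sentence in the commit message: `AC_CHECK_FUNCS([close_range])` only succeeds where the C library ships the wrapper (glibc 2.34 and later), so older hosts silently keep the `sysconf` loop, which is the intended fallback.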
@@ -1087,12 +1091,19 @@ string runProgram(Path program, bool searchPath, const Strings & args) void closeMostFDs(const set & exceptions) { - int maxFD = 0; - maxFD = sysconf(_SC_OPEN_MAX); - for (int fd = 0; fd < maxFD; ++fd) - if (fd != STDIN_FILENO && fd != STDOUT_FILENO && fd != STDERR_FILENO - && exceptions.find(fd) == exceptions.end()) - close(fd); /* ignore result */ +#ifdef HAVE_CLOSE_RANGE + if (exceptions.empty()) + close_range(3, ~0U, 0); + else +#endif + { + int maxFD = 0; + maxFD = sysconf(_SC_OPEN_MAX); + for (int fd = 0; fd < maxFD; ++fd) + if (fd != STDIN_FILENO && fd != STDOUT_FILENO && fd != STDERR_FILENO + && exceptions.find(fd) == exceptions.end()) + close(fd); /* ignore result */ + } } From patchwork Fri Feb 21 13:05:50 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 38903 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 531D427BBEA; Fri, 21 Feb 2025 13:08:19 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 01D9D27BBE2 for ; Fri, 21 Feb 2025 13:08:19 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tlSlD-00056E-53; Fri, 21 Feb 2025 08:08:07 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 
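Review bot: In the `closeMostFDs` hunk of patch 01/11, the return value of `close_range(3, ~0U, 0)` is discarded, so if the call fails (ENOSYS on a kernel older than 5.9 when the libc the daemon was built against provides the wrapper, or EINVAL) no descriptor is closed at all and the builder inherits every open fd of the daemon, which is precisely the leak this function exists to prevent; the old loop could at worst miss a single fd. Suggest falling back to the loop on failure, e.g. `if (exceptions.empty() && close_range(3, ~0U, 0) == 0) return;` followed by the unconditional loop. That shape also removes the `else` that currently straddles `#endif`, a construct that compiles but is easy to break the next time the block is edited.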
Subject: [bug#75810] [PATCH v3 02/11] daemon: Bind-mount all the inputs, not just directories.
From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Fri, 21 Feb 2025 14:05:50 +0100 Message-ID: <9819a4edaacbd5ed8d56094d6bb602f90f535be6.1740142328.git.ludo@gnu.org> X-Mailer: git-send-email 2.48.1 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * nix/libstore/build.cc (DerivationGoal::startBuilder): Add all of ‘inputPaths’ to ‘dirsInChroot’ instead of hard-linking regular files. Reported-by: Reepca Russelstein Change-Id: I070987f92d73f187f7826a975bee9ee309d67f56 --- nix/libstore/build.cc | 27 ++------------------------- 1 file changed, 2 insertions(+), 25 deletions(-) diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc index edd01bab34d..f4cd2131c84 100644 --- a/nix/libstore/build.cc +++ b/nix/libstore/build.cc @@ -1850,9 +1850,7 @@ void DerivationGoal::startBuilder() /* Make the closure of the inputs available in the chroot, rather than the whole store. This prevents any access - to undeclared dependencies. Directories are bind-mounted, - while other inputs are hard-linked (since only directories - can be bind-mounted). !!! As an extra security + to undeclared dependencies. !!! As an extra security precaution, make the fake store only writable by the build user. */ Path chrootStoreDir = chrootRootDir + settings.nixStore; 
@@ -1863,28 +1861,7 @@ void DerivationGoal::startBuilder() throw SysError(format("cannot change ownership of ‘%1%’") % chrootStoreDir); foreach (PathSet::iterator, i, inputPaths) { - struct stat st; - if (lstat(i->c_str(), &st)) - throw SysError(format("getting attributes of path `%1%'") % *i); - if (S_ISDIR(st.st_mode)) - dirsInChroot[*i] = *i; - else { - Path p = chrootRootDir + *i; - if (link(i->c_str(), p.c_str()) == -1) { - /* Hard-linking fails if we exceed the maximum - link count on a file (e.g. 32000 of ext3), - which is quite possible after a `nix-store - --optimise'. */ - if (errno != EMLINK) - throw SysError(format("linking `%1%' to `%2%'") % p % *i); - StringSink sink; - dumpPath(*i, sink); - StringSource source(sink.s); - restorePath(p, source); - } - - regularInputPaths.insert(*i); - } + dirsInChroot[*i] = *i; } /* If we're repairing, checking or rebuilding part of a From patchwork Fri Feb 21 13:05:51 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 38904 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 9847A27BBEA; Fri, 21 Feb 2025 13:08:40 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 51BF427BBE2 for ; Fri, 21 Feb 2025 13:08:40 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tlSlI-00058c-UV; Fri, 21 Feb 
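Review bot: The `startBuilder` hunk of patch 02/11 removes the only code that populated `regularInputPaths` but not the set itself; if it is still consulted elsewhere in build.cc (it existed to tell hard-linked files from bind mounts), that code is now dead and should be removed in the same change, otherwise a reader will assume regular-file inputs still get special treatment. Two behavioural consequences deserve a sentence in the commit message: an input path that does not exist now fails at `mount()` time in `runChild` instead of with the explicit "getting attributes of path" error the removed `lstat` produced, and a bind-mounted regular file, unlike the former hard link or `restorePath` copy, is the store file's own inode, so until the read-only remount of patch 03/11 is in place it is only as protected as the file's mode bits make it.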
Subject: [bug#75810] [PATCH v3 03/11] daemon: Remount inputs as read-only.
From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Fri, 21 Feb 2025 14:05:51 +0100 Message-ID: X-Mailer: git-send-email 2.48.1 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * nix/libstore/build.cc (DerivationGoal::runChild): Remount ‘target’ as read-only. Reported-by: Reepca Russelstein Change-Id: Ib7201bcf4363be566f205d23d17fe2f55d3ad666 --- nix/libstore/build.cc | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc index f4cd2131c84..6244c99e751 100644 --- a/nix/libstore/build.cc +++ b/nix/libstore/build.cc 
@@ -2094,8 +2094,15 @@ void DerivationGoal::runChild() createDirs(dirOf(target)); writeFile(target, ""); } + + /* Extra flags passed with MS_BIND are ignored, hence the + extra MS_REMOUNT. */ if (mount(source.c_str(), target.c_str(), "", MS_BIND, 0) == -1) throw SysError(format("bind mount from `%1%' to `%2%' failed") % source % target); + if (source.compare(0, settings.nixStore.length(), settings.nixStore) == 0) { + if (mount(source.c_str(), target.c_str(), "", MS_BIND | MS_REMOUNT | MS_RDONLY, 0) == -1) + throw SysError(format("read-only remount of `%1%' failed") % target); + } } /* Bind a new instance of procfs on /proc to reflect our From patchwork Fri Feb 21 13:05:52 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 38905 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 4CA2827BBEA; Fri, 21 Feb 2025 13:08:43 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 05E4927BBE2 for ; Fri, 21 Feb 2025 13:08:43 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tlSlE-000578-Ov; Fri, 21 Feb 2025 08:08:08 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tlSlC-000568-CZ for guix-patches@gnu.org; Fri, 21 Feb 2025 08:08:06 -0500 
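Review bot: In the `runChild` hunk of patch 03/11, `source.compare(0, settings.nixStore.length(), settings.nixStore) == 0` is a string-prefix test, not a path-component test, so it also accepts any path that merely begins with the store string (for `/gnu/store` that includes a sibling such as `/gnu/store-foo`); compare for equality or for the prefix `settings.nixStore + "/"` instead. A second point on the remount itself: `MS_BIND | MS_REMOUNT | MS_RDONLY` drops whatever `MS_NOSUID`/`MS_NODEV`/`MS_NOEXEC`/atime flags the source mount already carries, and inside an unprivileged user namespace (which patch 05/11 introduces) the kernel treats those inherited flags as locked and rejects the remount with EPERM; reading the current flags with `statvfs()` and carrying `ST_NOSUID`, `ST_NODEV`, `ST_NOEXEC` and the atime bits into the remount avoids that failure. The new comment correctly notes that extra flags are ignored together with `MS_BIND`, which is why the second `mount()` call is needed at all.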
Subject: [bug#75810] [PATCH v3 04/11] daemon: Remount root directory as read-only.
From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Fri, 21 Feb 2025 14:05:52 +0100 Message-ID: <6272a7109a276d4ffa5cdd8b218b3233aaade5f5.1740142328.git.ludo@gnu.org> X-Mailer: git-send-email 2.48.1 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * nix/libstore/build.cc (DerivationGoal::runChild): Bind-mount the store and /tmp under ‘chrootRootDir’ to themselves as read-write. Remount / as read-only. Change-Id: I79565094c8ec8448401897c720aad75304fd1948 --- nix/libstore/build.cc | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc index 6244c99e751..c87f4f767c5 100644 --- a/nix/libstore/build.cc +++ b/nix/libstore/build.cc @@ -2078,6 +2078,18 @@ void DerivationGoal::runChild() for (auto & i : ss) dirsInChroot[i] = i; + /* Make new mounts for the store and for /tmp. That way, when + 'chrootRootDir' is made read-only below, these two mounts will + remain writable (the store needs to be writable so derivation + outputs can be written to it, and /tmp is writable by + convention). */ + auto chrootStoreDir = chrootRootDir + settings.nixStore; + if (mount(chrootStoreDir.c_str(), chrootStoreDir.c_str(), 0, MS_BIND, 0) == -1) + throw SysError(format("read-write mount of store '%1%' failed") % chrootStoreDir); + auto chrootTmpDir = chrootRootDir + "/tmp"; + if (mount(chrootTmpDir.c_str(), chrootTmpDir.c_str(), 0, MS_BIND, 0) == -1) + throw SysError(format("read-write mount of temporary directory '%1%' failed") % chrootTmpDir); + /* Bind-mount all the directories from the "host" filesystem that we want in the chroot environment. */ 
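Review bot: In the first `runChild` hunk of patch 04/11, the two new self-bind mounts pass `0` as the filesystem type while the bind mount a few lines below passes `""`; both are accepted with `MS_BIND`, but pick one for consistency. More substantively, the comment explains why the store mount must stay writable, but not that the per-input read-only remounts from patch 03/11 are performed on targets under this same `chrootStoreDir` mount; the ordering (self-mount first, then the `dirsInChroot` loop) is what makes individual inputs read-only while the store directory stays writable for outputs, and that dependency should be stated in the comment so a later reorder does not silently make inputs writable again. The `'%1%'` quoting in the two new error messages also differs from the `‘%1%’` style used elsewhere in this file.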
@@ -2151,6 +2163,10 @@ void DerivationGoal::runChild() if (rmdir("real-root") == -1) throw SysError("cannot remove real-root directory"); + + /* Remount root as read-only. */ + if (mount("/", "/", 0, MS_BIND | MS_REMOUNT | MS_RDONLY, 0) == -1) + throw SysError(format("read-only remount of build root '%1%' failed") % chrootRootDir); } #endif From patchwork Fri Feb 21 13:05:53 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 38909 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id BF73F27BBEA; Fri, 21 Feb 2025 13:10:39 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id CA79E27BBE2 for ; Fri, 21 Feb 2025 13:10:38 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tlSnY-00068M-2D; Fri, 21 Feb 2025 08:10:32 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tlSnK-00060u-T4 for guix-patches@gnu.org; Fri, 21 Feb 2025 08:10:19 -0500 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1tlSnK-00059b-G9; Fri, 21 Feb 2025 08:10:18 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; 
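Review bot: The read-only remount of `/` in the second `runChild` hunk of patch 04/11 passes `MS_BIND | MS_REMOUNT | MS_RDONLY` with no other flags, which carries the same caveat as the per-input remount in patch 03/11: `MS_NOSUID`/`MS_NODEV`/`MS_NOEXEC`/atime flags present on the mount being remounted are dropped, and in an unprivileged user namespace that is refused with EPERM, so the current flags should be read with `statvfs("/")` and re-applied alongside `MS_RDONLY`. Also, since this runs after `rmdir("real-root")`, i.e. after the pivot, the error message names `chrootRootDir` for a path that is now simply `/`; that is fine for a daemon-side log, but the message should say it is the chroot root so the host path is not mistaken for a host mount that failed.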
Subject: [bug#75810] [PATCH v3 05/11] daemon: Allow running as non-root with unprivileged user namespaces.
Cc: Ludovic Courtès, Christopher Baines, Josselin Poiret, Mathieu Othacehe, Simon Tournier, Tobias Geerinckx-Rice
From: Ludovic Courtès
Date: Fri, 21 Feb 2025 14:05:53 +0100
Message-ID: <1f4adc1c09dde70b193e1571b250e6152f0b4ca2.1740142328.git.ludo@gnu.org>
From: Ludovic Courtès * nix/libstore/build.cc (guestUID, guestGID): New variables. (DerivationGoal)[readiness]: New field. (initializeUserNamespace): New function. (DerivationGoal::runChild): When ‘readiness.readSide’ is positive, read from it. (DerivationGoal::startBuilder): Call ‘chown’ only when ‘buildUser.enabled()’ is true. Pass CLONE_NEWUSER to ‘clone’ when ‘buildUser.enabled()’ is false or not running as root. Retry ‘clone’ without CLONE_NEWUSER upon EPERM. (DerivationGoal::registerOutputs): Make ‘actualPath’ writable before ‘rename’. (DerivationGoal::deleteTmpDir): Catch ‘SysError’ around ‘_chown’ call. * nix/libstore/local-store.cc (LocalStore::createUser): Do nothing if ‘dirs’ already exists. Warn instead of failing when failing to chown ‘dir’. * guix/substitutes.scm (%narinfo-cache-directory): Check for ‘_NIX_OPTIONS’ rather than getuid() == 0 to determine the cache location. Change-Id: I38fbe01f80fb45a99cd8a391e55a39a54d64fcb7 --- guix/substitutes.scm | 4 +- nix/libstore/build.cc | 149 ++++++++++++++++++++++++++++-------- nix/libstore/local-store.cc | 22 ++++-- 3 files changed, 135 insertions(+), 40 deletions(-) diff --git a/guix/substitutes.scm b/guix/substitutes.scm index e31b3940203..2761a3dafb4 100644 --- a/guix/substitutes.scm +++ b/guix/substitutes.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2013-2021, 2023-2024 Ludovic Courtès +;;; Copyright © 2013-2021, 2023-2025 Ludovic Courtès ;;; Copyright © 2014 Nikita Karetnikov ;;; Copyright © 2018 Kyle Meyer ;;; Copyright © 2020 Christopher Baines 
@@ -76,7 +76,7 @@ (define %narinfo-cache-directory ;; time, 'guix substitute' is called by guix-daemon as root and stores its ;; cached data in /var/guix/…. However, when invoked from 'guix challenge' ;; as a user, it stores its cache in ~/.cache. - (if (zero? (getuid)) + (if (getenv "_NIX_OPTIONS") ;invoked by guix-daemon (or (and=> (getenv "XDG_CACHE_HOME") (cut string-append <> "/guix/substitute")) (string-append %state-directory "/substitute/cache")) diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc index c87f4f767c5..107ffcfea06 100644 --- a/nix/libstore/build.cc +++ b/nix/libstore/build.cc @@ -747,6 +747,10 @@ private: friend int childEntry(void *); + /* Pipe to notify readiness to the child process when using unprivileged + user namespaces. */ + Pipe readiness; + /* Check that the derivation outputs all exist and register them as valid. */ void registerOutputs(); @@ -1622,6 +1626,25 @@ int childEntry(void * arg) } +/* UID and GID of the build user inside its own user namespace. */ +static const uid_t guestUID = 30001; +static const gid_t guestGID = 30000; + +/* Initialize the user namespace of CHILD. */ +static void initializeUserNamespace(pid_t child) +{ + auto hostUID = getuid(); + auto hostGID = getgid(); + + writeFile("/proc/" + std::to_string(child) + "/uid_map", + (format("%d %d 1") % guestUID % hostUID).str()); + + writeFile("/proc/" + std::to_string(child) + "/setgroups", "deny"); + + writeFile("/proc/" + std::to_string(child) + "/gid_map", + (format("%d %d 1") % guestGID % hostGID).str()); +} + void DerivationGoal::startBuilder() { auto f = format( 
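Review bot: in the guix/substitutes.scm hunk, `(getenv "_NIX_OPTIONS")` is a weaker signal than `(zero? (getuid))`: any process that happens to have that variable in its environment, including a user running `guix challenge` from a shell that inherited it, now writes the narinfo cache under `%state-directory "/substitute/cache"` instead of `~/.cache`, and fails if that directory is not writable for them. The comment two lines above the change still says the daemon calls `guix substitute` "as root"; reword it to say that the daemon is recognised by `_NIX_OPTIONS` being set, and consider falling back to the XDG location when the state directory is not writable.

Review bot: in `initializeUserNamespace`, `hostUID` and `hostGID` are the daemon's own `getuid()`/`getgid()`, so when the daemon runs as root with `buildUser` disabled (the `!buildUser.enabled()` case of the `clone` hunk further down) guest UID 30001 maps to host UID 0 and the builder still creates files as root on the host; the commit message should say that this configuration gains a namespace boundary but no UID drop. Writing `setgroups` = "deny" before `gid_map` is the required order for an unprivileged mapping, so that part is right. Smaller point: `guestGID` is 30000 while `guestUID` is 30001; if the asymmetry is intentional (e.g. to match the build group's ID), a comment next to the constants would prevent someone "fixing" it later.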
@@ -1685,7 +1708,7 @@ void DerivationGoal::startBuilder() then an attacker could create in it a hardlink to a root-owned file such as /etc/shadow. If 'keepFailed' is true, the daemon would then chown that hardlink to the user, giving them write access to - that file. */ + that file. See CVE-2021-27851. */ tmpDir += "/top"; if (mkdir(tmpDir.c_str(), 0700) == 1) throw SysError("creating top-level build directory"); @@ -1802,7 +1825,7 @@ void DerivationGoal::startBuilder() if (mkdir(chrootRootDir.c_str(), 0750) == -1) throw SysError(format("cannot create ‘%1%’") % chrootRootDir); - if (chown(chrootRootDir.c_str(), 0, buildUser.getGID()) == -1) + if (buildUser.enabled() && chown(chrootRootDir.c_str(), 0, buildUser.getGID()) == -1) throw SysError(format("cannot change ownership of ‘%1%’") % chrootRootDir); /* Create a writable /tmp in the chroot. Many builders need @@ -1821,8 +1844,8 @@ void DerivationGoal::startBuilder() (format( "nixbld:x:%1%:%2%:Nix build user:/:/noshell\n" "nobody:x:65534:65534:Nobody:/:/noshell\n") - % (buildUser.enabled() ? buildUser.getUID() : getuid()) - % (buildUser.enabled() ? buildUser.getGID() : getgid())).str()); + % (buildUser.enabled() ? buildUser.getUID() : guestUID) + % (buildUser.enabled() ? buildUser.getGID() : guestGID)).str()); /* Declare the build user's group so that programs get a consistent view of the system (e.g., "id -gn"). */ @@ -1857,7 +1880,7 @@ void DerivationGoal::startBuilder() createDirs(chrootStoreDir); chmod_(chrootStoreDir, 01775); - if (chown(chrootStoreDir.c_str(), 0, buildUser.getGID()) == -1) + if (buildUser.enabled() && chown(chrootStoreDir.c_str(), 0, buildUser.getGID()) == -1) throw SysError(format("cannot change ownership of ‘%1%’") % chrootStoreDir); foreach (PathSet::iterator, i, inputPaths) { 
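Review bot: the context line `if (mkdir(tmpDir.c_str(), 0700) == 1)` in the first hunk compares against 1 instead of -1, so a failure to create the top-level build directory is never reported; it is not introduced by this patch, but since the series touches the comment directly above it, fix it to `== -1` here (unless the `1` is an artifact of how this page was extracted). In the passwd hunk `guestUID`/`guestGID` are now used when `buildUser` is disabled; the group entry written right after it ("Declare the build user's group", not visible in this hunk) must use `guestGID` too, otherwise `id -gn` inside the build no longer resolves and the "consistent view of the system" the comment promises is lost. The two `buildUser.enabled() && chown(...)` guards are fine as written; note for the commit message that with `buildUser` disabled `chrootRootDir` and `chrootStoreDir` stay owned by the daemon's own UID, which is exactly what the single-entry `uid_map` relies on.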
@@ -1948,14 +1971,34 @@ void DerivationGoal::startBuilder() if (useChroot) { char stack[32 * 1024]; int flags = CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWIPC | CLONE_NEWUTS | SIGCHLD; - if (!fixedOutput) flags |= CLONE_NEWNET; + if (!fixedOutput) { + flags |= CLONE_NEWNET; + } + if (!buildUser.enabled() || getuid() != 0) { + flags |= CLONE_NEWUSER; + readiness.create(); + } + /* Ensure proper alignment on the stack. On aarch64, it has to be 16 bytes. */ - pid = clone(childEntry, + pid = clone(childEntry, (char *)(((uintptr_t)stack + sizeof(stack) - 8) & ~(uintptr_t)0xf), flags, this); - if (pid == -1) - throw SysError("cloning builder process"); + if (pid == -1) { + if ((flags & CLONE_NEWUSER) != 0 && getuid() != 0) + /* 'clone' fails with EPERM on distros where unprivileged user + namespaces are disabled. Error out instead of giving up on + isolation. */ + throw SysError("cannot create process in unprivileged user namespace"); + else + throw SysError("cloning builder process"); + } + + if ((flags & CLONE_NEWUSER) != 0) { + /* Initialize the UID/GID mapping of the child process. */ + initializeUserNamespace(pid); + writeFull(readiness.writeSide, (unsigned char*)"go\n", 3); + } } else #endif { 
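Review bot: the commit message says "Retry ‘clone’ without CLONE_NEWUSER upon EPERM", but this hunk does no retry: on any `clone` failure with `CLONE_NEWUSER` set and `getuid() != 0` it throws "cannot create process in unprivileged user namespace", and the in-code comment ("Error out instead of giving up on isolation") describes that behaviour. Either the message or the code is stale; if erroring out is the intended policy, update the commit message, and test `errno == EPERM` before selecting the user-namespace message so that ENOMEM or EINVAL are not blamed on a disabled sysctl (`SysError` appends the errno text, but the leading sentence is what users will search for). Also, after `clone` returns the parent still holds `readiness.readSide`; close it right after the `writeFull` so the child is the only reader.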
@@ -2001,23 +2044,34 @@ void DerivationGoal::runChild() _writeToStderr = 0; + if (readiness.readSide > 0) { + /* Wait for the parent process to initialize the UID/GID mapping + of our user namespace. */ + char str[20] = { '\0' }; + readFull(readiness.readSide, (unsigned char*)str, 3); + if (strcmp(str, "go\n") != 0) + throw Error("failed to initialize process in unprivileged user namespace"); + } + restoreAffinity(); commonChildInit(builderOut); #if CHROOT_ENABLED if (useChroot) { - /* Initialise the loopback interface. */ - AutoCloseFD fd(socket(PF_INET, SOCK_DGRAM, IPPROTO_IP)); - if (fd == -1) throw SysError("cannot open IP socket"); + if (!fixedOutput) { + /* Initialise the loopback interface. */ + AutoCloseFD fd(socket(PF_INET, SOCK_DGRAM, IPPROTO_IP)); + if (fd == -1) throw SysError("cannot open IP socket"); - struct ifreq ifr; - strcpy(ifr.ifr_name, "lo"); - ifr.ifr_flags = IFF_UP | IFF_LOOPBACK | IFF_RUNNING; - if (ioctl(fd, SIOCSIFFLAGS, &ifr) == -1) - throw SysError("cannot set loopback interface flags"); + struct ifreq ifr; + strcpy(ifr.ifr_name, "lo"); + ifr.ifr_flags = IFF_UP | IFF_LOOPBACK | IFF_RUNNING; + if (ioctl(fd, SIOCSIFFLAGS, &ifr) == -1) + throw SysError("cannot set loopback interface flags"); - fd.close(); + fd.close(); + } /* Set the hostname etc. to fixed values. */ char hostname[] = "localhost"; 
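Review bot: the child inherits both ends of `readiness`, so if the parent dies between `clone` and `writeFull(readiness.writeSide, ...)`, `readFull` here never sees EOF (the child itself still holds the write end) and the builder blocks forever; close `readiness.writeSide` in the child before the `readFull`, and close `readSide` once "go\n" has been read. Use `readiness.readSide != -1` rather than `> 0` as the "pipe was created" test: descriptor 0 is a valid fd and an unopened `AutoCloseFD` holds -1. The `!fixedOutput` guard around the loopback setup mirrors the `CLONE_NEWNET` condition in `startBuilder`, which is the right pairing: without a fresh network namespace, `SIOCSIFFLAGS` on the host's `lo` needs `CAP_NET_ADMIN`, which an unprivileged daemon does not have, so fixed-output builds would otherwise fail at this point.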
@@ -2463,8 +2517,16 @@ void DerivationGoal::registerOutputs() if (buildMode == bmRepair) replaceValidPath(path, actualPath); else - if (buildMode != bmCheck && rename(actualPath.c_str(), path.c_str()) == -1) - throw SysError(format("moving build output `%1%' from the chroot to the store") % path); + if (buildMode != bmCheck) { + if (S_ISDIR(st.st_mode)) + /* Change mode on the directory to allow for + rename(2). */ + chmod(actualPath.c_str(), st.st_mode | 0700); + if (rename(actualPath.c_str(), path.c_str()) == -1) + throw SysError(format("moving build output `%1%' from the chroot to the store") % path); + if (S_ISDIR(st.st_mode) && chmod(path.c_str(), st.st_mode) == -1) + throw SysError(format("restoring permissions on directory `%1%'") % actualPath); + } } if (buildMode != bmCheck) actualPath = path; } 
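Review bot: the first `chmod(actualPath.c_str(), st.st_mode | 0700)` ignores its return value while the restoring `chmod` is checked; check both, otherwise the `rename` failure that follows is reported without its real cause. The error message in the restore branch, "restoring permissions on directory `%1%'", is formatted with `actualPath`, but the call operates on `path` (the store path after `rename`); print `path`. `st.st_mode` still carries the `S_IFDIR` type bits; pass `st.st_mode & 07777` to both `chmod` calls to make the intent explicit. A one-line comment on why write permission is needed at all would help: renaming a directory into a different parent updates its `..` entry, which without `CAP_FOWNER`/`CAP_DAC_OVERRIDE` (the unprivileged-daemon case this series introduces) requires write access to the directory being moved, and outputs were made read-only just before this point.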
@@ -2723,17 +2785,42 @@ void DerivationGoal::deleteTmpDir(bool force) // Change the ownership if clientUid is set. Never change the // ownership or the group to "root" for security reasons. if (settings.clientUid != (uid_t) -1 && settings.clientUid != 0) { - _chown(tmpDir, settings.clientUid, - settings.clientGid != 0 ? settings.clientGid : -1); - - if (top != tmpDir) { - // Rename tmpDir to its parent, with an intermediate step. - string pivot = top + ".pivot"; - if (rename(top.c_str(), pivot.c_str()) == -1) - throw SysError("pivoting failed build tree"); - if (rename((pivot + "/top").c_str(), top.c_str()) == -1) - throw SysError("renaming failed build tree"); - rmdir(pivot.c_str()); + uid_t uid = settings.clientUid; + gid_t gid = settings.clientGid != 0 ? settings.clientGid : -1; + try { + _chown(tmpDir, uid, gid); + + if (getuid() != 0) { + /* If, without being root, the '_chown' call above + succeeded, then it means we have CAP_CHOWN. Retake + ownership of tmpDir itself so it can be renamed + below. */ + chown(tmpDir.c_str(), getuid(), getgid()); + } + + if (top != tmpDir) { + /* Rename 'tmpDir' to its parent with an intermediate + step. Skip that if the '_chown' call above fails + since in that case the setuid bits are not + removed. */ + string pivot = top + ".pivot"; + if (rename(top.c_str(), pivot.c_str()) == -1) + throw SysError("pivoting failed build tree"); + if (rename((pivot + "/top").c_str(), top.c_str()) == -1) + throw SysError("renaming failed build tree"); + + if (getuid() != 0) + /* Running unprivileged but with CAP_CHOWN. */ + chown(top.c_str(), uid, gid); + + rmdir(pivot.c_str()); + } + } catch (SysError & e) { + /* When running as an unprivileged user and without + CAP_CHOWN, we cannot chown the build tree. Print a + message and keep going. */ + printMsg(lvlInfo, format("cannot change ownership of build directory '%1%': %2%") + % tmpDir % strerror(e.errNo)); } } } 
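Review bot: the `try` block now also wraps the two `rename` calls, so a failed pivot or rename is caught and logged as "cannot change ownership of build directory", which is the wrong message, and the failed build tree is silently left at `top/top` instead of `top`. Narrow the `try` to `_chown(tmpDir, uid, gid)` and let `rename` failures stay fatal as before, or give them their own message. The `chown(tmpDir.c_str(), getuid(), getgid())` and `chown(top.c_str(), uid, gid)` calls ignore their return values; check them, since a silent failure of the second hands the client user a tree they cannot delete. Finally, the first comment says a successful `_chown` while `getuid() != 0` "means we have CAP_CHOWN"; that holds only when `settings.clientUid` differs from the daemon's own UID, which is the normal multi-user case but worth stating, because in the single-user case the chown is a no-op and the "retake ownership" step is redundant.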
diff --git a/nix/libstore/local-store.cc b/nix/libstore/local-store.cc index 0883a4bbcee..4308264a4f3 100644 --- a/nix/libstore/local-store.cc +++ b/nix/libstore/local-store.cc @@ -306,14 +306,14 @@ void LocalStore::openDB(bool create) void LocalStore::makeStoreWritable() { #if HAVE_UNSHARE && HAVE_STATVFS && HAVE_SYS_MOUNT_H && defined(MS_BIND) && defined(MS_REMOUNT) - if (getuid() != 0) return; /* Check if /nix/store is on a read-only mount. */ struct statvfs stat; if (statvfs(settings.nixStore.c_str(), &stat) != 0) throw SysError("getting info about the store mount point"); if (stat.f_flag & ST_RDONLY) { - if (unshare(CLONE_NEWNS) == -1) + int flags = CLONE_NEWNS | (getpid() == 0 ? 0 : CLONE_NEWUSER); + if (unshare(flags) == -1) throw SysError("setting up a private mount namespace"); if (mount(0, settings.nixStore.c_str(), "none", MS_REMOUNT | MS_BIND, 0) == -1) 
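Review bot: `getpid() == 0 ? 0 : CLONE_NEWUSER` tests the process ID, which is never 0, so `CLONE_NEWUSER` is always requested; this must be `getuid() == 0`. As written, a root daemon whose store sits on a read-only mount unshares into a new user namespace and thereby loses its capabilities over inodes of the initial namespace, so the later `chown(..., 0, buildUser.getGID())` calls in build.cc fail with EPERM. Even with the typo fixed, the unprivileged case needs a second look: the kernel locks the read-only flag of a mount that is inherited into a less privileged mount namespace, so the `MS_REMOUNT | MS_BIND` below is refused with EPERM there (this is the same guarantee the "inputs cannot be remounted read-write" test in patch 06 relies on), which means dropping the `if (getuid() != 0) return;` line only turns a silent no-op into a hard failure. Either restore the early return or document the expected failure mode. This `makeStoreWritable` change is also absent from the commit message's ChangeLog entry for local-store.cc.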
@@ -1614,11 +1614,19 @@ void LocalStore::createUser(const std::string & userName, uid_t userId) { auto dir = settings.nixStateDir + "/profiles/per-user/" + userName; - createDirs(dir); - if (chmod(dir.c_str(), 0755) == -1) - throw SysError(format("changing permissions of directory '%s'") % dir); - if (chown(dir.c_str(), userId, -1) == -1) - throw SysError(format("changing owner of directory '%s'") % dir); + auto created = createDirs(dir); + if (!created.empty()) { + if (chmod(dir.c_str(), 0755) == -1) + throw SysError(format("changing permissions of directory '%s'") % dir); + + /* The following operation requires CAP_CHOWN or can be handled + manually by a user with CAP_CHOWN. */ + if (chown(dir.c_str(), userId, -1) == -1) { + rmdir(dir.c_str()); + string message = strerror(errno); + printMsg(lvlInfo, format("failed to change owner of directory '%1%' to %2%: %3%") % dir % userId % message); + } + } } From patchwork Fri Feb 21 13:05:54 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 38907 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 23F8727BBEA; Fri, 21 Feb 2025 13:09:20 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 2725027BBE2 for ; Fri, 21 Feb 2025 13:09:19 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 
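Review bot: `rmdir(dir.c_str())` runs before `strerror(errno)`, so the logged reason is rmdir's errno (or whatever it left behind), not chown's; save `errno` first or build the message before removing the directory. Removing the directory on chown failure also changes what callers observe: `dir` does not exist after `createUser` returns, and because the new `created.empty()` guard only acts when `createDirs` actually made something, every subsequent call repeats the create/chmod/chown/remove cycle; log at `lvlError` rather than `lvlInfo` and say what the administrator or user is expected to do. The comment "requires CAP_CHOWN or can be handled manually by a user with CAP_CHOWN" reads as a mistranscription, presumably "or the directory can be created manually by the user". Since this code now depends on `createDirs` returning an empty `Paths` when nothing was created, that contract should be stated at its declaration.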
1tlSmA-0005Ny-SE; Fri, 21 Feb 2025 08:09:06 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tlSm8-0005NR-W6 for guix-patches@gnu.org; Fri, 21 Feb 2025 08:09:06 -0500 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1tlSm8-0004r8-Jw for guix-patches@gnu.org; Fri, 21 Feb 2025 08:09:04 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; bh=x4qLkh9hJTZ4TkZolyQcxkgbw8cbkZm5cnTUmctXty8=; b=KfLSAc7FtenCCx5DBHAkr6OauhzC5fQRXeBJBh4fL5Cr97RdASnvyjJfgfZ8vBA0CsH8+NMNCKyKWueF19kJX9Pe2GQ5cWPn/o87F/1r528jRJgN8HQQTMzusf+SjYdsEBCIl/9eXifbuWqRf/O2t+LZsc0WMmiY2HT4rfqCKGGg6breJzYlKZELznIliPYgfzQ7rZuxtpVmVRLB/60fjvtpagX6EwtDHXDWkJqCtI1JXx5CouvAaLLAF0wKxtFDev0D/fDkp0v4AOv4tioC+6/M4GulL4KAVR3oGYTweVW7H5UvefPga5YID+7T2wsKMQ1/UbAstEr5FLdG3gHoFw==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1tlSm8-0005mu-8I for guix-patches@gnu.org; Fri, 21 Feb 2025 08:09:04 -0500 X-Loop: help-debbugs@gnu.org Subject: [bug#75810] [PATCH v3 06/11] tests: Run in a chroot and unprivileged user namespaces. 
Resent-From: Ludovic =?utf-8?q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Fri, 21 Feb 2025 13:09:03 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 75810 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 75810@debbugs.gnu.org Cc: Ludovic =?utf-8?q?Court=C3=A8s?= Received: via spool by 75810-submit@debbugs.gnu.org id=B75810.174014333122118 (code B ref 75810); Fri, 21 Feb 2025 13:09:03 +0000 Received: (at 75810) by debbugs.gnu.org; 21 Feb 2025 13:08:51 +0000 Received: from localhost ([127.0.0.1]:56691 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1tlSlt-0005kT-17 for submit@debbugs.gnu.org; Fri, 21 Feb 2025 08:08:50 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:60044) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1tlSju-0005OH-5o for 75810@debbugs.gnu.org; Fri, 21 Feb 2025 08:07:01 -0500 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tlSjo-0004Z7-PQ; Fri, 21 Feb 2025 08:06:40 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:References:In-Reply-To:Date:Subject:To: From; bh=x4qLkh9hJTZ4TkZolyQcxkgbw8cbkZm5cnTUmctXty8=; b=ktDtittoYnlV9w3J0Qp3 wT+5TAOUna0q4SyqB2cco3M8nNwxjh6mda4Hvn0HHhuecw9xSxnQiW5jBY6BF8X4UCVT+LVzzXnFd cY2wagPXDspLQ5gRnJrEl1J/d9dAUrymx5ywGUlctAOZvFme4+x/nwCL1QAOWAwrFo8Wfhjs3Lt58 ypTJ7FaGOu42hdXhZlD9vPmZ+ZT+0+BsnhNxguByjci86/xOswSsl/lVOijFUGkC4QGFW3kP/0IwD pEI01vjKLjZzkwB1sdwhX7oIGyW9Hi9Mw//4CXeLCqXKgEWSfDSlJ/oPSzAX+4/5mC9k6tlO1G1kn X5+qtEolwvFMeg==; 
From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Fri, 21 Feb 2025 14:05:54 +0100 Message-ID: X-Mailer: git-send-email 2.48.1 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * build-aux/test-env.in: Pass ‘--disable-chroot’ only when unprivileged user namespace support is lacking. * tests/store.scm ("build-things, check mode"): Use ‘gettimeofday’ rather than a shared file as a source of entropy. ("isolated environment", "inputs are read-only") ("inputs cannot be remounted read-write") ("build root cannot be made world-readable") ("/tmp, store, and /dev/{null,full} are writable"): New tests. * tests/processes.scm ("client + lock"): Skip when ‘unprivileged-user-namespace-supported?’ returns true. Change-Id: I3b3c3ebdf6db5fd36ee70251d07b893c17ca1b84 --- build-aux/test-env.in | 14 ++- tests/processes.scm | 9 +- tests/store.scm | 206 +++++++++++++++++++++++++++++++++++------- 3 files changed, 191 insertions(+), 38 deletions(-) diff --git a/build-aux/test-env.in b/build-aux/test-env.in index 9caa29da581..5626152b346 100644 --- a/build-aux/test-env.in +++ b/build-aux/test-env.in @@ -1,7 +1,7 @@ #!/bin/sh # GNU Guix --- Functional package management for GNU -# Copyright © 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2021 Ludovic Courtès +# Copyright © 2012-2019, 2021, 2025 Ludovic Courtès # # This file is part of GNU Guix. # 
@@ -102,10 +102,20 @@ then rm -rf "$GUIX_STATE_DIRECTORY/daemon-socket" mkdir -m 0700 "$GUIX_STATE_DIRECTORY/daemon-socket" + # If unprivileged user namespaces are not supported, pass + # '--disable-chroot'. + if [ ! -f /proc/sys/kernel/unprivileged_userns_clone ] \ + || [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" -eq 1 ]; then + extra_options="" + else + extra_options="--disable-chroot" + fi + # Launch the daemon without chroot support because is may be # unavailable, for instance if we're not running as root. "@abs_top_builddir@/pre-inst-env" \ - "@abs_top_builddir@/guix-daemon" --disable-chroot \ + "@abs_top_builddir@/guix-daemon" \ + $extra_options \ --substitute-urls="$GUIX_BINARY_SUBSTITUTE_URL" & daemon_pid=$! diff --git a/tests/processes.scm b/tests/processes.scm index ba518f2d9e3..a72ba16f587 100644 --- a/tests/processes.scm +++ b/tests/processes.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2018 Ludovic Courtès +;;; Copyright © 2018, 2025 Ludovic Courtès ;;; Copyright © 2019 Mathieu Othacehe ;;; ;;; This file is part of GNU Guix. @@ -25,6 +25,8 @@ (define-module (test-processes) #:use-module (guix gexp) #:use-module ((guix utils) #:select (call-with-temporary-directory)) #:use-module (gnu packages bootstrap) + #:use-module ((gnu build linux-container) + #:select (unprivileged-user-namespace-supported?)) #:use-module (guix tests) #:use-module (srfi srfi-1) #:use-module (srfi srfi-64) @@ -84,6 +86,11 @@ (define-syntax-rule (test-assert* description exp) (and (kill (process-id daemon) 0) (string-suffix? "guix-daemon" (first (process-command daemon))))))) +(when (unprivileged-user-namespace-supported?) + ;; The test below assumes the build process can communicate with the outside + ;; world via the TOKEN1 and TOKEN2 files, which is impossible when + ;; guix-daemon is set up to build in separate namespaces. + (test-skip 1)) (test-assert* "client + lock" (with-store store (call-with-temporary-directory 
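Review bot: `/proc/sys/kernel/unprivileged_userns_clone` is a Debian/Ubuntu-specific sysctl; on kernels that do not have it the script assumes user namespaces are usable, yet they can still be disabled by other means (for example `user.max_user_namespaces=0`, or a seccomp/LSM policy), in which case the daemon is started with chroot enabled and every build dies with the new "cannot create process in unprivileged user namespace" error from patch 01. Probe the capability directly instead, e.g. `unshare -U true`, or call the same `unprivileged-user-namespace-supported?` predicate that tests/processes.scm and tests/store.scm use in this patch, so that the daemon's mode and the `test-skip` decisions cannot disagree. Also update the comment "Launch the daemon without chroot support because is may be unavailable": besides the typo, it is now the exception rather than the rule.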
diff --git a/tests/store.scm b/tests/store.scm index 45948f4f433..4ba0916e3fe 100644 --- a/tests/store.scm +++ b/tests/store.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2012-2021, 2023 Ludovic Courtès +;;; Copyright © 2012-2021, 2023, 2025 Ludovic Courtès ;;; ;;; This file is part of GNU Guix. ;;; @@ -28,8 +28,12 @@ (define-module (test-store) #:use-module (guix base32) #:use-module (guix packages) #:use-module (guix derivations) + #:use-module ((guix modules) + #:select (source-module-closure)) #:use-module (guix serialization) #:use-module (guix build utils) + #:use-module ((gnu build linux-container) + #:select (unprivileged-user-namespace-supported?)) #:use-module (guix gexp) #:use-module (gnu packages) #:use-module (gnu packages bootstrap) 
@@ -391,6 +395,147 @@ (define %shell (equal? (valid-derivers %store o) (list (derivation-file-name d)))))) +(unless (unprivileged-user-namespace-supported?) + (test-skip 1)) +(test-equal "isolated environment" + (string-join (append + '("PID: 1" "UID: 30001") + (delete-duplicates + (sort (list "/dev" "/tmp" "/proc" "/etc" + (match (string-tokenize (%store-prefix) + (char-set-complement + (char-set #\/))) + ((top _ ...) (string-append "/" top)))) + string $out")) + (s (add-to-store %store "bash" #t "sha256" + (search-bootstrap-binary "bash" + (%current-system)))) + (d (derivation %store "the-thing" + s `("-e" ,b) + #:env-vars `(("foo" . ,(random-text))) + #:sources (list b s))) + (o (derivation->output-path d))) + (and (build-derivations %store (list d)) + (call-with-input-file o get-string-all)))) + +(unless (unprivileged-user-namespace-supported?) + (test-skip 1)) +(test-equal "inputs are read-only" + "All good!" + (let* ((input (plain-file (string-append "might-be-tampered-with-" + (number->string + (car (gettimeofday)) + 16)) + "All good!")) + (drv + (run-with-store %store + (gexp->derivation + "attempt-to-remount-input-read-write" + (with-imported-modules (source-module-closure + '((guix build syscalls))) + #~(begin + (use-modules (guix build syscalls)) + + (let ((input #$input)) + (chmod input #o666) + (call-with-output-file input + (lambda (port) + (display "BAD!" port))) + (mkdir #$output)))))))) + (and (guard (c ((store-protocol-error? c) #t)) + (build-derivations %store (list drv))) + (call-with-input-file (run-with-store %store + (lower-object input)) + get-string-all)))) + +(unless (unprivileged-user-namespace-supported?) 
+ (test-skip 1)) +(test-assert "inputs cannot be remounted read-write" + (let ((drv + (run-with-store %store + (gexp->derivation + "attempt-to-remount-input-read-write" + (with-imported-modules (source-module-closure + '((guix build syscalls))) + #~(begin + (use-modules (guix build syscalls)) + + (let ((input #$(plain-file "input-that-might-be-tampered-with" + "All good!"))) + (mount "none" input "none" (logior MS_BIND MS_REMOUNT)) + (call-with-output-file input + (lambda (port) + (display "BAD!" port))) + (mkdir #$output)))))))) + (guard (c ((store-protocol-error? c) #t)) + (build-derivations %store (list drv)) + #f))) + +(unless (unprivileged-user-namespace-supported?) + (test-skip 1)) +(test-assert "build root cannot be made world-readable" + (let ((drv + (run-with-store %store + (gexp->derivation + "attempt-to-make-root-world-readable" + (with-imported-modules (source-module-closure + '((guix build syscalls))) + #~(begin + (use-modules (guix build syscalls)) + + (let ((guile (string-append (assoc-ref %guile-build-info + 'bindir) + "/guile"))) + (catch 'system-error + (lambda () + (chmod "/" #o777)) + (lambda args + (format #t "failed to make root writable: ~a~%" + (strerror (system-error-errno args))) + (format #t "attempting read-write remount~%") + (mount "none" "/" "/" (logior MS_BIND MS_REMOUNT)) + (chmod "/" #o777))) + (copy-file guile "/guile") + (chmod "/guile" #o6755) + ;; At this point, there's a world-readable setuid 'guile' + ;; binary in the store that remains visible until this + ;; build completes. + (list #$output)))))))) + (guard (c ((store-protocol-error? c) #t)) + (build-derivations %store (list drv)) + #f))) + +(unless (unprivileged-user-namespace-supported?) + (test-skip 1)) +(test-assert "/tmp, store, and /dev/{null,full} are writable" + ;; All of /tmp and all of the store must be writable (the store is writable + ;; so that derivation outputs can be written to it, but in practice it's + ;; always been wide open). 
Things like /dev/null must be writable too. + (let ((drv (run-with-store %store + (gexp->derivation + "check-tmp-and-store-are-writable" + #~(begin + (mkdir "/tmp/something") + (mkdir (in-vicinity (getenv "NIX_STORE") + "some-other-thing")) + (call-with-output-file "/dev/null" + (lambda (port) + (display "Welcome to the void." port))) + (catch 'system-error + (lambda () + (call-with-output-file "/dev/full" + (lambda (port) + (display "No space left!" port))) + (error "Should have thrown!")) + (lambda args + (unless (= ENOSPC (system-error-errno args)) + (apply throw args)))) + (mkdir #$output)))))) + (build-derivations %store (list drv)))) + (test-equal "with-build-handler" 'success (let* ((b (add-text-to-store %store "build" "echo $foo > $out" '())) 
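Review bot: in the "build root cannot be made world-readable" test, `(mount "none" "/" "/" (logior MS_BIND MS_REMOUNT))` passes "/" as the file-system type, whereas the "inputs cannot be remounted read-write" test passes "none" in that position; the former looks like a copy-paste slip and should be "none" as well. The test's name and the trailing comment say "world-readable", but what the build attempts is `(chmod "/" #o777)` followed by installing a setuid (`#o6755`) copy of guile, i.e. a world-writable root; rename it to "build root cannot be made world-writable" and fix the comment ("a world-writable setuid 'guile' binary"). The "inputs are read-only" test reuses the derivation name "attempt-to-remount-input-read-write" from the next test although it never calls `mount`; give it its own name (e.g. "attempt-to-write-input") so failures are attributable. Lastly, "isolated environment" asserts "UID: 30001", which hard-codes the `guestUID` constant from build.cc; a comment pointing at that constant will save whoever changes it a puzzling test failure.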
@@ -1333,40 +1478,31 @@ (define %shell (test-assert "build-things, check mode" (with-store store - (call-with-temporary-output-file - (lambda (entropy entropy-port) - (write (random-text) entropy-port) - (force-output entropy-port) - (let* ((drv (build-expression->derivation - store "non-deterministic" - `(begin - (use-modules (rnrs io ports)) - (let ((out (assoc-ref %outputs "out"))) - (call-with-output-file out - (lambda (port) - ;; Rely on the fact that tests do not use the - ;; chroot, and thus ENTROPY is readable. - (display (call-with-input-file ,entropy - get-string-all) - port))) - #t)) - #:guile-for-build - (package-derivation store %bootstrap-guile (%current-system)))) - (file (derivation->output-path drv))) - (and (build-things store (list (derivation-file-name drv))) - (begin - (write (random-text) entropy-port) - (force-output entropy-port) - (guard (c ((store-protocol-error? c) - (pk 'determinism-exception c) - (and (not (zero? (store-protocol-error-status c))) - (string-contains (store-protocol-error-message c) - "deterministic")))) - ;; This one will produce a different result. Since we're in - ;; 'check' mode, this must fail. - (build-things store (list (derivation-file-name drv)) - (build-mode check)) - #f)))))))) + (let* ((drv (build-expression->derivation + store "non-deterministic" + `(begin + (use-modules (rnrs io ports)) + (let ((out (assoc-ref %outputs "out"))) + (call-with-output-file out + (lambda (port) + (let ((now (gettimeofday))) + (display (+ (car now) (cdr now)) port)))) + #t)) + #:guile-for-build + (package-derivation store %bootstrap-guile (%current-system)))) + (file (derivation->output-path drv))) + (and (build-things store (list (derivation-file-name drv))) + (begin + (guard (c ((store-protocol-error? c) + (pk 'determinism-exception c) + (and (not (zero? (store-protocol-error-status c))) + (string-contains (store-protocol-error-message c) + "deterministic")))) + ;; This one will produce a different result. 
Since we're in + ;; 'check' mode, this must fail. + (build-things store (list (derivation-file-name drv)) + (build-mode check)) + #f)))))) (test-assert "build-succeeded trace in check mode" (string-contains From patchwork Fri Feb 21 13:05:55 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 38902 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 24D3E27BBEA; Fri, 21 Feb 2025 13:08:07 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id C6FB027BBE2 for ; Fri, 21 Feb 2025 13:08:06 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tlSlA-000556-2u; Fri, 21 Feb 2025 08:08:04 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tlSl8-00054h-EQ for guix-patches@gnu.org; Fri, 21 Feb 2025 08:08:02 -0500 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1tlSl8-0004fX-47 for guix-patches@gnu.org; Fri, 21 Feb 2025 08:08:02 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; 
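Review bot: `(display (+ (car now) (cdr now)) port)` collapses seconds and microseconds into one sum, so two distinct timestamps can produce the same output (1000 s + 5 µs and 999 s + 1006 µs, for instance); it is unlikely within one test run, but `(write now port)` is just as short and cannot collide. A short comment saying why the shared entropy file had to go (the builder can no longer read files outside the chroot) would also explain the change to the next reader.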
bh=Zsh2zvgPChPdygWDGttbjWAWpTHmsPY3r3V/6RFHAxg=; b=rmratef5yo+kBhdq9xnHCwZLcWw3mWvOyasZy+pAqbqRjfSplK1Udkfunjyc6WpaIAGya3l3+NrfMC/ltb+E0nPcP/ZgWbY7+gMv9jeewbL/a59bQSpe3SWVaTVFWBj9KNLZZ/3T9S5+QXB4xH9JL83yU53flFQ98VUN3t2WMGMp7WKuAR91pHe9Jcv0TsMPv89V3Rk+xOrmcyz6zgPO8FMBvenNe9Py/xt5AfXEKybQ2cAJMkZV5//vFYGONG9MuKydjwWYdPgh+OcdKewZZ05Gc+aOmu0TAmCV2MkDLv7QF1fFAUzBGRSbNcuiXAeL0hoW9rZEXwHGPANxxZMYXw==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1tlSl7-0005cV-Tu for guix-patches@gnu.org; Fri, 21 Feb 2025 08:08:01 -0500 X-Loop: help-debbugs@gnu.org Subject: [bug#75810] [PATCH v3 07/11] daemon: Create /var/guix/profiles/per-user unconditionally. Resent-From: Ludovic =?utf-8?q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Fri, 21 Feb 2025 13:08:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 75810 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 75810@debbugs.gnu.org Cc: Ludovic =?utf-8?q?Court=C3=A8s?= Received: via spool by 75810-submit@debbugs.gnu.org id=B75810.174014326221373 (code B ref 75810); Fri, 21 Feb 2025 13:08:01 +0000 Received: (at 75810) by debbugs.gnu.org; 21 Feb 2025 13:07:42 +0000 Received: from localhost ([127.0.0.1]:56671 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1tlSkl-0005YG-JD for submit@debbugs.gnu.org; Fri, 21 Feb 2025 08:07:41 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:60052) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1tlSjx-0005Ov-DA for 75810@debbugs.gnu.org; Fri, 21 Feb 2025 08:06:54 -0500 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tlSjr-0004ZO-MD; Fri, 21 Feb 2025 08:06:43 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; 
s=fencepost-gnu-org; h=MIME-Version:References:In-Reply-To:Date:Subject:To: From; bh=Zsh2zvgPChPdygWDGttbjWAWpTHmsPY3r3V/6RFHAxg=; b=CQm+Lb8jxciD4Z5quqVJ C5g/T4kY8MF9sUmMO1mZm7OLhFZOLaZZiG6+XdmfwxhUzEA41OXA10F+rPBQtMaXmMnB11J0QBuWx 1cGb2hTK0xivL3sTvuC8pxjw6SrknC4viATybu2ZkLmkkotZYgDtEpwpAVlj6zNv/qJzVvQ3rKKkX aUFrivFux6mCljxfZQZJPgRZhFINqoTmWoVcLJ3PuDuTQgiSCWWKmxZGUL9+J4YnJkDEYyWSSvtYc 2F7nxQtnkB4Fay8H9G+SedxO292WORQl89eAc2yDNagHILPq//YQF4HEPPmT2DgngaBp7dCvyo7FR c16JjungyqlYZg==; From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Fri, 21 Feb 2025 14:05:55 +0100 Message-ID: <42766ef6f8486fd4e25a5f211883934a7bdb5256.1740142328.git.ludo@gnu.org> X-Mailer: git-send-email 2.48.1 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * nix/libstore/local-store.cc (LocalStore::LocalStore): Create ‘perUserDir’ unconditionally. Change-Id: I5188320f9630a81d16f79212d0fffabd55d94abe --- nix/libstore/local-store.cc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/nix/libstore/local-store.cc b/nix/libstore/local-store.cc index 4308264a4f3..63846695194 100644 --- a/nix/libstore/local-store.cc +++ b/nix/libstore/local-store.cc 
@@ -79,12 +79,12 @@ LocalStore::LocalStore(bool reserveSpace) createSymlink(profilesDir, gcRootsDir + "/profiles"); } - /* Optionally, create directories and set permissions for a - multi-user install. */ + Path perUserDir = profilesDir + "/per-user"; + createDirs(perUserDir); + + /* Optionally, set permissions for a multi-user install. */ if (getuid() == 0 && settings.buildUsersGroup != "") { - Path perUserDir = profilesDir + "/per-user"; - createDirs(perUserDir); if (chmod(perUserDir.c_str(), 0755) == -1) throw SysError(format("could not set permissions on '%1%' to 755") % perUserDir); From patchwork Fri Feb 21 13:05:56 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 38906 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id D7CFB27BBEA; Fri, 21 Feb 2025 13:09:10 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 4978C27BBE2 for ; Fri, 21 Feb 2025 13:09:10 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tlSm8-0005NE-GE; Fri, 21 Feb 2025 08:09:06 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tlSm7-0005N6-63 for guix-patches@gnu.org; Fri, 21 Feb 2025 08:09:03 -0500 Received: from debbugs.gnu.org 
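Review bot: `createDirs(perUserDir)` now runs for every daemon, but the `chmod(perUserDir, 0755)` stays inside the `getuid() == 0 && settings.buildUsersGroup != ""` branch, so an unprivileged daemon gets a per-user directory whose mode depends on the umask of whoever started it, while `LocalStore::createUser` (patch 01) then creates `per-user/<name>` beneath it and chmods that to 0755. Apply the 0755 unconditionally as well so the layout does not depend on the caller's umask, and say in the commit message why the directory is now needed for single-user installs.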
Subject: [bug#75810] [PATCH v3 08/11] daemon: Drop Linux ambient capabilities before executing builder.
From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Fri, 21 Feb 2025 14:05:56 +0100 Message-ID: <41e73aaabf721c22bfde3b0369a8e0d1a5694671.1740142328.git.ludo@gnu.org> X-Mailer: git-send-email 2.48.1 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * config-daemon.ac: Check for . * nix/libstore/build.cc (DerivationGoal::runChild): When ‘useChroot’ is true, call ‘prctl’ to drop all ambient capabilities. Change-Id: If34637fc508e5fb6d278167f5df7802fc595284f --- config-daemon.ac | 2 +- nix/libstore/build.cc | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/config-daemon.ac b/config-daemon.ac index 4e949bc88a3..35d9c8cd56b 100644 --- a/config-daemon.ac +++ b/config-daemon.ac @@ -79,7 +79,7 @@ if test "x$guix_build_daemon" = "xyes"; then dnl Chroot support. AC_CHECK_FUNCS([chroot unshare]) AC_CHECK_HEADERS([sched.h sys/param.h sys/mount.h sys/syscall.h \ - linux/close_range.h]) + linux/close_range.h sys/prctl.h]) if test "x$ac_cv_func_chroot" != "xyes"; then AC_MSG_ERROR(['chroot' function missing, bailing out]) diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc index 107ffcfea06..213ed635933 100644 --- a/nix/libstore/build.cc +++ b/nix/libstore/build.cc @@ -50,6 +50,9 @@ #if HAVE_SCHED_H #include #endif +#if HAVE_SYS_PRCTL_H +#include +#endif #define CHROOT_ENABLED HAVE_CHROOT && HAVE_SYS_MOUNT_H && defined(MS_BIND) && defined(MS_PRIVATE) 
@@ -2059,6 +2062,12 @@ void DerivationGoal::runChild() #if CHROOT_ENABLED if (useChroot) { +# if HAVE_SYS_PRCTL_H + /* Drop ambient capabilities such as CAP_CHOWN that might have + been granted when starting guix-daemon. */ + prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0); +# endif + if (!fixedOutput) { /* Initialise the loopback interface. */ AutoCloseFD fd(socket(PF_INET, SOCK_DGRAM, IPPROTO_IP)); From patchwork Fri Feb 21 13:05:57 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 38911 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 8CAFD27BBEA; Fri, 21 Feb 2025 13:10:59 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 8910A27BBE2 for ; Fri, 21 Feb 2025 13:10:58 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tlSnM-00061Q-O6; Fri, 21 Feb 2025 08:10:20 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tlSn7-0005wl-2S for guix-patches@gnu.org; Fri, 21 Feb 2025 08:10:05 -0500 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1tlSn6-000580-FL for guix-patches@gnu.org; Fri, 21 Feb 2025 08:10:04 -0500 
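Review bot: in config-daemon.ac, ‘sys/prctl.h’ is appended to the ‘AC_CHECK_HEADERS’ list under the ‘dnl Chroot support.’ comment, but a header check alone does not establish that ‘PR_CAP_AMBIENT’ and ‘PR_CAP_AMBIENT_CLEAR_ALL’ are defined (older Linux userland headers ship ‘sys/prctl.h’ without them). Consider an ‘AC_CHECK_DECLS’ for those constants, or guarding the call site with ‘defined(PR_CAP_AMBIENT)’, and a one-line comment saying what the header is used for.

Review bot: the return value of ‘prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0)’ in ‘runChild’ is ignored; on a kernel without ambient-capability support the call fails with EINVAL and the builder is spawned with whatever ambient set the daemon was started with, silently defeating the purpose stated in the comment. Treat a failure the way the surrounding code does (‘throw SysError(...)’), or at least log it. Also, the call sits inside ‘if (useChroot)’ under ‘#if CHROOT_ENABLED’, so a daemon started with ambient capabilities but running without chroot support still passes them on to builders; the commit message records that restriction, but since clearing the ambient set does not depend on chroot, consider moving the call outside that block or adding a comment explaining why it is limited to the chroot case.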
Subject: [bug#75810] [PATCH v3 09/11] daemon: Move comments where they belong.
) id 1tlSju-0004Zc-7k; Fri, 21 Feb 2025 08:06:46 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:References:In-Reply-To:Date:Subject:To: From; bh=O9Cnga7box/1rcpw3VHiKXPbujUc92KmLXmRuqngb6k=; b=Udu5iZBOsTuJRHw4R6qH ZDFS4h8FKfsU+cwOvU48gwqFjUYnhfw7Y67b854brijWZ8Ab80CPJyB1Z0jkeXLuX1k0+3ABEVZwc 7po5z8NrKtsJ9XeMy1qid1Ck/QfeJt6jDq6Plx7XaUCNCmYcmUPBqpcV+Z+9G80sRhBa7L/avyKde 0p90m6lUtYcW7UvDCW45kuNIJdaNobxe0EgcKXi3Wdbt9WGQ0Fu9DXrtjUwyYLxcslVXfrfnSmR0X UHBxv7wcerNqL5SavyCZxmcH7BNn1jYxsEjJHaFTx9WDqFDA72xwNOVjj6q1wqdmUm8fnPjXXRwud WlfxrVUapjKQPg==; From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Fri, 21 Feb 2025 14:05:57 +0100 Message-ID: X-Mailer: git-send-email 2.48.1 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * nix/libstore/build.cc (DerivationGoal::startBuilder): Shuffle comments for clarity. Change-Id: I6557c103ade4a3ab046354548ea193c68f8c9c05 --- nix/libstore/build.cc | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc index 213ed635933..c8a0667c7b5 100644 --- a/nix/libstore/build.cc +++ b/nix/libstore/build.cc 
@@ -1874,18 +1874,19 @@ void DerivationGoal::startBuilder() } dirsInChroot[tmpDirInSandbox] = tmpDir; - /* Make the closure of the inputs available in the chroot, - rather than the whole store. This prevents any access - to undeclared dependencies. !!! As an extra security - precaution, make the fake store only writable by the - build user. */ + /* Create the fake store. */ Path chrootStoreDir = chrootRootDir + settings.nixStore; createDirs(chrootStoreDir); chmod_(chrootStoreDir, 01775); if (buildUser.enabled() && chown(chrootStoreDir.c_str(), 0, buildUser.getGID()) == -1) - throw SysError(format("cannot change ownership of ‘%1%’") % chrootStoreDir); + /* As an extra security precaution, make the fake store only + writable by the build user. */ + throw SysError(format("cannot change ownership of ‘%1%’") % chrootStoreDir); + /* Make the closure of the inputs available in the chroot, rather than + the whole store. This prevents any access to undeclared + dependencies. */ foreach (PathSet::iterator, i, inputPaths) { dirsInChroot[*i] = *i; } From patchwork Fri Feb 21 13:05:58 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 38908 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 1A3B527BBEA; Fri, 21 Feb 2025 13:10:26 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id B394327BBE9 for ; Fri, 21 Feb 2025 13:10:25 
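Review bot: the relocated comment ‘/* As an extra security precaution, make the fake store only writable by the build user. */’ now sits between the ‘if (buildUser.enabled() && chown(...) == -1)’ condition and its ‘throw SysError(...)’ body, where it reads as a remark about the error path and makes the ‘if’ look like it has an empty body at first glance. Place it above the ‘if’, next to ‘chmod_(chrootStoreDir, 01775)’, which is the statement it actually explains.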
Subject: [bug#75810] [PATCH v3 10/11] etc: systemd services: Run ‘guix-daemon’ as an unprivileged user.
From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Fri, 21 Feb 2025 14:05:58 +0100 Message-ID: <32992bd69bfc6c3ff386c67ccfc2edeeb9fe7fd4.1740142328.git.ludo@gnu.org> X-Mailer: git-send-email 2.48.1 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * etc/guix-daemon.service.in (ExecStart): Remove ‘--build-users-group’. (Before, User, AmbientCapabilities, PrivateMounts, BindPaths): New fields. * etc/gnu-store.mount.in (Before): Remove. (WantedBy): Change to ‘multi-user.target’. Change-Id: Id826b8ab535844b6024d777f6bd15fd49db6d65e --- etc/gnu-store.mount.in | 3 +-- etc/guix-daemon.service.in | 20 +++++++++++++++++++- 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/etc/gnu-store.mount.in b/etc/gnu-store.mount.in index c94f2db72be..f9918c9e52e 100644 --- a/etc/gnu-store.mount.in +++ b/etc/gnu-store.mount.in @@ -2,10 +2,9 @@ Description=Read-only @storedir@ for GNU Guix DefaultDependencies=no ConditionPathExists=@storedir@ -Before=guix-daemon.service [Install] -WantedBy=guix-daemon.service +WantedBy=multi-user.target [Mount] What=@storedir@ diff --git a/etc/guix-daemon.service.in b/etc/guix-daemon.service.in index 5c43d9b7f1b..a04cf1f2f0f 100644 --- a/etc/guix-daemon.service.in +++ b/etc/guix-daemon.service.in 
@@ -5,11 +5,29 @@ [Unit] Description=Build daemon for GNU Guix +# Start before 'gnu-store.mount' to get a writable view of the store. +Before=gnu-store.mount + [Service] ExecStart=@localstatedir@/guix/profiles/per-user/root/current-guix/bin/guix-daemon \ - --build-users-group=guixbuild --discover=no \ + --discover=no \ --substitute-urls='@GUIX_SUBSTITUTE_URLS@' Environment='GUIX_LOCPATH=@localstatedir@/guix/profiles/per-user/root/guix-profile/lib/locale' LC_ALL=en_US.utf8 + +# Run under a dedicated unprivileged user account. +User=guix-daemon + +# Bind-mount the store read-write in a private namespace, to counter the +# effect of 'gnu-store.mount'. +PrivateMounts=true +BindPaths=@storedir@ + +# Provide the CAP_CHOWN capability so that guix-daemon cran create and chown +# /var/guix/profiles/per-user/$USER and also chown failed build directories +# when using '--keep-failed'. Note that guix-daemon explicitly drops ambient +# capabilities before executing build processes so they don't inherit them. 
+AmbientCapabilities=CAP_CHOWN + StandardOutput=journal StandardError=journal From patchwork Fri Feb 21 13:05:59 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 38910 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 72F1E27BBEA; Fri, 21 Feb 2025 13:10:42 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id CBC7E27BBE9 for ; Fri, 21 Feb 2025 13:10:41 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tlSnR-00063B-Jk; Fri, 21 Feb 2025 08:10:26 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tlSnA-0005xD-8C for guix-patches@gnu.org; Fri, 21 Feb 2025 08:10:09 -0500 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1tlSn9-00058P-GY for guix-patches@gnu.org; Fri, 21 Feb 2025 08:10:07 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; bh=PwQDQer/23CkjUsQpvDtFSJfseycr+nkoov1zPm6lbc=; 
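Review bot: in gnu-store.mount, dropping ‘Before=guix-daemon.service’ and changing ‘WantedBy=guix-daemon.service’ to ‘WantedBy=multi-user.target’ means the read-only store mount is no longer pulled in by the daemon unit itself; the ordering now lives only in ‘Before=gnu-store.mount’ in guix-daemon.service, so both units must be installed together for the read-only protection to remain in effect. The ChangeLog entry records the change but not the reason; a sentence about the daemon needing to start first so that ‘PrivateMounts’/‘BindPaths’ give it a writable private view would help the next reader.

Review bot: typo in the added comment in guix-daemon.service.in: ‘guix-daemon cran create and chown’ should read ‘can’. On substance, ‘AmbientCapabilities=CAP_CHOWN’ is inherited across execve by every child of the daemon, so the comment's statement that build processes do not inherit it holds only when the daemon was compiled with ‘sys/prctl.h’ available (the ‘prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, ...)’ call in build.cc is under ‘# if HAVE_SYS_PRCTL_H’); consider noting that dependency here. Separately, ‘User=guix-daemon’ makes the unit depend on that account existing, and nothing in the unit declares it (for instance via a sysusers.d fragment); installations that do not go through guix-install.sh will fail to start the service unless this is documented.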
Subject: [bug#75810] [PATCH v3 11/11] guix-install.sh: Support the unprivileged daemon where possible.
h=MIME-Version:References:In-Reply-To:Date:Subject:To: From; bh=PwQDQer/23CkjUsQpvDtFSJfseycr+nkoov1zPm6lbc=; b=KV09Clz6tU49fox7TU4Y fngjYCoQngCKnFkWBQXee1JogmZsLLUSyhfhpXj0SaLXqKLeJjiJbak9Zssba2l6U9RyGnIsFuqVn 5IF2FD+FugWxeBqex8D7UWPJL2IWLDikHEf6Lbcevxc5tapwduVohls6vyCln7pq7Z1zzFSgTYBXN a+YpIoBQ6QV1Xmn5EKv67CG8zHmkxt+G9V6sCcWy1h64y1bnFpxzhFhcjraAvMk4FqIfstpxhe5pl L7Q+If3/g0gDKxMMOa2UHW1GCkt3hHBYo8bgwJ31LYIUkBSxy64xF1ogxfRh4GqIBT9KT/Q8o4OpR n4QcRxqM4Kuh5w==; From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Fri, 21 Feb 2025 14:05:59 +0100 Message-ID: X-Mailer: git-send-email 2.48.1 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * etc/guix-install.sh (create_account): New function. (sys_create_build_user): Use it. When ‘guix-daemon.service’ contains “User=guix-daemon” only create the ‘guix-daemon’ user and group. (sys_delete_build_user): Delete the ‘guix-daemon’ user and group. (can_install_unprivileged_daemon): New function. (sys_create_store): When installing the unprivileged daemon, change ownership of /gnu and /var/guix, and create /var/log/guix. (sys_authorize_build_farms): When the ‘guix-daemon’ account exists, change ownership of /etc/guix. Change-Id: I73e573f1cc5c0cb3794aaaa6b576616b66e0c5e9 --- etc/guix-install.sh | 108 ++++++++++++++++++++++++++++++++++---------- 1 file changed, 84 insertions(+), 24 deletions(-) diff --git a/etc/guix-install.sh b/etc/guix-install.sh index 22d54c0c832..c6f0812b5cf 100755 --- a/etc/guix-install.sh +++ b/etc/guix-install.sh 
@@ -390,6 +390,11 @@ sys_create_store() cd "$tmp_path" _msg "${INF}Installing /var/guix and /gnu..." # Strip (skip) the leading ‘.’ component, which fails on read-only ‘/’. + # + # TODO: Eventually extract with ‘--owner=guix-daemon’ when installing + # and unprivileged guix-daemon service; for now, this script may install + # from both an old release that does not support unprivileged guix-daemon + # and a new release that does, so ‘chown -R’ later if needed. tar --extract --strip-components=1 --file "$pkg" -C / _msg "${INF}Linking the root user's profile" 
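Review bot: the new TODO comment reads ‘and unprivileged guix-daemon service’; it should be ‘an’. It also says the ‘chown -R’ happens ‘later if needed’ without naming where; it would help to point at ‘sys_create_build_user’, which is where the next hunk does it (the ChangeLog entry attributes it to ‘sys_create_store’).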
@@ -415,38 +420,82 @@ sys_delete_store() rm -rf ~root/.config/guix } +create_account() +{ + local user="$1" + local group="$2" + local supplementary_groups="$3" + local comment="$4" + + if id "$user" &>/dev/null; then + _msg "${INF}user '$user' is already in the system, reset" + usermod -g "$group" -G "$supplementary_groups" \ + -d /var/empty -s "$(which nologin)" \ + -c "$comment" "$user" + else + useradd -g "$group" -G "$supplementary_groups" \ + -d /var/empty -s "$(which nologin)" \ + -c "$comment" --system "$user" + _msg "${PAS}user added <$user>" + fi +} + +can_install_unprivileged_daemon() +{ # Return true if we can install guix-daemon running without privileges. + [ "$INIT_SYS" = systemd ] && \ + grep -q "User=guix-daemon" \ + ~root/.config/guix/current/lib/systemd/system/guix-daemon.service \ + && ([ ! -f /proc/sys/kernel/unprivileged_userns_clone ] \ + || [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" -eq 1 ]) +} + sys_create_build_user() { # Create the group and user accounts for build users. 
_debug "--- [ ${FUNCNAME[0]} ] ---" - if getent group guixbuild > /dev/null; then - _msg "${INF}group guixbuild exists" - else - groupadd --system guixbuild - _msg "${PAS}group created" - fi - if getent group kvm > /dev/null; then _msg "${INF}group kvm exists and build users will be added to it" local KVMGROUP=,kvm fi - for i in $(seq -w 1 10); do - if id "guixbuilder${i}" &>/dev/null; then - _msg "${INF}user is already in the system, reset" - usermod -g guixbuild -G guixbuild${KVMGROUP} \ - -d /var/empty -s "$(which nologin)" \ - -c "Guix build user $i" \ - "guixbuilder${i}"; - else - useradd -g guixbuild -G guixbuild${KVMGROUP} \ - -d /var/empty -s "$(which nologin)" \ - -c "Guix build user $i" --system \ - "guixbuilder${i}"; - _msg "${PAS}user added " - fi - done + if [ "$INIT_SYS" = systemd ] && \ + grep -q "User=guix-daemon" \ + ~root/.config/guix/current/lib/systemd/system/guix-daemon.service + then + if getent group guix-daemon > /dev/null; then + _msg "${INF}group guix-daemon exists" + else + groupadd --system guix-daemon + _msg "${PAS}group guix-daemon created" + fi + + create_account guix-daemon guix-daemon \ + guix-daemon$KVMGROUP \ + "Unprivileged Guix Daemon User" + + # ‘tar xf’ creates root:root files. Change that. + chown -R guix-daemon:guix-daemon \ + /gnu /var/guix + + # The unprivileged cannot create the log directory by itself. + mkdir /var/log/guix + chown guix-daemon:guix-daemon /var/log/guix + chmod 755 /var/log/guix + else + if getent group guixbuild > /dev/null; then + _msg "${INF}group guixbuild exists" + else + groupadd --system guixbuild + _msg "${PAS}group created" + fi + + for i in $(seq -w 1 10); do + create_account "guixbuilder${i}" "guixbuild" \ + "guixbuild${KVMGROUP}" \ + "Guix build user $i" + done + fi } sys_delete_build_user() 
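Review bot: ‘can_install_unprivileged_daemon’ is defined but never called in this patch; ‘sys_create_build_user’ re-implements its first two conditions inline (‘[ "$INIT_SYS" = systemd ] && grep -q "User=guix-daemon" ...’) and drops the third (‘/proc/sys/kernel/unprivileged_userns_clone’), so on a host where that sysctl is 0 the script still creates the ‘guix-daemon’ account and hands ‘/gnu’ and ‘/var/guix’ over to it. Call the helper instead so the two decisions cannot diverge. Two smaller points in the same block: ‘mkdir /var/log/guix’ has no ‘-p’ and will fail when the script is re-run or when the directory already exists from a previous install, and the comment ‘The unprivileged cannot create the log directory by itself.’ is missing the word ‘daemon’. Finally, the ChangeLog entry attributes the ‘chown -R’ and the log-directory creation to ‘sys_create_store’; they live in ‘sys_create_build_user’.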
@@ -461,6 +510,14 @@ sys_delete_build_user() if getent group guixbuild &>/dev/null; then groupdel -f guixbuild fi + + _msg "${INF}remove guix-daemon user" + if id guix-daemon &>/dev/null; then + userdel -f guix-daemon + fi + if getent group guix-daemon &>/dev/null; then + groupdel -f guix-daemon + fi } sys_enable_guix_daemon() @@ -503,8 +560,7 @@ sys_enable_guix_daemon() # Install after guix-daemon.service to avoid a harmless warning. # systemd .mount units must be named after the target directory. - # Here we assume a hard-coded name of /gnu/store. - install_unit gnu-store.mount + install_unit gnu-store.mount systemctl daemon-reload && systemctl start guix-daemon; } && @@ -628,6 +684,10 @@ project's build farms?"; then && guix archive --authorize < "$key" \ && _msg "${PAS}Authorized public key for $host" done + if id guix-daemon &>/dev/null; then + # /etc/guix/acl must be readable by the unprivileged guix-daemon. + chown -R guix-daemon:guix-daemon /etc/guix + fi else _msg "${INF}Skipped authorizing build farm public keys" fi
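Review bot: ‘userdel -f guix-daemon’ in ‘sys_delete_build_user’ leaves ‘/gnu’, ‘/var/guix’, ‘/var/log/guix’ and ‘/etc/guix’ owned by a now-unallocated UID/GID (they were ‘chown -R’'d to ‘guix-daemon’ at install time); a later ‘useradd’ on the system can be assigned the same numeric id and silently gain ownership of the store and of the ACL. Consider chowning those trees back to ‘root:root’ before deleting the account, or at least noting this in the uninstall path.

Review bot: the ‘install_unit gnu-store.mount’ hunk only deletes the comment ‘# Here we assume a hard-coded name of /gnu/store.’, which is unrelated to the unprivileged-daemon work and not mentioned in the ChangeLog entry; either keep it (the assumption still holds, since the unit has to be named after the mount point) or record the removal in the commit message.

Review bot: ‘chown -R guix-daemon:guix-daemon /etc/guix’ gives the daemon account ownership, and therefore write access, to ‘/etc/guix/acl’ (the set of authorized substitute signing keys) and to everything else under ‘/etc/guix’, while the comment only asks for the ACL to be ‘readable by the unprivileged guix-daemon’. If the daemon only needs to read it, keep the files root-owned and grant read access through the ‘guix-daemon’ group (‘chgrp’ plus 0750/0640 modes); if it does need to write there, say which files and why.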