From patchwork Fri Mar 14 17:47:58 2025
X-Patchwork-Submitter: Ludovic Courtès
X-Patchwork-Id: 40172
Subject: [bug#75810] [PATCH v5 01/14] daemon: Use ‘close_range’ where available.
From: Ludovic Courtès
To: 75810@debbugs.gnu.org
Cc: Ludovic Courtès
Date: Fri, 14 Mar 2025 18:47:58 +0100
Message-ID: <8ae666d03ea7b1d96fbf3c3ff928b920f98df06a.1741973869.git.ludo@gnu.org>

* nix/libutil/util.cc (closeMostFDs) [HAVE_CLOSE_RANGE]: Use ‘close_range’ when ‘exceptions’ is empty.
* config-daemon.ac: Check for and the ‘close_range’ symbol.

Change-Id: I12fa3bde58b003fcce5ea5a1fee1dcf9a92c0359
---
 config-daemon.ac | 5 +++--
 nix/libutil/util.cc | 23 +++++++++++++++++------
 2 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/config-daemon.ac b/config-daemon.ac
index 6731c68bc3..4e949bc88a 100644
--- a/config-daemon.ac
+++ b/config-daemon.ac
@@ -78,7 +78,8 @@ if test "x$guix_build_daemon" = "xyes"; then dnl Chroot support. AC_CHECK_FUNCS([chroot unshare]) - AC_CHECK_HEADERS([sched.h sys/param.h sys/mount.h sys/syscall.h]) + AC_CHECK_HEADERS([sched.h sys/param.h sys/mount.h sys/syscall.h \ + linux/close_range.h]) if test "x$ac_cv_func_chroot" != "xyes"; then AC_MSG_ERROR(['chroot' function missing, bailing out])
@@ -95,7 +96,7 @@ if test "x$guix_build_daemon" = "xyes"; then dnl strsignal: for error reporting. dnl statx: fine-grain 'stat' call, new in glibc 2.28. AC_CHECK_FUNCS([lutimes lchown posix_fallocate sched_setaffinity \ - statvfs nanosleep strsignal statx]) + statvfs nanosleep strsignal statx close_range]) dnl Check for . AC_LANG_PUSH(C++) diff --git a/nix/libutil/util.cc b/nix/libutil/util.cc index 3206dea11b..eb2d16e1cc 100644 --- a/nix/libutil/util.cc +++ b/nix/libutil/util.cc @@ -23,6 +23,10 @@ #include #endif +#ifdef HAVE_LINUX_CLOSE_RANGE_H +# include +#endif + extern char * * environ; 
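Review bot: the new include is conditional on HAVE_LINUX_CLOSE_RANGE_H while the call added to closeMostFDs in the next hunk is conditional on HAVE_CLOSE_RANGE alone, so the two configure results can disagree: AC_CHECK_FUNCS([... close_range]) is a link test and succeeds wherever libc exports the symbol, whereas linux/close_range.h is a kernel UAPI header that only carries the CLOSE_RANGE_* flag macros (the call passes 0 flags and does not need them) and supplies no prototype, leaving the declaration to <unistd.h>. Either guard the call with both macros or replace the link test with AC_CHECK_DECLS([close_range], [], [], [[#include <unistd.h>]]) so that HAVE_DECL_CLOSE_RANGE reflects what the compiler will actually see.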
@@ -1087,12 +1091,19 @@ string runProgram(Path program, bool searchPath, const Strings & args) void closeMostFDs(const set & exceptions) { - int maxFD = 0; - maxFD = sysconf(_SC_OPEN_MAX); - for (int fd = 0; fd < maxFD; ++fd) - if (fd != STDIN_FILENO && fd != STDOUT_FILENO && fd != STDERR_FILENO - && exceptions.find(fd) == exceptions.end()) - close(fd); /* ignore result */ +#ifdef HAVE_CLOSE_RANGE + if (exceptions.empty()) + close_range(3, ~0U, 0); + else +#endif + { + int maxFD = 0; + maxFD = sysconf(_SC_OPEN_MAX); + for (int fd = 0; fd < maxFD; ++fd) + if (fd != STDIN_FILENO && fd != STDOUT_FILENO && fd != STDERR_FILENO + && exceptions.find(fd) == exceptions.end()) + close(fd); /* ignore result */ + } }
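Review bot: the result of close_range(3, ~0U, 0) is discarded, so when the build host's libc provides the wrapper (HAVE_CLOSE_RANGE) but the running kernel does not implement the syscall, the call fails with ENOSYS and closeMostFDs returns with every descriptor above 2 still open, which is precisely the descriptor leak into the build child that this function exists to prevent; the loop it replaces never had that failure mode. Check the return value and fall through to the sysconf loop on failure, e.g. `if (exceptions.empty() && close_range(3, ~0U, 0) == 0) return;` ahead of the existing loop; that also removes the `else` that currently dangles across the #endif, which is easy to misread when the macro is undefined.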
From patchwork Fri Mar 14 17:47:59 2025
X-Patchwork-Id: 40167
Subject: [bug#75810] [PATCH v5 02/14] daemon: Bind-mount /etc/nsswitch.conf & co. only if it exists.
From: Ludovic Courtès
To: 75810@debbugs.gnu.org
Cc: Ludovic Courtès
Date: Fri, 14 Mar 2025 18:47:59 +0100
Message-ID: <7fa4cb05e23e14bb03832084fb60af1cbf727b39.1741973869.git.ludo@gnu.org>

Those files may be missing in some contexts, for instance within the build environment.

* nix/libstore/build.cc (DerivationGoal::runChild): Add /etc/resolv.conf and related files to ‘ss’ only if they exist.

Change-Id: Ie19664a86c8101a1dc82cf39ad4b7abb10f8250a
---
 nix/libstore/build.cc | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
index edd01bab34..8ca5e5b732 100644
--- a/nix/libstore/build.cc
+++ b/nix/libstore/build.cc
@@ -2093,10 +2093,11 @@ void DerivationGoal::runChild() network, so give them access to /etc/resolv.conf and so on. */ if (fixedOutput) { - ss.push_back("/etc/resolv.conf"); - ss.push_back("/etc/nsswitch.conf"); - ss.push_back("/etc/services"); - ss.push_back("/etc/hosts"); + auto files = { "/etc/resolv.conf", "/etc/nsswitch.conf", + "/etc/services", "/etc/hosts" }; + for (auto & file: files) { + if (pathExists(file)) ss.push_back(file); + } } for (auto & i : ss) dirsInChroot[i] = i;
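Review bot: pathExists(file) is the only guard, and the two failure modes it leaves deserve a word in the code. A path that is a dangling symlink (the usual /etc/resolv.conf -> /run/... arrangement when the resolver is down) will still be pushed if the helper is lstat-based, and the bind mount in runChild then fails with the existing "bind mount from ... failed" error, while a file that is genuinely absent is now skipped silently, so a fixed-output build on such a host loses name resolution with no hint in the log where it previously failed loudly at the mount. Consider resolving symlinks before the check and emitting a debug-level message for each skipped path. Style: `for (auto & file: files)` lacks the space before the colon that `for (auto & i : ss)` two lines below uses.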
From patchwork Fri Mar 14 17:48:00 2025
X-Patchwork-Id: 40170
Subject: [bug#75810] [PATCH v5 03/14] daemon: Bind-mount all the inputs, not just directories.
From: Ludovic Courtès
To: 75810@debbugs.gnu.org
Cc: Ludovic Courtès, Reepca Russelstein
Date: Fri, 14 Mar 2025 18:48:00 +0100
Message-ID: <30fc8ecc23bcb583a30d869bd9c229b775a34ef1.1741973869.git.ludo@gnu.org>

* nix/libstore/build.cc (DerivationGoal::startBuilder): Add all of ‘inputPaths’ to ‘dirsInChroot’ instead of hard-linking regular files. Special-case symlinks.
(DerivationGoal)[regularInputPaths]: Remove.

Reported-by: Reepca Russelstein
Change-Id: I070987f92d73f187f7826a975bee9ee309d67f56
---
 nix/libstore/build.cc | 39 ++++++++++++++-------------------------
 1 file changed, 14 insertions(+), 25 deletions(-)

diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
index 8ca5e5b732..193b279b88 100644
--- a/nix/libstore/build.cc
+++ b/nix/libstore/build.cc
@@ -659,9 +659,6 @@ private: /* RAII object to delete the chroot directory. */ std::shared_ptr autoDelChroot; - /* All inputs that are regular files. */ - PathSet regularInputPaths; - /* Whether this is a fixed-output derivation. */ bool fixedOutput; @@ -1850,9 +1847,7 @@ void DerivationGoal::startBuilder() /* Make the closure of the inputs available in the chroot, rather than the whole store. This prevents any access - to undeclared dependencies. Directories are bind-mounted, - while other inputs are hard-linked (since only directories - can be bind-mounted). !!! As an extra security + to undeclared dependencies. !!! As an extra security precaution, make the fake store only writable by the build user. */ Path chrootStoreDir = chrootRootDir + settings.nixStore; 
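Review bot: the trimmed comment in the -1850 hunk now says only that the closure is made available in the chroot; since the loop below no longer hard-links regular files but bind-mounts them (onto an empty placeholder file created by runChild) and re-creates symlinks by hand, add one sentence saying so, otherwise the next reader has to reconstruct from the -1863 hunk why only directories used to be mounted and why that changed. Removing regularInputPaths in the -659 hunk is fine as long as nothing outside build.cc still reads it; the diffstat covers only this file, so the build will tell.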
@@ -1863,28 +1858,22 @@ void DerivationGoal::startBuilder() throw SysError(format("cannot change ownership of ‘%1%’") % chrootStoreDir); foreach (PathSet::iterator, i, inputPaths) { - struct stat st; + struct stat st; if (lstat(i->c_str(), &st)) throw SysError(format("getting attributes of path `%1%'") % *i); - if (S_ISDIR(st.st_mode)) - dirsInChroot[*i] = *i; - else { - Path p = chrootRootDir + *i; - if (link(i->c_str(), p.c_str()) == -1) { - /* Hard-linking fails if we exceed the maximum - link count on a file (e.g. 32000 of ext3), - which is quite possible after a `nix-store - --optimise'. */ - if (errno != EMLINK) - throw SysError(format("linking `%1%' to `%2%'") % p % *i); - StringSink sink; - dumpPath(*i, sink); - StringSource source(sink.s); - restorePath(p, source); - } - regularInputPaths.insert(*i); - } + if (S_ISLNK(st.st_mode)) { + /* Since bind-mounts follow symlinks, thus representing their + target and not the symlink itself, special-case + symlinks. XXX: When running unprivileged, TARGET can be + deleted by the build process. Use 'open_tree' & co. when + it's more widely available. 
*/ + Path target = chrootRootDir + *i; + if (symlink(readLink(*i).c_str(), target.c_str()) == -1) + throw SysError(format("failed to create symlink '%1%' to '%2%'") % target % readLink(*i)); + } + else + dirsInChroot[*i] = *i; } /* If we're repairing, checking or rebuilding part of a
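Review bot: the XXX comment says TARGET can be deleted by the build process when running unprivileged but not what that implies; since `target` is a plain symlink created under chrootRootDir, which is private to this build and removed with it, deleting or replacing it affects only this build's own view of its inputs and leaves the real store untouched, so state that the risk is limited to the build sabotaging itself, and the open_tree() follow-up then reads as a robustness item rather than a blocker for patch 06. Two smaller points: readLink(*i) is called twice (once for symlink(), again when formatting the error), so cache it in a local; and the `struct stat st;` line is a whitespace-only re-indentation that adds noise to an otherwise functional hunk.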
From patchwork Fri Mar 14 17:48:01 2025
X-Patchwork-Id: 40169
Subject: [bug#75810] [PATCH v5 04/14] daemon: Remount inputs as read-only.
From: Ludovic Courtès
To: 75810@debbugs.gnu.org
Cc: Ludovic Courtès, Reepca Russelstein
Date: Fri, 14 Mar 2025 18:48:01 +0100

* nix/libstore/build.cc (DerivationGoal::runChild): Remount ‘target’ as read-only.

Reported-by: Reepca Russelstein
Change-Id: Ib7201bcf4363be566f205d23d17fe2f55d3ad666
---
 nix/libstore/build.cc | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
index 193b279b88..3861a1ffd9 100644
--- a/nix/libstore/build.cc
+++ b/nix/libstore/build.cc
@@ -2107,8 +2107,15 @@ void DerivationGoal::runChild() createDirs(dirOf(target)); writeFile(target, ""); } + + /* Extra flags passed with MS_BIND are ignored, hence the + extra MS_REMOUNT. */ if (mount(source.c_str(), target.c_str(), "", MS_BIND, 0) == -1) throw SysError(format("bind mount from `%1%' to `%2%' failed") % source % target); + if (source.compare(0, settings.nixStore.length(), settings.nixStore) == 0) { + if (mount(source.c_str(), target.c_str(), "", MS_BIND | MS_REMOUNT | MS_RDONLY, 0) == -1) + throw SysError(format("read-only remount of `%1%' failed") % target); + } } /* Bind a new instance of procfs on /proc to reflect our
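Review bot: `source.compare(0, settings.nixStore.length(), settings.nixStore) == 0` is a bare prefix match with no check that the next character is '/' or the end of the string, so a bind source whose path merely begins with the store prefix (a sibling directory named like the store plus a suffix) would be classified as a store input and remounted read-only, while anything else is left writable; compare against settings.nixStore + "/" and test `source == settings.nixStore` separately so the boundary is the store directory itself. Also, MS_BIND | MS_REMOUNT | MS_RDONLY is passed on its own, so the remount asks the kernel to clear whatever nosuid/nodev/noexec bits the bind inherited from the underlying filesystem, and inside an unprivileged user namespace such locked flags make the call fail with EPERM, which will surface as soon as patch 06 runs the daemon without root; read the mount's flags with statvfs() on `target` and OR the matching MS_* bits into the remount, as bubblewrap does.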
From patchwork Fri Mar 14 17:48:02 2025
X-Patchwork-Id: 40168
Subject: [bug#75810] [PATCH v5 05/14] daemon: Remount root directory as read-only.
From: Ludovic Courtès
To: 75810@debbugs.gnu.org
Cc: Ludovic Courtès
Date: Fri, 14 Mar 2025 18:48:02 +0100

* nix/libstore/build.cc (DerivationGoal::runChild): Bind-mount the store and /tmp under ‘chrootRootDir’ to themselves as read-write. Remount / as read-only.

Change-Id: I79565094c8ec8448401897c720aad75304fd1948
---
 nix/libstore/build.cc | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
index 3861a1ffd9..c8b778362a 100644
--- a/nix/libstore/build.cc
+++ b/nix/libstore/build.cc
@@ -2091,6 +2091,18 @@ void DerivationGoal::runChild() for (auto & i : ss) dirsInChroot[i] = i; + /* Make new mounts for the store and for /tmp. That way, when + 'chrootRootDir' is made read-only below, these two mounts will + remain writable (the store needs to be writable so derivation + outputs can be written to it, and /tmp is writable by + convention). */ + auto chrootStoreDir = chrootRootDir + settings.nixStore; + if (mount(chrootStoreDir.c_str(), chrootStoreDir.c_str(), 0, MS_BIND, 0) == -1) + throw SysError(format("read-write mount of store '%1%' failed") % chrootStoreDir); + auto chrootTmpDir = chrootRootDir + "/tmp"; + if (mount(chrootTmpDir.c_str(), chrootTmpDir.c_str(), 0, MS_BIND, 0) == -1) + throw SysError(format("read-write mount of temporary directory '%1%' failed") % chrootTmpDir); + /* Bind-mount all the directories from the "host" filesystem that we want in the chroot environment. */
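Review bot: the comment promises that these two mounts "remain writable" after the root is made read-only, which relies on MS_REMOUNT | MS_BIND applying to a single mount point and not recursing; that is the whole design, so say it explicitly here, because a reader who sees the later remount of "/" will otherwise wonder why the store is exempt. Two nits: the filesystem-type argument is 0 here but "" in the other mount() calls of this function, so pick one; and `chrootStoreDir` shares its name with the `Path chrootStoreDir` local of startBuilder in the -1850 hunk, which invites the assumption that they are the same object.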
@@ -2164,6 +2176,10 @@ void DerivationGoal::runChild() if (rmdir("real-root") == -1) throw SysError("cannot remove real-root directory"); + + /* Remount root as read-only. */ + if (mount("/", "/", 0, MS_BIND | MS_REMOUNT | MS_RDONLY, 0) == -1) + throw SysError(format("read-only remount of build root '%1%' failed") % chrootRootDir); } #endif From patchwork Fri Mar 14 17:48:03 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40174 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 1B15027BBEA; Fri, 14 Mar 2025 17:51:39 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 79E8527BBE2 for ; Fri, 14 Mar 2025 17:51:36 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tt9C2-0005mg-RB; Fri, 14 Mar 2025 13:51:34 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tt9Bd-0005JQ-7j for guix-patches@gnu.org; Fri, 14 Mar 2025 13:51:09 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1tt9BY-0002HM-2R; Fri, 14 Mar 2025 13:51:06 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; 
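Review bot: the remount in the @@ -2164 hunk targets "/" while the error message names ‘chrootRootDir’; the two coincide only because the call sits after the pivot_root/chroot step (the ‘rmdir("real-root")’ just above), so the comment should say so, e.g. ‘/* "/" is chrootRootDir at this point. */’. A second caveat belongs in the same comment: MS_RDONLY set by a remount is only as strong as the builder's inability to remount. Mounts that the build process itself created in its mount namespace can be remounted read-write again by a process holding CAP_SYS_ADMIN in the user namespace that owns that mount namespace, unless they are locked by creating a new mount namespace inside a less privileged user namespace (mount_namespaces(7)); patch 06/14 in this series adds exactly that ‘unshare(CLONE_NEWNS | CLONE_NEWUSER)’ step, so the two patches should be reviewed together and the dependency recorded here.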
Subject: [bug#75810] [PATCH v5 06/14] daemon: Allow running as non-root with unprivileged user namespaces.
To: 75810@debbugs.gnu.org
Cc: Reepca Russelstein, Christopher Baines, Josselin Poiret, Mathieu Othacehe, Maxim Cournoyer, Simon Tournier, Tobias Geerinckx-Rice
From: Ludovic Courtès
Date: Fri, 14 Mar 2025 18:48:03 +0100
Message-ID: <067fd1219aa1b4354c0a321dc7e2a7d414eabf1b.1741973869.git.ludo@gnu.org>
From: Ludovic Courtès Many thanks to Reepca Russelstein for their review and guidance on these changes. * nix/libstore/build.cc (guestUID, guestGID): New variables. (DerivationGoal)[readiness]: New field. (initializeUserNamespace): New function. (DerivationGoal::runChild): When ‘readiness.readSide’ is positive, read from it. (DerivationGoal::startBuilder): Call ‘chown’ only when ‘buildUser.enabled()’ is true. Pass CLONE_NEWUSER to ‘clone’ when ‘buildUser.enabled()’ is false or not running as root. Retry ‘clone’ without CLONE_NEWUSER upon EPERM. (DerivationGoal::registerOutputs): Make ‘actualPath’ writable before ‘rename’. (DerivationGoal::deleteTmpDir): Catch ‘SysError’ around ‘_chown’ call. * nix/libstore/local-store.cc (LocalStore::createUser): Do nothing if ‘dirs’ already exists. Warn instead of failing when failing to chown ‘dir’. * guix/substitutes.scm (%narinfo-cache-directory): Check for ‘_NIX_OPTIONS’ rather than getuid() == 0 to determine the cache location. * doc/guix.texi (Build Environment Setup): Reorganize a bit. Add section headings “Daemon Running as Root” and “The Isolated Build Environment”. Add “Daemon Running Without Privileges” subsection. Remove paragraph about ‘--disable-chroot’. (Invoking guix-daemon): Warn against ‘--disable-chroot’ and explain why. Reviewed-by: Reepca Russelstein --- doc/guix.texi | 102 +++++++++++++++++------ guix/substitutes.scm | 2 +- nix/libstore/build.cc | 156 +++++++++++++++++++++++++++++++----- nix/libstore/local-store.cc | 18 +++-- 4 files changed, 225 insertions(+), 53 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index d109877a32..66d0e42112 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -877,6 +877,7 @@ Setting Up the Daemon @section Setting Up the Daemon @cindex daemon +@cindex build daemon During installation, the @dfn{build daemon} that must be running to use Guix has already been set up and you can run @command{guix} commands in your terminal program, @pxref{Getting Started}: 
@@ -921,20 +922,38 @@ Build Environment Setup @cindex build environment In a standard multi-user setup, Guix and its daemon---the @command{guix-daemon} program---are installed by the system -administrator; @file{/gnu/store} is owned by @code{root} and -@command{guix-daemon} runs as @code{root}. Unprivileged users may use -Guix tools to build packages or otherwise access the store, and the -daemon will do it on their behalf, ensuring that the store is kept in a -consistent state, and allowing built packages to be shared among users. +administrator. Unprivileged users may use Guix tools to build packages +or otherwise access the store, and the daemon will do it on their +behalf, ensuring that the store is kept in a consistent state, and +allowing built packages to be shared among users. + +There are currently two ways to set up and run the build daemon: + +@enumerate +@item +running @command{guix-daemon} as ``root'', letting it run build +processes as unprivileged users taken from a pool of build users---this +is the historical approach; + +@item +running @command{guix-daemon} as a separate unprivileged user, relying +on Linux's @dfn{unprivileged user namespace} functionality to set up +isolated environments---this is the option chosen when installing Guix +on a systemd-based distribution with the installation script +(@pxref{Binary Installation}). +@end enumerate + +The sections below describe each of these two configurations in more +detail and summarize the kind of build isolation they provide. + +@unnumberedsubsubsec Daemon Running as Root @cindex build users When @command{guix-daemon} runs as @code{root}, you may not want package build processes themselves to run as @code{root} too, for obvious security reasons. To avoid that, a special pool of @dfn{build users} should be created for use by build processes started by the daemon. 
-These build users need not have a shell and a home directory: they will -just be used when the daemon drops @code{root} privileges in build -processes. Having several such users allows the daemon to launch +Having several such users allows the daemon to launch distinct build processes under separate UIDs, which guarantees that they do not interfere with each other---an essential feature since builds are regarded as pure functions (@pxref{Introduction}). 
@@ -977,11 +996,45 @@ Build Environment Setup # guix-daemon --build-users-group=guixbuild @end example +In this setup, @file{/gnu/store} is owned by @code{root}. + +@unnumberedsubsubsec Daemon Running Without Privileges + +@cindex rootless build daemon +@cindex unprivileged build daemon +@cindex build daemon, unprivileged +The second and preferred option is to run @command{guix-daemon} +@emph{as an unprivileged user}. It has the advantage of reducing the +harm that can be done should a build process manage to exploit a +vulnerability in the daemon. This option requires the user of Linux's +unprivileged user namespace mechanism; today it is available and enabled +by most GNU/Linux distributions but can still be disabled. The +installation script automatically determines whether this option is +available on your system (@pxref{Binary Installation}). + +When using this option, you only need to create one user account, and +@command{guix-daemon} will run with the authority of that account: + +@example +# groupadd --system guix-daemon +# useradd -g guix-daemon -G guix-daemon \ + -d /var/empty -s $(which nologin) \ + -c "Guix daemon privilege separation user" \ + --system guix-daemon +@end example + +In this configuration, @file{/gnu/store} is owned by the +@code{guix-daemon} user. + +@unnumberedsubsubsec The Isolated Build Environment + @cindex chroot -@noindent -This way, the daemon starts build processes in a chroot, under one of -the @code{guixbuilder} users. On GNU/Linux, by default, the chroot -environment contains nothing but: +@cindex build environment isolation +@cindex isolated build environment +@cindex hermetic build environment +In both cases, the daemon starts build processes without privileges in +an @emph{isolated} or @emph{hermetic} build environment---a ``chroot''. +On GNU/Linux, by default, the build environment contains nothing but: @c Keep this list in sync with libstore/build.cc! ----------------------- @itemize 
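Review bot: typo in the new “Daemon Running Without Privileges” text of the @@ -977 hunk: “This option requires the user of Linux's unprivileged user namespace mechanism” should read “requires the use of”. The rest of the added wording is fine; in particular the sentence that unprivileged user namespaces are “available and enabled by most GNU/Linux distributions but can still be disabled” is the right thing to tell administrators, since it is what the later clone() failure path in this patch reports.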
@@ -1015,7 +1068,7 @@ Build Environment Setup @file{/homeless-shelter}. This helps to highlight inappropriate uses of @env{HOME} in the build scripts of packages. -All this usually enough to ensure details of the environment do not +All this is usually enough to ensure details of the environment do not influence build processes. In some exceptional cases where more control is needed---typically over the date, kernel, or CPU---you can resort to a virtual build machine (@pxref{build-vm, virtual build machines}). @@ -1035,14 +1088,6 @@ Build Environment Setup for fixed-output derivations (@pxref{Derivations}) or for substitutes (@pxref{Substitutes}). -If you are installing Guix as an unprivileged user, it is still possible -to run @command{guix-daemon} provided you pass @option{--disable-chroot}. -However, build processes will not be isolated from one another, and not -from the rest of the system. Thus, build processes may interfere with -each other, and may access programs, libraries, and other files -available on the system---making it much harder to view them as -@emph{pure} functions. - @node Daemon Offload Setup @subsection Using the Offload Facility 
@@ -1567,10 +1612,17 @@ Invoking guix-daemon @item --disable-chroot Disable chroot builds. -Using this option is not recommended since, again, it would allow build -processes to gain access to undeclared dependencies. It is necessary, -though, when @command{guix-daemon} is running under an unprivileged user -account. +@quotation Warning +Using this option is not recommended since it allows build processes to +gain access to undeclared dependencies, to interfere with one another, +and more generally to do anything that can be done with the authority of +the daemon---which includes at least the ability to tamper with any file +in the store! + +You may find it necessary, though, when support for Linux unprivileged +user namespaces is missing (@pxref{Build Environment Setup}). Use at +your own risk! +@end quotation @item --log-compression=@var{type} Compress build logs according to @var{type}, one of @code{gzip}, diff --git a/guix/substitutes.scm b/guix/substitutes.scm index 7ca55788d5..86b9f5472a 100644 --- a/guix/substitutes.scm +++ b/guix/substitutes.scm @@ -79,7 +79,7 @@ (define %narinfo-cache-directory ;; time, 'guix substitute' is called by guix-daemon as root and stores its ;; cached data in /var/guix/…. However, when invoked from 'guix challenge' ;; as a user, it stores its cache in ~/.cache. - (if (zero? (getuid)) + (if (getenv "_NIX_OPTIONS") ;invoked by guix-daemon (or (and=> (getenv "XDG_CACHE_HOME") (cut string-append <> "/guix/substitute")) (string-append %state-directory "/substitute/cache")) diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc index c8b778362a..76f75e00df 100644 --- a/nix/libstore/build.cc +++ b/nix/libstore/build.cc @@ -744,6 +744,10 @@ private: friend int childEntry(void *); + /* Pipe to notify readiness to the child process when using unprivileged + user namespaces. */ + Pipe readiness; + /* Check that the derivation outputs all exist and register them as valid. */ void registerOutputs(); 
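Review bot: in the guix/substitutes.scm hunk the comment directly above the changed line still says that ‘guix substitute’ “is called by guix-daemon as root and stores its cached data in /var/guix/…”, but the new ‘(getenv "_NIX_OPTIONS")’ test no longer assumes root at all; update the comment to say that the daemon is recognised by the environment variable it sets. Note also that the cache location is now chosen on an environment variable any caller can export, so a user who runs ‘guix substitute’ by hand with ‘_NIX_OPTIONS’ in the environment is steered to the ‘%state-directory’ cache instead of ‘~/.cache’; that fails safely when the directory is not writable by them, but the behaviour change deserves a sentence in the commit message.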
@@ -1619,6 +1623,24 @@ int childEntry(void * arg) } +/* UID and GID of the build user inside its own user namespace. */ +static const uid_t guestUID = 30001; +static const gid_t guestGID = 30000; + +/* Initialize the user namespace of CHILD. */ +static void initializeUserNamespace(pid_t child, + uid_t hostUID = getuid(), + gid_t hostGID = getgid()) +{ + writeFile("/proc/" + std::to_string(child) + "/uid_map", + (format("%d %d 1") % guestUID % hostUID).str()); + + writeFile("/proc/" + std::to_string(child) + "/setgroups", "deny"); + + writeFile("/proc/" + std::to_string(child) + "/gid_map", + (format("%d %d 1") % guestGID % hostGID).str()); +} + void DerivationGoal::startBuilder() { auto f = format( @@ -1682,7 +1704,7 @@ void DerivationGoal::startBuilder() then an attacker could create in it a hardlink to a root-owned file such as /etc/shadow. If 'keepFailed' is true, the daemon would then chown that hardlink to the user, giving them write access to - that file. */ + that file. See CVE-2021-27851. */ tmpDir += "/top"; if (mkdir(tmpDir.c_str(), 0700) == 1) throw SysError("creating top-level build directory"); @@ -1799,7 +1821,7 @@ void DerivationGoal::startBuilder() if (mkdir(chrootRootDir.c_str(), 0750) == -1) throw SysError(format("cannot create ‘%1%’") % chrootRootDir); - if (chown(chrootRootDir.c_str(), 0, buildUser.getGID()) == -1) + if (buildUser.enabled() && chown(chrootRootDir.c_str(), 0, buildUser.getGID()) == -1) throw SysError(format("cannot change ownership of ‘%1%’") % chrootRootDir); /* Create a writable /tmp in the chroot. Many builders need 
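Review bot: ‘initializeUserNamespace’ in the @@ -1619 hunk writes uid_map, then “deny” to setgroups, then gid_map, which is the order an unprivileged writer needs (a process without CAP_SETGID in the parent namespace must write “deny” to setgroups before it may write gid_map, see user_namespaces(7)); a one-line comment saying the order is load-bearing would keep a future reorder from breaking the non-root path. The default arguments also deserve a caveat above ‘guestUID’: when the daemon runs as root with no build-users group, the later clone hunk sets CLONE_NEWUSER because ‘!buildUser.enabled()’ holds, and this function then maps ‘guestUID’ to host UID 0, so the builder still creates files as real root on the host; the namespace changes the UID number the build sees but confers no privilege reduction in that configuration.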
@@ -1818,8 +1840,8 @@ void DerivationGoal::startBuilder() (format( "nixbld:x:%1%:%2%:Nix build user:/:/noshell\n" "nobody:x:65534:65534:Nobody:/:/noshell\n") - % (buildUser.enabled() ? buildUser.getUID() : getuid()) - % (buildUser.enabled() ? buildUser.getGID() : getgid())).str()); + % (buildUser.enabled() ? buildUser.getUID() : guestUID) + % (buildUser.enabled() ? buildUser.getGID() : guestGID)).str()); /* Declare the build user's group so that programs get a consistent view of the system (e.g., "id -gn"). */ @@ -1854,7 +1876,7 @@ void DerivationGoal::startBuilder() createDirs(chrootStoreDir); chmod_(chrootStoreDir, 01775); - if (chown(chrootStoreDir.c_str(), 0, buildUser.getGID()) == -1) + if (buildUser.enabled() && chown(chrootStoreDir.c_str(), 0, buildUser.getGID()) == -1) throw SysError(format("cannot change ownership of ‘%1%’") % chrootStoreDir); foreach (PathSet::iterator, i, inputPaths) { 
@@ -1960,14 +1982,34 @@ void DerivationGoal::startBuilder() if (useChroot) { char stack[32 * 1024]; int flags = CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWIPC | CLONE_NEWUTS | SIGCHLD; - if (!fixedOutput) flags |= CLONE_NEWNET; + if (!fixedOutput) { + flags |= CLONE_NEWNET; + } + if (!buildUser.enabled() || getuid() != 0) { + flags |= CLONE_NEWUSER; + readiness.create(); + } + /* Ensure proper alignment on the stack. On aarch64, it has to be 16 bytes. */ - pid = clone(childEntry, + pid = clone(childEntry, (char *)(((uintptr_t)stack + sizeof(stack) - 8) & ~(uintptr_t)0xf), flags, this); - if (pid == -1) - throw SysError("cloning builder process"); + if (pid == -1) { + if ((flags & CLONE_NEWUSER) != 0 && getuid() != 0) + /* 'clone' fails with EPERM on distros where unprivileged user + namespaces are disabled. Error out instead of giving up on + isolation. */ + throw SysError("cannot create process in unprivileged user namespace"); + else + throw SysError("cloning builder process"); + } + + if ((flags & CLONE_NEWUSER) != 0) { + /* Initialize the UID/GID mapping of the child process. */ + initializeUserNamespace(pid); + writeFull(readiness.writeSide, (unsigned char*)"go\n", 3); + } } else #endif { 
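Review bot: the commit message says ‘clone’ is retried without CLONE_NEWUSER upon EPERM, but the @@ -1960 hunk throws instead, and the in-code comment even says “Error out instead of giving up on isolation”; the code is the better choice, so the commit message should be updated to match. Separately, the namespace-specific error is raised for any clone failure whenever CLONE_NEWUSER is set, so an ENOMEM or EAGAIN would be misreported as missing user-namespace support; test errno as well, e.g. ‘if ((flags & CLONE_NEWUSER) != 0 && getuid() != 0 && errno == EPERM)’, and let every other error fall through to the generic “cloning builder process” message.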
@@ -2013,23 +2055,34 @@ void DerivationGoal::runChild() _writeToStderr = 0; + if (readiness.readSide > 0) { + /* Wait for the parent process to initialize the UID/GID mapping + of our user namespace. */ + char str[20] = { '\0' }; + readFull(readiness.readSide, (unsigned char*)str, 3); + if (strcmp(str, "go\n") != 0) + throw Error("failed to initialize process in unprivileged user namespace"); + } + restoreAffinity(); commonChildInit(builderOut); #if CHROOT_ENABLED if (useChroot) { - /* Initialise the loopback interface. */ - AutoCloseFD fd(socket(PF_INET, SOCK_DGRAM, IPPROTO_IP)); - if (fd == -1) throw SysError("cannot open IP socket"); + if (!fixedOutput) { + /* Initialise the loopback interface. */ + AutoCloseFD fd(socket(PF_INET, SOCK_DGRAM, IPPROTO_IP)); + if (fd == -1) throw SysError("cannot open IP socket"); - struct ifreq ifr; - strcpy(ifr.ifr_name, "lo"); - ifr.ifr_flags = IFF_UP | IFF_LOOPBACK | IFF_RUNNING; - if (ioctl(fd, SIOCSIFFLAGS, &ifr) == -1) - throw SysError("cannot set loopback interface flags"); + struct ifreq ifr; + strcpy(ifr.ifr_name, "lo"); + ifr.ifr_flags = IFF_UP | IFF_LOOPBACK | IFF_RUNNING; + if (ioctl(fd, SIOCSIFFLAGS, &ifr) == -1) + throw SysError("cannot set loopback interface flags"); - fd.close(); + fd.close(); + } /* Set the hostname etc. to fixed values. */ char hostname[] = "localhost"; 
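Review bot: ‘readiness.readSide > 0’ in the @@ -2013 hunk treats descriptor 0 as “pipe not created”; that only works because stdin occupies fd 0, and assuming the pipe's descriptors are initialised to -1 as elsewhere in this code, ‘readiness.readSide != -1’ states the intent. On the loopback change, skipping the SIOCSIFFLAGS block for fixed-output derivations is the right fix: those are cloned without CLONE_NEWNET, so the old code would have tried to reconfigure the host's ‘lo’, which needs CAP_NET_ADMIN that an unprivileged daemon does not have. A short comment tying this ‘!fixedOutput’ test to the one that sets CLONE_NEWNET in startBuilder would stop the two from drifting apart.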
@@ -2180,6 +2233,27 @@ void DerivationGoal::runChild() /* Remount root as read-only. */ if (mount("/", "/", 0, MS_BIND | MS_REMOUNT | MS_RDONLY, 0) == -1) throw SysError(format("read-only remount of build root '%1%' failed") % chrootRootDir); + + if (getuid() != 0) { + /* Create a new mount namespace to "lock" previous mounts. + See mount_namespaces(7). */ + auto uid = getuid(); + auto gid = getgid(); + + if (unshare(CLONE_NEWNS | CLONE_NEWUSER) == -1) + throw SysError(format("creating new user and mount namespaces")); + + initializeUserNamespace(getpid(), uid, gid); + + /* Check that mounts within the build environment are "locked" + together and cannot be separated from within the build + environment namespace. Since + umount(2) is documented to fail with EINVAL when attempting + to unmount one of the mounts that are locked together, + check that this is what we get. */ + int ret = umount(tmpDirInSandbox.c_str()); + assert(ret == -1 && errno == EINVAL); + } } #endif @@ -2476,8 +2550,16 @@ void DerivationGoal::registerOutputs() if (buildMode == bmRepair) replaceValidPath(path, actualPath); else - if (buildMode != bmCheck && rename(actualPath.c_str(), path.c_str()) == -1) - throw SysError(format("moving build output `%1%' from the chroot to the store") % path); + if (buildMode != bmCheck) { + if (S_ISDIR(st.st_mode)) + /* Change mode on the directory to allow for + rename(2). */ + chmod(actualPath.c_str(), st.st_mode | 0700); + if (rename(actualPath.c_str(), path.c_str()) == -1) + throw SysError(format("moving build output `%1%' from the chroot to the store") % path); + if (S_ISDIR(st.st_mode) && chmod(path.c_str(), st.st_mode) == -1) + throw SysError(format("restoring permissions on directory `%1%'") % actualPath); + } } if (buildMode != bmCheck) actualPath = path; } 
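Review bot: the lock check at the end of the @@ -2180 hunk is expressed as ‘assert(ret == -1 && errno == EINVAL)’, so in a build with NDEBUG defined the ‘umount()’ still runs but its result is never examined (and ‘ret’ becomes an unused variable). Since this is the check that the read-only remount cannot be undone from inside the build environment, make it unconditional: ‘if (umount(tmpDirInSandbox.c_str()) != -1 || errno != EINVAL) throw Error("build environment mounts are not locked");’. Two further comments would help: the write to ‘/proc/self’ maps through ‘initializeUserNamespace(getpid(), uid, gid)’ is permitted for an unprivileged process only because it maps exactly its own UID and GID, and the ‘getuid() != 0’ guard also covers the root-daemon-without-build-users case, because inside the first user namespace ‘getuid()’ then returns ‘guestUID’.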
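Review bot: in the @@ -2476 hunk the first ‘chmod(actualPath.c_str(), st.st_mode | 0700)’ discards its return value, so when it fails the following ‘rename’ fails with a less useful error; check it like the other calls. The final error message also reports ‘actualPath’, but the ‘chmod’ it guards operates on ‘path’, which by then is the store path, so the message names a file that no longer exists; use ‘path’ there.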
@@ -2736,16 +2818,46 @@ void DerivationGoal::deleteTmpDir(bool force) // Change the ownership if clientUid is set. Never change the // ownership or the group to "root" for security reasons. if (settings.clientUid != (uid_t) -1 && settings.clientUid != 0) { - _chown(tmpDir, settings.clientUid, - settings.clientGid != 0 ? settings.clientGid : -1); + uid_t uid = settings.clientUid; + gid_t gid = settings.clientGid != 0 ? settings.clientGid : -1; + bool reown = false; + + /* First remove setuid/setgid bits. */ + secureFilePerms(tmpDir); + + try { + _chown(tmpDir, uid, gid); + + if (getuid() != 0) { + /* If, without being root, the '_chown' call above + succeeded, then it means we have CAP_CHOWN. Retake + ownership of tmpDir itself so it can be renamed + below. */ + reown = true; + } + + } catch (SysError & e) { + /* When running as an unprivileged user and without + CAP_CHOWN, we cannot chown the build tree. Print a + message and keep going. */ + printMsg(lvlInfo, format("cannot change ownership of build directory '%1%': %2%") + % tmpDir % strerror(e.errNo)); + } if (top != tmpDir) { + if (reown) chown(tmpDir.c_str(), getuid(), getgid()); + // Rename tmpDir to its parent, with an intermediate step. string pivot = top + ".pivot"; if (rename(top.c_str(), pivot.c_str()) == -1) throw SysError("pivoting failed build tree"); if (rename((pivot + "/top").c_str(), top.c_str()) == -1) throw SysError("renaming failed build tree"); + + if (reown) + /* Running unprivileged but with CAP_CHOWN. */ + chown(top.c_str(), uid, gid); + rmdir(pivot.c_str()); } } diff --git a/nix/libstore/local-store.cc b/nix/libstore/local-store.cc index 0883a4bbce..83e6c3e16e 100644 --- a/nix/libstore/local-store.cc +++ b/nix/libstore/local-store.cc 
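Review bot: both re-ownership calls added in the @@ -2736 hunk, ‘chown(tmpDir.c_str(), getuid(), getgid())’ and ‘chown(top.c_str(), uid, gid)’, discard their return value, whereas the ‘_chown’ failure just above is caught and logged; if the second one fails the failed build tree is silently left owned by the daemon instead of the client, so at least report it through the same ‘printMsg(lvlInfo, ...)’ path. The ‘reown’ flag also needs a comment at its declaration: it encodes “we are unprivileged but the recursive chown succeeded, so we hold CAP_CHOWN”, and that inference is only readable from the try block further down.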
@@ -1614,11 +1614,19 @@ void LocalStore::createUser(const std::string & userName, uid_t userId) { auto dir = settings.nixStateDir + "/profiles/per-user/" + userName; - createDirs(dir); - if (chmod(dir.c_str(), 0755) == -1) - throw SysError(format("changing permissions of directory '%s'") % dir); - if (chown(dir.c_str(), userId, -1) == -1) - throw SysError(format("changing owner of directory '%s'") % dir); + auto created = createDirs(dir); + if (!created.empty()) { + if (chmod(dir.c_str(), 0755) == -1) + throw SysError(format("changing permissions of directory '%s'") % dir); + + /* The following operation requires CAP_CHOWN or can be handled + manually by a user with CAP_CHOWN. */ + if (chown(dir.c_str(), userId, -1) == -1) { + rmdir(dir.c_str()); + string message = strerror(errno); + printMsg(lvlInfo, format("failed to change owner of directory '%1%' to %2%: %3%") % dir % userId % message); + } + } } From patchwork Fri Mar 14 17:48:04 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40171 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 40D1F27BBE9; Fri, 14 Mar 2025 17:51:26 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 2276127BBE2 for ; Fri, 14 Mar 2025 17:51:26 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 
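Review bot: in the @@ -1614 hunk ‘strerror(errno)’ is evaluated after ‘rmdir(dir.c_str())’, so the logged reason is rmdir's errno (or whatever the library left there) rather than the chown failure; capture ‘int err = errno;’ before the rmdir and pass ‘strerror(err)’. The failure handling is also asymmetric: a failed chown removes the directory and logs, while a failed chmod still throws and leaves the directory behind, after which the next call sees ‘created.empty()’ and skips both the chmod and the chown; either roll back in both paths or treat both the same way.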
Subject: [bug#75810] [PATCH v5 07/14] daemon: Create /var/guix/profiles/per-user unconditionally.
From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Fri, 14 Mar 2025 18:48:04 +0100 Message-ID: X-Mailer: git-send-email 2.48.1 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * nix/libstore/local-store.cc (LocalStore::LocalStore): Create ‘perUserDir’ unconditionally. Change-Id: I5188320f9630a81d16f79212d0fffabd55d94abe --- nix/libstore/local-store.cc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/nix/libstore/local-store.cc b/nix/libstore/local-store.cc index 83e6c3e16e..f6540c2117 100644 --- a/nix/libstore/local-store.cc +++ b/nix/libstore/local-store.cc 
@@ -79,12 +79,12 @@ LocalStore::LocalStore(bool reserveSpace) createSymlink(profilesDir, gcRootsDir + "/profiles"); } - /* Optionally, create directories and set permissions for a - multi-user install. */ + Path perUserDir = profilesDir + "/per-user"; + createDirs(perUserDir); + + /* Optionally, set permissions for a multi-user install. */ if (getuid() == 0 && settings.buildUsersGroup != "") { - Path perUserDir = profilesDir + "/per-user"; - createDirs(perUserDir); if (chmod(perUserDir.c_str(), 0755) == -1) throw SysError(format("could not set permissions on '%1%' to 755") % perUserDir); From patchwork Fri Mar 14 17:48:05 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40179 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 8E90F27BBEB; Fri, 14 Mar 2025 17:52:08 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 3B6E027BBE2 for ; Fri, 14 Mar 2025 17:52:08 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tt9CV-0006JR-Nf; Fri, 14 Mar 2025 13:52:04 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tt9Bc-0005JZ-Gt for guix-patches@gnu.org; Fri, 14 Mar 2025 13:51:09 -0400 Received: from debbugs.gnu.org 
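Review bot: with the @@ -79 hunk ‘perUserDir’ is now created for a non-root daemon too, but the ‘chmod(perUserDir.c_str(), 0755)’ stays inside the ‘getuid() == 0 && settings.buildUsersGroup != ""’ branch, so in the unprivileged configuration the directory keeps whatever mode the daemon's umask produced; with a 077 umask other users cannot traverse /var/guix/profiles/per-user to reach their own profile links. The daemon owns the directory it just created, so the chmod succeeds without privileges; move it next to the ‘createDirs(perUserDir)’ call and leave only the parts that genuinely need root in the conditional branch.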
Subject: [bug#75810] [PATCH v5 08/14] daemon: Drop Linux ambient capabilities before executing builder.
From: Ludovic Courtès Date: Fri, 14 Mar 2025 18:48:05 +0100 Message-ID: <579aae1bcbba126fb7a779ca53d3877b70bd110e.1741973869.git.ludo@gnu.org> * config-daemon.ac: Check for . * nix/libstore/build.cc (DerivationGoal::runChild): When ‘useChroot’ is true, call ‘prctl’ to drop all ambient capabilities. Change-Id: If34637fc508e5fb6d278167f5df7802fc595284f --- config-daemon.ac | 2 +- nix/libstore/build.cc | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/config-daemon.ac b/config-daemon.ac index 4e949bc88a..35d9c8cd56 100644 --- a/config-daemon.ac +++ b/config-daemon.ac @@ -79,7 +79,7 @@ if test "x$guix_build_daemon" = "xyes"; then dnl Chroot support. AC_CHECK_FUNCS([chroot unshare]) AC_CHECK_HEADERS([sched.h sys/param.h sys/mount.h sys/syscall.h \ - linux/close_range.h]) + linux/close_range.h sys/prctl.h]) if test "x$ac_cv_func_chroot" != "xyes"; then AC_MSG_ERROR(['chroot' function missing, bailing out]) diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc index 76f75e00df..07c8ad7e1d 100644 --- a/nix/libstore/build.cc +++ b/nix/libstore/build.cc @@ -50,6 +50,9 @@ #if HAVE_SCHED_H #include #endif +#if HAVE_SYS_PRCTL_H +#include +#endif #define CHROOT_ENABLED HAVE_CHROOT && HAVE_SYS_MOUNT_H && defined(MS_BIND) && defined(MS_PRIVATE)
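Review bot: the `#if HAVE_SYS_PRCTL_H` guard around the new include only proves that the header exists, not that it defines `PR_CAP_AMBIENT` and `PR_CAP_AMBIENT_CLEAR_ALL` (those arrived with Linux 4.3 and the libc headers that followed), so the `prctl` call in `runChild` will not compile against older headers. Either add an `AC_CHECK_DECLS([PR_CAP_AMBIENT], [], [], [[#include <sys/prctl.h>]])` next to the `AC_CHECK_HEADERS([... sys/prctl.h])` line and test that result, or guard the call with `#ifdef PR_CAP_AMBIENT` in addition to `HAVE_SYS_PRCTL_H`.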
@@ -2070,6 +2073,12 @@ void DerivationGoal::runChild() #if CHROOT_ENABLED if (useChroot) { +# if HAVE_SYS_PRCTL_H + /* Drop ambient capabilities such as CAP_CHOWN that might have + been granted when starting guix-daemon. */ + prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0); +# endif + if (!fixedOutput) { /* Initialise the loopback interface. */ AutoCloseFD fd(socket(PF_INET, SOCK_DGRAM, IPPROTO_IP));
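Review bot: the return value of `prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0)` is ignored, so a failure silently leaves the builder with exactly the capabilities (the `CAP_CHOWN` the comment mentions, for instance) this hunk is meant to remove. A kernel without ambient-capability support returns -1 with `EINVAL`, and then there is nothing to drop, so that case can be tolerated; anything else should be fatal, e.g. `if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) == -1 && errno != EINVAL) throw SysError("cannot drop ambient capabilities");`. Separately, the drop sits under `if (useChroot)`, yet ambient capabilities survive `execve` whether or not a chroot is used, so the `--disable-chroot` path inherits them unchanged; moving the call above the `#if CHROOT_ENABLED` block would cover both.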
From patchwork Fri Mar 14 17:48:06 2025 X-Patchwork-Id: 40178 Subject: [bug#75810] [PATCH v5 09/14] daemon: Move comments where they belong.
From: Ludovic Courtès Date: Fri, 14 Mar 2025 18:48:06 +0100 Message-ID: <86a4ed49616acee6bf2767470f76d459000f4ca3.1741973869.git.ludo@gnu.org> * nix/libstore/build.cc (DerivationGoal::startBuilder): Shuffle comments for clarity. Change-Id: I6557c103ade4a3ab046354548ea193c68f8c9c05 --- nix/libstore/build.cc | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc index 07c8ad7e1d..37c3d3bf1e 100644 --- a/nix/libstore/build.cc +++ b/nix/libstore/build.cc
@@ -1870,18 +1870,19 @@ void DerivationGoal::startBuilder() } dirsInChroot[tmpDirInSandbox] = tmpDir; - /* Make the closure of the inputs available in the chroot, - rather than the whole store. This prevents any access - to undeclared dependencies. !!! As an extra security - precaution, make the fake store only writable by the - build user. */ + /* Create the fake store. */ Path chrootStoreDir = chrootRootDir + settings.nixStore; createDirs(chrootStoreDir); chmod_(chrootStoreDir, 01775); if (buildUser.enabled() && chown(chrootStoreDir.c_str(), 0, buildUser.getGID()) == -1) - throw SysError(format("cannot change ownership of ‘%1%’") % chrootStoreDir); + /* As an extra security precaution, make the fake store only + writable by the build user. */ + throw SysError(format("cannot change ownership of ‘%1%’") % chrootStoreDir); + /* Make the closure of the inputs available in the chroot, rather than + the whole store. This prevents any access to undeclared + dependencies. */ foreach (PathSet::iterator, i, inputPaths) { struct stat st; if (lstat(i->c_str(), &st))
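Review bot: the relocated comment `/* As an extra security precaution, make the fake store only writable by the build user. */` now sits between the `if (buildUser.enabled() && chown(...) == -1)` condition and its `throw SysError(...)` body, so it reads as an explanation of the throw rather than of the `chmod_(chrootStoreDir, 01775)` and `chown(chrootStoreDir.c_str(), 0, buildUser.getGID())` pair it describes; it belongs above the `chmod_` line, directly after `/* Create the fake store. */`. While moving it, the wording overstates what the mode achieves: `01775` owned by root with the build users group makes the fake store writable by every member of that group (the sticky bit only stops them deleting each other's entries), not "only by the build user".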
From patchwork Fri Mar 14 17:48:07 2025 X-Patchwork-Id: 40180 Subject: [bug#75810] [PATCH v5 10/14] tests: Add missing derivation inputs.
From: Ludovic Courtès Date: Fri, 14 Mar 2025 18:48:07 +0100 Message-ID: <817d91a82d60546476736e014acd28eb8043b63f.1741973869.git.ludo@gnu.org> These missing inputs go unnoticed when running ‘guix-daemon --disable-chroot’ but are immediately visible otherwise. * tests/derivations.scm ("fixed-output derivation"): Add %BASH to #:sources. ("fixed-output derivation: output paths are equal"): ("fixed-output derivation, recursive"): ("derivation with a fixed-output input"): ("derivation with duplicate fixed-output inputs"): ("derivation with equivalent fixed-output inputs"): ("build derivation with coreutils"): Likewise. * tests/packages.scm (bootstrap-binary): New procedure. ("package-source-derivation, origin, sha512"): Use it instead of ‘search-bootstrap-binary’ and add BASH to #:sources. ("package-source-derivation, origin, sha3-512"): Likewise. Change-Id: I4c9087df23c47729a3aff15e9e1435b7266e36e2 --- tests/derivations.scm | 24 +++++++++++++++--------- tests/packages.scm | 13 +++++++++---- 2 files changed, 24 insertions(+), 13 deletions(-) diff --git a/tests/derivations.scm b/tests/derivations.scm index 72ea9aa9cc..f30f05474e 100644 --- a/tests/derivations.scm +++ b/tests/derivations.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2012-2024 Ludovic Courtès +;;; Copyright © 2012-2025 Ludovic Courtès ;;; ;;; This file is part of GNU Guix. ;;;
@@ -443,7 +443,7 @@ (define* (directory-contents dir #:optional (slurp get-bytevector-all)) (string-append "fixed-" (symbol->string hash-algorithm)) %bash `(,builder) - #:sources `(,builder) ;optional + #:sources (list %bash builder) #:hash hash #:hash-algo hash-algorithm))) (build-derivations %store (list drv)) @@ -462,9 +462,11 @@ (define* (directory-contents dir #:optional (slurp get-bytevector-all)) (hash (gcrypt:sha256 (string->utf8 "hello"))) (drv1 (derivation %store "fixed" %bash `(,builder1) + #:sources (list %bash builder1) #:hash hash #:hash-algo 'sha256)) (drv2 (derivation %store "fixed" %bash `(,builder2) + #:sources (list %bash builder2) #:hash hash #:hash-algo 'sha256)) (succeeded? (build-derivations %store (list drv1 drv2)))) (and succeeded? @@ -477,7 +479,7 @@ (define* (directory-contents dir #:optional (slurp get-bytevector-all)) (hash (gcrypt:sha256 (string->utf8 "hello"))) (drv (derivation %store "fixed-rec" %bash `(,builder) - #:sources (list builder) + #:sources (list %bash builder) #:hash (base32 "0sg9f58l1jj88w6pdrfdpj5x9b1zrwszk84j81zvby36q9whhhqa") #:hash-algo 'sha256 #:recursive? #t)) @@ -511,9 +513,11 @@ (define* (directory-contents dir #:optional (slurp get-bytevector-all)) (hash (gcrypt:sha256 (string->utf8 "hello"))) (fixed1 (derivation %store "fixed" %bash `(,builder1) + #:sources (list %bash builder1) #:hash hash #:hash-algo 'sha256)) (fixed2 (derivation %store "fixed" %bash `(,builder2) + #:sources (list %bash builder2) #:hash hash #:hash-algo 'sha256)) (fixed-out (derivation->output-path fixed1)) (builder3 (add-text-to-store 
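Review bot: the `"fixed-output derivation"` hunk drops the `;optional` remark together with `#:sources `(,builder)`, which is right, since with the chroot enabled the builder executable must itself be a declared input, but nothing in tests/derivations.scm now records that rule, and the same `(list %bash builder)` idiom is repeated in every fixed-output test touched here. A one-line comment at the first occurrence (or next to the definition of `%bash`) saying that `%bash` has to be listed in `#:sources` for the build to see it when `guix-daemon` runs with chroot enabled would keep the next test from reintroducing the `--disable-chroot`-only behaviour the commit message describes.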
@@ -548,9 +552,11 @@ (define* (directory-contents dir #:optional (slurp get-bytevector-all)) (hash (gcrypt:sha256 (string->utf8 "hello"))) (fixed1 (derivation %store "fixed" %bash `(,builder1) + #:sources (list %bash builder1) #:hash hash #:hash-algo 'sha256)) (fixed2 (derivation %store "fixed" %bash `(,builder2) + #:sources (list %bash builder2) #:hash hash #:hash-algo 'sha256)) (builder3 (add-text-to-store %store "builder.sh" "echo fake builder")) @@ -580,21 +586,21 @@ (define* (directory-contents dir #:optional (slurp get-bytevector-all)) '())) (hash (gcrypt:sha256 (string->utf8 "hello"))) (drv1 (derivation %store "fixed" %bash (list builder1) - #:sources (list builder1) + #:sources (list %bash builder1) #:hash hash #:hash-algo 'sha256)) (drv2 (derivation %store "fixed" %bash (list builder2) - #:sources (list builder2) + #:sources (list %bash builder2) #:hash hash #:hash-algo 'sha256)) (drv3a (derivation %store "fixed-user" %bash (list builder3) #:outputs '("one" "two") - #:sources (list builder3) + #:sources (list %bash builder3) #:inputs (list (derivation-input drv1)))) (drv3b (derivation %store "fixed-user" %bash (list builder3) #:outputs '("one" "two") - #:sources (list builder3) + #:sources (list %bash builder3) #:inputs (list (derivation-input drv2)))) (drv4 (derivation %store "fixed-user-user" %bash (list builder1) - #:sources (list builder1) + #:sources (list %bash builder1) #:inputs (list (derivation-input drv3a '("one")) (derivation-input drv3b '("two")))))) (match (derivation-inputs drv4) @@ -878,7 +884,7 @@ (define %coreutils ,(string-append (derivation->output-path %coreutils) "/bin"))) - #:sources (list builder) + #:sources (list %bash builder) #:inputs (list (derivation-input %coreutils)))) (succeeded? (build-derivations %store (list drv)))) diff --git a/tests/packages.scm b/tests/packages.scm index 50c1cab915..f56c63128d 100644 --- a/tests/packages.scm +++ b/tests/packages.scm 
@@ -80,6 +80,11 @@ (define %store ;; When grafting, do not add dependency on 'glibc-utf8-locales'. (%graft-with-utf8-locale? #f) +(define (bootstrap-binary name) + (let ((bin (search-bootstrap-binary name (%current-system)))) + (and %store + (add-to-store %store name #t "sha256" bin)))) + (test-begin "packages") @@ -609,14 +614,14 @@ (define %store (test-equal "package-source-derivation, origin, sha512" "hello" - (let* ((bash (search-bootstrap-binary "bash" (%current-system))) + (let* ((bash (bootstrap-binary "bash")) (builder (add-text-to-store %store "my-fixed-builder.sh" "echo -n hello > $out" '())) (method (lambda* (url hash-algo hash #:optional name #:rest rest) (and (eq? hash-algo 'sha512) (raw-derivation name bash (list builder) - #:sources (list builder) + #:sources (list bash builder) #:hash hash #:hash-algo hash-algo)))) (source (origin 
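Review bot: `bootstrap-binary` calls `(search-bootstrap-binary name (%current-system))` before it checks `%store`, so in the `(and %store ...)` case it does the lookup only to return `#f`, and the two callers then hand `#f` to `raw-derivation` as the builder, which will fail somewhere less obvious than here. If the `"package-source-derivation, origin, sha512"` and `sha3-512` tests are already skipped when there is no store, the `(and %store ...)` guard is dead code and can go; if they are not, they should be guarded at the test rather than inside this helper.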
@@ -635,14 +640,14 @@ (define %store (test-equal "package-source-derivation, origin, sha3-512" "hello, sha3" - (let* ((bash (search-bootstrap-binary "bash" (%current-system))) + (let* ((bash (bootstrap-binary "bash")) (builder (add-text-to-store %store "my-fixed-builder.sh" "echo -n hello, sha3 > $out" '())) (method (lambda* (url hash-algo hash #:optional name #:rest rest) (and (eq? hash-algo 'sha3-512) (raw-derivation name bash (list builder) - #:sources (list builder) + #:sources (list bash builder) #:hash hash #:hash-algo hash-algo)))) (source (origin
From patchwork Fri Mar 14 17:48:08 2025 X-Patchwork-Id: 40177 Subject: [bug#75810] [PATCH v5 11/14] tests: Run in a chroot and unprivileged user namespaces.
From: Ludovic Courtès Date: Fri, 14 Mar 2025 18:48:08 +0100 * build-aux/test-env.in: Pass ‘--disable-chroot’ only when unprivileged user namespace support is lacking and warn in that case. * tests/store.scm ("build-things, check mode"): Use ‘gettimeofday’ rather than a shared file as a source of entropy. ("symlink is symlink") ("isolated environment", "inputs are read-only") ("inputs cannot be remounted read-write") ("build root cannot be made world-readable") ("/tmp, store, and /dev/{null,full} are writable") ("network is unreachable"): New tests. * tests/processes.scm ("client + lock"): Skip when ‘unprivileged-user-namespace-supported?’ returns true. Change-Id: I3b3c3ebdf6db5fd36ee70251d07b893c17ca1b84 --- build-aux/test-env.in | 16 ++- tests/processes.scm | 9 +- tests/store.scm | 250 ++++++++++++++++++++++++++++++++++++------ 3 files changed, 237 insertions(+), 38 deletions(-) diff --git a/build-aux/test-env.in b/build-aux/test-env.in index 9caa29da58..a3f225582d 100644 --- a/build-aux/test-env.in +++ b/build-aux/test-env.in @@ -1,7 +1,7 @@ #!/bin/sh # GNU Guix --- Functional package management for GNU -# Copyright © 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2021 Ludovic Courtès +# Copyright © 2012-2019, 2021, 2025 Ludovic Courtès # # This file is part of GNU Guix. #
@@ -102,10 +102,22 @@ then rm -rf "$GUIX_STATE_DIRECTORY/daemon-socket" mkdir -m 0700 "$GUIX_STATE_DIRECTORY/daemon-socket" + # If unprivileged user namespaces are not supported, pass + # '--disable-chroot'. + if [ ! -f /proc/sys/kernel/unprivileged_userns_clone ] \ + || [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" -eq 1 ]; then + extra_options="" + else + extra_options="--disable-chroot" + echo "unprivileged user namespaces not supported; \ +running 'guix-daemon $extra_options'" >&2 + fi + # Launch the daemon without chroot support because is may be # unavailable, for instance if we're not running as root. "@abs_top_builddir@/pre-inst-env" \ - "@abs_top_builddir@/guix-daemon" --disable-chroot \ + "@abs_top_builddir@/guix-daemon" \ + $extra_options \ --substitute-urls="$GUIX_BINARY_SUBSTITUTE_URL" & daemon_pid=$! diff --git a/tests/processes.scm b/tests/processes.scm index ba518f2d9e..a72ba16f58 100644 --- a/tests/processes.scm +++ b/tests/processes.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2018 Ludovic Courtès +;;; Copyright © 2018, 2025 Ludovic Courtès ;;; Copyright © 2019 Mathieu Othacehe ;;; ;;; This file is part of GNU Guix. @@ -25,6 +25,8 @@ (define-module (test-processes) #:use-module (guix gexp) #:use-module ((guix utils) #:select (call-with-temporary-directory)) #:use-module (gnu packages bootstrap) + #:use-module ((gnu build linux-container) + #:select (unprivileged-user-namespace-supported?)) #:use-module (guix tests) #:use-module (srfi srfi-1) #:use-module (srfi srfi-64) 
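Review bot: the new check treats a missing `/proc/sys/kernel/unprivileged_userns_clone` as "supported", but that sysctl is a Debian/Ubuntu addition; on other kernels the file is absent even when user namespaces are compiled out or disabled through `user.max_user_namespaces=0`, and the script then starts the daemon with chroot enabled and every build fails. Probe the capability itself instead (tests/processes.scm in this same patch already imports `unprivileged-user-namespace-supported?`, which the script could reach through `guile -c`), or at least fall back to `--disable-chroot` when the file is absent rather than present with a value other than 1. Also, the old comment `# Launch the daemon without chroot support because is may be unavailable, for instance if we're not running as root.` is left in place directly below the new logic and now contradicts it (besides the `is may` typo); update or drop it.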
@@ -84,6 +86,11 @@ (define-syntax-rule (test-assert* description exp) (and (kill (process-id daemon) 0) (string-suffix? "guix-daemon" (first (process-command daemon))))))) +(when (unprivileged-user-namespace-supported?) + ;; The test below assumes the build process can communicate with the outside + ;; world via the TOKEN1 and TOKEN2 files, which is impossible when + ;; guix-daemon is set up to build in separate namespaces. + (test-skip 1)) (test-assert* "client + lock" (with-store store (call-with-temporary-directory diff --git a/tests/store.scm b/tests/store.scm index 45948f4f43..aa2477ef75 100644 --- a/tests/store.scm +++ b/tests/store.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2012-2021, 2023 Ludovic Courtès +;;; Copyright © 2012-2021, 2023, 2025 Ludovic Courtès ;;; ;;; This file is part of GNU Guix. ;;; @@ -28,8 +28,12 @@ (define-module (test-store) #:use-module (guix base32) #:use-module (guix packages) #:use-module (guix derivations) + #:use-module ((guix modules) + #:select (source-module-closure)) #:use-module (guix serialization) #:use-module (guix build utils) + #:use-module ((gnu build linux-container) + #:select (unprivileged-user-namespace-supported?)) #:use-module (guix gexp) #:use-module (gnu packages) #:use-module (gnu packages bootstrap) 
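Review bot: this `test-skip` keys off `(unprivileged-user-namespace-supported?)` on the host, whereas build-aux/test-env.in decides whether to pass `--disable-chroot` from the `unprivileged_userns_clone` sysctl; when the two disagree (sysctl file absent but user namespaces unavailable) `"client + lock"` runs against a daemon started with chroot enabled and fails for a reason unrelated to what it checks. Deriving both decisions from the same predicate, or having test-env.in export its choice in an environment variable the tests read, keeps them in step.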
@@ -391,6 +395,191 @@ (define %shell (equal? (valid-derivers %store o) (list (derivation-file-name d)))))) +(test-assert "symlink is symlink" + (let* ((a (add-text-to-store %store "hello.txt" (random-text))) + (b (build-expression->derivation + %store "symlink" + '(symlink (assoc-ref %build-inputs "a") %output) + #:inputs `(("a" ,a)))) + (c (build-expression->derivation + %store "symlink-reference" + `(call-with-output-file %output + (lambda (port) + ;; Check that B is indeed visible as a symlink. This should + ;; always be the case, both in the '--disable-chroot' and in + ;; the user namespace setups. + (pk 'stat (lstat (assoc-ref %build-inputs "b"))) + (display (readlink (assoc-ref %build-inputs "b")) + port))) + #:inputs `(("b" ,b))))) + (and (build-derivations %store (list c)) + (string=? (call-with-input-file (derivation->output-path c) + get-string-all) + a)))) + +(unless (unprivileged-user-namespace-supported?) + (test-skip 1)) +(test-equal "isolated environment" + (string-join (append + '("PID: 1" "UID: 30001") + (delete-duplicates + (sort (list "/dev" "/tmp" "/proc" "/etc" + (match (string-tokenize (%store-prefix) + (char-set-complement + (char-set #\/))) + ((top _ ...) (string-append "/" top)))) + string $out")) + (s (add-to-store %store "bash" #t "sha256" + (search-bootstrap-binary "bash" + (%current-system)))) + (d (derivation %store "the-thing" + s `("-e" ,b) + #:env-vars `(("foo" . ,(random-text))) + #:sources (list b s))) + (o (derivation->output-path d))) + (and (build-derivations %store (list d)) + (call-with-input-file o get-string-all)))) + +(unless (unprivileged-user-namespace-supported?) + (test-skip 1)) +(test-equal "inputs are read-only" + "All good!" 
+ (let* ((input (plain-file (string-append "might-be-tampered-with-" + (number->string + (car (gettimeofday)) + 16)) + "All good!")) + (drv + (run-with-store %store + (gexp->derivation + "attempt-to-write-to-input" + (with-imported-modules (source-module-closure + '((guix build syscalls))) + #~(begin + (use-modules (guix build syscalls)) + + (let ((input #$input)) + (chmod input #o666) + (call-with-output-file input + (lambda (port) + (display "BAD!" port))) + (mkdir #$output)))))))) + (and (guard (c ((store-protocol-error? c) #t)) + (build-derivations %store (list drv))) + (call-with-input-file (run-with-store %store + (lower-object input)) + get-string-all)))) + +(unless (unprivileged-user-namespace-supported?) + (test-skip 1)) +(test-assert "inputs cannot be remounted read-write" + (let ((drv + (run-with-store %store + (gexp->derivation + "attempt-to-remount-input-read-write" + (with-imported-modules (source-module-closure + '((guix build syscalls))) + #~(begin + (use-modules (guix build syscalls)) + + (let ((input #$(plain-file "input-that-might-be-tampered-with" + "All good!"))) + (mount "none" input "none" (logior MS_BIND MS_REMOUNT)) + (call-with-output-file input + (lambda (port) + (display "BAD!" port))) + (mkdir #$output)))))))) + (guard (c ((store-protocol-error? c) #t)) + (build-derivations %store (list drv)) + #f))) + +(unless (unprivileged-user-namespace-supported?) 
+ (test-skip 1)) +(test-assert "build root cannot be made world-readable" + (let ((drv + (run-with-store %store + (gexp->derivation + "attempt-to-make-root-world-readable" + (with-imported-modules (source-module-closure + '((guix build syscalls))) + #~(begin + (use-modules (guix build syscalls)) + + (let ((guile (string-append (assoc-ref %guile-build-info + 'bindir) + "/guile"))) + (catch 'system-error + (lambda () + (chmod "/" #o777)) + (lambda args + (format #t "failed to make root writable: ~a~%" + (strerror (system-error-errno args))) + (format #t "attempting read-write remount~%") + (mount "none" "/" "/" (logior MS_BIND MS_REMOUNT)) + (chmod "/" #o777))) + (copy-file guile "/guile") + (chmod "/guile" #o6755) + ;; At this point, there's a world-readable setuid 'guile' + ;; binary in the store that remains visible until this + ;; build completes. + (list #$output)))))))) + (guard (c ((store-protocol-error? c) #t)) + (build-derivations %store (list drv)) + #f))) + +(unless (unprivileged-user-namespace-supported?) + (test-skip 1)) +(test-assert "/tmp, store, and /dev/{null,full} are writable" + ;; All of /tmp and all of the store must be writable (the store is writable + ;; so that derivation outputs can be written to it, but in practice it's + ;; always been wide open). Things like /dev/null must be writable too. + (let ((drv (run-with-store %store + (gexp->derivation + "check-tmp-and-store-are-writable" + #~(begin + (mkdir "/tmp/something") + (mkdir (in-vicinity (getenv "NIX_STORE") + "some-other-thing")) + (call-with-output-file "/dev/null" + (lambda (port) + (display "Welcome to the void." port))) + (catch 'system-error + (lambda () + (call-with-output-file "/dev/full" + (lambda (port) + (display "No space left!" port))) + (error "Should have thrown!")) + (lambda args + (unless (= ENOSPC (system-error-errno args)) + (apply throw args)))) + (mkdir #$output)))))) + (build-derivations %store (list drv)))) + +(unless (unprivileged-user-namespace-supported?) 
+ (test-skip 1)) +(test-assert "network is unreachable" + (let ((drv (run-with-store %store + (gexp->derivation + "check-network-unreachable" + #~(let ((check-connection-failure + (lambda (address expected-code) + (let ((s (socket AF_INET SOCK_STREAM 0))) + (catch 'system-error + (lambda () + (connect s AF_INET (inet-pton AF_INET address) 80)) + (lambda args + (let ((errno (system-error-errno args))) + (unless (= expected-code errno) + (error "wrong error code" + errno (strerror errno)))))))))) + (check-connection-failure "127.0.0.1" ECONNREFUSED) + (check-connection-failure "9.9.9.9" ENETUNREACH) + (mkdir #$output)))))) + (build-derivations %store (list drv)))) + (test-equal "with-build-handler" 'success (let* ((b (add-text-to-store %store "build" "echo $foo > $out" '())) 
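Review bot: the "build root cannot be made world-readable" test in the `@@ -391,6 +395,191 @@` hunk passes on any build failure, not only on a denied chmod or remount: if `%guile-build-info` lacks `bindir`, if `mount` throws before `copy-file` runs, or if `copy-file` itself fails, the `guard` still yields #t, so the test cannot tell a protected root from an unrelated breakage. Consider matching on `store-protocol-error-message`, or checking observable state after the failed build as "inputs are read-only" does with its input file. Also, the inner comment says the setuid binary sits "in the store", but it is copied to `/guile`, the build root.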
@@ -1333,40 +1522,31 @@ (define %shell (test-assert "build-things, check mode" (with-store store - (call-with-temporary-output-file - (lambda (entropy entropy-port) - (write (random-text) entropy-port) - (force-output entropy-port) - (let* ((drv (build-expression->derivation - store "non-deterministic" - `(begin - (use-modules (rnrs io ports)) - (let ((out (assoc-ref %outputs "out"))) - (call-with-output-file out - (lambda (port) - ;; Rely on the fact that tests do not use the - ;; chroot, and thus ENTROPY is readable. - (display (call-with-input-file ,entropy - get-string-all) - port))) - #t)) - #:guile-for-build - (package-derivation store %bootstrap-guile (%current-system)))) - (file (derivation->output-path drv))) - (and (build-things store (list (derivation-file-name drv))) - (begin - (write (random-text) entropy-port) - (force-output entropy-port) - (guard (c ((store-protocol-error? c) - (pk 'determinism-exception c) - (and (not (zero? (store-protocol-error-status c))) - (string-contains (store-protocol-error-message c) - "deterministic")))) - ;; This one will produce a different result. Since we're in - ;; 'check' mode, this must fail. - (build-things store (list (derivation-file-name drv)) - (build-mode check)) - #f)))))))) + (let* ((drv (build-expression->derivation + store "non-deterministic" + `(begin + (use-modules (rnrs io ports)) + (let ((out (assoc-ref %outputs "out"))) + (call-with-output-file out + (lambda (port) + (let ((now (gettimeofday))) + (display (+ (car now) (cdr now)) port)))) + #t)) + #:guile-for-build + (package-derivation store %bootstrap-guile (%current-system)))) + (file (derivation->output-path drv))) + (and (build-things store (list (derivation-file-name drv))) + (begin + (guard (c ((store-protocol-error? c) + (pk 'determinism-exception c) + (and (not (zero? (store-protocol-error-status c))) + (string-contains (store-protocol-error-message c) + "deterministic")))) + ;; This one will produce a different result. 
Since we're in + ;; 'check' mode, this must fail. + (build-things store (list (derivation-file-name drv)) + (build-mode check)) + #f)))))) (test-assert "build-succeeded trace in check mode" (string-contains
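Review bot: in the `@@ -1333,40 +1522,31 @@` hunk, `(+ (car now) (cdr now))` folds seconds and microseconds into one integer, so two distinct timestamps can produce the same output (one second later with a microsecond count one lower, for instance), which would make the check-mode rebuild look deterministic and the test flaky. Write the two fields separately, e.g. `(format port "~a.~a" (car now) (cdr now))`, so the output differs whenever the timestamp does.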
From patchwork Fri Mar 14 17:48:09 2025
Subject: [bug#75810] [PATCH v5 12/14] etc: systemd services: Run ‘guix-daemon’ as an unprivileged user.
From: Ludovic Courtès
Date: Fri, 14 Mar 2025 18:48:09 +0100
Message-ID: <00d1d9c120c7d8e33fe09a57df7f0818b5ff0df4.1741973869.git.ludo@gnu.org>
X-Mailer: git-send-email 2.48.1

* etc/guix-daemon.service.in (ExecStart): Remove ‘--build-users-group’.
(Environment): Add ‘GUIX_STATE_DIRECTORY’.
(Before, User, AmbientCapabilities, PrivateMounts, BindPaths): New fields.
* etc/gnu-store.mount.in (Before): Remove.
(WantedBy): Change to ‘multi-user.target’.

Change-Id: Id826b8ab535844b6024d777f6bd15fd49db6d65e
---
 etc/gnu-store.mount.in     |  3 +--
 etc/guix-daemon.service.in | 22 ++++++++++++++++++++--
 2 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/etc/gnu-store.mount.in b/etc/gnu-store.mount.in
index c94f2db72b..f9918c9e52 100644
--- a/etc/gnu-store.mount.in
+++ b/etc/gnu-store.mount.in
@@ -2,10 +2,9 @@ Description=Read-only @storedir@ for GNU Guix DefaultDependencies=no ConditionPathExists=@storedir@ -Before=guix-daemon.service [Install] -WantedBy=guix-daemon.service +WantedBy=multi-user.target [Mount] What=@storedir@
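Review bot: dropping `Before=guix-daemon.service` here and inverting the order in guix-daemon.service (`Before=gnu-store.mount`) makes the daemon's writable view depend on it starting before the read-only bind mount exists, but `Before=` only orders units within one transaction; please document (or test) what happens on `systemctl restart guix-daemon` once gnu-store.mount is already active, since `BindPaths=@storedir@` would then be taken from a mount that is already read-only. A sentence in the unit explaining why `WantedBy=multi-user.target` is the right install target for this unit would also help.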
diff --git a/etc/guix-daemon.service.in b/etc/guix-daemon.service.in index 5c43d9b7f1..c4faf1bcfe 100644 --- a/etc/guix-daemon.service.in +++ b/etc/guix-daemon.service.in 
@@ -5,11 +5,29 @@ [Unit] Description=Build daemon for GNU Guix +# Start before 'gnu-store.mount' to get a writable view of the store. +Before=gnu-store.mount + [Service] ExecStart=@localstatedir@/guix/profiles/per-user/root/current-guix/bin/guix-daemon \ - --build-users-group=guixbuild --discover=no \ + --discover=no \ --substitute-urls='@GUIX_SUBSTITUTE_URLS@' -Environment='GUIX_LOCPATH=@localstatedir@/guix/profiles/per-user/root/guix-profile/lib/locale' LC_ALL=en_US.utf8 +Environment='GUIX_STATE_DIRECTORY=@localstatedir@/guix' 'GUIX_LOCPATH=@localstatedir@/guix/profiles/per-user/root/guix-profile/lib/locale' LC_ALL=en_US.utf8 + +# Run under a dedicated unprivileged user account. +User=guix-daemon + +# Bind-mount the store read-write in a private namespace, to counter the +# effect of 'gnu-store.mount'. +PrivateMounts=true +BindPaths=@storedir@ + +# Provide the CAP_CHOWN capability so that guix-daemon cran create and chown +# /var/guix/profiles/per-user/$USER and also chown failed build directories +# when using '--keep-failed'. Note that guix-daemon explicitly drops ambient +# capabilities before executing build processes so they don't inherit them. 
+AmbientCapabilities=CAP_CHOWN + StandardOutput=journal StandardError=journal
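Review bot: typo in the new comment, "guix-daemon cran create" should read "can create". Since the unit now runs as `User=guix-daemon` with `AmbientCapabilities=CAP_CHOWN`, consider also setting `CapabilityBoundingSet=CAP_CHOWN` so the daemon's bounding set is limited to the one capability it needs, and add a line to the comment saying why `--build-users-group=guixbuild` could be dropped from `ExecStart`.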
From patchwork Fri Mar 14 17:48:10 2025
Subject: [bug#75810] [PATCH v5 13/14] guix-install.sh: Support the unprivileged daemon where possible.
From: Ludovic Courtès
Date: Fri, 14 Mar 2025 18:48:10 +0100
Message-ID: <00562be83ffe965836a8a23674d379bb9b45dfc9.1741973869.git.ludo@gnu.org>
X-Mailer: git-send-email 2.48.1

* etc/guix-install.sh (create_account): New function.
(sys_create_build_user): Use it. When ‘guix-daemon.service’ contains “User=guix-daemon” only create the ‘guix-daemon’ user and group.
(sys_delete_build_user): Delete the ‘guix-daemon’ user and group.
(can_install_unprivileged_daemon): New function.
(sys_create_store): When installing the unprivileged daemon, change ownership of /gnu and /var/guix, and create /var/log/guix.
(sys_authorize_build_farms): When the ‘guix-daemon’ account exists, change ownership of /etc/guix.

Change-Id: I73e573f1cc5c0cb3794aaaa6b576616b66e0c5e9
---
 etc/guix-install.sh | 109 ++++++++++++++++++++++++++++++++++----------
 1 file changed, 84 insertions(+), 25 deletions(-)

diff --git a/etc/guix-install.sh b/etc/guix-install.sh
index 8887204df4..eb1093c577 100755
--- a/etc/guix-install.sh
+++ b/etc/guix-install.sh
@@ -414,6 +414,11 @@ sys_create_store() cd "$tmp_path" _msg_info "Installing /var/guix and /gnu..." # Strip (skip) the leading ‘.’ component, which fails on read-only ‘/’. + # + # TODO: Eventually extract with ‘--owner=guix-daemon’ when installing + # and unprivileged guix-daemon service; for now, this script may install + # from both an old release that does not support unprivileged guix-daemon + # and a new release that does, so ‘chown -R’ later if needed. tar --extract --strip-components=1 --file "$pkg" -C / _msg_info "Linking the root user's profile" 
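Review bot: typo in the added TODO, "when installing and unprivileged guix-daemon service" should be "an unprivileged". The comment also promises a later `chown -R`; naming the function that performs it (`sys_create_build_user` in this patch) would keep the two places in sync when someone eventually switches to `--owner=guix-daemon`.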
@@ -441,38 +446,80 @@ sys_delete_store() rm -rf ~root/.config/guix } +create_account() +{ + local user="$1" + local group="$2" + local supplementary_groups="$3" + local comment="$4" + + if id "$user" &>/dev/null; then + _msg_info "user '$user' is already in the system, reset" + usermod -g "$group" -G "$supplementary_groups" \ + -d /var/empty -s "$(which nologin)" \ + -c "$comment" "$user" + else + useradd -g "$group" -G "$supplementary_groups" \ + -d /var/empty -s "$(which nologin)" \ + -c "$comment" --system "$user" + _msg_pass "user added <$user>" + fi +} + +can_install_unprivileged_daemon() +{ # Return true if we can install guix-daemon running without privileges. + [ "$INIT_SYS" = systemd ] && \ + grep -q "User=guix-daemon" \ + ~root/.config/guix/current/lib/systemd/system/guix-daemon.service \ + && ([ ! -f /proc/sys/kernel/unprivileged_userns_clone ] \ + || [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" -eq 1 ]) +} + sys_create_build_user() { # Create the group and user accounts for build users. 
_debug "--- [ ${FUNCNAME[0]} ] ---" - if getent group guixbuild > /dev/null; then - _msg_info "group guixbuild exists" - else - groupadd --system guixbuild - _msg_pass "group created" - fi - if getent group kvm > /dev/null; then _msg_info "group kvm exists and build users will be added to it" local KVMGROUP=,kvm fi - for i in $(seq -w 1 10); do - if id "guixbuilder${i}" &>/dev/null; then - _msg_info "user is already in the system, reset" - usermod -g guixbuild -G guixbuild"$KVMGROUP" \ - -d /var/empty -s "$(which nologin)" \ - -c "Guix build user $i" \ - "guixbuilder${i}"; - else - useradd -g guixbuild -G guixbuild"$KVMGROUP" \ - -d /var/empty -s "$(which nologin)" \ - -c "Guix build user $i" --system \ - "guixbuilder${i}"; - _msg_pass "user added " - fi - done + if can_install_unprivileged_daemon + then + if getent group guix-daemon > /dev/null; then + _msg_info "group guix-daemon exists" + else + groupadd --system guix-daemon + _msg_pass "group guix-daemon created" + fi + + create_account guix-daemon guix-daemon \ + guix-daemon$KVMGROUP \ + "Unprivileged Guix Daemon User" + + # ‘tar xf’ creates root:root files. Change that. + chown -R guix-daemon:guix-daemon /gnu /var/guix + chown -R root:root /var/guix/profiles/per-user/root + + # The unprivileged daemon cannot create the log directory by itself. + mkdir /var/log/guix + chown guix-daemon:guix-daemon /var/log/guix + chmod 755 /var/log/guix + else + if getent group guixbuild > /dev/null; then + _msg_info "group guixbuild exists" + else + groupadd --system guixbuild + _msg_pass "group created" + fi + + for i in $(seq -w 1 10); do + create_account "guixbuilder${i}" "guixbuild" \ + "guixbuild${KVMGROUP}" \ + "Guix build user $i" + done + fi } sys_delete_build_user() 
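Review bot: `mkdir /var/log/guix` in the unprivileged branch of `sys_create_build_user` errors when the directory already exists, whereas the rest of the function (the `getent group` check, the reset path in `create_account`) is written to tolerate a re-run; use `mkdir -p /var/log/guix`. Two smaller points: the commit message attributes the `chown -R` of /gnu and /var/guix and the creation of /var/log/guix to `sys_create_store`, but this hunk puts them in `sys_create_build_user`; and `can_install_unprivileged_daemon` only consults Debian's `kernel.unprivileged_userns_clone`, so a system that disables unprivileged user namespaces through `user.max_user_namespaces=0` passes the check and gets a daemon that cannot build. Checking `/proc/sys/user/max_user_namespaces` as well, or simply trying `unshare -U true`, would cover that case.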
@@ -487,6 +534,14 @@ sys_delete_build_user() if getent group guixbuild &>/dev/null; then groupdel -f guixbuild fi + + _msg_info "remove guix-daemon user" + if id guix-daemon &>/dev/null; then + userdel -f guix-daemon + fi + if getent group guix-daemon &>/dev/null; then + groupdel -f guix-daemon + fi } sys_enable_guix_daemon() @@ -529,11 +584,11 @@ sys_enable_guix_daemon() # Install after guix-daemon.service to avoid a harmless warning. # systemd .mount units must be named after the target directory. - # Here we assume a hard-coded name of /gnu/store. - install_unit gnu-store.mount + install_unit gnu-store.mount systemctl daemon-reload && - systemctl start guix-daemon; } && + systemctl start guix-daemon && + systemctl start gnu-store.mount; } && _msg_pass "enabled Guix daemon via systemd" ;; sysv-init) 
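Review bot: in the `@@ -487,6 +534,14 @@` hunk, `userdel -f guix-daemon` runs while /gnu, /var/guix and /etc/guix may still be owned by that account (they are chowned in `sys_create_build_user` and `sys_authorize_build_farms`), which leaves those trees owned by a freed numeric UID that a later `useradd --system` can hand to an unrelated service. Chown them back to root before deleting the account, or make sure the store removal runs first.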
@@ -654,6 +709,10 @@ project's build farms?"; then && guix archive --authorize < "$key" \ && _msg_pass "Authorized public key for $host" done + if id guix-daemon &>/dev/null; then + # /etc/guix/acl must be readable by the unprivileged guix-daemon. + chown -R guix-daemon:guix-daemon /etc/guix + fi else _msg_info "Skipped authorizing build farm public keys" fi
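Review bot: in the `@@ -654,6 +709,10 @@` hunk, `chown -R guix-daemon:guix-daemon /etc/guix` hands the daemon account ownership of the ACL (and of anything else kept under /etc/guix) while the comment only asks for read access; a compromised daemon could then extend its own list of authorized substitute keys. If read access is all that is needed, keep the directory root-owned and grant it through the group instead, e.g. `chgrp -R guix-daemon /etc/guix && chmod -R g+rX,o-rwx /etc/guix`.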
From patchwork Fri Mar 14 17:48:11 2025
Subject: [bug#75810] [PATCH v5 14/14] DRAFT gnu: guix: Update to 00562be.
From: Ludovic Courtès
Date: Fri, 14 Mar 2025 18:48:11 +0100
X-Mailer: git-send-email 2.48.1

DRAFT: Temporary commit.

* gnu/packages/package-management.scm (guix): Update to 00562be.

Change-Id: I34ef62c3b12391b145916bd6f44f4da3b497754e
---
 gnu/packages/package-management.scm | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/package-management.scm b/gnu/packages/package-management.scm
index b0e8ad0d2a..6a48216961 100644
--- a/gnu/packages/package-management.scm
+++ b/gnu/packages/package-management.scm
@@ -179,8 +179,8 @@ (define-public guix ;; Note: the 'update-guix-package.scm' script expects this definition to ;; start precisely like this. (let ((version "1.4.0") - (commit "5058b40aba825ab6e7b9e518dd1147d1e35fd7de") - (revision 34)) + (commit "00562be83ffe965836a8a23674d379bb9b45dfc9") + (revision 35)) (package (name "guix")
@@ -196,7 +196,7 @@ (define-public guix (commit commit))) (sha256 (base32 - "04vk4lslcd6h22yj5pxvb1pdyyxd8421gjfyvyb1bl3xn7c77246")) + "1ixrs1hlipv81y90q60v6rhjjg7sz3f0rgpq201lvgvbl9pl19i9")) (file-name (string-append "guix-" version "-checkout")))) (build-system gnu-build-system) (arguments
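Review bot: this DRAFT hunk pins `guix` to commit 00562be83ffe965836a8a23674d379bb9b45dfc9, which is patch 13/14 of this same series (its Message-ID starts with that hash), so both the commit and the base32 hash go stale the moment the series is rebased or reordered; regenerate the bump with `update-guix-package.scm` against the final pushed commit rather than merging this revision as is.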