From patchwork Mon Mar 17 17:02:44 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40283 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 32EF127BBEB; Mon, 17 Mar 2025 17:04:42 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 7A72C27BBE9 for ; Mon, 17 Mar 2025 17:04:41 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tuDso-0004D3-10; Mon, 17 Mar 2025 13:04:10 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tuDsi-00048T-VM for guix-patches@gnu.org; Mon, 17 Mar 2025 13:04:05 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1tuDsi-0005Bw-89 for guix-patches@gnu.org; Mon, 17 Mar 2025 13:04:04 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; bh=gj2HkSqKqMC6OnWJO11zAMx01vOVuopEBzKWBjgHWEs=; 
Subject: [bug#75810] [PATCH v6 01/16] daemon: Use ‘close_range’ where available.
Resent-Date: Mon, 17 Mar 2025 17:04:03 +0000
To: 75810@debbugs.gnu.org
Cc: Ludovic Courtès
From: Ludovic Courtès
Date: Mon, 17 Mar 2025 18:02:44 +0100
X-Mailer: git-send-email 2.48.1

* nix/libutil/util.cc (closeMostFDs) [HAVE_CLOSE_RANGE]: Use ‘close_range’ when ‘exceptions’ is empty.
* config-daemon.ac: Check for and the ‘close_range’ symbol.

Change-Id: I12fa3bde58b003fcce5ea5a1fee1dcf9a92c0359
---
 config-daemon.ac    |  5 +++--
 nix/libutil/util.cc | 23 +++++++++++++++++------
 2 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/config-daemon.ac b/config-daemon.ac index 6731c68bc3..4e949bc88a 100644 --- a/config-daemon.ac +++ b/config-daemon.ac @@ -78,7 +78,8 @@ if test "x$guix_build_daemon" = "xyes"; then dnl Chroot support. AC_CHECK_FUNCS([chroot unshare]) - AC_CHECK_HEADERS([sched.h sys/param.h sys/mount.h sys/syscall.h]) + AC_CHECK_HEADERS([sched.h sys/param.h sys/mount.h sys/syscall.h \ + linux/close_range.h]) if test "x$ac_cv_func_chroot" != "xyes"; then AC_MSG_ERROR(['chroot' function missing, bailing out])
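Review bot: linux/close_range.h is appended to the AC_CHECK_HEADERS list that sits under ‘dnl Chroot support.’, where it does not belong, and unlike the checks around it (see ‘dnl strsignal: for error reporting.’ and ‘dnl statx: ...’ in the next hunk) it gets no dnl line saying what it is for or which kernel introduced it. Give it a separate check with a comment along the lines of ‘dnl close_range: bulk descriptor closing, Linux 5.9+.’, and do the same for the ‘close_range’ entry added to AC_CHECK_FUNCS below.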
@@ -95,7 +96,7 @@ if test "x$guix_build_daemon" = "xyes"; then dnl strsignal: for error reporting. dnl statx: fine-grain 'stat' call, new in glibc 2.28. AC_CHECK_FUNCS([lutimes lchown posix_fallocate sched_setaffinity \ - statvfs nanosleep strsignal statx]) + statvfs nanosleep strsignal statx close_range]) dnl Check for . AC_LANG_PUSH(C++) diff --git a/nix/libutil/util.cc b/nix/libutil/util.cc index 3206dea11b..eb2d16e1cc 100644 --- a/nix/libutil/util.cc +++ b/nix/libutil/util.cc @@ -23,6 +23,10 @@ #include #endif +#ifdef HAVE_LINUX_CLOSE_RANGE_H +# include +#endif + extern char * * environ; 
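Review bot: the new ‘#include’ is guarded by HAVE_LINUX_CLOSE_RANGE_H while the call site in closeMostFDs is guarded by HAVE_CLOSE_RANGE, and the two are independent configure results (kernel UAPI header versus libc function), so the include can be absent when the call is compiled and vice versa. That mismatch is harmless only because the kernel header never supplies the prototype anyway: it defines the CLOSE_RANGE_* flag constants, while the declaration of close_range comes from libc (glibc 2.34+ puts it in <unistd.h> under _GNU_SOURCE, which g++ predefines on GNU/Linux). Since the call passes flags 0 it needs neither, so drop the header check and this include; if you want protection against a libc that ships the symbol without declaring it, pair AC_CHECK_FUNCS([close_range]) with AC_CHECK_DECLS([close_range], [], [], [[#include <unistd.h>]]) and test HAVE_DECL_CLOSE_RANGE at the call site.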
@@ -1087,12 +1091,19 @@ string runProgram(Path program, bool searchPath, const Strings & args) void closeMostFDs(const set & exceptions) { - int maxFD = 0; - maxFD = sysconf(_SC_OPEN_MAX); - for (int fd = 0; fd < maxFD; ++fd) - if (fd != STDIN_FILENO && fd != STDOUT_FILENO && fd != STDERR_FILENO - && exceptions.find(fd) == exceptions.end()) - close(fd); /* ignore result */ +#ifdef HAVE_CLOSE_RANGE + if (exceptions.empty()) + close_range(3, ~0U, 0); + else +#endif + { + int maxFD = 0; + maxFD = sysconf(_SC_OPEN_MAX); + for (int fd = 0; fd < maxFD; ++fd) + if (fd != STDIN_FILENO && fd != STDOUT_FILENO && fd != STDERR_FILENO + && exceptions.find(fd) == exceptions.end()) + close(fd); /* ignore result */ + } }
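Review bot: the result of ‘close_range(3, ~0U, 0)’ is ignored, and because the loop sits in the ‘else’ branch a failed call closes nothing at all. HAVE_CLOSE_RANGE only proves the libc wrapper was present at build time (glibc 2.34+); the system call itself exists only on Linux 5.9+, so a daemon built against a recent glibc and run on an older kernel, or under a seccomp filter that rejects the syscall, gets -1 with ENOSYS and silently hands every descriptor it had open to the child, which is exactly what closeMostFDs exists to prevent. Make the loop the fallback for failure as well: ‘if (!exceptions.empty() || close_range(3, ~0U, 0) == -1)’ followed by the existing block, or at minimum check for ENOSYS and fall through. The ‘/* ignore result */’ on close() is fine; the close_range result is the one that matters. As a follow-up, the non-empty-exceptions case can also use close_range on the gaps between the sorted exception descriptors instead of iterating up to sysconf(_SC_OPEN_MAX), which can be in the millions with a raised RLIMIT_NOFILE.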
From patchwork Mon Mar 17 17:02:45 2025
X-Patchwork-Id: 40284
Subject: [bug#75810] [PATCH v6 02/16] daemon: Close the read end of the logging pipe.
Resent-Date: Mon, 17 Mar 2025 17:05:05 +0000
To: 75810@debbugs.gnu.org
Cc: Ludovic Courtès, Reepca Russelstein
From: Ludovic Courtès
Date: Mon, 17 Mar 2025 18:02:45 +0100
X-Mailer: git-send-email 2.48.1

* nix/libutil/util.cc (commonChildInit): Close ‘logPipe.readSide’.

Reported-by: Reepca Russelstein
Change-Id: Ia9e48d1afb85d7af52770e016f2b6832792044dd
---
 nix/libutil/util.cc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/nix/libutil/util.cc b/nix/libutil/util.cc index eb2d16e1cc..56f116046c 100644 --- a/nix/libutil/util.cc +++ b/nix/libutil/util.cc
@@ -1279,6 +1279,9 @@ void commonChildInit(Pipe & logPipe) if (setsid() == -1) throw SysError(format("creating a new session")); + /* Close the read end so only the parent holds a reference to it. */ + logPipe.readSide.close(); + /* Dup the write side of the logger pipe into stderr. */ if (dup2(logPipe.writeSide, STDERR_FILENO) == -1) throw SysError("cannot pipe standard error into log file");
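Review bot: the comment says what is closed but not what goes wrong otherwise, and that is the part a reader needs: while the child keeps a read end of its own log pipe, the pipe never loses its last reader, so a builder whose daemon has exited gets no EPIPE/SIGPIPE on stderr and instead blocks for good once the pipe buffer fills. Suggested wording: ‘/* Close the read end so the builder cannot keep its own log pipe alive: once the parent is gone, writes to stderr must fail with EPIPE. */’. Also, ‘logPipe.writeSide’ is duplicated onto STDERR_FILENO on the next line, but the original descriptor stays open in this hunk; unless commonChildInit closes it further down, close it right after the dup2 so the child inherits exactly one descriptor on the pipe.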
From patchwork Mon Mar 17 17:02:46 2025
X-Patchwork-Id: 40287
Subject: [bug#75810] [PATCH v6 03/16] daemon: Bind-mount /etc/nsswitch.conf & co. only if it exists.
Resent-Date: Mon, 17 Mar 2025 17:05:04 +0000
To: 75810@debbugs.gnu.org
Cc: Ludovic Courtès
From: Ludovic Courtès
Date: Mon, 17 Mar 2025 18:02:46 +0100
Message-ID: <2818f5c7b1eaa746d3981d9fcee48aaa35b57263.1742230219.git.ludo@gnu.org>
X-Mailer: git-send-email 2.48.1

Those files may be missing in some contexts, for instance within the build environment.

* nix/libstore/build.cc (DerivationGoal::runChild): Add /etc/resolv.conf and related files to ‘ss’ only if they exist.

Change-Id: Ie19664a86c8101a1dc82cf39ad4b7abb10f8250a
---
 nix/libstore/build.cc | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc index edd01bab34..8ca5e5b732 100644 --- a/nix/libstore/build.cc +++ b/nix/libstore/build.cc
@@ -2093,10 +2093,11 @@ void DerivationGoal::runChild() network, so give them access to /etc/resolv.conf and so on. */ if (fixedOutput) { - ss.push_back("/etc/resolv.conf"); - ss.push_back("/etc/nsswitch.conf"); - ss.push_back("/etc/services"); - ss.push_back("/etc/hosts"); + auto files = { "/etc/resolv.conf", "/etc/nsswitch.conf", + "/etc/services", "/etc/hosts" }; + for (auto & file: files) { + if (pathExists(file)) ss.push_back(file); + } } for (auto & i : ss) dirsInChroot[i] = i;
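Review bot: a missing file is now skipped without a word, and because this block only runs for fixed-output derivations (the ‘if (fixedOutput)’ guard), a missing /etc/resolv.conf means name resolution quietly disappears from the chroot and the fetch fails with an unrelated-looking error; log the skipped file at debug level so the cause is visible. Check what pathExists does with a dangling symlink as well: /etc/resolv.conf is commonly a symlink into /run (systemd-resolved), and if pathExists is lstat-based, as in the Nix util.cc this daemon descends from, a dangling link passes the test and the bind mount in runChild, which follows symlinks, fails with ENOENT just as it did before this change. A stat-based existence check would cover that case and matches what mount(2) is going to do with the path.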
From patchwork Mon Mar 17 17:02:47 2025
X-Patchwork-Id: 40285
Subject: [bug#75810] [PATCH v6 04/16] daemon: Bind-mount all the inputs, not just directories.
Resent-Date: Mon, 17 Mar 2025 17:05:07 +0000
To: 75810@debbugs.gnu.org
Cc: Ludovic Courtès, Reepca Russelstein
From: Ludovic Courtès
Date: Mon, 17 Mar 2025 18:02:47 +0100
Message-ID: <4744bfb6ab859af7e64a387d29ad6c99cb2a7aac.1742230219.git.ludo@gnu.org>
X-Mailer: git-send-email 2.48.1

* nix/libstore/build.cc (DerivationGoal::startBuilder): Add all of ‘inputPaths’ to ‘dirsInChroot’ instead of hard-linking regular files. Special-case symlinks.
(DerivationGoal)[regularInputPaths]: Remove.

Reported-by: Reepca Russelstein
Change-Id: I070987f92d73f187f7826a975bee9ee309d67f56
---
 nix/libstore/build.cc | 39 ++++++++++++++-------------------------
 1 file changed, 14 insertions(+), 25 deletions(-)

diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc index 8ca5e5b732..193b279b88 100644 --- a/nix/libstore/build.cc +++ b/nix/libstore/build.cc
@@ -659,9 +659,6 @@ private: /* RAII object to delete the chroot directory. */ std::shared_ptr autoDelChroot; - /* All inputs that are regular files. */ - PathSet regularInputPaths; - /* Whether this is a fixed-output derivation. */ bool fixedOutput; @@ -1850,9 +1847,7 @@ void DerivationGoal::startBuilder() /* Make the closure of the inputs available in the chroot, rather than the whole store. This prevents any access - to undeclared dependencies. Directories are bind-mounted, - while other inputs are hard-linked (since only directories - can be bind-mounted). !!! As an extra security + to undeclared dependencies. !!! As an extra security precaution, make the fake store only writable by the build user. */ Path chrootStoreDir = chrootRootDir + settings.nixStore; 
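Review bot: the rewritten comment in the second hunk now says only that the input closure is made available and no longer says how, yet this patch changes the how (every input, regular files included, becomes a bind mount, and symlinks are recreated by hand below), so spell that out here rather than leaving the ‘!!! As an extra security precaution’ sentence as the only explanation. The sentence being deleted, that ‘only directories can be bind-mounted’, was wrong on Linux, where a bind mount onto an existing regular file works (runChild relies on this when it does ‘writeFile(target, "")’ before the mount); say so in the commit message so nobody reads the old hard-link code as having worked around a kernel limitation.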
@@ -1863,28 +1858,22 @@ void DerivationGoal::startBuilder() throw SysError(format("cannot change ownership of ‘%1%’") % chrootStoreDir); foreach (PathSet::iterator, i, inputPaths) { - struct stat st; + struct stat st; if (lstat(i->c_str(), &st)) throw SysError(format("getting attributes of path `%1%'") % *i); - if (S_ISDIR(st.st_mode)) - dirsInChroot[*i] = *i; - else { - Path p = chrootRootDir + *i; - if (link(i->c_str(), p.c_str()) == -1) { - /* Hard-linking fails if we exceed the maximum - link count on a file (e.g. 32000 of ext3), - which is quite possible after a `nix-store - --optimise'. */ - if (errno != EMLINK) - throw SysError(format("linking `%1%' to `%2%'") % p % *i); - StringSink sink; - dumpPath(*i, sink); - StringSource source(sink.s); - restorePath(p, source); - } - regularInputPaths.insert(*i); - } + if (S_ISLNK(st.st_mode)) { + /* Since bind-mounts follow symlinks, thus representing their + target and not the symlink itself, special-case + symlinks. XXX: When running unprivileged, TARGET can be + deleted by the build process. Use 'open_tree' & co. when + it's more widely available. 
*/ + Path target = chrootRootDir + *i; + if (symlink(readLink(*i).c_str(), target.c_str()) == -1) + throw SysError(format("failed to create symlink '%1%' to '%2%'") % target % readLink(*i)); + } + else + dirsInChroot[*i] = *i; } /* If we're repairing, checking or rebuilding part of a
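Review bot: ‘readLink(*i)’ is evaluated twice in the symlink branch, once for the symlink() call and again while formatting the error; read it once into a local and use it in both places, so the message reports the value that was actually passed to symlink(). On the XXX comment: the recreated link sits in chrootStoreDir, which the comment above says is made writable by the build user, so in the unprivileged case the builder can unlink it and point it at any other path inside its own chroot. That is self-inflicted rather than an escape (the replacement cannot resolve outside the chroot, and the bind-mounted inputs themselves cannot be unlinked), but the comment should say so explicitly so the XXX is not mistaken for a sandbox hole, and the commit message should mention the weaker guarantee for symlink inputs. Finally, the removed link() path only handled EMLINK; a chroot on a different filesystem from the store failed with EXDEV, and moving to bind mounts removes that failure mode too, which belongs in the commit message as motivation.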
From patchwork Mon Mar 17 17:02:48 2025
X-Patchwork-Id: 40291
Subject: [bug#75810] [PATCH v6 05/16] daemon: Remount inputs as read-only.
Resent-Date: Mon, 17 Mar 2025 17:05:11 +0000
To: 75810@debbugs.gnu.org
Cc: Ludovic Courtès, Reepca Russelstein
From: Ludovic Courtès
Date: Mon, 17 Mar 2025 18:02:48 +0100
Message-ID: <7bd937c5bb4882476092162aaf7d2dcd6080a9e8.1742230219.git.ludo@gnu.org>
X-Mailer: git-send-email 2.48.1

* nix/libstore/build.cc (DerivationGoal::runChild): Remount ‘target’ as read-only.

Reported-by: Reepca Russelstein
Change-Id: Ib7201bcf4363be566f205d23d17fe2f55d3ad666
---
 nix/libstore/build.cc | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc index 193b279b88..3861a1ffd9 100644 --- a/nix/libstore/build.cc +++ b/nix/libstore/build.cc
@@ -2107,8 +2107,15 @@ void DerivationGoal::runChild() createDirs(dirOf(target)); writeFile(target, ""); } + + /* Extra flags passed with MS_BIND are ignored, hence the + extra MS_REMOUNT. */ if (mount(source.c_str(), target.c_str(), "", MS_BIND, 0) == -1) throw SysError(format("bind mount from `%1%' to `%2%' failed") % source % target); + if (source.compare(0, settings.nixStore.length(), settings.nixStore) == 0) { + if (mount(source.c_str(), target.c_str(), "", MS_BIND | MS_REMOUNT | MS_RDONLY, 0) == -1) + throw SysError(format("read-only remount of `%1%' failed") % target); + } } /* Bind a new instance of procfs on /proc to reflect our
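Review bot: ‘MS_BIND | MS_REMOUNT | MS_RDONLY’ sets the per-mount flags of the bind mount to exactly read-only, so any nosuid, nodev or noexec the source mount carried is dropped by this remount when the daemon runs as root, and when it runs unprivileged in a user namespace the same call fails with EPERM because inherited locked flags must be preserved. Read the current flags back first (statvfs() on ‘target’ reports ST_NOSUID, ST_NODEV, ST_NOEXEC, ST_NOATIME, ST_RELATIME and friends) and OR the matching MS_* bits into the remount, which is what util-linux does for ‘mount -o remount,bind,ro’. Second, ‘source.compare(0, settings.nixStore.length(), settings.nixStore) == 0’ is a bare prefix test: with a store at /gnu/store it also matches /gnu/store-old or /gnu/storeX, so compare against settings.nixStore followed by ‘/’ (or reuse libstore's isInStore) so only real store paths are affected. Third, the comment explains the extra MS_REMOUNT but not why the read-only treatment is limited to store paths; one sentence about what else dirsInChroot contains and why it must stay writable would help the next reader.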
Subject: [bug#75810] [PATCH v6 06/16] daemon: Remount root directory as read-only.
From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Mon, 17 Mar 2025 18:02:49 +0100 Message-ID: X-Mailer: git-send-email 2.48.1 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * nix/libstore/build.cc (DerivationGoal::runChild): Bind-mount the store and /tmp under ‘chrootRootDir’ to themselves as read-write. Remount / as read-only. Change-Id: I79565094c8ec8448401897c720aad75304fd1948 --- nix/libstore/build.cc | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc index 3861a1ffd9..c8b778362a 100644 --- a/nix/libstore/build.cc +++ b/nix/libstore/build.cc @@ -2091,6 +2091,18 @@ void DerivationGoal::runChild() for (auto & i : ss) dirsInChroot[i] = i; + /* Make new mounts for the store and for /tmp. That way, when + 'chrootRootDir' is made read-only below, these two mounts will + remain writable (the store needs to be writable so derivation + outputs can be written to it, and /tmp is writable by + convention). */ + auto chrootStoreDir = chrootRootDir + settings.nixStore; + if (mount(chrootStoreDir.c_str(), chrootStoreDir.c_str(), 0, MS_BIND, 0) == -1) + throw SysError(format("read-write mount of store '%1%' failed") % chrootStoreDir); + auto chrootTmpDir = chrootRootDir + "/tmp"; + if (mount(chrootTmpDir.c_str(), chrootTmpDir.c_str(), 0, MS_BIND, 0) == -1) + throw SysError(format("read-write mount of temporary directory '%1%' failed") % chrootTmpDir); + /* Bind-mount all the directories from the "host" filesystem that we want in the chroot environment. */ 
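Review bot: the two self bind mounts of `chrootStoreDir` and `chrootTmpDir` rely on the read-only remount of `/` later in this function applying only to the root mount, yet nothing ties the two sites together: if the remount is moved before this block or the mount order changes, the store could silently become read-only (surfacing only as an obscure output-writing failure) or `/` could be left writable. Add a cross-reference in both comments, and consider verifying after the remount that `chrootStoreDir` is still writable so the invariant is checked rather than assumed.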
@@ -2164,6 +2176,10 @@ void DerivationGoal::runChild() if (rmdir("real-root") == -1) throw SysError("cannot remove real-root directory"); + + /* Remount root as read-only. */ + if (mount("/", "/", 0, MS_BIND | MS_REMOUNT | MS_RDONLY, 0) == -1) + throw SysError(format("read-only remount of build root '%1%' failed") % chrootRootDir); } #endif From patchwork Mon Mar 17 17:02:50 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40294 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 3FEDB27BBEA; Mon, 17 Mar 2025 17:07:12 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS autolearn=unavailable autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id BBCB527BBE2 for ; Mon, 17 Mar 2025 17:07:10 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tuDu2-0005Fm-FH; Mon, 17 Mar 2025 13:05:26 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tuDtz-0005DK-EX for guix-patches@gnu.org; Mon, 17 Mar 2025 13:05:23 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1tuDty-0005jc-CU; Mon, 17 Mar 2025 13:05:22 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; 
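Review bot: `MS_BIND | MS_REMOUNT` replaces the per-mount-point flags of the target with exactly the set passed, so any `MS_NOSUID`, `MS_NODEV` or `MS_NOEXEC` previously in effect on the build root would be cleared by this call while `MS_RDONLY` is added; if the root is meant to carry those flags, pass them explicitly here instead of relying on the earlier mount. The error message interpolates `chrootRootDir` although the mount target is `"/"` (after the pivot they are the same directory); a one-line comment saying so would spare the next reader a double-take.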
Subject: [bug#75810] [PATCH v6 07/16] daemon: Allow running as non-root with unprivileged user namespaces. To: 75810@debbugs.gnu.org Cc: Ludovic Courtès, Reepca Russelstein, Christopher Baines, Josselin Poiret, Mathieu Othacehe, Maxim Cournoyer, Simon Tournier, Tobias Geerinckx-Rice
From: Ludovic Courtès Date: Mon, 17 Mar 2025 18:02:50 +0100 Message-ID: <33467d5ca0a53bff069542c7bb4314aad1c80a71.1742230219.git.ludo@gnu.org>
From: Ludovic Courtès Many thanks to Reepca Russelstein for their review and guidance on these changes. * nix/libstore/build.cc (guestUID, guestGID): New variables. (DerivationGoal)[readiness]: New field. (initializeUserNamespace): New function. (DerivationGoal::runChild): When ‘readiness.readSide’ is positive, read from it. (DerivationGoal::startBuilder): Call ‘chown’ only when ‘buildUser.enabled()’ is true. Pass CLONE_NEWUSER to ‘clone’ when ‘buildUser.enabled()’ is false or not running as root. Retry ‘clone’ without CLONE_NEWUSER upon EPERM. (DerivationGoal::registerOutputs): Make ‘actualPath’ writable before ‘rename’. (DerivationGoal::deleteTmpDir): Catch ‘SysError’ around ‘_chown’ call. * nix/libstore/local-store.cc (LocalStore::createUser): Do nothing if ‘dirs’ already exists. Warn instead of failing when failing to chown ‘dir’. * guix/substitutes.scm (%narinfo-cache-directory): Check for ‘_NIX_OPTIONS’ rather than getuid() == 0 to determine the cache location. * doc/guix.texi (Build Environment Setup): Reorganize a bit. Add section headings “Daemon Running as Root” and “The Isolated Build Environment”. Add “Daemon Running Without Privileges” subsection. Remove paragraph about ‘--disable-chroot’. (Invoking guix-daemon): Warn against ‘--disable-chroot’ and explain why. Reviewed-by: Reepca Russelstein --- doc/guix.texi | 102 +++++++++++++++++------ guix/substitutes.scm | 2 +- nix/libstore/build.cc | 160 +++++++++++++++++++++++++++++++----- nix/libstore/local-store.cc | 18 ++-- 4 files changed, 229 insertions(+), 53 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index d109877a32..87943afec7 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -877,6 +877,7 @@ Setting Up the Daemon @section Setting Up the Daemon @cindex daemon +@cindex build daemon During installation, the @dfn{build daemon} that must be running to use Guix has already been set up and you can run @command{guix} commands in your terminal program, @pxref{Getting Started}: 
@@ -921,20 +922,38 @@ Build Environment Setup @cindex build environment In a standard multi-user setup, Guix and its daemon---the @command{guix-daemon} program---are installed by the system -administrator; @file{/gnu/store} is owned by @code{root} and -@command{guix-daemon} runs as @code{root}. Unprivileged users may use -Guix tools to build packages or otherwise access the store, and the -daemon will do it on their behalf, ensuring that the store is kept in a -consistent state, and allowing built packages to be shared among users. +administrator. Unprivileged users may use Guix tools to build packages +or otherwise access the store, and the daemon will do it on their +behalf, ensuring that the store is kept in a consistent state, and +allowing built packages to be shared among users. + +There are currently two ways to set up and run the build daemon: + +@enumerate +@item +running @command{guix-daemon} as ``root'', letting it run build +processes as unprivileged users taken from a pool of build users---this +is the historical approach; + +@item +running @command{guix-daemon} as a separate unprivileged user, relying +on Linux's @dfn{unprivileged user namespace} functionality to set up +isolated environments---this is the option chosen when installing Guix +on a systemd-based distribution with the installation script +(@pxref{Binary Installation}). +@end enumerate + +The sections below describe each of these two configurations in more +detail and summarize the kind of build isolation they provide. + +@unnumberedsubsubsec Daemon Running as Root @cindex build users When @command{guix-daemon} runs as @code{root}, you may not want package build processes themselves to run as @code{root} too, for obvious security reasons. To avoid that, a special pool of @dfn{build users} should be created for use by build processes started by the daemon. 
-These build users need not have a shell and a home directory: they will -just be used when the daemon drops @code{root} privileges in build -processes. Having several such users allows the daemon to launch +Having several such users allows the daemon to launch distinct build processes under separate UIDs, which guarantees that they do not interfere with each other---an essential feature since builds are regarded as pure functions (@pxref{Introduction}). 
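Review bot: the deleted sentence "These build users need not have a shell and a home directory: they will just be used when the daemon drops root privileges in build processes" still holds for the "Daemon Running as Root" setup and was the only place the manual said why those accounts are deliberately crippled; keep it under the new subsubsec heading rather than dropping it. In the @enumerate, item 2 says the unprivileged mode "is the option chosen when installing Guix on a systemd-based distribution with the installation script", while the later text says the script "automatically determines whether this option is available"; item 2 should add "when available" so the two statements agree.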
@@ -977,11 +996,45 @@ Build Environment Setup # guix-daemon --build-users-group=guixbuild @end example +In this setup, @file{/gnu/store} is owned by @code{root}. + +@unnumberedsubsubsec Daemon Running Without Privileges + +@cindex rootless build daemon +@cindex unprivileged build daemon +@cindex build daemon, unprivileged +The second and preferred option is to run @command{guix-daemon} +@emph{as an unprivileged user}. It has the advantage of reducing the +harm that can be done should a build process manage to exploit a +vulnerability in the daemon. This option requires the use of Linux's +unprivileged user namespace mechanism; today it is available and enabled +by most GNU/Linux distributions but can still be disabled. The +installation script automatically determines whether this option is +available on your system (@pxref{Binary Installation}). + +When using this option, you only need to create one user account, and +@command{guix-daemon} will run with the authority of that account: + +@example +# groupadd --system guix-daemon +# useradd -g guix-daemon -G guix-daemon \ + -d /var/empty -s $(which nologin) \ + -c "Guix daemon privilege separation user" \ + --system guix-daemon +@end example + +In this configuration, @file{/gnu/store} is owned by the +@code{guix-daemon} user. + +@unnumberedsubsubsec The Isolated Build Environment + @cindex chroot -@noindent -This way, the daemon starts build processes in a chroot, under one of -the @code{guixbuilder} users. On GNU/Linux, by default, the chroot -environment contains nothing but: +@cindex build environment isolation +@cindex isolated build environment +@cindex hermetic build environment +In both cases, the daemon starts build processes without privileges in +an @emph{isolated} or @emph{hermetic} build environment---a ``chroot''. +On GNU/Linux, by default, the build environment contains nothing but: @c Keep this list in sync with libstore/build.cc! ----------------------- @itemize 
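Review bot: the "Daemon Running Without Privileges" text ends with "In this configuration, @file{/gnu/store} is owned by the @code{guix-daemon} user", but the @example only creates the account; say who is expected to create @file{/gnu/store} and @file{/var/guix} with that ownership (the installation script, or the administrator by hand) so a reader following the manual knows how to reach that state. Also, `$(which nologin)` in the @example assumes `which` is installed; `$(command -v nologin)` is the portable spelling.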
@@ -1015,7 +1068,7 @@ Build Environment Setup @file{/homeless-shelter}. This helps to highlight inappropriate uses of @env{HOME} in the build scripts of packages. -All this usually enough to ensure details of the environment do not +All this is usually enough to ensure details of the environment do not influence build processes. In some exceptional cases where more control is needed---typically over the date, kernel, or CPU---you can resort to a virtual build machine (@pxref{build-vm, virtual build machines}). @@ -1035,14 +1088,6 @@ Build Environment Setup for fixed-output derivations (@pxref{Derivations}) or for substitutes (@pxref{Substitutes}). -If you are installing Guix as an unprivileged user, it is still possible -to run @command{guix-daemon} provided you pass @option{--disable-chroot}. -However, build processes will not be isolated from one another, and not -from the rest of the system. Thus, build processes may interfere with -each other, and may access programs, libraries, and other files -available on the system---making it much harder to view them as -@emph{pure} functions. - @node Daemon Offload Setup @subsection Using the Offload Facility 
@@ -1567,10 +1612,17 @@ Invoking guix-daemon @item --disable-chroot Disable chroot builds. -Using this option is not recommended since, again, it would allow build -processes to gain access to undeclared dependencies. It is necessary, -though, when @command{guix-daemon} is running under an unprivileged user -account. +@quotation Warning +Using this option is not recommended since it allows build processes to +gain access to undeclared dependencies, to interfere with one another, +and more generally to do anything that can be done with the authority of +build users or that of the daemon---which includes at least the ability +to tamper with any file in the store! + +You may find it necessary, though, when support for Linux unprivileged +user namespaces is missing (@pxref{Build Environment Setup}). Use at +your own risk! +@end quotation @item --log-compression=@var{type} Compress build logs according to @var{type}, one of @code{gzip}, diff --git a/guix/substitutes.scm b/guix/substitutes.scm index 7ca55788d5..86b9f5472a 100644 --- a/guix/substitutes.scm +++ b/guix/substitutes.scm @@ -79,7 +79,7 @@ (define %narinfo-cache-directory ;; time, 'guix substitute' is called by guix-daemon as root and stores its ;; cached data in /var/guix/…. However, when invoked from 'guix challenge' ;; as a user, it stores its cache in ~/.cache. - (if (zero? (getuid)) + (if (getenv "_NIX_OPTIONS") ;invoked by guix-daemon (or (and=> (getenv "XDG_CACHE_HOME") (cut string-append <> "/guix/substitute")) (string-append %state-directory "/substitute/cache")) diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc index c8b778362a..9a8278cd08 100644 --- a/nix/libstore/build.cc +++ b/nix/libstore/build.cc @@ -744,6 +744,10 @@ private: friend int childEntry(void *); + /* Pipe to notify readiness to the child process when using unprivileged + user namespaces. */ + Pipe readiness; + /* Check that the derivation outputs all exist and register them as valid. */ void registerOutputs(); 
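Review bot: in the guix/substitutes.scm hunk the surrounding comment still says "'guix substitute' is called by guix-daemon as root and stores its cached data in /var/guix/…", but the condition no longer tests for root: it now keys off `_NIX_OPTIONS` being set. Update the comment to say that the daemon is expected to set this variable, and note the consequence that a user who happens to have `_NIX_OPTIONS` in their environment will be pointed at `%state-directory` instead of `~/.cache`.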
@@ -1619,6 +1623,24 @@ int childEntry(void * arg) } +/* UID and GID of the build user inside its own user namespace. */ +static const uid_t guestUID = 30001; +static const gid_t guestGID = 30000; + +/* Initialize the user namespace of CHILD. */ +static void initializeUserNamespace(pid_t child, + uid_t hostUID = getuid(), + gid_t hostGID = getgid()) +{ + writeFile("/proc/" + std::to_string(child) + "/uid_map", + (format("%d %d 1") % guestUID % hostUID).str()); + + writeFile("/proc/" + std::to_string(child) + "/setgroups", "deny"); + + writeFile("/proc/" + std::to_string(child) + "/gid_map", + (format("%d %d 1") % guestGID % hostGID).str()); +} + void DerivationGoal::startBuilder() { auto f = format( @@ -1682,7 +1704,7 @@ void DerivationGoal::startBuilder() then an attacker could create in it a hardlink to a root-owned file such as /etc/shadow. If 'keepFailed' is true, the daemon would then chown that hardlink to the user, giving them write access to - that file. */ + that file. See CVE-2021-27851. */ tmpDir += "/top"; if (mkdir(tmpDir.c_str(), 0700) == 1) throw SysError("creating top-level build directory"); @@ -1799,7 +1821,7 @@ void DerivationGoal::startBuilder() if (mkdir(chrootRootDir.c_str(), 0750) == -1) throw SysError(format("cannot create ‘%1%’") % chrootRootDir); - if (chown(chrootRootDir.c_str(), 0, buildUser.getGID()) == -1) + if (buildUser.enabled() && chown(chrootRootDir.c_str(), 0, buildUser.getGID()) == -1) throw SysError(format("cannot change ownership of ‘%1%’") % chrootRootDir); /* Create a writable /tmp in the chroot. Many builders need 
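Review bot: in `initializeUserNamespace` the order of the three writes is load-bearing (`uid_map`, then `setgroups` set to `deny`, then `gid_map`: an unprivileged writer is refused on `gid_map` unless `setgroups` has been denied first), but the comment only says "Initialize the user namespace of CHILD"; state the ordering constraint so a future reordering is caught in review. The single-entry maps also mean every host uid other than `hostUID` appears inside the namespace as the overflow id, which is why the `nobody:x:65534:65534` passwd entry in the later hunk matters; a cross-reference between the two would help.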
@@ -1818,8 +1840,8 @@ void DerivationGoal::startBuilder() (format( "nixbld:x:%1%:%2%:Nix build user:/:/noshell\n" "nobody:x:65534:65534:Nobody:/:/noshell\n") - % (buildUser.enabled() ? buildUser.getUID() : getuid()) - % (buildUser.enabled() ? buildUser.getGID() : getgid())).str()); + % (buildUser.enabled() ? buildUser.getUID() : guestUID) + % (buildUser.enabled() ? buildUser.getGID() : guestGID)).str()); /* Declare the build user's group so that programs get a consistent view of the system (e.g., "id -gn"). */ @@ -1854,7 +1876,7 @@ void DerivationGoal::startBuilder() createDirs(chrootStoreDir); chmod_(chrootStoreDir, 01775); - if (chown(chrootStoreDir.c_str(), 0, buildUser.getGID()) == -1) + if (buildUser.enabled() && chown(chrootStoreDir.c_str(), 0, buildUser.getGID()) == -1) throw SysError(format("cannot change ownership of ‘%1%’") % chrootStoreDir); foreach (PathSet::iterator, i, inputPaths) { 
@@ -1960,14 +1982,36 @@ void DerivationGoal::startBuilder() if (useChroot) { char stack[32 * 1024]; int flags = CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWIPC | CLONE_NEWUTS | SIGCHLD; - if (!fixedOutput) flags |= CLONE_NEWNET; + if (!fixedOutput) { + flags |= CLONE_NEWNET; + } + if (!buildUser.enabled() || getuid() != 0) { + flags |= CLONE_NEWUSER; + readiness.create(); + } + /* Ensure proper alignment on the stack. On aarch64, it has to be 16 bytes. */ - pid = clone(childEntry, + pid = clone(childEntry, (char *)(((uintptr_t)stack + sizeof(stack) - 8) & ~(uintptr_t)0xf), flags, this); - if (pid == -1) - throw SysError("cloning builder process"); + if (pid == -1) { + if ((flags & CLONE_NEWUSER) != 0 && getuid() != 0) + /* 'clone' fails with EPERM on distros where unprivileged user + namespaces are disabled. Error out instead of giving up on + isolation. */ + throw SysError("cannot create process in unprivileged user namespace"); + else + throw SysError("cloning builder process"); + } + + readiness.readSide.close(); + if ((flags & CLONE_NEWUSER) != 0) { + /* Initialize the UID/GID mapping of the child process. */ + initializeUserNamespace(pid); + writeFull(readiness.writeSide, (unsigned char*)"go\n", 3); + } + readiness.writeSide.close(); } else #endif { 
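Review bot: the commit message says "Retry 'clone' without CLONE_NEWUSER upon EPERM", but this hunk deliberately does the opposite: on failure with `CLONE_NEWUSER` set it throws "cannot create process in unprivileged user namespace" with the comment "Error out instead of giving up on isolation." Keep the code (failing closed is the right call) and fix the commit message. Two smaller points: the error branch never inspects `errno`, so a clone failure for any other reason while unprivileged gets the user-namespace message (SysError appends strerror, so it stays diagnosable), and if `initializeUserNamespace(pid)` throws, `readiness.writeSide.close()` is skipped; since `readiness` is a member rather than a local, the child keeps blocking in `readFull` until the goal is destroyed, so close the write side in a catch before rethrowing.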
@@ -2013,23 +2057,36 @@ void DerivationGoal::runChild() _writeToStderr = 0; + if (readiness.writeSide > 0) readiness.writeSide.close(); + + if (readiness.readSide > 0) { + /* Wait for the parent process to initialize the UID/GID mapping + of our user namespace. */ + char str[20] = { '\0' }; + readFull(readiness.readSide, (unsigned char*)str, 3); + if (strcmp(str, "go\n") != 0) + throw Error("failed to initialize process in unprivileged user namespace"); + } + restoreAffinity(); commonChildInit(builderOut); #if CHROOT_ENABLED if (useChroot) { - /* Initialise the loopback interface. */ - AutoCloseFD fd(socket(PF_INET, SOCK_DGRAM, IPPROTO_IP)); - if (fd == -1) throw SysError("cannot open IP socket"); + if (!fixedOutput) { + /* Initialise the loopback interface. */ + AutoCloseFD fd(socket(PF_INET, SOCK_DGRAM, IPPROTO_IP)); + if (fd == -1) throw SysError("cannot open IP socket"); - struct ifreq ifr; - strcpy(ifr.ifr_name, "lo"); - ifr.ifr_flags = IFF_UP | IFF_LOOPBACK | IFF_RUNNING; - if (ioctl(fd, SIOCSIFFLAGS, &ifr) == -1) - throw SysError("cannot set loopback interface flags"); + struct ifreq ifr; + strcpy(ifr.ifr_name, "lo"); + ifr.ifr_flags = IFF_UP | IFF_LOOPBACK | IFF_RUNNING; + if (ioctl(fd, SIOCSIFFLAGS, &ifr) == -1) + throw SysError("cannot set loopback interface flags"); - fd.close(); + fd.close(); + } /* Set the hostname etc. to fixed values. */ char hostname[] = "localhost"; 
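Review bot: after the `strcmp(str, "go\n")` handshake the child never closes `readiness.readSide`, so the pipe's read end is inherited by the builder; close it right after `readFull`, the way `writeSide` is closed just above. The guards `readiness.writeSide > 0` and `readiness.readSide > 0` test for a positive descriptor while the rest of the code uses `-1` as the "not open" sentinel; descriptor 0 is a valid fd, so compare against `-1`. Making the loopback setup conditional on `!fixedOutput` matches the `CLONE_NEWNET` condition in `startBuilder`; a one-line comment saying the two must stay in sync would help.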
@@ -2180,6 +2237,27 @@ void DerivationGoal::runChild() /* Remount root as read-only. */ if (mount("/", "/", 0, MS_BIND | MS_REMOUNT | MS_RDONLY, 0) == -1) throw SysError(format("read-only remount of build root '%1%' failed") % chrootRootDir); + + if (getuid() != 0) { + /* Create a new mount namespace to "lock" previous mounts. + See mount_namespaces(7). */ + auto uid = getuid(); + auto gid = getgid(); + + if (unshare(CLONE_NEWNS | CLONE_NEWUSER) == -1) + throw SysError(format("creating new user and mount namespaces")); + + initializeUserNamespace(getpid(), uid, gid); + + /* Check that mounts within the build environment are "locked" + together and cannot be separated from within the build + environment namespace. Since + umount(2) is documented to fail with EINVAL when attempting + to unmount one of the mounts that are locked together, + check that this is what we get. */ + int ret = umount(tmpDirInSandbox.c_str()); + assert(ret == -1 && errno == EINVAL); + } } #endif @@ -2476,8 +2554,16 @@ void DerivationGoal::registerOutputs() if (buildMode == bmRepair) replaceValidPath(path, actualPath); else - if (buildMode != bmCheck && rename(actualPath.c_str(), path.c_str()) == -1) - throw SysError(format("moving build output `%1%' from the chroot to the store") % path); + if (buildMode != bmCheck) { + if (S_ISDIR(st.st_mode)) + /* Change mode on the directory to allow for + rename(2). */ + chmod(actualPath.c_str(), st.st_mode | 0700); + if (rename(actualPath.c_str(), path.c_str()) == -1) + throw SysError(format("moving build output `%1%' from the chroot to the store") % path); + if (S_ISDIR(st.st_mode) && chmod(path.c_str(), st.st_mode) == -1) + throw SysError(format("restoring permissions on directory `%1%'") % actualPath); + } } if (buildMode != bmCheck) actualPath = path; } 
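Review bot: the mount-lock check `assert(ret == -1 && errno == EINVAL)` disappears when the daemon is compiled with `NDEBUG`, leaving `ret` unused and the property unverified precisely in release builds; make it an explicit runtime check (`if (!(ret == -1 && errno == EINVAL)) throw Error(...)`) so a kernel that does not lock the mounts aborts the build instead of proceeding without the protection the comment describes. Also, `throw SysError(format("creating new user and mount namespaces"))` wraps a constant string in `format` for no reason; pass the string directly.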
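Review bot: in the `registerOutputs` hunk the temporary `chmod(actualPath.c_str(), st.st_mode | 0700)` ignores its return value, so a failure there surfaces only as a confusing `rename` error, and the message on the restoring `chmod` names `actualPath` although that call operates on `path`, where the directory now lives. Check the first `chmod` and make the second message refer to `path`.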
@@ -2736,16 +2822,46 @@ void DerivationGoal::deleteTmpDir(bool force) // Change the ownership if clientUid is set. Never change the // ownership or the group to "root" for security reasons. if (settings.clientUid != (uid_t) -1 && settings.clientUid != 0) { - _chown(tmpDir, settings.clientUid, - settings.clientGid != 0 ? settings.clientGid : -1); + uid_t uid = settings.clientUid; + gid_t gid = settings.clientGid != 0 ? settings.clientGid : -1; + bool reown = false; + + /* First remove setuid/setgid bits. */ + secureFilePerms(tmpDir); + + try { + _chown(tmpDir, uid, gid); + + if (getuid() != 0) { + /* If, without being root, the '_chown' call above + succeeded, then it means we have CAP_CHOWN. Retake + ownership of tmpDir itself so it can be renamed + below. */ + reown = true; + } + + } catch (SysError & e) { + /* When running as an unprivileged user and without + CAP_CHOWN, we cannot chown the build tree. Print a + message and keep going. */ + printMsg(lvlInfo, format("cannot change ownership of build directory '%1%': %2%") + % tmpDir % strerror(e.errNo)); + } if (top != tmpDir) { + if (reown) chown(tmpDir.c_str(), getuid(), getgid()); + // Rename tmpDir to its parent, with an intermediate step. string pivot = top + ".pivot"; if (rename(top.c_str(), pivot.c_str()) == -1) throw SysError("pivoting failed build tree"); if (rename((pivot + "/top").c_str(), top.c_str()) == -1) throw SysError("renaming failed build tree"); + + if (reown) + /* Running unprivileged but with CAP_CHOWN. */ + chown(top.c_str(), uid, gid); + rmdir(pivot.c_str()); } } diff --git a/nix/libstore/local-store.cc b/nix/libstore/local-store.cc index 0883a4bbce..83e6c3e16e 100644 --- a/nix/libstore/local-store.cc +++ b/nix/libstore/local-store.cc 
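Review bot: the two `chown` calls guarded by `reown` (`chown(tmpDir.c_str(), getuid(), getgid())` and `chown(top.c_str(), uid, gid)`) ignore their return values, unlike the `_chown` call above that is wrapped in a try block; if the final one fails, the kept build tree ends up owned by the daemon's user rather than the client's, with no message. Route both through `_chown` or log failures the way the catch block does. The first block explains why re-owning is needed ("so it can be renamed below"); the second only says "Running unprivileged but with CAP_CHOWN", so repeat the reason there to make the pairing obvious.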
@@ -1614,11 +1614,19 @@ void LocalStore::createUser(const std::string & userName, uid_t userId) { auto dir = settings.nixStateDir + "/profiles/per-user/" + userName; - createDirs(dir); - if (chmod(dir.c_str(), 0755) == -1) - throw SysError(format("changing permissions of directory '%s'") % dir); - if (chown(dir.c_str(), userId, -1) == -1) - throw SysError(format("changing owner of directory '%s'") % dir); + auto created = createDirs(dir); + if (!created.empty()) { + if (chmod(dir.c_str(), 0755) == -1) + throw SysError(format("changing permissions of directory '%s'") % dir); + + /* The following operation requires CAP_CHOWN or can be handled + manually by a user with CAP_CHOWN. */ + if (chown(dir.c_str(), userId, -1) == -1) { + rmdir(dir.c_str()); + string message = strerror(errno); + printMsg(lvlInfo, format("failed to change owner of directory '%1%' to %2%: %3%") % dir % userId % message); + } + } } From patchwork Mon Mar 17 17:02:51 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40288 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id CE4EF27BBEA; Mon, 17 Mar 2025 17:06:02 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 9021F27BBE2 for ; Mon, 17 Mar 2025 17:06:02 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tuDtv-0005Bv-19; Mon, 17 
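Review bot: `string message = strerror(errno);` reads `errno` after `rmdir(dir.c_str())`, which may have overwritten it, so the logged reason can be that of `rmdir` rather than of the failed `chown`; save `errno` into a local immediately after `chown` fails and pass that to `strerror`. The `rmdir` return value is also unchecked, and after it the user's profile directory no longer exists while the function returns normally; the message should say that the directory was removed and that someone with `CAP_CHOWN` has to create it, as the comment above alludes to.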
Subject: [bug#75810] [PATCH v6 08/16] daemon: Create /var/guix/profiles/per-user unconditionally.
From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Mon, 17 Mar 2025 18:02:51 +0100 Message-ID: <821f4eee184122c4a0b0f8859e436e742a78e6e0.1742230219.git.ludo@gnu.org> X-Mailer: git-send-email 2.48.1 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * nix/libstore/local-store.cc (LocalStore::LocalStore): Create ‘perUserDir’ unconditionally. Change-Id: I5188320f9630a81d16f79212d0fffabd55d94abe --- nix/libstore/local-store.cc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/nix/libstore/local-store.cc b/nix/libstore/local-store.cc index 83e6c3e16e..f6540c2117 100644 --- a/nix/libstore/local-store.cc +++ b/nix/libstore/local-store.cc 
@@ -79,12 +79,12 @@ LocalStore::LocalStore(bool reserveSpace) createSymlink(profilesDir, gcRootsDir + "/profiles"); } - /* Optionally, create directories and set permissions for a - multi-user install. */ + Path perUserDir = profilesDir + "/per-user"; + createDirs(perUserDir); + + /* Optionally, set permissions for a multi-user install. */ if (getuid() == 0 && settings.buildUsersGroup != "") { - Path perUserDir = profilesDir + "/per-user"; - createDirs(perUserDir); if (chmod(perUserDir.c_str(), 0755) == -1) throw SysError(format("could not set permissions on '%1%' to 755") % perUserDir); From patchwork Mon Mar 17 17:02:52 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40293 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 119BC27BBE9; Mon, 17 Mar 2025 17:07:01 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS autolearn=unavailable autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id BF16B27BBE2 for ; Mon, 17 Mar 2025 17:07:00 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tuDu1-0005EX-5h; Mon, 17 Mar 2025 13:05:25 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tuDtw-0005CD-RT for guix-patches@gnu.org; Mon, 17 Mar 2025 13:05:21 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by 
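Review bot: in the LocalStore::LocalStore hunk, `createDirs(perUserDir)` now runs for every daemon, but `chmod(perUserDir.c_str(), 0755)` stays inside `if (getuid() == 0 && settings.buildUsersGroup != "")`, so a daemon that is not root leaves `per-user` with whatever mode the umask produced at creation time. The chmod itself does not need root (the daemon owns the directory it just created), so either hoist it next to `createDirs` so the directory is 0755 in every mode, or say in the comment that the unprivileged case deliberately relies on the umask. The reworded comment ("Optionally, set permissions for a multi-user install.") is accurate for what remains in the block; it is also worth noting somewhere that `profilesDir` must now be writable by the daemon's user for the unconditional `createDirs` to succeed.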
Subject: [bug#75810] [PATCH v6 09/16] daemon: Drop Linux ambient capabilities before executing builder.
Resent-Date: Mon, 17 Mar 2025 17:05:17 +0000
To: 75810@debbugs.gnu.org
Cc: Ludovic Courtès
From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Mon, 17 Mar 2025 18:02:52 +0100 Message-ID: X-Mailer: git-send-email 2.48.1 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * config-daemon.ac: Check for . * nix/libstore/build.cc (DerivationGoal::runChild): When ‘useChroot’ is true, call ‘prctl’ to drop all ambient capabilities. Change-Id: If34637fc508e5fb6d278167f5df7802fc595284f --- config-daemon.ac | 2 +- nix/libstore/build.cc | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/config-daemon.ac b/config-daemon.ac index 4e949bc88a..35d9c8cd56 100644 --- a/config-daemon.ac +++ b/config-daemon.ac @@ -79,7 +79,7 @@ if test "x$guix_build_daemon" = "xyes"; then dnl Chroot support. AC_CHECK_FUNCS([chroot unshare]) AC_CHECK_HEADERS([sched.h sys/param.h sys/mount.h sys/syscall.h \ - linux/close_range.h]) + linux/close_range.h sys/prctl.h]) if test "x$ac_cv_func_chroot" != "xyes"; then AC_MSG_ERROR(['chroot' function missing, bailing out]) diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc index 9a8278cd08..51ac11e235 100644 --- a/nix/libstore/build.cc +++ b/nix/libstore/build.cc @@ -50,6 +50,9 @@ #if HAVE_SCHED_H #include #endif +#if HAVE_SYS_PRCTL_H +#include +#endif #define CHROOT_ENABLED HAVE_CHROOT && HAVE_SYS_MOUNT_H && defined(MS_BIND) && defined(MS_PRIVATE) 
@@ -2074,6 +2077,12 @@ void DerivationGoal::runChild() #if CHROOT_ENABLED if (useChroot) { +# if HAVE_SYS_PRCTL_H + /* Drop ambient capabilities such as CAP_CHOWN that might have + been granted when starting guix-daemon. */ + prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0); +# endif + if (!fixedOutput) { /* Initialise the loopback interface. */ AutoCloseFD fd(socket(PF_INET, SOCK_DGRAM, IPPROTO_IP)); From patchwork Mon Mar 17 17:02:53 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40292 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 180F527BBEA; Mon, 17 Mar 2025 17:06:54 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id CBA8127BBE2 for ; Mon, 17 Mar 2025 17:06:53 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tuDu2-0005FX-4S; Mon, 17 Mar 2025 13:05:26 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tuDtx-0005Cm-AW for guix-patches@gnu.org; Mon, 17 Mar 2025 13:05:21 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1tuDtw-0005ix-QX for guix-patches@gnu.org; Mon, 17 Mar 2025 13:05:20 -0400 DKIM-Signature: 
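Review bot: in the config-daemon.ac hunk, AC_CHECK_HEADERS only establishes that <sys/prctl.h> exists, not that it declares PR_CAP_AMBIENT and PR_CAP_AMBIENT_CLEAR_ALL, which appeared with Linux 4.3; against older kernel headers HAVE_SYS_PRCTL_H is still defined and the new block in build.cc fails to compile. Consider `AC_CHECK_DECLS([PR_CAP_AMBIENT], [], [], [[#include <sys/prctl.h>]])` and testing HAVE_DECL_PR_CAP_AMBIENT at the use site, or at least guarding the use with `#if HAVE_SYS_PRCTL_H && defined(PR_CAP_AMBIENT)`.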
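Review bot: in the DerivationGoal::runChild hunk, the result of `prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0)` is discarded. On a kernel without ambient-capability support the call fails with EINVAL and nothing is lost, since there is no ambient set to inherit, but any other failure silently leaves the daemon's ambient capabilities to be inherited across the execve of the builder, which is exactly what the call is meant to prevent; check the return value and throw a SysError unless errno is EINVAL. Two smaller points: the call sits under `if (useChroot)`, yet ambient capabilities pass to the builder just the same with `--disable-chroot`, so it could move above that condition; and the comment would be clearer if it said why this matters only for a daemon that does not switch UIDs: when a root daemon setuid()s to a build user the kernel already clears the ambient set together with the permitted and effective sets, whereas an unprivileged daemon started with ambient capabilities (for example by its service manager) keeps them across execve.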
Subject: [bug#75810] [PATCH v6 10/16] daemon: Move comments where they belong.
Resent-Date: Mon, 17 Mar 2025 17:05:20 +0000
To: 75810@debbugs.gnu.org
Cc: Ludovic Courtès
From: Ludovic Courtès
Date: Mon, 17 Mar 2025 18:02:53 +0100

* nix/libstore/build.cc (DerivationGoal::startBuilder): Shuffle comments for clarity.

Change-Id: I6557c103ade4a3ab046354548ea193c68f8c9c05
---
 nix/libstore/build.cc | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
index 51ac11e235..54d2996dd1 100644
--- a/nix/libstore/build.cc
+++ b/nix/libstore/build.cc
@@ -1870,18 +1870,19 @@ void DerivationGoal::startBuilder() } dirsInChroot[tmpDirInSandbox] = tmpDir; - /* Make the closure of the inputs available in the chroot, - rather than the whole store. This prevents any access - to undeclared dependencies. !!! As an extra security - precaution, make the fake store only writable by the - build user. */ + /* Create the fake store. */ Path chrootStoreDir = chrootRootDir + settings.nixStore; createDirs(chrootStoreDir); chmod_(chrootStoreDir, 01775); if (buildUser.enabled() && chown(chrootStoreDir.c_str(), 0, buildUser.getGID()) == -1) - throw SysError(format("cannot change ownership of ‘%1%’") % chrootStoreDir); + /* As an extra security precaution, make the fake store only + writable by the build user. */ + throw SysError(format("cannot change ownership of ‘%1%’") % chrootStoreDir); + /* Make the closure of the inputs available in the chroot, rather than + the whole store. This prevents any access to undeclared + dependencies. */ foreach (PathSet::iterator, i, inputPaths) { struct stat st; if (lstat(i->c_str(), &st)) From patchwork Mon Mar 17 17:02:54 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40289 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 1A92E27BBEA; Mon, 17 Mar 2025 17:06:04 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id C587B27BBE2 for ; Mon, 17 Mar 2025 
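Review bot: in the DerivationGoal::startBuilder hunk, the relocated comment "As an extra security precaution, make the fake store only writable by the build user." now sits between the `if (buildUser.enabled() && chown(...) == -1)` condition and its `throw SysError(...)`, so it reads as a comment on the throw rather than on the chmod/chown pair it explains; put it above the `chmod_(chrootStoreDir, 01775);` line instead and let `/* Create the fake store. */` cover only the createDirs call. The wording is also slightly off: 01775 plus a chown to root and the build group makes the directory writable by root and by members of the build group, not by the build user alone, so "writable only by the build group" would be the accurate phrasing.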
Subject: [bug#75810] [PATCH v6 11/16] linux-container: ‘unprivileged-user-namespace-supported?’ returns #f on non-Linux.
Resent-Date: Mon, 17 Mar 2025 17:05:22 +0000
To: 75810@debbugs.gnu.org
Cc: Ludovic Courtès, Reepca Russelstein
From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Mon, 17 Mar 2025 18:02:54 +0100 Message-ID: X-Mailer: git-send-email 2.48.1 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches Previously this procedure would return #t on non-Linux systems. * gnu/build/linux-container.scm (unprivileged-user-namespace-supported?): When USERNS-FILE doesn’t exist, return (user-namespace-supported?). Reported-by: Reepca Russelstein Change-Id: I92050338b8b68bc3bd87100317eba69fcdf14a0a --- gnu/build/linux-container.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnu/build/linux-container.scm b/gnu/build/linux-container.scm index 5c303da8c8..a5c5d8962e 100644 --- a/gnu/build/linux-container.scm +++ b/gnu/build/linux-container.scm @@ -1,6 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2015 David Thompson -;;; Copyright © 2017-2019, 2022, 2023 Ludovic Courtès +;;; Copyright © 2017-2019, 2022-2023, 2025 Ludovic Courtès ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -44,7 +44,7 @@ (define (unprivileged-user-namespace-supported?) (let ((userns-file "/proc/sys/kernel/unprivileged_userns_clone")) (if (file-exists? userns-file) (eqv? #\1 (call-with-input-file userns-file read-char)) - #t))) + (user-namespace-supported?)))) (define (setgroups-supported?) "Return #t if the setgroups proc file, introduced in Linux-libre 3.19, From patchwork Mon Mar 17 17:02:55 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40290 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id A817027BBEA; Mon, 17 Mar 2025 17:06:10 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id C527F27BBE2 for ; Mon, 17 Mar 2025 17:06:09 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tuDu9-0005JA-UH; Mon, 17 Mar 2025 13:05:34 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tuDu1-0005Eh-Hc for guix-patches@gnu.org; Mon, 17 Mar 2025 13:05:25 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1tuDu0-0005kB-1m for guix-patches@gnu.org; Mon, 17 Mar 2025 13:05:24 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; 
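Review bot: in the unprivileged-user-namespace-supported? hunk, the fallback `(user-namespace-supported?)` fixes the non-Linux case but also changes the answer on mainline Linux, where /proc/sys/kernel/unprivileged_userns_clone does not exist (that sysctl is a Debian/Ubuntu and Arch patch). Judging by its name, user-namespace-supported? reports whether user namespaces exist at all, not whether this unprivileged process may create one, so a system with `user.max_user_namespaces` set to 0, or a distribution that restricts unprivileged user namespaces through an LSM, is still reported as supported. The dependable probe is to fork, try `unshare(CLONE_NEWUSER)` in the child, and return whether it succeeded; short of that, the docstring should say that the result is an approximation whenever the Debian sysctl is absent.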
Subject: [bug#75810] [PATCH v6 12/16] tests: Add missing derivation inputs.
Resent-Date: Mon, 17 Mar 2025 17:05:23 +0000
To: 75810@debbugs.gnu.org
Cc: Ludovic Courtès
From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Mon, 17 Mar 2025 18:02:55 +0100 Message-ID: <1521a5f93fbcc986c8d814298bc2cd0af5a73444.1742230220.git.ludo@gnu.org> X-Mailer: git-send-email 2.48.1 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches These missing inputs go unnoticed when running ‘guix-daemon --disable-chroot’ but are immediately visible otherwise. * tests/derivations.scm ("fixed-output derivation"): Add %BASH to #:sources. ("fixed-output derivation: output paths are equal"): ("fixed-output derivation, recursive"): ("derivation with a fixed-output input"): ("derivation with duplicate fixed-output inputs"): ("derivation with equivalent fixed-output inputs"): ("build derivation with coreutils"): Likewise. * tests/packages.scm (bootstrap-binary): New procedure. ("package-source-derivation, origin, sha512"): Use it instead of ‘search-bootstrap-binary’ and add BASH to #:sources. ("package-source-derivation, origin, sha3-512"): Likewise. Change-Id: I4c9087df23c47729a3aff15e9e1435b7266e36e2 --- tests/derivations.scm | 24 +++++++++++++++--------- tests/packages.scm | 13 +++++++++---- 2 files changed, 24 insertions(+), 13 deletions(-) diff --git a/tests/derivations.scm b/tests/derivations.scm index 72ea9aa9cc..f30f05474e 100644 --- a/tests/derivations.scm +++ b/tests/derivations.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2012-2024 Ludovic Courtès +;;; Copyright © 2012-2025 Ludovic Courtès ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -443,7 +443,7 @@ (define* (directory-contents dir #:optional (slurp get-bytevector-all)) (string-append "fixed-" (symbol->string hash-algorithm)) %bash `(,builder) - #:sources `(,builder) ;optional + #:sources (list %bash builder) #:hash hash #:hash-algo hash-algorithm))) (build-derivations %store (list drv)) @@ -462,9 +462,11 @@ (define* (directory-contents dir #:optional (slurp get-bytevector-all)) (hash (gcrypt:sha256 (string->utf8 "hello"))) (drv1 (derivation %store "fixed" %bash `(,builder1) + #:sources (list %bash builder1) #:hash hash #:hash-algo 'sha256)) (drv2 (derivation %store "fixed" %bash `(,builder2) + #:sources (list %bash builder2) #:hash hash #:hash-algo 'sha256)) (succeeded? (build-derivations %store (list drv1 drv2)))) (and succeeded? @@ -477,7 +479,7 @@ (define* (directory-contents dir #:optional (slurp get-bytevector-all)) (hash (gcrypt:sha256 (string->utf8 "hello"))) (drv (derivation %store "fixed-rec" %bash `(,builder) - #:sources (list builder) + #:sources (list %bash builder) #:hash (base32 "0sg9f58l1jj88w6pdrfdpj5x9b1zrwszk84j81zvby36q9whhhqa") #:hash-algo 'sha256 #:recursive? #t)) @@ -511,9 +513,11 @@ (define* (directory-contents dir #:optional (slurp get-bytevector-all)) (hash (gcrypt:sha256 (string->utf8 "hello"))) (fixed1 (derivation %store "fixed" %bash `(,builder1) + #:sources (list %bash builder1) #:hash hash #:hash-algo 'sha256)) (fixed2 (derivation %store "fixed" %bash `(,builder2) + #:sources (list %bash builder2) #:hash hash #:hash-algo 'sha256)) (fixed-out (derivation->output-path fixed1)) (builder3 (add-text-to-store 
@@ -548,9 +552,11 @@ (define* (directory-contents dir #:optional (slurp get-bytevector-all)) (hash (gcrypt:sha256 (string->utf8 "hello"))) (fixed1 (derivation %store "fixed" %bash `(,builder1) + #:sources (list %bash builder1) #:hash hash #:hash-algo 'sha256)) (fixed2 (derivation %store "fixed" %bash `(,builder2) + #:sources (list %bash builder2) #:hash hash #:hash-algo 'sha256)) (builder3 (add-text-to-store %store "builder.sh" "echo fake builder")) @@ -580,21 +586,21 @@ (define* (directory-contents dir #:optional (slurp get-bytevector-all)) '())) (hash (gcrypt:sha256 (string->utf8 "hello"))) (drv1 (derivation %store "fixed" %bash (list builder1) - #:sources (list builder1) + #:sources (list %bash builder1) #:hash hash #:hash-algo 'sha256)) (drv2 (derivation %store "fixed" %bash (list builder2) - #:sources (list builder2) + #:sources (list %bash builder2) #:hash hash #:hash-algo 'sha256)) (drv3a (derivation %store "fixed-user" %bash (list builder3) #:outputs '("one" "two") - #:sources (list builder3) + #:sources (list %bash builder3) #:inputs (list (derivation-input drv1)))) (drv3b (derivation %store "fixed-user" %bash (list builder3) #:outputs '("one" "two") - #:sources (list builder3) + #:sources (list %bash builder3) #:inputs (list (derivation-input drv2)))) (drv4 (derivation %store "fixed-user-user" %bash (list builder1) - #:sources (list builder1) + #:sources (list %bash builder1) #:inputs (list (derivation-input drv3a '("one")) (derivation-input drv3b '("two")))))) (match (derivation-inputs drv4) @@ -878,7 +884,7 @@ (define %coreutils ,(string-append (derivation->output-path %coreutils) "/bin"))) - #:sources (list builder) + #:sources (list %bash builder) #:inputs (list (derivation-input %coreutils)))) (succeeded? (build-derivations %store (list drv)))) diff --git a/tests/packages.scm b/tests/packages.scm index 50c1cab915..f56c63128d 100644 --- a/tests/packages.scm +++ b/tests/packages.scm 
@@ -80,6 +80,11 @@ (define %store ;; When grafting, do not add dependency on 'glibc-utf8-locales'. (%graft-with-utf8-locale? #f) +(define (bootstrap-binary name) + (let ((bin (search-bootstrap-binary name (%current-system)))) + (and %store + (add-to-store %store name #t "sha256" bin)))) + (test-begin "packages") @@ -609,14 +614,14 @@ (define %store (test-equal "package-source-derivation, origin, sha512" "hello" - (let* ((bash (search-bootstrap-binary "bash" (%current-system))) + (let* ((bash (bootstrap-binary "bash")) (builder (add-text-to-store %store "my-fixed-builder.sh" "echo -n hello > $out" '())) (method (lambda* (url hash-algo hash #:optional name #:rest rest) (and (eq? hash-algo 'sha512) (raw-derivation name bash (list builder) - #:sources (list builder) + #:sources (list bash builder) #:hash hash #:hash-algo hash-algo)))) (source (origin 
@@ -635,14 +640,14 @@ (define %store (test-equal "package-source-derivation, origin, sha3-512" "hello, sha3" - (let* ((bash (search-bootstrap-binary "bash" (%current-system))) + (let* ((bash (bootstrap-binary "bash")) (builder (add-text-to-store %store "my-fixed-builder.sh" "echo -n hello, sha3 > $out" '())) (method (lambda* (url hash-algo hash #:optional name #:rest rest) (and (eq? hash-algo 'sha3-512) (raw-derivation name bash (list builder) - #:sources (list builder) + #:sources (list bash builder) #:hash hash #:hash-algo hash-algo)))) (source (origin From patchwork Mon Mar 17 17:02:56 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40296 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 536F227BBEA; Mon, 17 Mar 2025 17:07:23 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 2930F27BBE2 for ; Mon, 17 Mar 2025 17:07:22 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tuDvq-0006CE-7a; Mon, 17 Mar 2025 13:07:18 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tuDun-0005aU-2R for guix-patches@gnu.org; Mon, 17 Mar 2025 13:06:14 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps 
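Review bot: in the tests/derivations.scm hunks, the `;optional` remark on the old `#:sources `(,builder)` line disappears with the line, and nothing in the file now says why %bash has to be listed; one comment at the first occurrence, noting that inside the chroot only declared inputs are visible so the builder's interpreter must be declared as well, would spare the next reader a trip to the commit log. Otherwise the `(list %bash builderN)` additions are mechanical and consistent.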
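Review bot: in the tests/packages.scm hunk, `bootstrap-binary` has no docstring and two things about it deserve one. It returns #f when %store is #f, and the two callers then pass that #f to raw-derivation as the builder; if those tests are not already skipped without a store, the failure will be an obscure one from raw-derivation rather than a clear skip. And the `#t` passed to add-to-store is load-bearing: a recursive (NAR) import preserves bash's executable bit, whereas a flat import would store it as a non-executable regular file and the fixed-output builds would fail to exec it. A one-line comment on the `add-to-store` call would capture both.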
Subject: [bug#75810] [PATCH v6 13/16] tests: Run in a chroot and unprivileged user namespaces.
To: 75810@debbugs.gnu.org
Cc: Ludovic Courtès
From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Mon, 17 Mar 2025 18:02:56 +0100 Message-ID: <5a3d8d90c08fd27dddf5d8c94465597bf2cded92.1742230220.git.ludo@gnu.org> X-Mailer: git-send-email 2.48.1 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * build-aux/test-env.in: Pass ‘--disable-chroot’ only when unprivileged user namespace support is lacking and warn in that case. * tests/store.scm ("build-things, check mode"): Use ‘gettimeofday’ rather than a shared file as a source of entropy. ("symlink is symlink") ("isolated environment", "inputs are read-only") ("inputs cannot be remounted read-write") ("build root cannot be made world-readable") ("/tmp, store, and /dev/{null,full} are writable") ("network is unreachable"): New tests. * tests/processes.scm ("client + lock"): Skip when ‘unprivileged-user-namespace-supported?’ returns true. Change-Id: I3b3c3ebdf6db5fd36ee70251d07b893c17ca1b84 --- build-aux/test-env.in | 18 ++- tests/processes.scm | 9 +- tests/store.scm | 247 ++++++++++++++++++++++++++++++++++++------ 3 files changed, 236 insertions(+), 38 deletions(-) diff --git a/build-aux/test-env.in b/build-aux/test-env.in index 9caa29da58..86c2e585d7 100644 --- a/build-aux/test-env.in +++ b/build-aux/test-env.in @@ -1,7 +1,7 @@ #!/bin/sh # GNU Guix --- Functional package management for GNU -# Copyright © 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2021 Ludovic Courtès +# Copyright © 2012-2019, 2021, 2025 Ludovic Courtès # # This file is part of GNU Guix. # 
@@ -102,10 +102,24 @@ then rm -rf "$GUIX_STATE_DIRECTORY/daemon-socket" mkdir -m 0700 "$GUIX_STATE_DIRECTORY/daemon-socket" + # If unprivileged user namespaces are not supported, pass + # '--disable-chroot'. + if [ -f /proc/self/ns/user ] \ + && { [ ! -f /proc/sys/kernel/unprivileged_userns_clone ] \ + || [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" -eq 1 ]; } + then + extra_options="" + else + extra_options="--disable-chroot" + echo "unprivileged user namespaces not supported; \ +running 'guix-daemon $extra_options'" >&2 + fi + # Launch the daemon without chroot support because is may be # unavailable, for instance if we're not running as root. "@abs_top_builddir@/pre-inst-env" \ - "@abs_top_builddir@/guix-daemon" --disable-chroot \ + "@abs_top_builddir@/guix-daemon" \ + $extra_options \ --substitute-urls="$GUIX_BINARY_SUBSTITUTE_URL" & daemon_pid=$! diff --git a/tests/processes.scm b/tests/processes.scm index ba518f2d9e..a72ba16f58 100644 --- a/tests/processes.scm +++ b/tests/processes.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2018 Ludovic Courtès +;;; Copyright © 2018, 2025 Ludovic Courtès ;;; Copyright © 2019 Mathieu Othacehe ;;; ;;; This file is part of GNU Guix. @@ -25,6 +25,8 @@ (define-module (test-processes) #:use-module (guix gexp) #:use-module ((guix utils) #:select (call-with-temporary-directory)) #:use-module (gnu packages bootstrap) + #:use-module ((gnu build linux-container) + #:select (unprivileged-user-namespace-supported?)) #:use-module (guix tests) #:use-module (srfi srfi-1) #:use-module (srfi srfi-64) 
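Review bot: the comment kept right below the new block in build-aux/test-env.in, "Launch the daemon without chroot support because is may be unavailable, for instance if we're not running as root.", is now stale: the daemon is launched with chroot support whenever unprivileged user namespaces are detected, and `--disable-chroot` is only the fallback. Update it (and fix "is may be"). Note also that the `/proc/self/ns/user` plus `unprivileged_userns_clone` check duplicates what `unprivileged-user-namespace-supported?` decides for the tests in tests/processes.scm and tests/store.scm; if the two ever disagree, the daemon and the tests make different assumptions about isolation, so either reuse the predicate from the script or document that the two checks must be kept in sync.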
@@ -84,6 +86,11 @@ (define-syntax-rule (test-assert* description exp) (and (kill (process-id daemon) 0) (string-suffix? "guix-daemon" (first (process-command daemon))))))) +(when (unprivileged-user-namespace-supported?) + ;; The test below assumes the build process can communicate with the outside + ;; world via the TOKEN1 and TOKEN2 files, which is impossible when + ;; guix-daemon is set up to build in separate namespaces. + (test-skip 1)) (test-assert* "client + lock" (with-store store (call-with-temporary-directory diff --git a/tests/store.scm b/tests/store.scm index 45948f4f43..b1ddff2082 100644 --- a/tests/store.scm +++ b/tests/store.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2012-2021, 2023 Ludovic Courtès +;;; Copyright © 2012-2021, 2023, 2025 Ludovic Courtès ;;; ;;; This file is part of GNU Guix. ;;; @@ -28,8 +28,12 @@ (define-module (test-store) #:use-module (guix base32) #:use-module (guix packages) #:use-module (guix derivations) + #:use-module ((guix modules) + #:select (source-module-closure)) #:use-module (guix serialization) #:use-module (guix build utils) + #:use-module ((gnu build linux-container) + #:select (unprivileged-user-namespace-supported?)) #:use-module (guix gexp) #:use-module (gnu packages) #:use-module (gnu packages bootstrap) 
@@ -391,6 +395,188 @@ (define %shell (equal? (valid-derivers %store o) (list (derivation-file-name d)))))) +(test-assert "symlink is symlink" + (let* ((a (add-text-to-store %store "hello.txt" (random-text))) + (b (build-expression->derivation + %store "symlink" + '(symlink (assoc-ref %build-inputs "a") %output) + #:inputs `(("a" ,a)))) + (c (build-expression->derivation + %store "symlink-reference" + `(call-with-output-file %output + (lambda (port) + ;; Check that B is indeed visible as a symlink. This should + ;; always be the case, both in the '--disable-chroot' and in + ;; the user namespace setups. + (pk 'stat (lstat (assoc-ref %build-inputs "b"))) + (display (readlink (assoc-ref %build-inputs "b")) + port))) + #:inputs `(("b" ,b))))) + (and (build-derivations %store (list c)) + (string=? (call-with-input-file (derivation->output-path c) + get-string-all) + a)))) + +(unless (unprivileged-user-namespace-supported?) + (test-skip 1)) +(test-equal "isolated environment" + (string-join (append + '("PID: 1" "UID: 30001") + (delete-duplicates + (sort (list "/dev" "/tmp" "/proc" "/etc" + (match (string-tokenize (%store-prefix) + (char-set-complement + (char-set #\/))) + ((top _ ...) (string-append "/" top)))) + string $out")) + (s (add-to-store %store "bash" #t "sha256" + (search-bootstrap-binary "bash" + (%current-system)))) + (d (derivation %store "the-thing" + s `("-e" ,b) + #:env-vars `(("foo" . ,(random-text))) + #:sources (list b s))) + (o (derivation->output-path d))) + (and (build-derivations %store (list d)) + (call-with-input-file o get-string-all)))) + +(unless (unprivileged-user-namespace-supported?) + (test-skip 1)) +(test-equal "inputs are read-only" + "All good!" 
+ (let* ((input (plain-file (string-append "might-be-tampered-with-" + (number->string + (car (gettimeofday)) + 16)) + "All good!")) + (drv + (run-with-store %store + (gexp->derivation + "attempt-to-write-to-input" + (with-imported-modules (source-module-closure + '((guix build syscalls))) + #~(begin + (use-modules (guix build syscalls)) + + (let ((input #$input)) + (chmod input #o666) + (call-with-output-file input + (lambda (port) + (display "BAD!" port))) + (mkdir #$output)))))))) + (and (guard (c ((store-protocol-error? c) #t)) + (build-derivations %store (list drv))) + (call-with-input-file (run-with-store %store + (lower-object input)) + get-string-all)))) + +(unless (unprivileged-user-namespace-supported?) + (test-skip 1)) +(test-assert "inputs cannot be remounted read-write" + (let ((drv + (run-with-store %store + (gexp->derivation + "attempt-to-remount-input-read-write" + (with-imported-modules (source-module-closure + '((guix build syscalls))) + #~(begin + (use-modules (guix build syscalls)) + + (let ((input #$(plain-file "input-that-might-be-tampered-with" + "All good!"))) + (mount "none" input "none" (logior MS_BIND MS_REMOUNT)) + (call-with-output-file input + (lambda (port) + (display "BAD!" port))) + (mkdir #$output)))))))) + (guard (c ((store-protocol-error? c) #t)) + (build-derivations %store (list drv)) + #f))) + +(unless (unprivileged-user-namespace-supported?) 
+ (test-skip 1)) +(test-assert "build root cannot be made world-readable" + (let ((drv + (run-with-store %store + (gexp->derivation + "attempt-to-make-root-world-readable" + (with-imported-modules (source-module-closure + '((guix build syscalls))) + #~(begin + (use-modules (guix build syscalls)) + + (catch 'system-error + (lambda () + (chmod "/" #o777)) + (lambda args + (format #t "failed to make root writable: ~a~%" + (strerror (system-error-errno args))) + (format #t "attempting read-write remount~%") + (mount "none" "/" "/" (logior MS_BIND MS_REMOUNT)) + (chmod "/" #o777))) + + ;; At this point, the build process could create a + ;; world-readable setuid binary under its root (so in the + ;; store) that would remain visible until the build + ;; completes. + (mkdir #$output))))))) + (guard (c ((store-protocol-error? c) #t)) + (build-derivations %store (list drv)) + #f))) + +(unless (unprivileged-user-namespace-supported?) + (test-skip 1)) +(test-assert "/tmp, store, and /dev/{null,full} are writable" + ;; All of /tmp and all of the store must be writable (the store is writable + ;; so that derivation outputs can be written to it, but in practice it's + ;; always been wide open). Things like /dev/null must be writable too. + (let ((drv (run-with-store %store + (gexp->derivation + "check-tmp-and-store-are-writable" + #~(begin + (mkdir "/tmp/something") + (mkdir (in-vicinity (getenv "NIX_STORE") + "some-other-thing")) + (call-with-output-file "/dev/null" + (lambda (port) + (display "Welcome to the void." port))) + (catch 'system-error + (lambda () + (call-with-output-file "/dev/full" + (lambda (port) + (display "No space left!" port))) + (error "Should have thrown!")) + (lambda args + (unless (= ENOSPC (system-error-errno args)) + (apply throw args)))) + (mkdir #$output)))))) + (build-derivations %store (list drv)))) + +(unless (unprivileged-user-namespace-supported?) 
+ (test-skip 1)) +(test-assert "network is unreachable" + (let ((drv (run-with-store %store + (gexp->derivation + "check-network-unreachable" + #~(let ((check-connection-failure + (lambda (address expected-code) + (let ((s (socket AF_INET SOCK_STREAM 0))) + (catch 'system-error + (lambda () + (connect s AF_INET (inet-pton AF_INET address) 80)) + (lambda args + (let ((errno (system-error-errno args))) + (unless (= expected-code errno) + (error "wrong error code" + errno (strerror errno)))))))))) + (check-connection-failure "127.0.0.1" ECONNREFUSED) + (check-connection-failure "9.9.9.9" ENETUNREACH) + (mkdir #$output)))))) + (build-derivations %store (list drv)))) + (test-equal "with-build-handler" 'success (let* ((b (add-text-to-store %store "build" "echo $foo > $out" '())) 
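Review bot: in the "network is unreachable" test, `check-connection-failure` only reports a wrong errno inside the `system-error` handler; if `connect` succeeds, nothing is raised and the build, and therefore the test, passes. Add an explicit `(error "connection unexpectedly succeeded" address)` after the `connect` call, mirroring the `(error "Should have thrown!")` pattern used in the /dev/full check of the previous test. Two smaller points in the same hunk: the test named "build root cannot be made world-readable" actually attempts `(chmod "/" #o777)` and its message says "failed to make root writable", so "world-writable" is the accurate name; and the socket created in `check-connection-failure` is never closed, which is fine for a throwaway build but deserves a `close-port`.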
@@ -1333,40 +1519,31 @@ (define %shell (test-assert "build-things, check mode" (with-store store - (call-with-temporary-output-file - (lambda (entropy entropy-port) - (write (random-text) entropy-port) - (force-output entropy-port) - (let* ((drv (build-expression->derivation - store "non-deterministic" - `(begin - (use-modules (rnrs io ports)) - (let ((out (assoc-ref %outputs "out"))) - (call-with-output-file out - (lambda (port) - ;; Rely on the fact that tests do not use the - ;; chroot, and thus ENTROPY is readable. - (display (call-with-input-file ,entropy - get-string-all) - port))) - #t)) - #:guile-for-build - (package-derivation store %bootstrap-guile (%current-system)))) - (file (derivation->output-path drv))) - (and (build-things store (list (derivation-file-name drv))) - (begin - (write (random-text) entropy-port) - (force-output entropy-port) - (guard (c ((store-protocol-error? c) - (pk 'determinism-exception c) - (and (not (zero? (store-protocol-error-status c))) - (string-contains (store-protocol-error-message c) - "deterministic")))) - ;; This one will produce a different result. Since we're in - ;; 'check' mode, this must fail. - (build-things store (list (derivation-file-name drv)) - (build-mode check)) - #f)))))))) + (let* ((drv (build-expression->derivation + store "non-deterministic" + `(begin + (use-modules (rnrs io ports)) + (let ((out (assoc-ref %outputs "out"))) + (call-with-output-file out + (lambda (port) + (let ((now (gettimeofday))) + (display (+ (car now) (cdr now)) port)))) + #t)) + #:guile-for-build + (package-derivation store %bootstrap-guile (%current-system)))) + (file (derivation->output-path drv))) + (and (build-things store (list (derivation-file-name drv))) + (begin + (guard (c ((store-protocol-error? c) + (pk 'determinism-exception c) + (and (not (zero? (store-protocol-error-status c))) + (string-contains (store-protocol-error-message c) + "deterministic")))) + ;; This one will produce a different result. 
Since we're in + ;; 'check' mode, this must fail. + (build-things store (list (derivation-file-name drv)) + (build-mode check)) + #f)))))) (test-assert "build-succeeded trace in check mode" (string-contains From patchwork Mon Mar 17 17:02:57 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40298 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 59F5A27BBEA; Mon, 17 Mar 2025 17:07:40 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id E4FC627BBE2 for ; Mon, 17 Mar 2025 17:07:39 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tuDvt-0006JQ-CI; Mon, 17 Mar 2025 13:07:21 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tuDvc-00060s-IB for guix-patches@gnu.org; Mon, 17 Mar 2025 13:07:08 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1tuDvc-0006E5-0k for guix-patches@gnu.org; Mon, 17 Mar 2025 13:07:04 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; bh=Ngm8ANKAcfFhwlcmZn793WD7YKtaQddq8o8d6i84570=; 
Subject: [bug#75810] [PATCH v6 14/16] etc: systemd services: Run ‘guix-daemon’ as an unprivileged user.
To: 75810@debbugs.gnu.org
Cc: Ludovic Courtès
h=MIME-Version:References:In-Reply-To:Date:Subject:To: From; bh=Ngm8ANKAcfFhwlcmZn793WD7YKtaQddq8o8d6i84570=; b=QCMcrqlyjO/46sY3a6ef OOxEQC6uFme+ZgxHpDVsrdk7bqM0L9IJZ/eCTOmV7aqv+dyndEY/CKWKEgIARwIg7qyP+vTlBjCIM mLDQsP5r7f5fwCeEK6Ar+Vtpzp+kK1J/604VRD5v/t4ynyv7sWd+FSjuSl08Cu7MH6APfmtF5nFih q/0zKmHfWElmky4rmpvCZ7nhmwBRh46GlqYRw7+Wn0UFvqqsEkRVYeYIk5MVNHRas38BhDCNcrK3u rZ384f5Nuc9gj2QUz/4rb0/zx7I078gTt3IamCdWiwomeBUndlQLQMQGsrw3yxRd8rqCKlumiWFj2 8yovB3r1/KZp4w==; From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Mon, 17 Mar 2025 18:02:57 +0100 Message-ID: X-Mailer: git-send-email 2.48.1 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * etc/guix-daemon.service.in (ExecStart): Remove ‘--build-users-group’. (Environment): Add ‘GUIX_STATE_DIRECTORY’. (Before, User, AmbientCapabilities, PrivateMounts, BindPaths): New fields. * etc/gnu-store.mount.in (Before): Remove. (WantedBy): Change to ‘multi-user.target’. Change-Id: Id826b8ab535844b6024d777f6bd15fd49db6d65e --- etc/gnu-store.mount.in | 3 +-- etc/guix-daemon.service.in | 22 ++++++++++++++++++++-- 2 files changed, 21 insertions(+), 4 deletions(-) diff --git a/etc/gnu-store.mount.in b/etc/gnu-store.mount.in index c94f2db72b..f9918c9e52 100644 --- a/etc/gnu-store.mount.in +++ b/etc/gnu-store.mount.in @@ -2,10 +2,9 @@ Description=Read-only @storedir@ for GNU Guix DefaultDependencies=no ConditionPathExists=@storedir@ -Before=guix-daemon.service [Install] -WantedBy=guix-daemon.service +WantedBy=multi-user.target [Mount] What=@storedir@ diff --git a/etc/guix-daemon.service.in b/etc/guix-daemon.service.in index 5c43d9b7f1..6a5ef97f9b 100644 
--- a/etc/guix-daemon.service.in +++ b/etc/guix-daemon.service.in 
@@ -5,11 +5,29 @@ [Unit] Description=Build daemon for GNU Guix +# Start before 'gnu-store.mount' to get a writable view of the store. +Before=gnu-store.mount + [Service] ExecStart=@localstatedir@/guix/profiles/per-user/root/current-guix/bin/guix-daemon \ - --build-users-group=guixbuild --discover=no \ + --discover=no \ --substitute-urls='@GUIX_SUBSTITUTE_URLS@' -Environment='GUIX_LOCPATH=@localstatedir@/guix/profiles/per-user/root/guix-profile/lib/locale' LC_ALL=en_US.utf8 +Environment='GUIX_STATE_DIRECTORY=@localstatedir@/guix' 'GUIX_LOCPATH=@localstatedir@/guix/profiles/per-user/root/guix-profile/lib/locale' LC_ALL=en_US.utf8 + +# Run under a dedicated unprivileged user account. +User=guix-daemon + +# Bind-mount the store read-write in a private namespace, to counter the +# effect of 'gnu-store.mount'. +PrivateMounts=true +BindPaths=@storedir@ + +# Provide the CAP_CHOWN capability so that guix-daemon can create and chown +# /var/guix/profiles/per-user/$USER and also chown failed build directories +# when using '--keep-failed'. Note that guix-daemon explicitly drops ambient +# capabilities before executing build processes so they don't inherit them. 
+AmbientCapabilities=CAP_CHOWN + StandardOutput=journal StandardError=journal From patchwork Mon Mar 17 17:02:58 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40295 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id D4F0827BBE9; Mon, 17 Mar 2025 17:07:14 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS autolearn=unavailable autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id B63B627BBE2 for ; Mon, 17 Mar 2025 17:07:12 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tuDvS-0005rb-4A; Mon, 17 Mar 2025 13:06:56 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tuDum-0005aT-QJ for guix-patches@gnu.org; Mon, 17 Mar 2025 13:06:14 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1tuDuh-0005zo-8n for guix-patches@gnu.org; Mon, 17 Mar 2025 13:06:10 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; bh=zRzyCRKNi7OLYtMltAIWBXxpQUCJgq5z2G4rnUFbrMY=; 
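Review bot: in etc/guix-daemon.service.in, the comment above `AmbientCapabilities=CAP_CHOWN` relies on behaviour that is not in this patch ("guix-daemon explicitly drops ambient capabilities before executing build processes"); point to the daemon change that does this so a reader of the unit can verify it, since with `User=guix-daemon` this capability is the only privilege the service keeps. Second, `PrivateMounts=true` gives the service a mount namespace into which mounts made later on the host still propagate, so the new `Before=gnu-store.mount` ordering is doing real work for the writable `BindPaths=@storedir@` view; a sentence in that comment explaining why ordering suffices, and what happens to the daemon's view when gnu-store.mount is stopped or restarted afterwards, would help whoever next touches these units.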
Subject: [bug#75810] [PATCH v6 15/16] guix-install.sh: Support the unprivileged daemon where possible.
To: 75810@debbugs.gnu.org
Cc: Ludovic Courtès
From: Ludovic Courtès
Date: Mon, 17 Mar 2025 18:02:58 +0100
Message-ID: <07c5b1b1ef05c002ad7092976e67eceb45f0c5da.1742230220.git.ludo@gnu.org>

* etc/guix-install.sh (create_account): New function.
(sys_create_build_user): Use it.  When ‘guix-daemon.service’ contains
“User=guix-daemon” only create the ‘guix-daemon’ user and group.
(sys_delete_build_user): Delete the ‘guix-daemon’ user and group.
(can_install_unprivileged_daemon): New function.
(sys_create_store): When installing the unprivileged daemon, change
ownership of /gnu and /var/guix, and create /var/log/guix.
(sys_authorize_build_farms): When the ‘guix-daemon’ account exists,
change ownership of /etc/guix.

Change-Id: I73e573f1cc5c0cb3794aaaa6b576616b66e0c5e9
---
 etc/guix-install.sh | 124 +++++++++++++++++++++++++++++++++++---------
 1 file changed, 99 insertions(+), 25 deletions(-)

diff --git a/etc/guix-install.sh b/etc/guix-install.sh
index 8887204df4..30e4bc4223 100755
--- a/etc/guix-install.sh
+++ b/etc/guix-install.sh
@@ -414,6 +414,11 @@ sys_create_store() cd "$tmp_path" _msg_info "Installing /var/guix and /gnu..." # Strip (skip) the leading ‘.’ component, which fails on read-only ‘/’. + # + # TODO: Eventually extract with ‘--owner=guix-daemon’ when installing + # and unprivileged guix-daemon service; for now, this script may install + # from both an old release that does not support unprivileged guix-daemon + # and a new release that does, so ‘chown -R’ later if needed. tar --extract --strip-components=1 --file "$pkg" -C / _msg_info "Linking the root user's profile" 
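Review bot: typo in the TODO comment added to sys_create_store: "when installing and unprivileged guix-daemon service" should read "an unprivileged".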
@@ -441,38 +446,95 @@ sys_delete_store() rm -rf ~root/.config/guix } +create_account() +{ + local user="$1" + local group="$2" + local supplementary_groups="$3" + local comment="$4" + + if id "$user" &>/dev/null; then + _msg_info "user '$user' is already in the system, reset" + usermod -g "$group" -G "$supplementary_groups" \ + -d /var/empty -s "$(which nologin)" \ + -c "$comment" "$user" + else + useradd -g "$group" -G "$supplementary_groups" \ + -d /var/empty -s "$(which nologin)" \ + -c "$comment" --system "$user" + _msg_pass "user added <$user>" + fi +} + +install_unprivileged_daemon() +{ # Return true when installing guix-daemon running without privileges. + [ "$INIT_SYS" = systemd ] && \ + grep -q "User=guix-daemon" \ + ~root/.config/guix/current/lib/systemd/system/guix-daemon.service +} + sys_create_build_user() { # Create the group and user accounts for build users. _debug "--- [ ${FUNCNAME[0]} ] ---" - if getent group guixbuild > /dev/null; then - _msg_info "group guixbuild exists" - else - groupadd --system guixbuild - _msg_pass "group created" - fi - if getent group kvm > /dev/null; then _msg_info "group kvm exists and build users will be added to it" local KVMGROUP=,kvm fi - for i in $(seq -w 1 10); do - if id "guixbuilder${i}" &>/dev/null; then - _msg_info "user is already in the system, reset" - usermod -g guixbuild -G guixbuild"$KVMGROUP" \ - -d /var/empty -s "$(which nologin)" \ - -c "Guix build user $i" \ - "guixbuilder${i}"; - else - useradd -g guixbuild -G guixbuild"$KVMGROUP" \ - -d /var/empty -s "$(which nologin)" \ - -c "Guix build user $i" --system \ - "guixbuilder${i}"; - _msg_pass "user added " - fi - done + if install_unprivileged_daemon + then + _msg_info "installing guix-daemon to run as an unprivileged user" + + # Installing guix-daemon to run as a non-root user requires + # unprivileged user namespaces. 
+ if [ -f /proc/sys/kernel/unprivileged_userns_clone ] \ + && [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" -ne 1 ] + then + echo 1 > /proc/sys/kernel/unprivileged_userns_clone || \ + _err "failed to enable unprivileged user namespaces" + + _msg_warn "Unprivileged user namespaces were disabled and have been enabled now." + _msg_warn "This Linux feature is required by guix-daemon. To enable it permanently, run:" + _msg_warn ' echo 1 > /proc/sys/kernel/unprivileged_userns_clone' + _msg_warn "from the relevant startup script." + fi + + + if getent group guix-daemon > /dev/null; then + _msg_info "group guix-daemon exists" + else + groupadd --system guix-daemon + _msg_pass "group guix-daemon created" + fi + + create_account guix-daemon guix-daemon \ + guix-daemon$KVMGROUP \ + "Unprivileged Guix Daemon User" + + # ‘tar xf’ creates root:root files. Change that. + chown -R guix-daemon:guix-daemon /gnu /var/guix + chown -R root:root /var/guix/profiles/per-user/root + + # The unprivileged daemon cannot create the log directory by itself. + mkdir /var/log/guix + chown guix-daemon:guix-daemon /var/log/guix + chmod 755 /var/log/guix + else + if getent group guixbuild > /dev/null; then + _msg_info "group guixbuild exists" + else + groupadd --system guixbuild + _msg_pass "group created" + fi + + for i in $(seq -w 1 10); do + create_account "guixbuilder${i}" "guixbuild" \ + "guixbuild${KVMGROUP}" \ + "Guix build user $i" + done + fi } sys_delete_build_user() @@ -487,6 +549,14 @@ sys_delete_build_user() if getent group guixbuild &>/dev/null; then groupdel -f guixbuild fi + + _msg_info "remove guix-daemon user" + if id guix-daemon &>/dev/null; then + userdel -f guix-daemon + fi + if getent group guix-daemon &>/dev/null; then + groupdel -f guix-daemon + fi } sys_enable_guix_daemon() 
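Review bot: `mkdir /var/log/guix` in the unprivileged branch of sys_create_build_user fails if the directory already exists, which it will when the script is re-run or when upgrading a system where the root-run daemon already wrote logs there; use `mkdir -p` (the `chown` and `chmod` that follow are idempotent). Related points in the same hunk: `install_unprivileged_daemon` greps for `User=guix-daemon` unanchored, so a commented-out `#User=guix-daemon` in the unit would also match; use `grep -q '^User=guix-daemon'`. The commit message names this function `can_install_unprivileged_daemon`, which does not match the definition. And the user-namespace check here looks only at `/proc/sys/kernel/unprivileged_userns_clone`, whereas build-aux/test-env.in also requires `/proc/self/ns/user` to exist; on a kernel built without user namespaces this branch would proceed and the daemon would fail at runtime, so add the same `/proc/self/ns/user` test before relying on the sysctl.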
@@ -529,11 +599,11 @@ sys_enable_guix_daemon() # Install after guix-daemon.service to avoid a harmless warning. # systemd .mount units must be named after the target directory. - # Here we assume a hard-coded name of /gnu/store. - install_unit gnu-store.mount + install_unit gnu-store.mount systemctl daemon-reload && - systemctl start guix-daemon; } && + systemctl start guix-daemon && + systemctl start gnu-store.mount; } && _msg_pass "enabled Guix daemon via systemd" ;; sysv-init) 
@@ -654,6 +724,10 @@ project's build farms?"; then && guix archive --authorize < "$key" \ && _msg_pass "Authorized public key for $host" done + if id guix-daemon &>/dev/null; then + # /etc/guix/acl must be readable by the unprivileged guix-daemon. + chown -R guix-daemon:guix-daemon /etc/guix + fi else _msg_info "Skipped authorizing build farm public keys" fi
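Review bot: the user-namespace check in sys_create_build_user (hunk @@ -441,38 +446,95 @@) only consults /proc/sys/kernel/unprivileged_userns_clone, a knob that exists only on kernels carrying the Debian/Arch patch; on other distributions unprivileged user namespaces are switched off through `user.max_user_namespaces = 0` (and, on recent Ubuntu, `kernel.apparmor_restrict_unprivileged_userns`), which this code never sees, so install_unprivileged_daemon would still return true and the daemon would later fail to create its namespaces. At minimum also check that /proc/sys/user/max_user_namespaces is non-zero before committing to the unprivileged path. Writing `echo 1 > /proc/sys/kernel/unprivileged_userns_clone` on the user's behalf is also a system-wide security change (it exposes the kernel's user-namespace attack surface to every local account), so it deserves a yes/no prompt like the build-farm key authorization instead of a warning printed after the fact. Separately, `mkdir /var/log/guix` has no `-p` and errors out if the directory already exists from a previous install; use `mkdir -p /var/log/guix` there.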
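Review bot: in sys_delete_build_user (hunk @@ -487,6 +549,14 @@), `userdel -f guix-daemon` forces the account away even while guix-daemon processes may still be running; those keep running under a UID that is now unassigned and can later be handed to another system account by useradd. The `id guix-daemon` guard should be paired with stopping the service first (or the call ordered after sys_enable_guix_daemon's counterpart has disabled it), and the same applies to the files chown'ed to guix-daemon at install time under /gnu and /var/guix: if they survive the uninstall they are left owned by a dangling UID. The `_msg_info "remove guix-daemon user"` line also prints unconditionally, unlike the create path, which reports whether the account existed; moving it inside the `if` keeps the output consistent.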
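Review bot: in sys_enable_guix_daemon (hunk @@ -529,11 +599,11 @@), the deleted comment `# Here we assume a hard-coded name of /gnu/store.` was still accurate, since the unit name gnu-store.mount encodes the mount path and the `install_unit gnu-store.mount` line is re-emitted unchanged apart from whitespace; keep the comment. On the new `systemctl start gnu-store.mount`: it is started after `systemctl start guix-daemon`, so there is a window in which the daemon runs against an unmounted /gnu/store; if guix-daemon.service declares the dependency (`Requires=`/`After=gnu-store.mount`), starting the daemon pulls the mount in and the second explicit start is redundant, otherwise the two starts should be swapped. Also confirm that install_unit enables the mount unit, not just installs it, or the mount will not be re-established at boot.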
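Review bot: the comment in hunk @@ -654,6 +724,10 @@ says /etc/guix/acl only needs to be readable, but `chown -R guix-daemon:guix-daemon /etc/guix` makes the daemon the owner of, and therefore able to write, everything under /etc/guix, including the ACL of authorized substitute keys that `guix archive --authorize` just populated and that the daemon is supposed to enforce; a compromised daemon could then rewrite it. Grant read access only and keep root as owner, e.g. `chgrp guix-daemon /etc/guix/acl && chmod 640 /etc/guix/acl`, plus a group-searchable /etc/guix, rather than a recursive chown. Note too that the fix-up sits inside the `if` branch that authorizes the build-farm keys; when the user answers no, execution goes to the `else` branch and any pre-existing /etc/guix stays root-owned, so the permission adjustment belongs after the `if`/`else` rather than inside one arm.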
From patchwork Mon Mar 17 17:02:59 2025
X-Patchwork-Submitter: Ludovic Courtès
X-Patchwork-Id: 40297
Subject: [bug#75810] [PATCH v6 16/16] DRAFT gnu: guix: Update to 07c5b1b
From: Ludovic Courtès
To: 75810@debbugs.gnu.org
Date: Mon, 17 Mar 2025 18:02:59 +0100
Message-ID: <19b479fe168b1afdc6dbc46f8c363d797cfb7178.1742230220.git.ludo@gnu.org>
X-Mailer: git-send-email 2.48.1

DRAFT: Temporary commit.

* gnu/packages/package-management.scm (guix): Update to 07c5b1b.

Change-Id: Id7c3275da249075cdb23d7f4f63fd1bcf7dd933b
--- gnu/packages/package-management.scm | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/gnu/packages/package-management.scm b/gnu/packages/package-management.scm index a4a96878f7..11cfd10197 100644 --- a/gnu/packages/package-management.scm +++ b/gnu/packages/package-management.scm @@ -179,8 +179,8 @@ (define-public guix ;; Note: the 'update-guix-package.scm' script expects this definition to ;; start precisely like this. (let ((version "1.4.0") - (commit "5058b40aba825ab6e7b9e518dd1147d1e35fd7de") - (revision 34)) + (commit "07c5b1b1ef05c002ad7092976e67eceb45f0c5da") + (revision 35)) (package (name "guix")
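Review bot: the commit pinned in hunk @@ -179,8 +179,8 @@, 07c5b1b1ef05c002ad7092976e67eceb45f0c5da, must be reachable on the public Guix repository before this lands; the commit message itself marks the change as "DRAFT: Temporary commit.", so the final version of the series should replace it with the actual merge commit of patches 01-15 (bumping `revision` again if needed), otherwise the `guix` package would point at an unfetchable commit.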
@@ -196,7 +196,7 @@ (define-public guix (commit commit))) (sha256 (base32 - "04vk4lslcd6h22yj5pxvb1pdyyxd8421gjfyvyb1bl3xn7c77246")) + "0hl692xzb8jylc8rwwvmgbdv08dnx35dx116vsw1s4c0ph8fr50a")) (file-name (string-append "guix-" version "-checkout")))) (build-system gnu-build-system) (arguments
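Review bot: the new sha256 `0hl692xzb8jylc8rwwvmgbdv08dnx35dx116vsw1s4c0ph8fr50a` in hunk @@ -196,7 +196,7 @@ cannot be verified from the diff alone, and since this hash is what pins the source of the `guix` package it is a supply-chain control point: recompute it from a fresh checkout at commit 07c5b1b (`guix hash -rx .` inside the checkout) and confirm the values match before merging, and repeat that once the temporary commit is replaced by the real one.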