From patchwork Thu Mar 20 20:54:34 2025
X-Patchwork-Submitter: Ludovic Courtès
X-Patchwork-Id: 40520
Subject: [bug#75810] [PATCH v7 01/16] daemon: Use ‘close_range’ where available.
To: 75810@debbugs.gnu.org
Cc: Ludovic Courtès
From: Ludovic Courtès
Date: Thu, 20 Mar 2025 21:54:34 +0100
Message-ID: <5edb7d923d441d4be77fe8d699199678c4acb390.1742503591.git.ludo@gnu.org>
X-Mailer: git-send-email 2.48.1

* nix/libutil/util.cc (closeMostFDs) [HAVE_CLOSE_RANGE]: Use ‘close_range’ when ‘exceptions’ is empty.
* config-daemon.ac: Check for <linux/close_range.h> and the ‘close_range’ symbol.

Change-Id: I12fa3bde58b003fcce5ea5a1fee1dcf9a92c0359
---
 config-daemon.ac    |  5 +++--
 nix/libutil/util.cc | 23 +++++++++++++++++------
 2 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/config-daemon.ac b/config-daemon.ac index 6731c68bc3..4e949bc88a 100644 --- a/config-daemon.ac +++ b/config-daemon.ac @@ -78,7 +78,8 @@ if test "x$guix_build_daemon" = "xyes"; then dnl Chroot support. AC_CHECK_FUNCS([chroot unshare]) - AC_CHECK_HEADERS([sched.h sys/param.h sys/mount.h sys/syscall.h]) + AC_CHECK_HEADERS([sched.h sys/param.h sys/mount.h sys/syscall.h \ + linux/close_range.h]) if test "x$ac_cv_func_chroot" != "xyes"; then AC_MSG_ERROR(['chroot' function missing, bailing out])
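Review bot: the linux/close_range.h probe added to AC_CHECK_HEADERS in this hunk only supplies the CLOSE_RANGE_* flag constants; on glibc 2.34 and later the close_range() prototype itself is declared in <unistd.h> (under _GNU_SOURCE, which g++ defines by default), and the call site in util.cc passes flags 0 and needs none of those constants. Either document in a dnl comment that the header is optional and what HAVE_LINUX_CLOSE_RANGE_H is meant to enable, or drop the header probe and rely on the AC_CHECK_FUNCS result alone.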
@@ -95,7 +96,7 @@ if test "x$guix_build_daemon" = "xyes"; then dnl strsignal: for error reporting. dnl statx: fine-grain 'stat' call, new in glibc 2.28. AC_CHECK_FUNCS([lutimes lchown posix_fallocate sched_setaffinity \ - statvfs nanosleep strsignal statx]) + statvfs nanosleep strsignal statx close_range]) dnl Check for . AC_LANG_PUSH(C++) diff --git a/nix/libutil/util.cc b/nix/libutil/util.cc index 3206dea11b..eb2d16e1cc 100644 --- a/nix/libutil/util.cc +++ b/nix/libutil/util.cc @@ -23,6 +23,10 @@ #include #endif +#ifdef HAVE_LINUX_CLOSE_RANGE_H +# include +#endif + extern char * * environ; 
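Review bot: the new #include in util.cc is guarded by HAVE_LINUX_CLOSE_RANGE_H while the close_range() call in closeMostFDs is guarded by HAVE_CLOSE_RANGE; the two configure results can disagree (kernel headers installed with an older libc that lacks the wrapper, or the reverse), which is harmless today only because the call uses no CLOSE_RANGE_* flag. Guarding the include with the same HAVE_CLOSE_RANGE macro, or adding a comment stating that the header is optional, keeps the next person from assuming one implies the other.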
@@ -1087,12 +1091,19 @@ string runProgram(Path program, bool searchPath, const Strings & args) void closeMostFDs(const set & exceptions) { - int maxFD = 0; - maxFD = sysconf(_SC_OPEN_MAX); - for (int fd = 0; fd < maxFD; ++fd) - if (fd != STDIN_FILENO && fd != STDOUT_FILENO && fd != STDERR_FILENO - && exceptions.find(fd) == exceptions.end()) - close(fd); /* ignore result */ +#ifdef HAVE_CLOSE_RANGE + if (exceptions.empty()) + close_range(3, ~0U, 0); + else +#endif + { + int maxFD = 0; + maxFD = sysconf(_SC_OPEN_MAX); + for (int fd = 0; fd < maxFD; ++fd) + if (fd != STDIN_FILENO && fd != STDOUT_FILENO && fd != STDERR_FILENO + && exceptions.find(fd) == exceptions.end()) + close(fd); /* ignore result */ + } }

From patchwork Thu Mar 20 20:54:35 2025
X-Patchwork-Submitter: Ludovic Courtès
X-Patchwork-Id: 40524
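Review bot: in the closeMostFDs hunk of patch 01/16, the return value of `close_range(3, ~0U, 0)` is discarded, and unlike the loop it replaces, a failure leaves every descriptor open in the child. glibc 2.34+ ships the wrapper even when the running kernel predates the syscall (Linux 5.9), in which case the call fails with ENOSYS, so the loop branch should run as a fallback rather than being skipped: `if (!exceptions.empty() || close_range(3, ~0U, 0) == -1) { /* sysconf loop */ }`. That form also removes the `else` that currently dangles across the `#endif`, where the brace block binds to the `if` in one configuration and is a bare block in the other, which is easy to misread. Worth a comment as well: the loop stops at sysconf(_SC_OPEN_MAX), which can be lower than descriptors inherited before an RLIMIT_NOFILE reduction, so close_range is strictly more thorough whenever it succeeds.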
Subject: [bug#75810] [PATCH v7 02/16] daemon: Close the read end of the logging pipe.
To: 75810@debbugs.gnu.org
Cc: Ludovic Courtès, Reepca Russelstein
From: Ludovic Courtès
Date: Thu, 20 Mar 2025 21:54:35 +0100
X-Mailer: git-send-email 2.48.1

* nix/libutil/util.cc (commonChildInit): Close ‘logPipe.readSide’.

Reported-by: Reepca Russelstein
Change-Id: Ia9e48d1afb85d7af52770e016f2b6832792044dd
---
 nix/libutil/util.cc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/nix/libutil/util.cc b/nix/libutil/util.cc index eb2d16e1cc..56f116046c 100644 --- a/nix/libutil/util.cc +++ b/nix/libutil/util.cc
@@ -1279,6 +1279,9 @@ void commonChildInit(Pipe & logPipe) if (setsid() == -1) throw SysError(format("creating a new session")); + /* Close the read end so only the parent holds a reference to it. */ + logPipe.readSide.close(); + /* Dup the write side of the logger pipe into stderr. */ if (dup2(logPipe.writeSide, STDERR_FILENO) == -1) throw SysError("cannot pipe standard error into log file");

From patchwork Thu Mar 20 20:54:36 2025
X-Patchwork-Submitter: Ludovic Courtès
X-Patchwork-Id: 40519
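Review bot: in the commonChildInit hunk of patch 02/16, the comment on the added `logPipe.readSide.close()` says only that the parent should hold the reference; it should also state the consequence being fixed, namely that a child inheriting the read end holds a descriptor it was never meant to have and can consume log data that only the parent should read. The same reasoning applies to logPipe.writeSide once it has been dup2'd onto STDERR_FILENO a few lines below: unless it is closed explicitly (not visible in this hunk) or swept up by closeMostFDs, the child keeps two descriptors on the write end. Closing the read end before the dup2 rather than after is fine, since the two operations touch different descriptors.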
Subject: [bug#75810] [PATCH v7 03/16] daemon: Bind-mount /etc/nsswitch.conf & co. only if it exists.
To: 75810@debbugs.gnu.org
Cc: Ludovic Courtès
From: Ludovic Courtès
Date: Thu, 20 Mar 2025 21:54:36 +0100
Message-ID: <685be9a097b408871ef5313205552c9fbce748a6.1742503591.git.ludo@gnu.org>
X-Mailer: git-send-email 2.48.1

Those files may be missing in some contexts, for instance within the build environment.

* nix/libstore/build.cc (DerivationGoal::runChild): Add /etc/resolv.conf and related files to ‘ss’ only if they exist.

Change-Id: Ie19664a86c8101a1dc82cf39ad4b7abb10f8250a
---
 nix/libstore/build.cc | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc index edd01bab34..8ca5e5b732 100644 --- a/nix/libstore/build.cc +++ b/nix/libstore/build.cc
@@ -2093,10 +2093,11 @@ void DerivationGoal::runChild() network, so give them access to /etc/resolv.conf and so on. */ if (fixedOutput) { - ss.push_back("/etc/resolv.conf"); - ss.push_back("/etc/nsswitch.conf"); - ss.push_back("/etc/services"); - ss.push_back("/etc/hosts"); + auto files = { "/etc/resolv.conf", "/etc/nsswitch.conf", + "/etc/services", "/etc/hosts" }; + for (auto & file: files) { + if (pathExists(file)) ss.push_back(file); + } } for (auto & i : ss) dirsInChroot[i] = i;

From patchwork Thu Mar 20 20:54:37 2025
X-Patchwork-Submitter: Ludovic Courtès
X-Patchwork-Id: 40521
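Review bot: in the runChild hunk of patch 03/16, the `pathExists(file)` test decides on the symlink itself if pathExists is still the lstat-based helper inherited from upstream Nix's util.cc, so a dangling /etc/resolv.conf symlink (common on hosts using resolvconf or systemd-resolved) passes the check and the later bind mount still fails with ENOENT, because mount(2) resolves the symlink to its target. If the intent is "only if the file is really there", check the resolved target (a stat()-based test, or pathExists on the readLink result) or let the mount loop tolerate ENOENT for these four files. The check and the mount are also separated in time, so a file appearing or vanishing in between yields either a confusing mount error or a silently missing file; a one-line comment acknowledging that window would help the next reader.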
Subject: [bug#75810] [PATCH v7 04/16] daemon: Bind-mount all the inputs, not just directories.
To: 75810@debbugs.gnu.org
Cc: Ludovic Courtès, Reepca Russelstein
From: Ludovic Courtès
Date: Thu, 20 Mar 2025 21:54:37 +0100
X-Mailer: git-send-email 2.48.1

* nix/libstore/build.cc (DerivationGoal::startBuilder): Add all of ‘inputPaths’ to ‘dirsInChroot’ instead of hard-linking regular files. Special-case symlinks.
(DerivationGoal)[regularInputPaths]: Remove.

Reported-by: Reepca Russelstein
Change-Id: I070987f92d73f187f7826a975bee9ee309d67f56
---
 nix/libstore/build.cc | 39 ++++++++++++++-------------------------
 1 file changed, 14 insertions(+), 25 deletions(-)

diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc index 8ca5e5b732..193b279b88 100644 --- a/nix/libstore/build.cc +++ b/nix/libstore/build.cc
@@ -659,9 +659,6 @@ private: /* RAII object to delete the chroot directory. */ std::shared_ptr autoDelChroot; - /* All inputs that are regular files. */ - PathSet regularInputPaths; - /* Whether this is a fixed-output derivation. */ bool fixedOutput; @@ -1850,9 +1847,7 @@ void DerivationGoal::startBuilder() /* Make the closure of the inputs available in the chroot, rather than the whole store. This prevents any access - to undeclared dependencies. Directories are bind-mounted, - while other inputs are hard-linked (since only directories - can be bind-mounted). !!! As an extra security + to undeclared dependencies. !!! As an extra security precaution, make the fake store only writable by the build user. */ Path chrootStoreDir = chrootRootDir + settings.nixStore; 
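Review bot: the comment hunk in startBuilder drops the sentence explaining why regular files used to be hard-linked but keeps the "!!! As an extra security precaution" remark unchanged, so the reader now has to infer the new invariant from the loop that follows. State it explicitly where the old explanation was: every input, directory or file, is bind-mounted into the chroot store, and symlinks are recreated rather than mounted because a bind mount would expose the target instead of the link.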
@@ -1863,28 +1858,22 @@ void DerivationGoal::startBuilder() throw SysError(format("cannot change ownership of ‘%1%’") % chrootStoreDir); foreach (PathSet::iterator, i, inputPaths) { - struct stat st; + struct stat st; if (lstat(i->c_str(), &st)) throw SysError(format("getting attributes of path `%1%'") % *i); - if (S_ISDIR(st.st_mode)) - dirsInChroot[*i] = *i; - else { - Path p = chrootRootDir + *i; - if (link(i->c_str(), p.c_str()) == -1) { - /* Hard-linking fails if we exceed the maximum - link count on a file (e.g. 32000 of ext3), - which is quite possible after a `nix-store - --optimise'. */ - if (errno != EMLINK) - throw SysError(format("linking `%1%' to `%2%'") % p % *i); - StringSink sink; - dumpPath(*i, sink); - StringSource source(sink.s); - restorePath(p, source); - } - regularInputPaths.insert(*i); - } + if (S_ISLNK(st.st_mode)) { + /* Since bind-mounts follow symlinks, thus representing their + target and not the symlink itself, special-case + symlinks. XXX: When running unprivileged, TARGET can be + deleted by the build process. Use 'open_tree' & co. when + it's more widely available. 
*/ + Path target = chrootRootDir + *i; + if (symlink(readLink(*i).c_str(), target.c_str()) == -1) + throw SysError(format("failed to create symlink '%1%' to '%2%'") % target % readLink(*i)); + } + else + dirsInChroot[*i] = *i; } /* If we're repairing, checking or rebuilding part of a

From patchwork Thu Mar 20 20:54:38 2025
X-Patchwork-Submitter: Ludovic Courtès
X-Patchwork-Id: 40523
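Review bot: in the S_ISLNK branch of the startBuilder hunk of patch 04/16, `readLink(*i)` is evaluated twice, once for the symlink() call and again in the error message; read it into a local first so the error reports exactly the target that was attempted and a failing readlink is not repeated inside the exception path. The XXX in the new comment is the substantive point: the recreated symlink is an ordinary directory entry in chrootStoreDir, which the surrounding code chowns to the build user, so unlike the bind-mounted inputs it gets no read-only protection and, as the comment says, can be deleted by the build process when running unprivileged. That limitation only affects the build's own declared inputs, but it deserves a sentence in the commit message rather than living solely in an XXX. Finally, the `- struct stat st;` / `+ struct stat st;` pair is a whitespace-only change that would be cleaner in a separate cleanup commit.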
Subject: [bug#75810] [PATCH v7 05/16] daemon: Remount inputs as read-only.
To: 75810@debbugs.gnu.org
Cc: Ludovic Courtès, Reepca Russelstein
From: Ludovic Courtès
Date: Thu, 20 Mar 2025 21:54:38 +0100
X-Mailer: git-send-email 2.48.1

* nix/libstore/build.cc (DerivationGoal::runChild): Remount ‘target’ as read-only.

Reported-by: Reepca Russelstein
Change-Id: Ib7201bcf4363be566f205d23d17fe2f55d3ad666
---
 nix/libstore/build.cc | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc index 193b279b88..3861a1ffd9 100644 --- a/nix/libstore/build.cc +++ b/nix/libstore/build.cc
@@ -2107,8 +2107,15 @@ void DerivationGoal::runChild() createDirs(dirOf(target)); writeFile(target, ""); } + + /* Extra flags passed with MS_BIND are ignored, hence the + extra MS_REMOUNT. */ if (mount(source.c_str(), target.c_str(), "", MS_BIND, 0) == -1) throw SysError(format("bind mount from `%1%' to `%2%' failed") % source % target); + if (source.compare(0, settings.nixStore.length(), settings.nixStore) == 0) { + if (mount(source.c_str(), target.c_str(), "", MS_BIND | MS_REMOUNT | MS_RDONLY, 0) == -1) + throw SysError(format("read-only remount of `%1%' failed") % target); + } } /* Bind a new instance of procfs on /proc to reflect our

From patchwork Thu Mar 20 20:54:39 2025
X-Patchwork-Submitter: Ludovic Courtès
X-Patchwork-Id: 40522
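Review bot: in the runChild hunk of patch 05/16, the prefix test `source.compare(0, settings.nixStore.length(), settings.nixStore) == 0` also matches any path that merely shares the store prefix (a sibling directory whose name begins with the store name), so use the existing isInStore helper or compare against the store path plus a trailing '/'. More important for the unprivileged mode this series is working toward: an `MS_BIND | MS_REMOUNT | MS_RDONLY` remount performed inside a user namespace fails with EPERM when it would clear any locked per-mount flag the source mount carries (MS_NOSUID, MS_NODEV, MS_NOEXEC, MS_NOATIME and friends), so the remount should OR in the flags already in effect, for instance those reported by statvfs() on target mapped from ST_* to MS_*, together with MS_RDONLY, and the comment about MS_BIND ignoring extra flags should mention this. Lastly, the read-only pass is restricted to store inputs; the /etc files added for fixed-output builds stay read-write bind mounts, which is acceptable while they are root-owned on the host, but a comment stating that assumption would help.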
Subject: [bug#75810] [PATCH v7 06/16] daemon: Remount root directory as read-only.
From: Ludovic Courtès
Date: Thu, 20 Mar 2025 21:54:39 +0100

* nix/libstore/build.cc (DerivationGoal::runChild): Bind-mount the store and /tmp under ‘chrootRootDir’ to themselves as read-write. Remount / as read-only.

Change-Id: I79565094c8ec8448401897c720aad75304fd1948
---
 nix/libstore/build.cc | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
index 3861a1ffd9..c8b778362a 100644
--- a/nix/libstore/build.cc
+++ b/nix/libstore/build.cc
@@ -2091,6 +2091,18 @@ void DerivationGoal::runChild() for (auto & i : ss) dirsInChroot[i] = i; + /* Make new mounts for the store and for /tmp. That way, when + 'chrootRootDir' is made read-only below, these two mounts will + remain writable (the store needs to be writable so derivation + outputs can be written to it, and /tmp is writable by + convention). */ + auto chrootStoreDir = chrootRootDir + settings.nixStore; + if (mount(chrootStoreDir.c_str(), chrootStoreDir.c_str(), 0, MS_BIND, 0) == -1) + throw SysError(format("read-write mount of store '%1%' failed") % chrootStoreDir); + auto chrootTmpDir = chrootRootDir + "/tmp"; + if (mount(chrootTmpDir.c_str(), chrootTmpDir.c_str(), 0, MS_BIND, 0) == -1) + throw SysError(format("read-write mount of temporary directory '%1%' failed") % chrootTmpDir); + /* Bind-mount all the directories from the "host" filesystem that we want in the chroot environment. */
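Review bot: the comment explains why the store and /tmp get their own bind mounts but not why that is enough once `/` is remounted read-only in the next hunk: `MS_REMOUNT | MS_BIND` changes the per-mount flags of the one mount it is applied to, so sub-mounts created here are untouched. Stating that explicitly, together with the fact that individual store inputs under this writable store mount are protected only by the per-path read-only remount from patch 01 of this series, would save the next reader a trip to mount(2). Also, both error messages say "read-write mount" although nothing here sets or clears `MS_RDONLY`; "bind mount of store '%1%' failed" describes what actually failed.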
@@ -2164,6 +2176,10 @@ void DerivationGoal::runChild() if (rmdir("real-root") == -1) throw SysError("cannot remove real-root directory"); + + /* Remount root as read-only. */ + if (mount("/", "/", 0, MS_BIND | MS_REMOUNT | MS_RDONLY, 0) == -1) + throw SysError(format("read-only remount of build root '%1%' failed") % chrootRootDir); } #endif
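Review bot: the read-only remount of `/` is never verified after the call returns, whereas the mount-locking check added later in the series asserts on the observable effect; a cheap check here (attempt to create a scratch entry directly under `/` and expect `EROFS`) would catch a remount that the kernel accepted but that did not take effect the way this code assumes. Minor: the message formats `chrootRootDir` while the mount target is the literal `/`; after the pivot these are the same directory, and a one-line comment saying so prevents confusion when the message shows up in a build log.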
Subject: [bug#75810] [PATCH v7 07/16] daemon: Allow running as non-root with unprivileged user namespaces.
Cc: Ludovic Courtès, Reepca Russelstein, Christopher Baines, Josselin Poiret, Mathieu Othacehe, Maxim Cournoyer, Simon Tournier, Tobias Geerinckx-Rice
From: Ludovic Courtès

Many thanks to Reepca Russelstein for their review and guidance on these changes.

* nix/libstore/build.cc (guestUID, guestGID): New variables.
(DerivationGoal)[readiness]: New field.
(initializeUserNamespace): New function.
(DerivationGoal::runChild): When ‘readiness.readSide’ is positive, read from it.
(DerivationGoal::startBuilder): Call ‘chown’ only when ‘buildUser.enabled()’ is true. Pass CLONE_NEWUSER to ‘clone’ when ‘buildUser.enabled()’ is false or not running as root. Retry ‘clone’ without CLONE_NEWUSER upon EPERM.
(DerivationGoal::registerOutputs): Make ‘actualPath’ writable before ‘rename’.
(DerivationGoal::deleteTmpDir): Catch ‘SysError’ around ‘_chown’ call.
* nix/libstore/local-store.cc (LocalStore::createUser): Do nothing if ‘dirs’ already exists. Warn instead of failing when failing to chown ‘dir’.
* guix/substitutes.scm (%narinfo-cache-directory): Check for ‘_NIX_OPTIONS’ rather than getuid() == 0 to determine the cache location.
* doc/guix.texi (Build Environment Setup): Reorganize a bit. Add section headings “Daemon Running as Root” and “The Isolated Build Environment”. Add “Daemon Running Without Privileges” subsection. Remove paragraph about ‘--disable-chroot’.
(Invoking guix-daemon): Warn against ‘--disable-chroot’ and explain why.
* tests/derivations.scm ("builder is outside the store"): New test.

Reviewed-by: Reepca Russelstein
---
 doc/guix.texi | 102 +++++++++++++++-----
 guix/substitutes.scm | 2 +-
 nix/libstore/build.cc | 180 +++++++++++++++++++++++++++++++-----
 nix/libstore/local-store.cc | 18 +++-
 tests/derivations.scm | 10 ++
 5 files changed, 257 insertions(+), 55 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index fe43ed2504..ab9e21e42e 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -877,6 +877,7 @@ Setting Up the Daemon @section Setting Up the Daemon @cindex daemon +@cindex build daemon During installation, the @dfn{build daemon} that must be running to use Guix has already been set up and you can run @command{guix} commands in your terminal program, @pxref{Getting Started}: 
@@ -921,20 +922,38 @@ Build Environment Setup @cindex build environment In a standard multi-user setup, Guix and its daemon---the @command{guix-daemon} program---are installed by the system -administrator; @file{/gnu/store} is owned by @code{root} and -@command{guix-daemon} runs as @code{root}. Unprivileged users may use -Guix tools to build packages or otherwise access the store, and the -daemon will do it on their behalf, ensuring that the store is kept in a -consistent state, and allowing built packages to be shared among users. +administrator. Unprivileged users may use Guix tools to build packages +or otherwise access the store, and the daemon will do it on their +behalf, ensuring that the store is kept in a consistent state, and +allowing built packages to be shared among users. + +There are currently two ways to set up and run the build daemon: + +@enumerate +@item +running @command{guix-daemon} as ``root'', letting it run build +processes as unprivileged users taken from a pool of build users---this +is the historical approach; + +@item +running @command{guix-daemon} as a separate unprivileged user, relying +on Linux's @dfn{unprivileged user namespace} functionality to set up +isolated environments---this is the option chosen when installing Guix +on a systemd-based distribution with the installation script +(@pxref{Binary Installation}). +@end enumerate + +The sections below describe each of these two configurations in more +detail and summarize the kind of build isolation they provide. + +@unnumberedsubsubsec Daemon Running as Root @cindex build users When @command{guix-daemon} runs as @code{root}, you may not want package build processes themselves to run as @code{root} too, for obvious security reasons. To avoid that, a special pool of @dfn{build users} should be created for use by build processes started by the daemon. 
-These build users need not have a shell and a home directory: they will -just be used when the daemon drops @code{root} privileges in build -processes. Having several such users allows the daemon to launch +Having several such users allows the daemon to launch distinct build processes under separate UIDs, which guarantees that they do not interfere with each other---an essential feature since builds are regarded as pure functions (@pxref{Introduction}). 
@@ -977,11 +996,45 @@ Build Environment Setup # guix-daemon --build-users-group=guixbuild @end example +In this setup, @file{/gnu/store} is owned by @code{root}. + +@unnumberedsubsubsec Daemon Running Without Privileges + +@cindex rootless build daemon +@cindex unprivileged build daemon +@cindex build daemon, unprivileged +The second and preferred option is to run @command{guix-daemon} +@emph{as an unprivileged user}. It has the advantage of reducing the +harm that can be done should a build process manage to exploit a +vulnerability in the daemon. This option requires the use of Linux's +unprivileged user namespace mechanism; today it is available and enabled +by most GNU/Linux distributions but can still be disabled. The +installation script automatically determines whether this option is +available on your system (@pxref{Binary Installation}). + +When using this option, you only need to create one user account, and +@command{guix-daemon} will run with the authority of that account: + +@example +# groupadd --system guix-daemon +# useradd -g guix-daemon -G guix-daemon \ + -d /var/empty -s $(which nologin) \ + -c "Guix daemon privilege separation user" \ + --system guix-daemon +@end example + +In this configuration, @file{/gnu/store} is owned by the +@code{guix-daemon} user. + +@unnumberedsubsubsec The Isolated Build Environment + @cindex chroot -@noindent -This way, the daemon starts build processes in a chroot, under one of -the @code{guixbuilder} users. On GNU/Linux, by default, the chroot -environment contains nothing but: +@cindex build environment isolation +@cindex isolated build environment +@cindex hermetic build environment +In both cases, the daemon starts build processes without privileges in +an @emph{isolated} or @emph{hermetic} build environment---a ``chroot''. +On GNU/Linux, by default, the build environment contains nothing but: @c Keep this list in sync with libstore/build.cc! ----------------------- @itemize 
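Review bot: in the `useradd` example, `-G guix-daemon` is redundant with `-g guix-daemon` (the primary group is already that group), and `$(which nologin)` depends on `which` being installed and on root's PATH; `-s /usr/sbin/nologin` or `$(command -v nologin)` is safer for a snippet admins will paste verbatim. The paragraph above says unprivileged user namespaces "can still be disabled" but gives the reader no way to recognise that situation; pointing at the daemon's error in that case (this series has `startBuilder` fail with "cannot create process in unprivileged user namespace") tells an admin which of the two configurations they actually ended up with.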
@@ -1015,7 +1068,7 @@ Build Environment Setup @file{/homeless-shelter}. This helps to highlight inappropriate uses of @env{HOME} in the build scripts of packages. -All this usually enough to ensure details of the environment do not +All this is usually enough to ensure details of the environment do not influence build processes. In some exceptional cases where more control is needed---typically over the date, kernel, or CPU---you can resort to a virtual build machine (@pxref{build-vm, virtual build machines}). @@ -1035,14 +1088,6 @@ Build Environment Setup for fixed-output derivations (@pxref{Derivations}) or for substitutes (@pxref{Substitutes}). -If you are installing Guix as an unprivileged user, it is still possible -to run @command{guix-daemon} provided you pass @option{--disable-chroot}. -However, build processes will not be isolated from one another, and not -from the rest of the system. Thus, build processes may interfere with -each other, and may access programs, libraries, and other files -available on the system---making it much harder to view them as -@emph{pure} functions. - @node Daemon Offload Setup @subsection Using the Offload Facility 
@@ -1567,10 +1612,17 @@ Invoking guix-daemon @item --disable-chroot Disable chroot builds. -Using this option is not recommended since, again, it would allow build -processes to gain access to undeclared dependencies. It is necessary, -though, when @command{guix-daemon} is running under an unprivileged user -account. +@quotation Warning +Using this option is not recommended since it allows build processes to +gain access to undeclared dependencies, to interfere with one another, +and more generally to do anything that can be done with the authority of +build users or that of the daemon---which includes at least the ability +to tamper with any file in the store! + +You may find it necessary, though, when support for Linux unprivileged +user namespaces is missing (@pxref{Build Environment Setup}). Use at +your own risk! +@end quotation @item --log-compression=@var{type} Compress build logs according to @var{type}, one of @code{gzip}, diff --git a/guix/substitutes.scm b/guix/substitutes.scm index 7ca55788d5..86b9f5472a 100644 --- a/guix/substitutes.scm +++ b/guix/substitutes.scm @@ -79,7 +79,7 @@ (define %narinfo-cache-directory ;; time, 'guix substitute' is called by guix-daemon as root and stores its ;; cached data in /var/guix/…. However, when invoked from 'guix challenge' ;; as a user, it stores its cache in ~/.cache. - (if (zero? (getuid)) + (if (getenv "_NIX_OPTIONS") ;invoked by guix-daemon (or (and=> (getenv "XDG_CACHE_HOME") (cut string-append <> "/guix/substitute")) (string-append %state-directory "/substitute/cache")) diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc index c8b778362a..e6cd45aba4 100644 --- a/nix/libstore/build.cc +++ b/nix/libstore/build.cc @@ -744,6 +744,10 @@ private: friend int childEntry(void *); + /* Pipe to notify readiness to the child process when using unprivileged + user namespaces. */ + Pipe readiness; + /* Check that the derivation outputs all exist and register them as valid. */ void registerOutputs(); 
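Review bot: replacing `(zero? (getuid))` with `(getenv "_NIX_OPTIONS")` ties the cache location to an environment variable any caller can set, so a user who happens to have `_NIX_OPTIONS` in their environment when running `guix challenge` will have `guix substitute` pick the system cache under `%state-directory` and fail on permissions instead of falling back to `~/.cache`. The comment should state that the variable is the daemon's own marker for "spawned by guix-daemon" (and nothing else sets it), or the test could be combined with a writability check on the state directory so a stray variable degrades gracefully.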
@@ -1619,6 +1623,24 @@ int childEntry(void * arg) } +/* UID and GID of the build user inside its own user namespace. */ +static const uid_t guestUID = 30001; +static const gid_t guestGID = 30000; + +/* Initialize the user namespace of CHILD. */ +static void initializeUserNamespace(pid_t child, + uid_t hostUID = getuid(), + gid_t hostGID = getgid()) +{ + writeFile("/proc/" + std::to_string(child) + "/uid_map", + (format("%d %d 1") % guestUID % hostUID).str()); + + writeFile("/proc/" + std::to_string(child) + "/setgroups", "deny"); + + writeFile("/proc/" + std::to_string(child) + "/gid_map", + (format("%d %d 1") % guestGID % hostGID).str()); +} + void DerivationGoal::startBuilder() { auto f = format( @@ -1682,7 +1704,7 @@ void DerivationGoal::startBuilder() then an attacker could create in it a hardlink to a root-owned file such as /etc/shadow. If 'keepFailed' is true, the daemon would then chown that hardlink to the user, giving them write access to - that file. */ + that file. See CVE-2021-27851. */ tmpDir += "/top"; if (mkdir(tmpDir.c_str(), 0700) == 1) throw SysError("creating top-level build directory"); @@ -1799,7 +1821,7 @@ void DerivationGoal::startBuilder() if (mkdir(chrootRootDir.c_str(), 0750) == -1) throw SysError(format("cannot create ‘%1%’") % chrootRootDir); - if (chown(chrootRootDir.c_str(), 0, buildUser.getGID()) == -1) + if (buildUser.enabled() && chown(chrootRootDir.c_str(), 0, buildUser.getGID()) == -1) throw SysError(format("cannot change ownership of ‘%1%’") % chrootRootDir); /* Create a writable /tmp in the chroot. Many builders need 
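Review bot: `initializeUserNamespace` writes `uid_map`, then `setgroups`, then `gid_map`, which is the order the kernel requires, but a failure of any of the three `writeFile` calls on `/proc/<pid>/...` surfaces only as a generic file-write error; wrapping them so the message says it is the UID/GID mapping of the build process that could not be set up would make the common "user namespaces restricted by sysctl" failure much easier to diagnose. Separately, while this patch edits the adjacent CVE-2021-27851 comment, note that the unchanged context line `if (mkdir(tmpDir.c_str(), 0700) == 1)` compares the result of `mkdir` with `1` rather than `-1`, so failure to create the top-level build directory, the very directory that comment describes as security-relevant, is never detected; it should read `== -1` and deserves a follow-up in this series.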
@@ -1818,8 +1840,8 @@ void DerivationGoal::startBuilder() (format( "nixbld:x:%1%:%2%:Nix build user:/:/noshell\n" "nobody:x:65534:65534:Nobody:/:/noshell\n") - % (buildUser.enabled() ? buildUser.getUID() : getuid()) - % (buildUser.enabled() ? buildUser.getGID() : getgid())).str()); + % (buildUser.enabled() ? buildUser.getUID() : guestUID) + % (buildUser.enabled() ? buildUser.getGID() : guestGID)).str()); /* Declare the build user's group so that programs get a consistent view of the system (e.g., "id -gn"). */ @@ -1854,7 +1876,7 @@ void DerivationGoal::startBuilder() createDirs(chrootStoreDir); chmod_(chrootStoreDir, 01775); - if (chown(chrootStoreDir.c_str(), 0, buildUser.getGID()) == -1) + if (buildUser.enabled() && chown(chrootStoreDir.c_str(), 0, buildUser.getGID()) == -1) throw SysError(format("cannot change ownership of ‘%1%’") % chrootStoreDir); foreach (PathSet::iterator, i, inputPaths) { 
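Review bot: the fake `/etc/passwd` entry now uses `guestUID`/`guestGID` when no build user is configured, but the generation of the matching group file, which the following context line ("Declare the build user's group so that programs get a consistent view of the system") refers to, is not part of this hunk; make sure its GID is switched to `guestGID` too, otherwise `id -gn` inside the namespace will not agree with the passwd entry. In the second hunk, skipping `chown(chrootStoreDir, 0, buildUser.getGID())` when `!buildUser.enabled()` leaves the sticky `01775` store directory owned by the daemon's UID, which the mapping turns into `guestUID`, i.e. the builder itself; that is acceptable because the directory is meant to be writable by the builder anyway, but a sentence saying so next to the condition would document the reasoning.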
@@ -1960,14 +1982,36 @@ void DerivationGoal::startBuilder() if (useChroot) { char stack[32 * 1024]; int flags = CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWIPC | CLONE_NEWUTS | SIGCHLD; - if (!fixedOutput) flags |= CLONE_NEWNET; + if (!fixedOutput) { + flags |= CLONE_NEWNET; + } + if (!buildUser.enabled() || getuid() != 0) { + flags |= CLONE_NEWUSER; + readiness.create(); + } + /* Ensure proper alignment on the stack. On aarch64, it has to be 16 bytes. */ - pid = clone(childEntry, + pid = clone(childEntry, (char *)(((uintptr_t)stack + sizeof(stack) - 8) & ~(uintptr_t)0xf), flags, this); - if (pid == -1) - throw SysError("cloning builder process"); + if (pid == -1) { + if ((flags & CLONE_NEWUSER) != 0 && getuid() != 0) + /* 'clone' fails with EPERM on distros where unprivileged user + namespaces are disabled. Error out instead of giving up on + isolation. */ + throw SysError("cannot create process in unprivileged user namespace"); + else + throw SysError("cloning builder process"); + } + + readiness.readSide.close(); + if ((flags & CLONE_NEWUSER) != 0) { + /* Initialize the UID/GID mapping of the child process. */ + initializeUserNamespace(pid); + writeFull(readiness.writeSide, (unsigned char*)"go\n", 3); + } + readiness.writeSide.close(); } else #endif { 
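Review bot: the ChangeLog entry for `startBuilder` says "Retry ‘clone’ without CLONE_NEWUSER upon EPERM", but this hunk does the opposite and deliberately throws "cannot create process in unprivileged user namespace" (its own comment reads "Error out instead of giving up on isolation"); update the commit message so it no longer describes a fallback that was removed. Two smaller points: `readiness.readSide.close()` and `readiness.writeSide.close()` run even when `readiness.create()` was never called (root daemon with build users), which silently relies on `AutoCloseFD::close` being a no-op on `-1`, so either guard them with the same `(flags & CLONE_NEWUSER)` test or add a comment; and if `initializeUserNamespace(pid)` throws, the child stays blocked in `readFull` until unwinding closes the write side, which is correct but worth a comment next to the `writeFull(..., "go\n", 3)`.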
@@ -2013,23 +2057,37 @@ void DerivationGoal::runChild() _writeToStderr = 0; + if (readiness.writeSide >= 0) readiness.writeSide.close(); + + if (readiness.readSide >= 0) { + /* Wait for the parent process to initialize the UID/GID mapping + of our user namespace. */ + char str[20] = { '\0' }; + readFull(readiness.readSide, (unsigned char*)str, 3); + readiness.readSide.close(); + if (strcmp(str, "go\n") != 0) + throw Error("failed to initialize process in unprivileged user namespace"); + } + restoreAffinity(); commonChildInit(builderOut); #if CHROOT_ENABLED if (useChroot) { - /* Initialise the loopback interface. */ - AutoCloseFD fd(socket(PF_INET, SOCK_DGRAM, IPPROTO_IP)); - if (fd == -1) throw SysError("cannot open IP socket"); + if (!fixedOutput) { + /* Initialise the loopback interface. */ + AutoCloseFD fd(socket(PF_INET, SOCK_DGRAM, IPPROTO_IP)); + if (fd == -1) throw SysError("cannot open IP socket"); - struct ifreq ifr; - strcpy(ifr.ifr_name, "lo"); - ifr.ifr_flags = IFF_UP | IFF_LOOPBACK | IFF_RUNNING; - if (ioctl(fd, SIOCSIFFLAGS, &ifr) == -1) - throw SysError("cannot set loopback interface flags"); + struct ifreq ifr; + strcpy(ifr.ifr_name, "lo"); + ifr.ifr_flags = IFF_UP | IFF_LOOPBACK | IFF_RUNNING; + if (ioctl(fd, SIOCSIFFLAGS, &ifr) == -1) + throw SysError("cannot set loopback interface flags"); - fd.close(); + fd.close(); + } /* Set the hostname etc. to fixed values. */ char hostname[] = "localhost"; 
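Review bot: guarding the `ioctl(SIOCSIFFLAGS)` on `lo` with `if (!fixedOutput)` is right, because fixed-output builds keep the host network namespace and an unprivileged child must not, and cannot, reconfigure interfaces there; the comment still reads "Initialise the loopback interface" and gives no hint why it is now conditional, so say that. In the readiness handshake, `readFull(readiness.readSide, (unsigned char*)str, 3)` followed by `strcmp(str, "go\n")` only works because `str[20]` is zero-initialised; a `memcmp(str, "go\n", 3)` states the intent without depending on the terminator.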
@@ -2180,6 +2238,27 @@ void DerivationGoal::runChild() /* Remount root as read-only. */ if (mount("/", "/", 0, MS_BIND | MS_REMOUNT | MS_RDONLY, 0) == -1) throw SysError(format("read-only remount of build root '%1%' failed") % chrootRootDir); + + if (getuid() != 0) { + /* Create a new mount namespace to "lock" previous mounts. + See mount_namespaces(7). */ + auto uid = getuid(); + auto gid = getgid(); + + if (unshare(CLONE_NEWNS | CLONE_NEWUSER) == -1) + throw SysError(format("creating new user and mount namespaces")); + + initializeUserNamespace(getpid(), uid, gid); + + /* Check that mounts within the build environment are "locked" + together and cannot be separated from within the build + environment namespace. Since + umount(2) is documented to fail with EINVAL when attempting + to unmount one of the mounts that are locked together, + check that this is what we get. */ + int ret = umount(tmpDirInSandbox.c_str()); + assert(ret == -1 && errno == EINVAL); + } } #endif @@ -2262,6 +2341,7 @@ void DerivationGoal::runChild() writeFull(STDERR_FILENO, "\n"); /* Execute the program. This should not return. */ + string builderBasename; if (isBuiltin(drv)) { try { logType = ltFlat; 
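Review bot: the mount-lock check `int ret = umount(tmpDirInSandbox.c_str()); assert(ret == -1 && errno == EINVAL);` vanishes under `NDEBUG` while the `umount` side effect remains, so in a release build an unlocked mount would be unmounted and the build would continue with its temporary directory gone and no error raised. This is a security invariant, not a debugging aid, so replace the `assert` with an explicit check that throws, along the lines of `if (ret != -1 || errno != EINVAL) throw Error("mounts in the build environment are not locked");`. Minor: `throw SysError(format("creating new user and mount namespaces"))` wraps a constant string in `format` for no reason.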
@@ -2285,11 +2365,25 @@ void DerivationGoal::runChild() writeFull(STDERR_FILENO, "error: " + string(e.what()) + "\n"); _exit(1); } - } + } else { + /* Ensure that the builder is within the store. This prevents + users from using /proc/self/exe (or a symlink to it) as their + builder, which could allow them to overwrite the guix-daemon + binary (CVE-2019-5736). + + This attack is possible even if the target of /proc/self/exe is + outside the chroot (it's as if it were a hard link), though it + requires that its ELF interpreter and dependencies be in the + chroot. + + Note: 'canonPath' throws if 'drv.builder' cannot be resolved + within the chroot. */ + builderBasename = baseNameOf(drv.builder); + drv.builder = canonPath(drv.builder, true); + } /* Fill in the arguments. */ Strings args; - string builderBasename = baseNameOf(drv.builder); args.push_back(builderBasename); foreach (Strings::iterator, i, drv.args) args.push_back(rewriteHashes(*i, rewritesToTmp)); @@ -2476,8 +2570,16 @@ void DerivationGoal::registerOutputs() if (buildMode == bmRepair) replaceValidPath(path, actualPath); else - if (buildMode != bmCheck && rename(actualPath.c_str(), path.c_str()) == -1) - throw SysError(format("moving build output `%1%' from the chroot to the store") % path); + if (buildMode != bmCheck) { + if (S_ISDIR(st.st_mode)) + /* Change mode on the directory to allow for + rename(2). */ + chmod(actualPath.c_str(), st.st_mode | 0700); + if (rename(actualPath.c_str(), path.c_str()) == -1) + throw SysError(format("moving build output `%1%' from the chroot to the store") % path); + if (S_ISDIR(st.st_mode) && chmod(path.c_str(), st.st_mode) == -1) + throw SysError(format("restoring permissions on directory `%1%'") % actualPath); + } } if (buildMode != bmCheck) actualPath = path; } 
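Review bot: the comment says "Ensure that the builder is within the store", but the code only canonicalises `drv.builder` and relies on `canonPath` throwing when a symlink target does not resolve inside the chroot; nothing verifies that the resolved path actually starts with `settings.nixStore`, so a builder resolving to any other path visible in the chroot (under `/tmp`, or a directory added with `--chroot-directory`) still passes. Either add an explicit `isInStore`-style prefix check after the `canonPath` call or reword the comment to state the weaker guarantee. In the `registerOutputs` hunk, the return value of `chmod(actualPath.c_str(), st.st_mode | 0700)` is ignored, and the "restoring permissions" error reports `actualPath` although the `chmod` it describes targeted `path`.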
@@ -2736,16 +2838,46 @@ void DerivationGoal::deleteTmpDir(bool force) // Change the ownership if clientUid is set. Never change the // ownership or the group to "root" for security reasons. if (settings.clientUid != (uid_t) -1 && settings.clientUid != 0) { - _chown(tmpDir, settings.clientUid, - settings.clientGid != 0 ? settings.clientGid : -1); + uid_t uid = settings.clientUid; + gid_t gid = settings.clientGid != 0 ? settings.clientGid : -1; + bool reown = false; + + /* First remove setuid/setgid bits. */ + secureFilePerms(tmpDir); + + try { + _chown(tmpDir, uid, gid); + + if (getuid() != 0) { + /* If, without being root, the '_chown' call above + succeeded, then it means we have CAP_CHOWN. Retake + ownership of tmpDir itself so it can be renamed + below. */ + reown = true; + } + + } catch (SysError & e) { + /* When running as an unprivileged user and without + CAP_CHOWN, we cannot chown the build tree. Print a + message and keep going. */ + printMsg(lvlInfo, format("cannot change ownership of build directory '%1%': %2%") + % tmpDir % strerror(e.errNo)); + } if (top != tmpDir) { + if (reown) chown(tmpDir.c_str(), getuid(), getgid()); + // Rename tmpDir to its parent, with an intermediate step. string pivot = top + ".pivot"; if (rename(top.c_str(), pivot.c_str()) == -1) throw SysError("pivoting failed build tree"); if (rename((pivot + "/top").c_str(), top.c_str()) == -1) throw SysError("renaming failed build tree"); + + if (reown) + /* Running unprivileged but with CAP_CHOWN. */ + chown(top.c_str(), uid, gid); + rmdir(pivot.c_str()); } } diff --git a/nix/libstore/local-store.cc b/nix/libstore/local-store.cc index 0883a4bbce..83e6c3e16e 100644 --- a/nix/libstore/local-store.cc +++ b/nix/libstore/local-store.cc 
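Review bot: the two `chown` calls added for the `reown` case, `chown(tmpDir.c_str(), getuid(), getgid())` and `chown(top.c_str(), uid, gid)`, ignore their return values; if the first fails, the following `rename(top, pivot)` throws "pivoting failed build tree" with no hint that ownership was the cause, and if the second fails the kept build tree silently stays owned by the daemon instead of the client that asked for `--keep-failed`. Check both and report through `printMsg` like the `_chown` failure just above. Also, moving `secureFilePerms(tmpDir)` ahead of `_chown` is the right order (strip setuid/setgid bits before handing the tree over), and the comment "First remove setuid/setgid bits" should say why.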
@@ -1614,11 +1614,19 @@ void LocalStore::createUser(const std::string & userName, uid_t userId) { auto dir = settings.nixStateDir + "/profiles/per-user/" + userName; - createDirs(dir); - if (chmod(dir.c_str(), 0755) == -1) - throw SysError(format("changing permissions of directory '%s'") % dir); - if (chown(dir.c_str(), userId, -1) == -1) - throw SysError(format("changing owner of directory '%s'") % dir); + auto created = createDirs(dir); + if (!created.empty()) { + if (chmod(dir.c_str(), 0755) == -1) + throw SysError(format("changing permissions of directory '%s'") % dir); + + /* The following operation requires CAP_CHOWN or can be handled + manually by a user with CAP_CHOWN. */ + if (chown(dir.c_str(), userId, -1) == -1) { + rmdir(dir.c_str()); + string message = strerror(errno); + printMsg(lvlInfo, format("failed to change owner of directory '%1%' to %2%: %3%") % dir % userId % message); + } + } } diff --git a/tests/derivations.scm b/tests/derivations.scm index 72ea9aa9cc..9ea8b4a300 100644 --- a/tests/derivations.scm +++ b/tests/derivations.scm 
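Review bot: when the `chown` fails the directory is removed again and a message is printed at `lvlInfo`, so a daemon without `CAP_CHOWN` will recreate and delete `/var/guix/profiles/per-user/<user>` and log the same line on every client connection; log once (or at `lvlError`, with the manual step the comment alludes to) and consider leaving the directory in place when the daemon itself owns it. Also, the `if (!created.empty())` guard means a pre-existing directory is no longer checked for mode or owner at all, so one left behind with the wrong ownership is accepted silently, where the old code would at least have re-applied `chmod`/`chown`; a `stat` comparison on the existing directory keeps that guarantee.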
@@ -858,6 +858,16 @@ (define* (directory-contents dir #:optional (slurp get-bytevector-all)) (call-with-input-file (derivation->output-path drv) get-string-all)))) +(test-assert "builder is outside the store" + (let* ((builder (add-file-tree-to-store %store + `("builder" symlink "/proc/self/exe"))) + (drv (derivation %store "attempt-to-run-guix-daemon" builder '() + #:env-vars + '(("LD_PRELOAD" . "attacker-controlled.so"))))) + (guard (c ((store-protocol-error? c) c)) + (build-derivations %store (list drv)) + #f))) + (define %coreutils (false-if-exception
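Review bot: the test only asserts that `build-derivations` raises a `store-protocol-error`, so it would also pass if the builder had actually been executed and merely failed afterwards for an unrelated reason; match on the error message (the `canonPath` failure the build.cc comment describes) or otherwise check that the daemon refused the builder before running it, so the test pins the behaviour it is named for. A short comment noting that `"attacker-controlled.so"` is a placeholder that never exists, and that the test is expected to fail before `LD_PRELOAD` could matter, will spare a future reader a search for the file.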
Subject: [bug#75810] [PATCH v7 08/16] daemon: Create /var/guix/profiles/per-user unconditionally.
From: Ludovic Courtès
Date: Thu, 20 Mar 2025 21:54:41 +0100
Message-ID: <9267d0a9de0def5e4dd30fb3c2e420b116ddb5af.1742503591.git.ludo@gnu.org>

* nix/libstore/local-store.cc (LocalStore::LocalStore): Create ‘perUserDir’ unconditionally.

Change-Id: I5188320f9630a81d16f79212d0fffabd55d94abe
---
nix/libstore/local-store.cc | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/nix/libstore/local-store.cc b/nix/libstore/local-store.cc index 83e6c3e16e..f6540c2117 100644 --- a/nix/libstore/local-store.cc +++ b/nix/libstore/local-store.cc
@@ -79,12 +79,12 @@ LocalStore::LocalStore(bool reserveSpace) createSymlink(profilesDir, gcRootsDir + "/profiles"); } - /* Optionally, create directories and set permissions for a - multi-user install. */ + Path perUserDir = profilesDir + "/per-user"; + createDirs(perUserDir); + + /* Optionally, set permissions for a multi-user install. */ if (getuid() == 0 && settings.buildUsersGroup != "") { - Path perUserDir = profilesDir + "/per-user"; - createDirs(perUserDir); if (chmod(perUserDir.c_str(), 0755) == -1) throw SysError(format("could not set permissions on '%1%' to 755") % perUserDir); From patchwork Thu Mar 20 20:54:42 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40525 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id B788627BBE9; Thu, 20 Mar 2025 20:58:10 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 27A1D27BBE2 for ; Thu, 20 Mar 2025 20:58:09 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tvMxp-000333-TN; Thu, 20 Mar 2025 16:58:05 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tvMxn-0002z9-QD for guix-patches@gnu.org; Thu, 20 Mar 2025 16:58:04 -0400 Received: from debbugs.gnu.org 
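Review bot: with `createDirs(perUserDir)` now unconditional but `chmod(perUserDir.c_str(), 0755)` still inside `if (getuid() == 0 && settings.buildUsersGroup != "")`, a daemon running as a non-root user creates the directory with whatever mode its umask yields and never adjusts it. chmod on a directory the process owns needs no privilege, so the chmod could move out of the root-only block next to createDirs, leaving only the steps that actually need root under the condition; otherwise the updated comment "Optionally, set permissions for a multi-user install." should say that in the unprivileged case the mode is left to the umask.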
Subject: [bug#75810] [PATCH v7 09/16] daemon: Drop Linux ambient capabilities before executing builder.
From: Ludovic Courtès
Date: Thu, 20 Mar 2025 21:54:42 +0100
Message-ID: <50bb8842d557522b6929215bbd5a721b1fa4c69b.1742503591.git.ludo@gnu.org>

* config-daemon.ac: Check for .
* nix/libstore/build.cc (DerivationGoal::runChild): When ‘useChroot’ is true, call ‘prctl’ to drop all ambient capabilities.

Change-Id: If34637fc508e5fb6d278167f5df7802fc595284f
---
config-daemon.ac | 2 +-
nix/libstore/build.cc | 9 +++++++++
2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/config-daemon.ac b/config-daemon.ac index 4e949bc88a..35d9c8cd56 100644 --- a/config-daemon.ac +++ b/config-daemon.ac @@ -79,7 +79,7 @@ if test "x$guix_build_daemon" = "xyes"; then dnl Chroot support. AC_CHECK_FUNCS([chroot unshare]) AC_CHECK_HEADERS([sched.h sys/param.h sys/mount.h sys/syscall.h \ - linux/close_range.h]) + linux/close_range.h sys/prctl.h]) if test "x$ac_cv_func_chroot" != "xyes"; then AC_MSG_ERROR(['chroot' function missing, bailing out]) diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc index e6cd45aba4..fa0f293aac 100644 --- a/nix/libstore/build.cc +++ b/nix/libstore/build.cc @@ -50,6 +50,9 @@ #if HAVE_SCHED_H #include #endif +#if HAVE_SYS_PRCTL_H +#include +#endif #define CHROOT_ENABLED HAVE_CHROOT && HAVE_SYS_MOUNT_H && defined(MS_BIND) && defined(MS_PRIVATE)
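Review bot: `AC_CHECK_HEADERS([... sys/prctl.h])` only establishes that the header exists, not that it defines `PR_CAP_AMBIENT` and `PR_CAP_AMBIENT_CLEAR_ALL`, which arrived with Linux 4.3 and the matching libc headers; on an older toolchain HAVE_SYS_PRCTL_H is set and the prctl call added later in this patch fails to compile. Either add a compile-time check for the constant (AC_CHECK_DECLS with the header included) or guard the call site with `#ifdef PR_CAP_AMBIENT` in addition to HAVE_SYS_PRCTL_H.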
@@ -2075,6 +2078,12 @@ void DerivationGoal::runChild() #if CHROOT_ENABLED if (useChroot) { +# if HAVE_SYS_PRCTL_H + /* Drop ambient capabilities such as CAP_CHOWN that might have + been granted when starting guix-daemon. */ + prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0); +# endif + if (!fixedOutput) { /* Initialise the loopback interface. */ AutoCloseFD fd(socket(PF_INET, SOCK_DGRAM, IPPROTO_IP)); From patchwork Thu Mar 20 20:54:43 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40527 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 611EE27BBEB; Thu, 20 Mar 2025 20:58:16 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 3B97527BBE9 for ; Thu, 20 Mar 2025 20:58:16 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tvMxu-00037R-Nq; Thu, 20 Mar 2025 16:58:11 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tvMxs-00034j-2q for guix-patches@gnu.org; Thu, 20 Mar 2025 16:58:08 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1tvMxr-0002oJ-KP for guix-patches@gnu.org; Thu, 20 Mar 2025 16:58:07 -0400 
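Review bot: the return value of `prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0)` is discarded, so on a kernel older than 4.3 (where it fails with EINVAL) the child proceeds with no indication that the ambient set was not cleared; since the call is there as a security boundary, at least log the failure. Note also that it sits inside `if (useChroot)`, so a daemon started with ambient capabilities and `--disable-chroot` still hands them to the builder; if that is intended, the comment "Drop ambient capabilities such as CAP_CHOWN that might have been granted when starting guix-daemon." should say so, otherwise the prctl belongs before the chroot branch.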
Subject: [bug#75810] [PATCH v7 10/16] daemon: Move comments where they belong.
From: Ludovic Courtès
Date: Thu, 20 Mar 2025 21:54:43 +0100

* nix/libstore/build.cc (DerivationGoal::startBuilder): Shuffle comments for clarity.

Change-Id: I6557c103ade4a3ab046354548ea193c68f8c9c05
---
nix/libstore/build.cc | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc index fa0f293aac..1733322316 100644 --- a/nix/libstore/build.cc +++ b/nix/libstore/build.cc
@@ -1870,18 +1870,19 @@ void DerivationGoal::startBuilder() } dirsInChroot[tmpDirInSandbox] = tmpDir; - /* Make the closure of the inputs available in the chroot, - rather than the whole store. This prevents any access - to undeclared dependencies. !!! As an extra security - precaution, make the fake store only writable by the - build user. */ + /* Create the fake store. */ Path chrootStoreDir = chrootRootDir + settings.nixStore; createDirs(chrootStoreDir); chmod_(chrootStoreDir, 01775); if (buildUser.enabled() && chown(chrootStoreDir.c_str(), 0, buildUser.getGID()) == -1) - throw SysError(format("cannot change ownership of ‘%1%’") % chrootStoreDir); + /* As an extra security precaution, make the fake store only + writable by the build user. */ + throw SysError(format("cannot change ownership of ‘%1%’") % chrootStoreDir); + /* Make the closure of the inputs available in the chroot, rather than + the whole store. This prevents any access to undeclared + dependencies. */ foreach (PathSet::iterator, i, inputPaths) { struct stat st; if (lstat(i->c_str(), &st)) From patchwork Thu Mar 20 20:54:44 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40532 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id E771E27BBEA; Thu, 20 Mar 2025 20:58:28 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id A9BE627BBE2 for ; Thu, 20 
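Review bot: the relocated comment "As an extra security precaution, make the fake store only writable by the build user." now sits between `if (buildUser.enabled() && chown(chrootStoreDir.c_str(), 0, buildUser.getGID()) == -1)` and its `throw`, i.e. inside the if body directly before the throw, where it reads as an explanation of the error path rather than of the `chmod_(chrootStoreDir, 01775)` and `chown` that implement the precaution; put it above the chmod_ line (or fold it into "Create the fake store."). The other moved comment, "Make the closure of the inputs available in the chroot ...", is correctly placed above the `foreach` over inputPaths.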
Subject: [bug#75810] [PATCH v7 11/16] linux-container: ‘unprivileged-user-namespace-supported?’ returns #f on non-Linux.
From: Ludovic Courtès
Date: Thu, 20 Mar 2025 21:54:44 +0100
Message-ID: <83d801db84571a21ca93b2d177fca07888b99644.1742503591.git.ludo@gnu.org>

Previously this procedure would return #t on non-Linux systems.

* gnu/build/linux-container.scm (unprivileged-user-namespace-supported?): When USERNS-FILE doesn’t exist, return (user-namespace-supported?).

Reported-by: Reepca Russelstein
Change-Id: I92050338b8b68bc3bd87100317eba69fcdf14a0a
---
gnu/build/linux-container.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/build/linux-container.scm b/gnu/build/linux-container.scm index 5c303da8c8..a5c5d8962e 100644 --- a/gnu/build/linux-container.scm +++ b/gnu/build/linux-container.scm @@ -1,6 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2015 David Thompson -;;; Copyright © 2017-2019, 2022, 2023 Ludovic Courtès +;;; Copyright © 2017-2019, 2022-2023, 2025 Ludovic Courtès ;;; ;;; This file is part of GNU Guix. ;;;
@@ -44,7 +44,7 @@ (define (unprivileged-user-namespace-supported?) (let ((userns-file "/proc/sys/kernel/unprivileged_userns_clone")) (if (file-exists? userns-file) (eqv? #\1 (call-with-input-file userns-file read-char)) - #t))) + (user-namespace-supported?)))) (define (setgroups-supported?) "Return #t if the setgroups proc file, introduced in Linux-libre 3.19, From patchwork Thu Mar 20 20:54:45 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40528 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 8E28B27BBE9; Thu, 20 Mar 2025 20:58:16 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id B071C27BBE2 for ; Thu, 20 Mar 2025 20:58:15 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tvMxp-000335-Uf; Thu, 20 Mar 2025 16:58:05 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tvMxo-00031G-LI for guix-patches@gnu.org; Thu, 20 Mar 2025 16:58:04 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1tvMxo-0002nd-B5 for guix-patches@gnu.org; Thu, 20 Mar 2025 16:58:04 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; 
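Review bot: falling back to `(user-namespace-supported?)` when /proc/sys/kernel/unprivileged_userns_clone is absent fixes the non-Linux case, but that sysctl is a Debian-specific patch, so on a mainline Linux kernel the procedure still reports #t whenever user namespaces exist, even when unprivileged creation is disabled by setting /proc/sys/user/max_user_namespaces to 0. Either consult that file in the fallback as well, or state in the docstring that the check is best-effort and callers must still handle a failed clone.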
Subject: [bug#75810] [PATCH v7 12/16] tests: Add missing derivation inputs.
From: Ludovic Courtès
Date: Thu, 20 Mar 2025 21:54:45 +0100

These missing inputs go unnoticed when running ‘guix-daemon --disable-chroot’ but are immediately visible otherwise.

* tests/derivations.scm ("fixed-output derivation"): Add %BASH to #:sources.
("fixed-output derivation: output paths are equal"):
("fixed-output derivation, recursive"):
("derivation with a fixed-output input"):
("derivation with duplicate fixed-output inputs"):
("derivation with equivalent fixed-output inputs"):
("build derivation with coreutils"): Likewise.
* tests/packages.scm (bootstrap-binary): New procedure.
("package-source-derivation, origin, sha512"): Use it instead of ‘search-bootstrap-binary’ and add BASH to #:sources.
("package-source-derivation, origin, sha3-512"): Likewise.

Change-Id: I4c9087df23c47729a3aff15e9e1435b7266e36e2
---
tests/derivations.scm | 24 +++++++++++++++---------
tests/packages.scm | 13 +++++++++----
2 files changed, 24 insertions(+), 13 deletions(-)

diff --git a/tests/derivations.scm b/tests/derivations.scm index 9ea8b4a300..b364110de0 100644 --- a/tests/derivations.scm +++ b/tests/derivations.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2012-2024 Ludovic Courtès +;;; Copyright © 2012-2025 Ludovic Courtès ;;; ;;; This file is part of GNU Guix. ;;;
@@ -443,7 +443,7 @@ (define* (directory-contents dir #:optional (slurp get-bytevector-all)) (string-append "fixed-" (symbol->string hash-algorithm)) %bash `(,builder) - #:sources `(,builder) ;optional + #:sources (list %bash builder) #:hash hash #:hash-algo hash-algorithm))) (build-derivations %store (list drv)) @@ -462,9 +462,11 @@ (define* (directory-contents dir #:optional (slurp get-bytevector-all)) (hash (gcrypt:sha256 (string->utf8 "hello"))) (drv1 (derivation %store "fixed" %bash `(,builder1) + #:sources (list %bash builder1) #:hash hash #:hash-algo 'sha256)) (drv2 (derivation %store "fixed" %bash `(,builder2) + #:sources (list %bash builder2) #:hash hash #:hash-algo 'sha256)) (succeeded? (build-derivations %store (list drv1 drv2)))) (and succeeded? @@ -477,7 +479,7 @@ (define* (directory-contents dir #:optional (slurp get-bytevector-all)) (hash (gcrypt:sha256 (string->utf8 "hello"))) (drv (derivation %store "fixed-rec" %bash `(,builder) - #:sources (list builder) + #:sources (list %bash builder) #:hash (base32 "0sg9f58l1jj88w6pdrfdpj5x9b1zrwszk84j81zvby36q9whhhqa") #:hash-algo 'sha256 #:recursive? #t)) @@ -511,9 +513,11 @@ (define* (directory-contents dir #:optional (slurp get-bytevector-all)) (hash (gcrypt:sha256 (string->utf8 "hello"))) (fixed1 (derivation %store "fixed" %bash `(,builder1) + #:sources (list %bash builder1) #:hash hash #:hash-algo 'sha256)) (fixed2 (derivation %store "fixed" %bash `(,builder2) + #:sources (list %bash builder2) #:hash hash #:hash-algo 'sha256)) (fixed-out (derivation->output-path fixed1)) (builder3 (add-text-to-store 
@@ -548,9 +552,11 @@ (define* (directory-contents dir #:optional (slurp get-bytevector-all)) (hash (gcrypt:sha256 (string->utf8 "hello"))) (fixed1 (derivation %store "fixed" %bash `(,builder1) + #:sources (list %bash builder1) #:hash hash #:hash-algo 'sha256)) (fixed2 (derivation %store "fixed" %bash `(,builder2) + #:sources (list %bash builder2) #:hash hash #:hash-algo 'sha256)) (builder3 (add-text-to-store %store "builder.sh" "echo fake builder")) @@ -580,21 +586,21 @@ (define* (directory-contents dir #:optional (slurp get-bytevector-all)) '())) (hash (gcrypt:sha256 (string->utf8 "hello"))) (drv1 (derivation %store "fixed" %bash (list builder1) - #:sources (list builder1) + #:sources (list %bash builder1) #:hash hash #:hash-algo 'sha256)) (drv2 (derivation %store "fixed" %bash (list builder2) - #:sources (list builder2) + #:sources (list %bash builder2) #:hash hash #:hash-algo 'sha256)) (drv3a (derivation %store "fixed-user" %bash (list builder3) #:outputs '("one" "two") - #:sources (list builder3) + #:sources (list %bash builder3) #:inputs (list (derivation-input drv1)))) (drv3b (derivation %store "fixed-user" %bash (list builder3) #:outputs '("one" "two") - #:sources (list builder3) + #:sources (list %bash builder3) #:inputs (list (derivation-input drv2)))) (drv4 (derivation %store "fixed-user-user" %bash (list builder1) - #:sources (list builder1) + #:sources (list %bash builder1) #:inputs (list (derivation-input drv3a '("one")) (derivation-input drv3b '("two")))))) (match (derivation-inputs drv4) @@ -888,7 +894,7 @@ (define %coreutils ,(string-append (derivation->output-path %coreutils) "/bin"))) - #:sources (list builder) + #:sources (list %bash builder) #:inputs (list (derivation-input %coreutils)))) (succeeded? (build-derivations %store (list drv)))) diff --git a/tests/packages.scm b/tests/packages.scm index 50c1cab915..f56c63128d 100644 --- a/tests/packages.scm +++ b/tests/packages.scm 
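Review bot: the "fixed-output derivation" hunk replaces `#:sources `(,builder) ;optional` with `#:sources (list %bash builder)` and drops the comment; since the commit message explains that the omission only surfaces when the daemon runs with a chroot, a one-line comment at the first occurrence (the builder's closure, bash included, must be declared for the build to see it inside the chroot) would keep the next test author from leaving %bash out again. The same `(list %bash builderN)` is now repeated in every fixed-output test across these hunks; a tiny helper that prepends %bash to the builder list would make the intent explicit and the pattern harder to get wrong.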
@@ -80,6 +80,11 @@ (define %store ;; When grafting, do not add dependency on 'glibc-utf8-locales'. (%graft-with-utf8-locale? #f) +(define (bootstrap-binary name) + (let ((bin (search-bootstrap-binary name (%current-system)))) + (and %store + (add-to-store %store name #t "sha256" bin)))) + (test-begin "packages") @@ -609,14 +614,14 @@ (define %store (test-equal "package-source-derivation, origin, sha512" "hello" - (let* ((bash (search-bootstrap-binary "bash" (%current-system))) + (let* ((bash (bootstrap-binary "bash")) (builder (add-text-to-store %store "my-fixed-builder.sh" "echo -n hello > $out" '())) (method (lambda* (url hash-algo hash #:optional name #:rest rest) (and (eq? hash-algo 'sha512) (raw-derivation name bash (list builder) - #:sources (list builder) + #:sources (list bash builder) #:hash hash #:hash-algo hash-algo)))) (source (origin 
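Review bot: in the tests/packages.scm hunk that adds `bootstrap-binary`, the helper returns `#f` whenever `%store` is `#f` (the `(and %store ...)` guard), so in the sha512 test below it `bash` becomes `#f` and `#:sources (list bash builder)` hands `#f` to `raw-derivation`. That is only harmless if every test calling the helper is already skipped when there is no store; if any is not, guard the call site with `(unless %store (test-skip 1))` or make `bootstrap-binary` raise an explicit error instead of returning `#f`.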
@@ -635,14 +640,14 @@ (define %store (test-equal "package-source-derivation, origin, sha3-512" "hello, sha3" - (let* ((bash (search-bootstrap-binary "bash" (%current-system))) + (let* ((bash (bootstrap-binary "bash")) (builder (add-text-to-store %store "my-fixed-builder.sh" "echo -n hello, sha3 > $out" '())) (method (lambda* (url hash-algo hash #:optional name #:rest rest) (and (eq? hash-algo 'sha3-512) (raw-derivation name bash (list builder) - #:sources (list builder) + #:sources (list bash builder) #:hash hash #:hash-algo hash-algo)))) (source (origin

From patchwork Thu Mar 20 20:54:46 2025
X-Patchwork-Submitter: Ludovic Courtès
X-Patchwork-Id: 40534
Subject: [bug#75810] [PATCH v7 13/16] tests: Run in a chroot and unprivileged user namespaces.
From: Ludovic Courtès
Date: Thu, 20 Mar 2025 21:54:46 +0100
Message-ID: <335f3ea4e1f909e6ba8d7c95edbe78b56ea475da.1742503591.git.ludo@gnu.org>

* build-aux/test-env.in: Pass ‘--disable-chroot’ only when unprivileged user namespace support is lacking and warn in that case.
* tests/store.scm ("build-things, check mode"): Use ‘gettimeofday’ rather than a shared file as a source of entropy.
("symlink is symlink") ("isolated environment", "inputs are read-only") ("inputs cannot be remounted read-write") ("build root cannot be made world-readable") ("/tmp, store, and /dev/{null,full} are writable") ("network is unreachable"): New tests.
* tests/processes.scm ("client + lock"): Skip when ‘unprivileged-user-namespace-supported?’ returns true.

Change-Id: I3b3c3ebdf6db5fd36ee70251d07b893c17ca1b84
--- build-aux/test-env.in | 18 ++- tests/processes.scm | 9 +- tests/store.scm | 247 ++++++++++++++++++++++++++++++++++++------ 3 files changed, 236 insertions(+), 38 deletions(-)
diff --git a/build-aux/test-env.in b/build-aux/test-env.in index 9caa29da58..86c2e585d7 100644 --- a/build-aux/test-env.in +++ b/build-aux/test-env.in @@ -1,7 +1,7 @@ #!/bin/sh # GNU Guix --- Functional package management for GNU -# Copyright © 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2021 Ludovic Courtès +# Copyright © 2012-2019, 2021, 2025 Ludovic Courtès # # This file is part of GNU Guix. #
@@ -102,10 +102,24 @@ then rm -rf "$GUIX_STATE_DIRECTORY/daemon-socket" mkdir -m 0700 "$GUIX_STATE_DIRECTORY/daemon-socket" + # If unprivileged user namespaces are not supported, pass + # '--disable-chroot'. + if [ -f /proc/self/ns/user ] \ + && { [ ! -f /proc/sys/kernel/unprivileged_userns_clone ] \ + || [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" -eq 1 ]; } + then + extra_options="" + else + extra_options="--disable-chroot" + echo "unprivileged user namespaces not supported; \ +running 'guix-daemon $extra_options'" >&2 + fi + # Launch the daemon without chroot support because is may be # unavailable, for instance if we're not running as root. "@abs_top_builddir@/pre-inst-env" \ - "@abs_top_builddir@/guix-daemon" --disable-chroot \ + "@abs_top_builddir@/guix-daemon" \ + $extra_options \ --substitute-urls="$GUIX_BINARY_SUBSTITUTE_URL" & daemon_pid=$! diff --git a/tests/processes.scm b/tests/processes.scm index ba518f2d9e..a72ba16f58 100644 --- a/tests/processes.scm +++ b/tests/processes.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2018 Ludovic Courtès +;;; Copyright © 2018, 2025 Ludovic Courtès ;;; Copyright © 2019 Mathieu Othacehe ;;; ;;; This file is part of GNU Guix. @@ -25,6 +25,8 @@ (define-module (test-processes) #:use-module (guix gexp) #:use-module ((guix utils) #:select (call-with-temporary-directory)) #:use-module (gnu packages bootstrap) + #:use-module ((gnu build linux-container) + #:select (unprivileged-user-namespace-supported?)) #:use-module (guix tests) #:use-module (srfi srfi-1) #:use-module (srfi srfi-64) 
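Review bot: the support check in the build-aux/test-env.in hunk (`[ -f /proc/self/ns/user ]` plus the Debian-style `unprivileged_userns_clone` sysctl) only shows that the kernel has user namespaces, not that this process may create one: `user.max_user_namespaces=0`, AppArmor's `kernel.apparmor_restrict_unprivileged_userns`, or a seccomp filter in a CI container all leave the check passing while `clone(CLONE_NEWUSER)` fails, so the daemon would start in chroot mode and every build would fail. Probing directly (`unshare -Ur true`) or reusing the predicate the test files use (`unprivileged-user-namespace-supported?` from (gnu build linux-container)) keeps test-env and the `test-skip` calls in agreement. Also, the untouched context comment `# Launch the daemon without chroot support because is may be` is now stale (the daemon only sometimes runs without chroot) and has a typo (`is` for `it`); rewrite it to describe the conditional.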
@@ -84,6 +86,11 @@ (define-syntax-rule (test-assert* description exp) (and (kill (process-id daemon) 0) (string-suffix? "guix-daemon" (first (process-command daemon))))))) +(when (unprivileged-user-namespace-supported?) + ;; The test below assumes the build process can communicate with the outside + ;; world via the TOKEN1 and TOKEN2 files, which is impossible when + ;; guix-daemon is set up to build in separate namespaces. + (test-skip 1)) (test-assert* "client + lock" (with-store store (call-with-temporary-directory diff --git a/tests/store.scm b/tests/store.scm index 45948f4f43..b1ddff2082 100644 --- a/tests/store.scm +++ b/tests/store.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2012-2021, 2023 Ludovic Courtès +;;; Copyright © 2012-2021, 2023, 2025 Ludovic Courtès ;;; ;;; This file is part of GNU Guix. ;;; @@ -28,8 +28,12 @@ (define-module (test-store) #:use-module (guix base32) #:use-module (guix packages) #:use-module (guix derivations) + #:use-module ((guix modules) + #:select (source-module-closure)) #:use-module (guix serialization) #:use-module (guix build utils) + #:use-module ((gnu build linux-container) + #:select (unprivileged-user-namespace-supported?)) #:use-module (guix gexp) #:use-module (gnu packages) #:use-module (gnu packages bootstrap) 
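Review bot: in the tests/processes.scm hunk, `(when (unprivileged-user-namespace-supported?) (test-skip 1))` asks whether the test process can create a user namespace, but what decides whether TOKEN1/TOKEN2 are reachable from the build is whether test-env started guix-daemon with `--disable-chroot`, and test-env decides that with a different check. If the two disagree, the test either runs against a sandboxed daemon and fails or is skipped needlessly; having test-env export its decision (for instance in an environment variable holding the extra daemon options) and checking that here removes the ambiguity.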
@@ -391,6 +395,188 @@ (define %shell (equal? (valid-derivers %store o) (list (derivation-file-name d)))))) +(test-assert "symlink is symlink" + (let* ((a (add-text-to-store %store "hello.txt" (random-text))) + (b (build-expression->derivation + %store "symlink" + '(symlink (assoc-ref %build-inputs "a") %output) + #:inputs `(("a" ,a)))) + (c (build-expression->derivation + %store "symlink-reference" + `(call-with-output-file %output + (lambda (port) + ;; Check that B is indeed visible as a symlink. This should + ;; always be the case, both in the '--disable-chroot' and in + ;; the user namespace setups. + (pk 'stat (lstat (assoc-ref %build-inputs "b"))) + (display (readlink (assoc-ref %build-inputs "b")) + port))) + #:inputs `(("b" ,b))))) + (and (build-derivations %store (list c)) + (string=? (call-with-input-file (derivation->output-path c) + get-string-all) + a)))) + +(unless (unprivileged-user-namespace-supported?) + (test-skip 1)) +(test-equal "isolated environment" + (string-join (append + '("PID: 1" "UID: 30001") + (delete-duplicates + (sort (list "/dev" "/tmp" "/proc" "/etc" + (match (string-tokenize (%store-prefix) + (char-set-complement + (char-set #\/))) + ((top _ ...) (string-append "/" top)))) + string $out")) + (s (add-to-store %store "bash" #t "sha256" + (search-bootstrap-binary "bash" + (%current-system)))) + (d (derivation %store "the-thing" + s `("-e" ,b) + #:env-vars `(("foo" . ,(random-text))) + #:sources (list b s))) + (o (derivation->output-path d))) + (and (build-derivations %store (list d)) + (call-with-input-file o get-string-all)))) + +(unless (unprivileged-user-namespace-supported?) + (test-skip 1)) +(test-equal "inputs are read-only" + "All good!" 
+ (let* ((input (plain-file (string-append "might-be-tampered-with-" + (number->string + (car (gettimeofday)) + 16)) + "All good!")) + (drv + (run-with-store %store + (gexp->derivation + "attempt-to-write-to-input" + (with-imported-modules (source-module-closure + '((guix build syscalls))) + #~(begin + (use-modules (guix build syscalls)) + + (let ((input #$input)) + (chmod input #o666) + (call-with-output-file input + (lambda (port) + (display "BAD!" port))) + (mkdir #$output)))))))) + (and (guard (c ((store-protocol-error? c) #t)) + (build-derivations %store (list drv))) + (call-with-input-file (run-with-store %store + (lower-object input)) + get-string-all)))) + +(unless (unprivileged-user-namespace-supported?) + (test-skip 1)) +(test-assert "inputs cannot be remounted read-write" + (let ((drv + (run-with-store %store + (gexp->derivation + "attempt-to-remount-input-read-write" + (with-imported-modules (source-module-closure + '((guix build syscalls))) + #~(begin + (use-modules (guix build syscalls)) + + (let ((input #$(plain-file "input-that-might-be-tampered-with" + "All good!"))) + (mount "none" input "none" (logior MS_BIND MS_REMOUNT)) + (call-with-output-file input + (lambda (port) + (display "BAD!" port))) + (mkdir #$output)))))))) + (guard (c ((store-protocol-error? c) #t)) + (build-derivations %store (list drv)) + #f))) + +(unless (unprivileged-user-namespace-supported?) 
+ (test-skip 1)) +(test-assert "build root cannot be made world-readable" + (let ((drv + (run-with-store %store + (gexp->derivation + "attempt-to-make-root-world-readable" + (with-imported-modules (source-module-closure + '((guix build syscalls))) + #~(begin + (use-modules (guix build syscalls)) + + (catch 'system-error + (lambda () + (chmod "/" #o777)) + (lambda args + (format #t "failed to make root writable: ~a~%" + (strerror (system-error-errno args))) + (format #t "attempting read-write remount~%") + (mount "none" "/" "/" (logior MS_BIND MS_REMOUNT)) + (chmod "/" #o777))) + + ;; At this point, the build process could create a + ;; world-readable setuid binary under its root (so in the + ;; store) that would remain visible until the build + ;; completes. + (mkdir #$output))))))) + (guard (c ((store-protocol-error? c) #t)) + (build-derivations %store (list drv)) + #f))) + +(unless (unprivileged-user-namespace-supported?) + (test-skip 1)) +(test-assert "/tmp, store, and /dev/{null,full} are writable" + ;; All of /tmp and all of the store must be writable (the store is writable + ;; so that derivation outputs can be written to it, but in practice it's + ;; always been wide open). Things like /dev/null must be writable too. + (let ((drv (run-with-store %store + (gexp->derivation + "check-tmp-and-store-are-writable" + #~(begin + (mkdir "/tmp/something") + (mkdir (in-vicinity (getenv "NIX_STORE") + "some-other-thing")) + (call-with-output-file "/dev/null" + (lambda (port) + (display "Welcome to the void." port))) + (catch 'system-error + (lambda () + (call-with-output-file "/dev/full" + (lambda (port) + (display "No space left!" port))) + (error "Should have thrown!")) + (lambda args + (unless (= ENOSPC (system-error-errno args)) + (apply throw args)))) + (mkdir #$output)))))) + (build-derivations %store (list drv)))) + +(unless (unprivileged-user-namespace-supported?) 
+ (test-skip 1)) +(test-assert "network is unreachable" + (let ((drv (run-with-store %store + (gexp->derivation + "check-network-unreachable" + #~(let ((check-connection-failure + (lambda (address expected-code) + (let ((s (socket AF_INET SOCK_STREAM 0))) + (catch 'system-error + (lambda () + (connect s AF_INET (inet-pton AF_INET address) 80)) + (lambda args + (let ((errno (system-error-errno args))) + (unless (= expected-code errno) + (error "wrong error code" + errno (strerror errno)))))))))) + (check-connection-failure "127.0.0.1" ECONNREFUSED) + (check-connection-failure "9.9.9.9" ENETUNREACH) + (mkdir #$output)))))) + (build-derivations %store (list drv)))) + (test-equal "with-build-handler" 'success (let* ((b (add-text-to-store %store "build" "echo $foo > $out" '())) 
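Review bot: in the tests/store.scm hunk, the `guard` forms in "inputs cannot be remounted read-write" and "build root cannot be made world-readable" accept any `store-protocol-error?` as success, so a build that fails for an unrelated reason (a compile error in the gexp, a missing module, `mount` raising `ENOENT`) also passes and the test no longer proves the sandbox property. A stricter shape is to catch `'system-error` around the `mount`/`chmod` call inside the builder, write `(strerror errno)` into `#$output`, and assert from the test that it names EPERM or EROFS; "inputs are read-only" already follows the pattern of inspecting the result afterwards. Two smaller points: `(pk 'stat (lstat ...))` in "symlink is symlink" is leftover debugging output, and the test named "build root cannot be made world-readable" checks `chmod "/" #o777`, that is, world-writable, so the name should say so.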
@@ -1333,40 +1519,31 @@ (define %shell (test-assert "build-things, check mode" (with-store store - (call-with-temporary-output-file - (lambda (entropy entropy-port) - (write (random-text) entropy-port) - (force-output entropy-port) - (let* ((drv (build-expression->derivation - store "non-deterministic" - `(begin - (use-modules (rnrs io ports)) - (let ((out (assoc-ref %outputs "out"))) - (call-with-output-file out - (lambda (port) - ;; Rely on the fact that tests do not use the - ;; chroot, and thus ENTROPY is readable. - (display (call-with-input-file ,entropy - get-string-all) - port))) - #t)) - #:guile-for-build - (package-derivation store %bootstrap-guile (%current-system)))) - (file (derivation->output-path drv))) - (and (build-things store (list (derivation-file-name drv))) - (begin - (write (random-text) entropy-port) - (force-output entropy-port) - (guard (c ((store-protocol-error? c) - (pk 'determinism-exception c) - (and (not (zero? (store-protocol-error-status c))) - (string-contains (store-protocol-error-message c) - "deterministic")))) - ;; This one will produce a different result. Since we're in - ;; 'check' mode, this must fail. - (build-things store (list (derivation-file-name drv)) - (build-mode check)) - #f)))))))) + (let* ((drv (build-expression->derivation + store "non-deterministic" + `(begin + (use-modules (rnrs io ports)) + (let ((out (assoc-ref %outputs "out"))) + (call-with-output-file out + (lambda (port) + (let ((now (gettimeofday))) + (display (+ (car now) (cdr now)) port)))) + #t)) + #:guile-for-build + (package-derivation store %bootstrap-guile (%current-system)))) + (file (derivation->output-path drv))) + (and (build-things store (list (derivation-file-name drv))) + (begin + (guard (c ((store-protocol-error? c) + (pk 'determinism-exception c) + (and (not (zero? (store-protocol-error-status c))) + (string-contains (store-protocol-error-message c) + "deterministic")))) + ;; This one will produce a different result. 
Since we're in + ;; 'check' mode, this must fail. + (build-things store (list (derivation-file-name drv)) + (build-mode check)) + #f)))))) (test-assert "build-succeeded trace in check mode" (string-contains

From patchwork Thu Mar 20 20:54:47 2025
X-Patchwork-Submitter: Ludovic Courtès
X-Patchwork-Id: 40526
Subject: [bug#75810] [PATCH v7 14/16] etc: systemd services: Run ‘guix-daemon’ as an unprivileged user.
From: Ludovic Courtès
Date: Thu, 20 Mar 2025 21:54:47 +0100

* etc/guix-daemon.service.in (ExecStart): Remove ‘--build-users-group’.
(Environment): Add ‘GUIX_STATE_DIRECTORY’.
(Before, User, AmbientCapabilities, PrivateMounts, BindPaths): New fields.
* etc/gnu-store.mount.in (Before): Remove.
(WantedBy): Change to ‘multi-user.target’.

Change-Id: Id826b8ab535844b6024d777f6bd15fd49db6d65e
--- etc/gnu-store.mount.in | 3 +-- etc/guix-daemon.service.in | 22 ++++++++++++++++++++-- 2 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/etc/gnu-store.mount.in b/etc/gnu-store.mount.in index c94f2db72b..f9918c9e52 100644 --- a/etc/gnu-store.mount.in +++ b/etc/gnu-store.mount.in @@ -2,10 +2,9 @@ Description=Read-only @storedir@ for GNU Guix DefaultDependencies=no ConditionPathExists=@storedir@ -Before=guix-daemon.service [Install] -WantedBy=guix-daemon.service +WantedBy=multi-user.target [Mount] What=@storedir@
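Review bot: the etc/gnu-store.mount.in hunk drops `Before=guix-daemon.service` and leaves the ordering entirely to the service's own `Before=gnu-store.mount`; with `DefaultDependencies=no` nothing in this unit orders it relative to the daemon any more, so a locally overridden guix-daemon.service that lacks that line gets a read-only store before it can set up its private bind mount. Adding `After=guix-daemon.service` here states the ordering from both sides and is ignored when the service unit is absent.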
diff --git a/etc/guix-daemon.service.in b/etc/guix-daemon.service.in index 5c43d9b7f1..6a5ef97f9b 100644 --- a/etc/guix-daemon.service.in +++ b/etc/guix-daemon.service.in 
@@ -5,11 +5,29 @@ [Unit] Description=Build daemon for GNU Guix +# Start before 'gnu-store.mount' to get a writable view of the store. +Before=gnu-store.mount + [Service] ExecStart=@localstatedir@/guix/profiles/per-user/root/current-guix/bin/guix-daemon \ - --build-users-group=guixbuild --discover=no \ + --discover=no \ --substitute-urls='@GUIX_SUBSTITUTE_URLS@' -Environment='GUIX_LOCPATH=@localstatedir@/guix/profiles/per-user/root/guix-profile/lib/locale' LC_ALL=en_US.utf8 +Environment='GUIX_STATE_DIRECTORY=@localstatedir@/guix' 'GUIX_LOCPATH=@localstatedir@/guix/profiles/per-user/root/guix-profile/lib/locale' LC_ALL=en_US.utf8 + +# Run under a dedicated unprivileged user account. +User=guix-daemon + +# Bind-mount the store read-write in a private namespace, to counter the +# effect of 'gnu-store.mount'. +PrivateMounts=true +BindPaths=@storedir@ + +# Provide the CAP_CHOWN capability so that guix-daemon can create and chown +# /var/guix/profiles/per-user/$USER and also chown failed build directories +# when using '--keep-failed'. Note that guix-daemon explicitly drops ambient +# capabilities before executing build processes so they don't inherit them. 
+AmbientCapabilities=CAP_CHOWN + StandardOutput=journal StandardError=journal

From patchwork Thu Mar 20 20:54:48 2025
X-Patchwork-Submitter: Ludovic Courtès
X-Patchwork-Id: 40531
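Review bot: in the etc/guix-daemon.service.in hunk of patch 14/16 above, `AmbientCapabilities=CAP_CHOWN` together with `User=guix-daemon` relies on the daemon dropping its ambient capabilities before spawning builds, as the comment says; adding `CapabilityBoundingSet=CAP_CHOWN` next to it bounds what any child could ever regain, independently of that code path. Separately, please document what happens on `systemctl restart guix-daemon` once gnu-store.mount is already active: `PrivateMounts=true` lets host mount events propagate into the service's namespace (MountFlags= defaults to slave), so whether `BindPaths=@storedir@` still yields a writable store at that point depends on mount propagation, and the `Before=gnu-store.mount` ordering only covers the boot case.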
Subject: [bug#75810] [PATCH v7 15/16] guix-install.sh: Support the unprivileged daemon where possible.
From: Ludovic Courtès
Date: Thu, 20 Mar 2025 21:54:48 +0100

* etc/guix-install.sh (create_account): New function.
(sys_create_build_user): Use it. When ‘guix-daemon.service’ contains “User=guix-daemon” only create the ‘guix-daemon’ user and group.
(sys_delete_build_user): Delete the ‘guix-daemon’ user and group.
(can_install_unprivileged_daemon): New function.
(sys_create_store): When installing the unprivileged daemon, change ownership of /gnu and /var/guix, and create /var/log/guix.
(sys_authorize_build_farms): When the ‘guix-daemon’ account exists, change ownership of /etc/guix.

Change-Id: I73e573f1cc5c0cb3794aaaa6b576616b66e0c5e9
--- etc/guix-install.sh | 124 +++++++++++++++++++++++++++++++++++--------- 1 file changed, 99 insertions(+), 25 deletions(-)
diff --git a/etc/guix-install.sh b/etc/guix-install.sh index 8887204df4..b5d833cd64 100755 --- a/etc/guix-install.sh +++ b/etc/guix-install.sh
@@ -414,6 +414,11 @@ sys_create_store() cd "$tmp_path" _msg_info "Installing /var/guix and /gnu..." # Strip (skip) the leading ‘.’ component, which fails on read-only ‘/’. + # + # TODO: Eventually extract with ‘--owner=guix-daemon’ when installing + # and unprivileged guix-daemon service; for now, this script may install + # from both an old release that does not support unprivileged guix-daemon + # and a new release that does, so ‘chown -R’ later if needed. tar --extract --strip-components=1 --file "$pkg" -C / _msg_info "Linking the root user's profile" 
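Review bot: the new TODO comment in the sys_create_store hunk reads `and unprivileged guix-daemon service`; it should be `an unprivileged guix-daemon service`. While there, point to where the promised `chown -R` actually happens, since it is not in this function.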
@@ -441,38 +446,95 @@ sys_delete_store() rm -rf ~root/.config/guix } +create_account() +{ + local user="$1" + local group="$2" + local supplementary_groups="$3" + local comment="$4" + + if id "$user" &>/dev/null; then + _msg_info "user '$user' is already in the system, reset" + usermod -g "$group" -G "$supplementary_groups" \ + -d /var/empty -s "$(which nologin)" \ + -c "$comment" "$user" + else + useradd -g "$group" -G "$supplementary_groups" \ + -d /var/empty -s "$(which nologin)" \ + -c "$comment" --system "$user" + _msg_pass "user added <$user>" + fi +} + +install_unprivileged_daemon() +{ # Return true when installing guix-daemon running without privileges. + [ "$INIT_SYS" = systemd ] && \ + grep -q "User=guix-daemon" \ + ~root/.config/guix/current/lib/systemd/system/guix-daemon.service +} + sys_create_build_user() { # Create the group and user accounts for build users. _debug "--- [ ${FUNCNAME[0]} ] ---" - if getent group guixbuild > /dev/null; then - _msg_info "group guixbuild exists" - else - groupadd --system guixbuild - _msg_pass "group created" - fi - if getent group kvm > /dev/null; then _msg_info "group kvm exists and build users will be added to it" local KVMGROUP=,kvm fi - for i in $(seq -w 1 10); do - if id "guixbuilder${i}" &>/dev/null; then - _msg_info "user is already in the system, reset" - usermod -g guixbuild -G guixbuild"$KVMGROUP" \ - -d /var/empty -s "$(which nologin)" \ - -c "Guix build user $i" \ - "guixbuilder${i}"; - else - useradd -g guixbuild -G guixbuild"$KVMGROUP" \ - -d /var/empty -s "$(which nologin)" \ - -c "Guix build user $i" --system \ - "guixbuilder${i}"; - _msg_pass "user added " - fi - done + if install_unprivileged_daemon + then + _msg_info "installing guix-daemon to run as an unprivileged user" + + # Installing guix-daemon to run as a non-root user requires + # unprivileged user namespaces. 
+ if [ -f /proc/sys/kernel/unprivileged_userns_clone ] \ + && [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" -ne 1 ] + then + echo 1 > /proc/sys/kernel/unprivileged_userns_clone || \ + _err "failed to enable unprivileged user namespaces" + + _msg_warn "Unprivileged user namespaces were disabled and have been enabled now." + _msg_warn "This Linux feature is required by guix-daemon. To enable it permanently, run:" + _msg_warn ' echo 1 > /proc/sys/kernel/unprivileged_userns_clone' + _msg_warn "from the relevant startup script." + fi + + + if getent group guix-daemon > /dev/null; then + _msg_info "group guix-daemon exists" + else + groupadd --system guix-daemon + _msg_pass "group guix-daemon created" + fi + + create_account guix-daemon guix-daemon \ + guix-daemon$KVMGROUP \ + "Unprivileged Guix Daemon User" + + # ‘tar xf’ creates root:root files. Change that. + chown -R guix-daemon:guix-daemon /gnu /var/guix + chown -R root:root /var/guix/profiles/per-user/root + + # The unprivileged daemon cannot create the log directory by itself. + mkdir -p /var/log/guix + chown guix-daemon:guix-daemon /var/log/guix + chmod 755 /var/log/guix + else + if getent group guixbuild > /dev/null; then + _msg_info "group guixbuild exists" + else + groupadd --system guixbuild + _msg_pass "group created" + fi + + for i in $(seq -w 1 10); do + create_account "guixbuilder${i}" "guixbuild" \ + "guixbuild${KVMGROUP}" \ + "Guix build user $i" + done + fi } sys_delete_build_user() @@ -487,6 +549,14 @@ sys_delete_build_user() if getent group guixbuild &>/dev/null; then groupdel -f guixbuild fi + + _msg_info "remove guix-daemon user" + if id guix-daemon &>/dev/null; then + userdel -f guix-daemon + fi + if getent group guix-daemon &>/dev/null; then + groupdel -f guix-daemon + fi } sys_enable_guix_daemon() 
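Review bot: in the user-namespace block of the sys_create_build_user hunk, `echo 1 > /proc/sys/kernel/unprivileged_userns_clone || _err "failed to enable unprivileged user namespaces"` does not stop the installation when the write fails (unless `_err` itself exits, which the visible lines do not show), so the script goes on to install a daemon that cannot start; this branch should abort, or fall back to the privileged path, rather than continue. The check also covers only the Debian-specific `unprivileged_userns_clone` knob; on other distributions user namespaces are disabled through `user.max_user_namespaces=0` (`/proc/sys/user/max_user_namespaces`), which is not examined, so a direct capability probe such as `unshare -U true` before the unprivileged path is chosen would catch both cases. The `_msg_warn` text tells the admin to persist the change "from the relevant startup script"; pointing at a `/etc/sysctl.d/` drop-in (`kernel.unprivileged_userns_clone = 1`) is the conventional advice and less likely to be lost on reboot. Finally, `create_account guix-daemon guix-daemon guix-daemon$KVMGROUP ...` leaves `$KVMGROUP` unquoted while the guixbuilder call quotes it as `"guixbuild${KVMGROUP}"`; quoting both keeps the argument positions stable if the variable is ever empty or contains whitespace.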
@@ -529,11 +599,11 @@ sys_enable_guix_daemon() # Install after guix-daemon.service to avoid a harmless warning. # systemd .mount units must be named after the target directory. - # Here we assume a hard-coded name of /gnu/store. - install_unit gnu-store.mount + install_unit gnu-store.mount systemctl daemon-reload && - systemctl start guix-daemon; } && + systemctl start guix-daemon && + systemctl start gnu-store.mount; } && _msg_pass "enabled Guix daemon via systemd" ;; sysv-init) 
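Review bot: the `&&` chain in this hunk now ends with `systemctl start gnu-store.mount`, so a failure of the mount unit (or of `systemctl start guix-daemon`) only suppresses the `_msg_pass` line and produces no diagnostic of its own; adding an `|| _err "failed to start guix-daemon or gnu-store.mount"` branch (or the script's fatal helper) would make the failure visible instead of leaving the admin with a silent half-enabled service. Dropping the "Here we assume a hard-coded name of /gnu/store" comment is fine since the preceding line about .mount unit naming still explains why the unit is called gnu-store.mount.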
@@ -654,6 +724,10 @@ project's build farms?"; then && guix archive --authorize < "$key" \ && _msg_pass "Authorized public key for $host" done + if id guix-daemon &>/dev/null; then + # /etc/guix/acl must be readable by the unprivileged guix-daemon. + chown -R guix-daemon:guix-daemon /etc/guix + fi else _msg_info "Skipped authorizing build farm public keys" fi From patchwork Thu Mar 20 20:54:49 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40530 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id EF6BD27BBEA; Thu, 20 Mar 2025 20:58:21 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id B0FC327BBEA for ; Thu, 20 Mar 2025 20:58:20 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tvMxw-0003AC-Ip; Thu, 20 Mar 2025 16:58:12 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tvMxt-00036I-G5 for guix-patches@gnu.org; Thu, 20 Mar 2025 16:58:09 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1tvMxt-0002p6-01 for guix-patches@gnu.org; Thu, 20 Mar 2025 16:58:09 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; 
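Review bot: `chown -R guix-daemon:guix-daemon /etc/guix` in this hunk gives the unprivileged daemon write access to /etc/guix/acl, the list of trusted substitute-server signing keys, even though the comment only asks for it to be readable; a compromised or buggy daemon could then extend its own trust list. Keeping root as owner and granting read access via the group (`chgrp -R guix-daemon /etc/guix && chmod -R g+rX /etc/guix`) satisfies the stated requirement with least privilege. The fix-up also sits inside the `if` branch that authorizes the build-farm keys, so an admin who declines that prompt ends up with an /etc/guix (if it exists) that the unprivileged daemon cannot read; moving the ownership/permission fix-up after the `if ... else ... fi` block, guarded by `[ -d /etc/guix ]`, makes it independent of the answer.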
Subject: [bug#75810] [PATCH v7 16/16] DRAFT gnu: guix: Update to f447941. Resent-From: Ludovic =?utf-8?q?Court=C3=A8s?= Resent-Date: Thu, 20 Mar 2025 20:58:08 +0000 To: 75810@debbugs.gnu.org Cc: Ludovic =?utf-8?q?Court=C3=A8s?=
-0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:References:In-Reply-To:Date:Subject:To: From; bh=X0/tFNKBOJDt5zziEmv0iW9Ld3YPlqHLdNS+SKnSB7U=; b=cevL2Gf/CYTyg4yvzuB1 xwXI0lAbdVF790ZYrZBQhgBR/RaX/rrBb1/l4g1liuJGDRY7Go1gxHfjwiusIn265vPZYAMIYqMmW JaaeFBWP/azHs8L/QE5HyezgpUwAo/d+lPS6K3qTF02DJ2S+uyXPEU7EYD85RYDV7ls5XGH+mUFGx E3JzA/L7Ym4RRfz7B3Sv1mMOM0mSHQiCQrh6C91sO/8VBBun3P+94kwy8rfwSkDn7v1og7b3NXAam VZX6gxDgoct69KqYThbSYtzItUBpxhnIpCl7x9jyaW2FCBRhlJztXd7D4JM2Cd7+yeY4o7Oxwu8IH 1deVr7oKUffbjA==; From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Thu, 20 Mar 2025 21:54:49 +0100 Message-ID: <2cc77c23147a687c75b2f300c7570b805e518944.1742503591.git.ludo@gnu.org> X-Mailer: git-send-email 2.48.1 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches DRAFT: Temporary commit. * gnu/packages/package-management.scm (guix): Update to f447941. Change-Id: I16b10e721b98e8721bf206c3b3824407147d9649 --- gnu/packages/package-management.scm | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/gnu/packages/package-management.scm b/gnu/packages/package-management.scm index a4a96878f7..a5d5083993 100644 --- a/gnu/packages/package-management.scm +++ b/gnu/packages/package-management.scm @@ -179,8 +179,8 @@ (define-public guix ;; Note: the 'update-guix-package.scm' script expects this definition to ;; start precisely like this. (let ((version "1.4.0") - (commit "5058b40aba825ab6e7b9e518dd1147d1e35fd7de") - (revision 34)) + (commit "f447941a9c03769bfd17d3193a5aaad32342da53") + (revision 35)) (package (name "guix") 
@@ -196,7 +196,7 @@ (define-public guix (commit commit))) (sha256 (base32 - "04vk4lslcd6h22yj5pxvb1pdyyxd8421gjfyvyb1bl3xn7c77246")) + "10id738y2cpg74jjfz8i2k8phw5lgbz91zx0nl0109z0ag0har34")) (file-name (string-append "guix-" version "-checkout")))) (build-system gnu-build-system) (arguments
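Review bot: the base32 hash in this hunk has to be the hash of the checkout at commit f447941a9c03769bfd17d3193a5aaad32342da53 from the previous hunk, and it cannot be verified from the diff alone; since the commit message itself says "DRAFT: Temporary commit", the commit, the `revision` bump to 35 and the sha256 will all need to be regenerated together against the final upstream commit before this series is merged, ideally with the 'update-guix-package.scm' script that the context comment says expects this exact definition layout, so that the three values cannot drift apart.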