From patchwork Sun Mar 23 14:24:54 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40733 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id ED35F27BBE9; Sun, 23 Mar 2025 14:26:39 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 7B79127BBE2 for ; Sun, 23 Mar 2025 14:26:38 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1twMHE-0002z1-1w; Sun, 23 Mar 2025 10:26:12 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1twMHC-0002ys-57 for guix-patches@gnu.org; Sun, 23 Mar 2025 10:26:10 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1twMHB-0005Ux-Q2 for guix-patches@gnu.org; Sun, 23 Mar 2025 10:26:09 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; bh=gj2HkSqKqMC6OnWJO11zAMx01vOVuopEBzKWBjgHWEs=; b=A2eA0xFiHCWLApAF84gGAubOV0zb0Z674owyk9P3lBQN1RH2/jDW5dvjm8AlminrV3g7ajaRoT24lBm7jP54MQL6wN2oA7G+vC5brjyeuSkLF6wu0GPNkUFPCs8RdjSyZo6qD4dnbceCMZrNWS/tRC3xR9r83igayfIffs/V/V98ZE9aP8WAAAOPGxwoTsf1smArlvhpEGJuFkOSB4oYj0AeqqKsHnL79tzUVIPlQFIybmmKoc2y2JI8PexFbcMy60NAPMOowcjpeziNCDteMydcA+BWUSTlRJS61I1Wa6S2DJxuD23AXiapwmFKIjJa42k11xDN6E5mAe+LYuP+6A==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1twMHB-0005Wq-GO for guix-patches@gnu.org; Sun, 23 Mar 2025 10:26:09 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#75810] [PATCH v8 01/16] daemon: Use =?utf-8?b?4oCYY2xvc2VfcmFu?= =?utf-8?b?Z2XigJk=?= where available. Resent-From: Ludovic =?utf-8?q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Sun, 23 Mar 2025 14:26:09 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 75810 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 75810@debbugs.gnu.org Cc: Ludovic =?utf-8?q?Court=C3=A8s?= Received: via spool by 75810-submit@debbugs.gnu.org id=B75810.174273995921115 (code B ref 75810); Sun, 23 Mar 2025 14:26:09 +0000 Received: (at 75810) by debbugs.gnu.org; 23 Mar 2025 14:25:59 +0000 Received: from localhost ([127.0.0.1]:51862 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1twMH0-0005UH-6L for submit@debbugs.gnu.org; Sun, 23 Mar 2025 10:25:59 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:40396) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1twMGb-0005P1-R4 for 75810@debbugs.gnu.org; Sun, 23 Mar 2025 10:25:35 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1twMGW-0005RV-B8; Sun, 23 Mar 2025 10:25:28 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:References:In-Reply-To:Date:Subject:To: From; bh=gj2HkSqKqMC6OnWJO11zAMx01vOVuopEBzKWBjgHWEs=; b=aNt5iQSsPHOZujs2lvL9 G2jeg5PWxpNEanvL+KVZ/pCz31hO9g4CAonfss656sv0aK2wmvoHCPvCa4TS73nJV/eDGrjE/fnhh JuJ++/nCGGEbbPTb3k6KWSvI4HPsjaf8iE1loQSyCeiiH/CJaSqFeiNp3QmPEriC87cEojFXRe4ms 99m1glcADwX+QeiJ/IhRrzyIPbnMnTUGBOyN4f8NRaz10RVHzJpY5K4jArTcjuRKVeYSOkm9mykhq DmCy311K7IUtT2gvJGTtX3NR8qgrXsIDC3urQOdLgK2uASUWq2eSYgscf0i+KKBFPK8A0kdjo7jaQ fOlC2V5FAMKFOQ==; From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Sun, 23 Mar 2025 15:24:54 +0100 Message-ID: <7f506f187a098122046a0eb7b84f55c88891ba88.1742739609.git.ludo@gnu.org> X-Mailer: git-send-email 2.48.1 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * nix/libutil/util.cc (closeMostFDs) [HAVE_CLOSE_RANGE]: Use ‘close_range’ when ‘exceptions’ is empty. * config-daemon.ac: Check for and the ‘close_range’ symbol. Change-Id: I12fa3bde58b003fcce5ea5a1fee1dcf9a92c0359 --- config-daemon.ac | 5 +++-- nix/libutil/util.cc | 23 +++++++++++++++++------ 2 files changed, 20 insertions(+), 8 deletions(-) diff --git a/config-daemon.ac b/config-daemon.ac index 6731c68bc3..4e949bc88a 100644 --- a/config-daemon.ac +++ b/config-daemon.ac @@ -78,7 +78,8 @@ if test "x$guix_build_daemon" = "xyes"; then dnl Chroot support. AC_CHECK_FUNCS([chroot unshare]) - AC_CHECK_HEADERS([sched.h sys/param.h sys/mount.h sys/syscall.h]) + AC_CHECK_HEADERS([sched.h sys/param.h sys/mount.h sys/syscall.h \ + linux/close_range.h]) if test "x$ac_cv_func_chroot" != "xyes"; then AC_MSG_ERROR(['chroot' function missing, bailing out]) @@ -95,7 +96,7 @@ if test "x$guix_build_daemon" = "xyes"; then dnl strsignal: for error reporting. dnl statx: fine-grain 'stat' call, new in glibc 2.28. AC_CHECK_FUNCS([lutimes lchown posix_fallocate sched_setaffinity \ - statvfs nanosleep strsignal statx]) + statvfs nanosleep strsignal statx close_range]) dnl Check for . AC_LANG_PUSH(C++) diff --git a/nix/libutil/util.cc b/nix/libutil/util.cc index 3206dea11b..eb2d16e1cc 100644 --- a/nix/libutil/util.cc +++ b/nix/libutil/util.cc @@ -23,6 +23,10 @@ #include #endif +#ifdef HAVE_LINUX_CLOSE_RANGE_H +# include +#endif + extern char * * environ; @@ -1087,12 +1091,19 @@ string runProgram(Path program, bool searchPath, const Strings & args) void closeMostFDs(const set & exceptions) { - int maxFD = 0; - maxFD = sysconf(_SC_OPEN_MAX); - for (int fd = 0; fd < maxFD; ++fd) - if (fd != STDIN_FILENO && fd != STDOUT_FILENO && fd != STDERR_FILENO - && exceptions.find(fd) == exceptions.end()) - close(fd); /* ignore result */ +#ifdef HAVE_CLOSE_RANGE + if (exceptions.empty()) + close_range(3, ~0U, 0); + else +#endif + { + int maxFD = 0; + maxFD = sysconf(_SC_OPEN_MAX); + for (int fd = 0; fd < maxFD; ++fd) + if (fd != STDIN_FILENO && fd != STDOUT_FILENO && fd != STDERR_FILENO + && exceptions.find(fd) == exceptions.end()) + close(fd); /* ignore result */ + } } From patchwork Sun Mar 23 14:24:55 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40737 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 3AD5927BBE2; Sun, 23 Mar 2025 14:26:48 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id DE41927BBEA for ; Sun, 23 Mar 2025 14:26:46 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1twMHI-00030E-1A; Sun, 23 Mar 2025 10:26:16 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1twMHF-0002zQ-OW for guix-patches@gnu.org; Sun, 23 Mar 2025 10:26:13 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1twMHF-0005VH-6E for guix-patches@gnu.org; Sun, 23 Mar 2025 10:26:13 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; bh=fUCaHHG/eO75rZDRlbk9XFL7p37y9SICE8zVkSS6pAE=; b=o9DESZOMOJ3g+XPG3XWocNan5D81RcUcKYejhjHexdRNgYLWp/lnH1lF5UrpES3fN+Oma7j6ZptqpL/fm7m8QwzL7f+zwIH38TleGjJ18AXuMa/brLgnmSDpSdwcxR/XJR3vmfJHTozT6q0SlBTgzhmHRwGubTN6wc58FcdENqfaNoTsDK+3QA6Ul/0Idv0iDSdvjVAZnV9hDTt94CX4iO4iVGnh2zpa1XDqUmo1tjim8YFKcaED5OY/IxNU3U7XX7KNURxcyUQouRPPNF/HegCbiMbj7XhwVWTSjwKUHa2Xl5FO++8kAWFCIQ14XVHSyXUjhFwQqhhx8dOF1PBYzw==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1twMHF-0005Xs-07 for guix-patches@gnu.org; Sun, 23 Mar 2025 10:26:13 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#75810] [PATCH v8 02/16] daemon: Close the read end of the logging pipe. Resent-From: Ludovic =?utf-8?q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Sun, 23 Mar 2025 14:26:12 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 75810 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 75810@debbugs.gnu.org Cc: Ludovic =?utf-8?q?Court=C3=A8s?= , Reepca Russelstein Received: via spool by 75810-submit@debbugs.gnu.org id=B75810.174273996521193 (code B ref 75810); Sun, 23 Mar 2025 14:26:12 +0000 Received: (at 75810) by debbugs.gnu.org; 23 Mar 2025 14:26:05 +0000 Received: from localhost ([127.0.0.1]:51868 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1twMH3-0005Uz-09 for submit@debbugs.gnu.org; Sun, 23 Mar 2025 10:26:04 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:43736) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1twMGi-0005QJ-Oz for 75810@debbugs.gnu.org; Sun, 23 Mar 2025 10:25:44 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1twMGb-0005Rk-3C; Sun, 23 Mar 2025 10:25:33 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:References:In-Reply-To:Date:Subject:To: From; bh=fUCaHHG/eO75rZDRlbk9XFL7p37y9SICE8zVkSS6pAE=; b=Y4s/GyJUjCjWRu5UpqxZ VJwHWUEL9a3+AB9vBF5WrHs02V7bpMFWeN+uOBYQ+VojQrHmlP1o9ES6uoE+2KugOKTleuTeuu+CE WF0QMdSHAo3oLQv0Sofou0RrZgMfO43ZZseJ5o7tRVE2JCEZKa/oSkkYMHu/KY9eq1ZwFsO3FX3Vl /YVtGCJNsru6+pSUodTecPr0i0TRh3jwV9GI/XeetDyDbWF9lLsGOgaSqURsu0SP/+ZTqHCjaFGy9 sVQQIsA27sPWRktZvKvCjHmnR6WPzIUSV91wkelGdCDr1X4r64KMwhp84doqRBzC1No0/b2TMSYSJ LIxJmXKFHzmogA==; From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Sun, 23 Mar 2025 15:24:55 +0100 Message-ID: X-Mailer: git-send-email 2.48.1 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * nix/libutil/util.cc (commonChildInit): Close ‘logPipe.readSide’. Reported-by: Reepca Russelstein Change-Id: Ia9e48d1afb85d7af52770e016f2b6832792044dd --- nix/libutil/util.cc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/nix/libutil/util.cc b/nix/libutil/util.cc index eb2d16e1cc..56f116046c 100644 --- a/nix/libutil/util.cc +++ b/nix/libutil/util.cc @@ -1279,6 +1279,9 @@ void commonChildInit(Pipe & logPipe) if (setsid() == -1) throw SysError(format("creating a new session")); + /* Close the read end so only the parent holds a reference to it. */ + logPipe.readSide.close(); + /* Dup the write side of the logger pipe into stderr. */ if (dup2(logPipe.writeSide, STDERR_FILENO) == -1) throw SysError("cannot pipe standard error into log file"); From patchwork Sun Mar 23 14:24:56 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40734 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id D7E7B27BBEA; Sun, 23 Mar 2025 14:26:43 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 9DC8C27BBE2 for ; Sun, 23 Mar 2025 14:26:43 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1twMHG-0002zk-Lv; Sun, 23 Mar 2025 10:26:14 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1twMHE-0002z2-Jb for guix-patches@gnu.org; Sun, 23 Mar 2025 10:26:12 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1twMHE-0005V6-Ao for guix-patches@gnu.org; Sun, 23 Mar 2025 10:26:12 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; bh=5fbggu8STjwEXFRRV3Gq/UXyTgxUmf6fh1UKO8gjNXs=; b=mAnaqiJTBqrmUnGfDxvKO8jWmskKQnqjA17zzh0VIGF3tymcSb6Nv/DKWDrsboGZqlxJWPMgJGm0HWFJWy3w2Ca4WzNKyWPbVN3iXbQKyZG9LF1F790Xg+sRQGHV/VPzlpg6/Yg+qQ9ML+cT2JIuAcvsyaDlpxoY3yHPL7XYtS/a4IBPT99wRnBXlpTTNVjq9hRgIyK9+RhQwZ/OIXMC/rQcKAzxVKV2ZfB8GuKaje92LIWaYfv64ylYTHPDtiF9IzG4qfr+yGUHa2OJhJKnG1vCMF1CyvTFmCtj+z6hMz52TB/T/apf+WtFywzCIQU8CRJEIq6AxhB4K8guC52rdw==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1twMHD-0005XU-VV for guix-patches@gnu.org; Sun, 23 Mar 2025 10:26:11 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#75810] [PATCH v8 03/16] daemon: Bind-mount /etc/nsswitch.conf & co. only if it exists. Resent-From: Ludovic =?utf-8?q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Sun, 23 Mar 2025 14:26:11 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 75810 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 75810@debbugs.gnu.org Cc: Ludovic =?utf-8?q?Court=C3=A8s?= Received: via spool by 75810-submit@debbugs.gnu.org id=B75810.174273996121148 (code B ref 75810); Sun, 23 Mar 2025 14:26:11 +0000 Received: (at 75810) by debbugs.gnu.org; 23 Mar 2025 14:26:01 +0000 Received: from localhost ([127.0.0.1]:51864 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1twMH1-0005UU-8f for submit@debbugs.gnu.org; Sun, 23 Mar 2025 10:26:00 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:43722) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1twMGh-0005Q0-7q for 75810@debbugs.gnu.org; Sun, 23 Mar 2025 10:25:40 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1twMGb-0005Rq-Tc; Sun, 23 Mar 2025 10:25:33 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:References:In-Reply-To:Date:Subject:To: From; bh=5fbggu8STjwEXFRRV3Gq/UXyTgxUmf6fh1UKO8gjNXs=; b=W2EV1L3V0Dc7frUkdtLK 79XeH4Eis3nztqB3bJjMv8s0dXJr28I6symcecnaRfYQfa9q8MELovp22556LJQ8FrxyAUEjD2xlJ JxRsIy3RCGF0boeOFNWIgq887L60kXOv8BK/zIeRsBPeKWVBqZvoFujWlEHLT8SMtk/CcLHiVCCWN 99KvHcfYe/D+3c9ZPVoGJXK7PR9bih9VdNBvdQYrMYkFRrlPA2Rn7dWST6aciww43b5uY/vowT848 9wn4EVYws6aojSxxrElgR5ppl6eh96QhoVCug4rS+y3eAaNT6eyVw+1CkOt6/dlaG2/9TXFFxmqgQ t5yIVgbSrcZgMw==; From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Sun, 23 Mar 2025 15:24:56 +0100 Message-ID: X-Mailer: git-send-email 2.48.1 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches Those files may be missing in some contexts, for instance within the build environment. * nix/libstore/build.cc (DerivationGoal::runChild): Add /etc/resolv.conf and related files to ‘ss’ only if they exist. Change-Id: Ie19664a86c8101a1dc82cf39ad4b7abb10f8250a --- nix/libstore/build.cc | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc index edd01bab34..8ca5e5b732 100644 --- a/nix/libstore/build.cc +++ b/nix/libstore/build.cc @@ -2093,10 +2093,11 @@ void DerivationGoal::runChild() network, so give them access to /etc/resolv.conf and so on. */ if (fixedOutput) { - ss.push_back("/etc/resolv.conf"); - ss.push_back("/etc/nsswitch.conf"); - ss.push_back("/etc/services"); - ss.push_back("/etc/hosts"); + auto files = { "/etc/resolv.conf", "/etc/nsswitch.conf", + "/etc/services", "/etc/hosts" }; + for (auto & file: files) { + if (pathExists(file)) ss.push_back(file); + } } for (auto & i : ss) dirsInChroot[i] = i; From patchwork Sun Mar 23 14:24:57 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40738 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 65D9B27BBE2; Sun, 23 Mar 2025 14:26:48 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id E5F3827BBEB for ; Sun, 23 Mar 2025 14:26:46 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1twMHJ-00031a-M1; Sun, 23 Mar 2025 10:26:17 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1twMHH-000304-AF for guix-patches@gnu.org; Sun, 23 Mar 2025 10:26:15 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1twMHG-0005VU-Pb for guix-patches@gnu.org; Sun, 23 Mar 2025 10:26:15 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; bh=OHeVSHlKl++yMNnhWaubdTXXSn3UUkG8AbIkWMisgq8=; b=cdqhS4TEJVCC9+iiUMemtLTeRJom+n37mcb5zMnIqZbOwUg3PWJ4oWJ1r8RB3QUc+wru2wH/HVPUtSebQTQI4KhvcdVedDHx6zRPvGImHwNhuxz/X4KfJY64YUAfrGdh0sT+3AnxuVyIBtd9KRxzuXxLkZkIZHSM07TsWRafUz7z7tQlRnEedI0nPeDJCK57KvKnZVeDrzqytyeMUOkRMc+7u4Y/IdB7JxwO39MbX+KPifUvDIhFxXiU8YyUcCkMXUyYchH3erZzDxOVimB79L0gyilYiRtTtLnNeDgfxPYAmigl/IhxsWjPiTu8fxNUut+bgYel5gl5vTaWe1zgPg==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1twMHG-0005YP-Ix for guix-patches@gnu.org; Sun, 23 Mar 2025 10:26:14 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#75810] [PATCH v8 04/16] daemon: Bind-mount all the inputs, not just directories. Resent-From: Ludovic =?utf-8?q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Sun, 23 Mar 2025 14:26:14 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 75810 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 75810@debbugs.gnu.org Cc: Ludovic =?utf-8?q?Court=C3=A8s?= , Reepca Russelstein Received: via spool by 75810-submit@debbugs.gnu.org id=B75810.174273997021272 (code B ref 75810); Sun, 23 Mar 2025 14:26:14 +0000 Received: (at 75810) by debbugs.gnu.org; 23 Mar 2025 14:26:10 +0000 Received: from localhost ([127.0.0.1]:51874 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1twMH8-0005WG-P9 for submit@debbugs.gnu.org; Sun, 23 Mar 2025 10:26:09 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:43726) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1twMGi-0005QE-Iy for 75810@debbugs.gnu.org; Sun, 23 Mar 2025 10:25:44 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1twMGc-0005Ry-SK; Sun, 23 Mar 2025 10:25:34 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:References:In-Reply-To:Date:Subject:To: From; bh=OHeVSHlKl++yMNnhWaubdTXXSn3UUkG8AbIkWMisgq8=; b=Y36G2pyhn5cD6EDdZASY lxFdsM/L9S+X+0mL8dgGOxaH70uHZUVwHQBZiMGKwkkj8px64eze+FYN8AIAK9wsAKGG6nNv1gdMB YjGP8eTQvLX4txILzy2sr1T7zPxTajvO/S0koKQi9LzykTAt/3hnhf1ZobMNY9UIjqKGv6IROVves vFl/jF6D5BAxvljgsfE3zhnsSbBoJKUogVRxd1GDWe5CaY5d4JyitpsWEM8RnwoV+NfPm5i7PlBPF WvO72fMTOkwRH8QFU5ntCZ+TSfVANB+7w85H8jvKzDt4FFbnBJ717N/jUYfSc9Nxgtgsow+QaEYgp EBcsZNXVqhwjfw==; From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Sun, 23 Mar 2025 15:24:57 +0100 Message-ID: X-Mailer: git-send-email 2.48.1 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * nix/libstore/build.cc (DerivationGoal::startBuilder): Add all of ‘inputPaths’ to ‘dirsInChroot’ instead of hard-linking regular files. Special-case symlinks. (DerivationGoal)[regularInputPaths]: Remove. Reported-by: Reepca Russelstein Change-Id: I070987f92d73f187f7826a975bee9ee309d67f56 --- nix/libstore/build.cc | 39 ++++++++++++++------------------------- 1 file changed, 14 insertions(+), 25 deletions(-) diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc index 8ca5e5b732..193b279b88 100644 --- a/nix/libstore/build.cc +++ b/nix/libstore/build.cc @@ -659,9 +659,6 @@ private: /* RAII object to delete the chroot directory. */ std::shared_ptr autoDelChroot; - /* All inputs that are regular files. */ - PathSet regularInputPaths; - /* Whether this is a fixed-output derivation. */ bool fixedOutput; @@ -1850,9 +1847,7 @@ void DerivationGoal::startBuilder() /* Make the closure of the inputs available in the chroot, rather than the whole store. This prevents any access - to undeclared dependencies. Directories are bind-mounted, - while other inputs are hard-linked (since only directories - can be bind-mounted). !!! As an extra security + to undeclared dependencies. !!! As an extra security precaution, make the fake store only writable by the build user. */ Path chrootStoreDir = chrootRootDir + settings.nixStore; @@ -1863,28 +1858,22 @@ void DerivationGoal::startBuilder() throw SysError(format("cannot change ownership of ‘%1%’") % chrootStoreDir); foreach (PathSet::iterator, i, inputPaths) { - struct stat st; + struct stat st; if (lstat(i->c_str(), &st)) throw SysError(format("getting attributes of path `%1%'") % *i); - if (S_ISDIR(st.st_mode)) - dirsInChroot[*i] = *i; - else { - Path p = chrootRootDir + *i; - if (link(i->c_str(), p.c_str()) == -1) { - /* Hard-linking fails if we exceed the maximum - link count on a file (e.g. 32000 of ext3), - which is quite possible after a `nix-store - --optimise'. */ - if (errno != EMLINK) - throw SysError(format("linking `%1%' to `%2%'") % p % *i); - StringSink sink; - dumpPath(*i, sink); - StringSource source(sink.s); - restorePath(p, source); - } - regularInputPaths.insert(*i); - } + if (S_ISLNK(st.st_mode)) { + /* Since bind-mounts follow symlinks, thus representing their + target and not the symlink itself, special-case + symlinks. XXX: When running unprivileged, TARGET can be + deleted by the build process. Use 'open_tree' & co. when + it's more widely available. */ + Path target = chrootRootDir + *i; + if (symlink(readLink(*i).c_str(), target.c_str()) == -1) + throw SysError(format("failed to create symlink '%1%' to '%2%'") % target % readLink(*i)); + } + else + dirsInChroot[*i] = *i; } /* If we're repairing, checking or rebuilding part of a From patchwork Sun Mar 23 14:24:58 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40739 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id E912527BBEC; Sun, 23 Mar 2025 14:26:54 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id A801A27BBE2 for ; Sun, 23 Mar 2025 14:26:54 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1twMHJ-00031c-N7; Sun, 23 Mar 2025 10:26:17 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1twMHI-00030F-35 for guix-patches@gnu.org; Sun, 23 Mar 2025 10:26:16 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1twMHH-0005Vf-Pz for guix-patches@gnu.org; Sun, 23 Mar 2025 10:26:15 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; bh=ozQM+lYqSSPDiTg6Dp/w4oPIGKDs4CrGaOeKp99rZWg=; b=UNcQeGdxev3HwtYxvIKhpfowwPV1gzJZplrdonMaWsfmU4lp+CXhQ/t2wVkB1WCXvQTzzdonGVILj3NKOH6HAnWoxJ0fxaESBiXAZiR2GMzkwcnCZClXpqbaHgcmTqiYWT7EBaMGBZc04f7l4S7OS/Ktc73kBahF7b8Vf5QF9zkI3blh9BFoneAe/yd6p8GunzooDtFHNyLVMUvftxVOhlxs3bfZJ+IG1dKTj2Z5JeIkOzXDyMPqpUCKKjasQ4AvlBDG1j2QF2lnX+gNFJ10d3PThzwYZwDb1SccBcYm5v0ztaSzFPIOTI1CZcf+CfMSrpWp7fytgvO/qbatR5ZdQA==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1twMHH-0005Yc-JT for guix-patches@gnu.org; Sun, 23 Mar 2025 10:26:15 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#75810] [PATCH v8 05/16] daemon: Remount inputs as read-only. Resent-From: Ludovic =?utf-8?q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Sun, 23 Mar 2025 14:26:15 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 75810 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 75810@debbugs.gnu.org Cc: Ludovic =?utf-8?q?Court=C3=A8s?= , Reepca Russelstein Received: via spool by 75810-submit@debbugs.gnu.org id=B75810.174273997221292 (code B ref 75810); Sun, 23 Mar 2025 14:26:15 +0000 Received: (at 75810) by debbugs.gnu.org; 23 Mar 2025 14:26:12 +0000 Received: from localhost ([127.0.0.1]:51883 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1twMHC-0005X3-34 for submit@debbugs.gnu.org; Sun, 23 Mar 2025 10:26:11 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:43748) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1twMGj-0005QV-LY for 75810@debbugs.gnu.org; Sun, 23 Mar 2025 10:25:44 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1twMGd-0005SB-S2; Sun, 23 Mar 2025 10:25:35 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:References:In-Reply-To:Date:Subject:To: From; bh=ozQM+lYqSSPDiTg6Dp/w4oPIGKDs4CrGaOeKp99rZWg=; b=hCz08O0HEKDKyyBjWhiP DgNzFpyC/QunHL+e3/QC6BxM6DJGQYK7MhX/L7iCkZN1zROc15cLLjLkWHhjxVUYDFy7yrph3LBgA +Pprb5QcMI4C7+3FEbQtjSt02kA2cOZACubBCUYdwjax8RPgTXvmCvFTaYaKD7Nnq3nEwi6cK9TyC epO1Q3pEFc8ZNr8HmspkkYPnhy/ZM1oYq1qtSg96PDccZ5xplgm8QplLSnlDH2KYQ/dr+NNrdU5Q7 Rw97JX7NBqNAYW6GfV8J81oKEicnIH4e1BWPwANqx3ew2GU8Q718e7gcYy22YPzUqx4uCc1jWS3bb x1WuurwKqCtLGw==; From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Sun, 23 Mar 2025 15:24:58 +0100 Message-ID: <3fd52374c8bf223596845b5d50a2aaba74120c98.1742739609.git.ludo@gnu.org> X-Mailer: git-send-email 2.48.1 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * nix/libstore/build.cc (DerivationGoal::runChild): Remount ‘target’ as read-only. Reported-by: Reepca Russelstein Change-Id: Ib7201bcf4363be566f205d23d17fe2f55d3ad666 --- nix/libstore/build.cc | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc index 193b279b88..3861a1ffd9 100644 --- a/nix/libstore/build.cc +++ b/nix/libstore/build.cc @@ -2107,8 +2107,15 @@ void DerivationGoal::runChild() createDirs(dirOf(target)); writeFile(target, ""); } + + /* Extra flags passed with MS_BIND are ignored, hence the + extra MS_REMOUNT. */ if (mount(source.c_str(), target.c_str(), "", MS_BIND, 0) == -1) throw SysError(format("bind mount from `%1%' to `%2%' failed") % source % target); + if (source.compare(0, settings.nixStore.length(), settings.nixStore) == 0) { + if (mount(source.c_str(), target.c_str(), "", MS_BIND | MS_REMOUNT | MS_RDONLY, 0) == -1) + throw SysError(format("read-only remount of `%1%' failed") % target); + } } /* Bind a new instance of procfs on /proc to reflect our From patchwork Sun Mar 23 14:24:59 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40740 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id AA78F27BBE9; Sun, 23 Mar 2025 14:26:55 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id C036A27BBEB for ; Sun, 23 Mar 2025 14:26:54 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1twMHI-00030I-7D; Sun, 23 Mar 2025 10:26:16 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1twMHG-0002zc-7B for guix-patches@gnu.org; Sun, 23 Mar 2025 10:26:14 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1twMHF-0005VN-UR for guix-patches@gnu.org; Sun, 23 Mar 2025 10:26:13 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; bh=3sOVW5n0d1cSpQd8PLRrsmflCadSWuH5XwPCIe/iTyM=; b=pMxXjbjG/uwSUNXXZV8Xs66CFOBvLNPr+KhDPMTNvOsmvY3F9enJmb7JNoPrlSDv0GGY/0fMsjwftSb4GdpztIqUhpX2nYQLt9RiQlUM9AEd75aeq/QGvQNxOc2T42jhZWngPMmVHaSnrRXrEC8VP77jsGta+OW14zWAjmiB+/9IdnAgQqSPwRf8h8VxNN01Xgw4/1DZxZqFfkbgpFth4jaZJcegm8N0Vp09014NCL5gYz7fPiidnFq5Adgem8ZoHid3Qjmk2iSsSKbJBNMlxGEbrIBd9jCLtMSZVNCYgpqN052pKXzeHc6laTyP/RFufb49ZeBHPGS/Uux39Pzmqw==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1twMHF-0005Y8-P1 for guix-patches@gnu.org; Sun, 23 Mar 2025 10:26:13 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#75810] [PATCH v8 06/16] daemon: Remount root directory as read-only. Resent-From: Ludovic =?utf-8?q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Sun, 23 Mar 2025 14:26:13 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 75810 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 75810@debbugs.gnu.org Cc: Ludovic =?utf-8?q?Court=C3=A8s?= Received: via spool by 75810-submit@debbugs.gnu.org id=B75810.174273996721226 (code B ref 75810); Sun, 23 Mar 2025 14:26:13 +0000 Received: (at 75810) by debbugs.gnu.org; 23 Mar 2025 14:26:07 +0000 Received: from localhost ([127.0.0.1]:51870 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1twMH6-0005Vm-6x for submit@debbugs.gnu.org; Sun, 23 Mar 2025 10:26:06 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:43756) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1twMGk-0005Qb-5o for 75810@debbugs.gnu.org; Sun, 23 Mar 2025 10:25:44 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1twMGe-0005SK-Mw; Sun, 23 Mar 2025 10:25:36 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:References:In-Reply-To:Date:Subject:To: From; bh=3sOVW5n0d1cSpQd8PLRrsmflCadSWuH5XwPCIe/iTyM=; b=BPx7aIctz/dyezCTLv05 gMRoU+eDG4DwhTAvUM9Dilu9mfLDBk6258RpcN2LaLmHidbGkQC0EWOV1HDY8DG8YayYh8v96emCI eyBI7fTdiI7II1AD7mzKbQ6ue3UFXo18P8EyGVW1x/jetOtIUqybNH5lHDTbbq+Ow0SyQgbdzlXQn XGaJQqltF8hUE9QjVFJLH58gSUKz6hpoA43S3Exsp3o4XOyf7I9EjPEDfjg/dsfQ5iOXKO5zhF/Sa 2uNWYfA3c99hGhWpv/O7xRIw3bBrGy+0B0Rr2Q8qzt4TgxJgyOYZFn9aVHOphf8kuFxKR+qUskgAw aPiRPgyy8crEfw==; From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Sun, 23 Mar 2025 15:24:59 +0100 Message-ID: X-Mailer: git-send-email 2.48.1 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * nix/libstore/build.cc (DerivationGoal::runChild): Bind-mount the store and /tmp under ‘chrootRootDir’ to themselves as read-write. Remount / as read-only. Change-Id: I79565094c8ec8448401897c720aad75304fd1948 --- nix/libstore/build.cc | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc index 3861a1ffd9..c8b778362a 100644 --- a/nix/libstore/build.cc +++ b/nix/libstore/build.cc @@ -2091,6 +2091,18 @@ void DerivationGoal::runChild() for (auto & i : ss) dirsInChroot[i] = i; + /* Make new mounts for the store and for /tmp. That way, when + 'chrootRootDir' is made read-only below, these two mounts will + remain writable (the store needs to be writable so derivation + outputs can be written to it, and /tmp is writable by + convention). */ + auto chrootStoreDir = chrootRootDir + settings.nixStore; + if (mount(chrootStoreDir.c_str(), chrootStoreDir.c_str(), 0, MS_BIND, 0) == -1) + throw SysError(format("read-write mount of store '%1%' failed") % chrootStoreDir); + auto chrootTmpDir = chrootRootDir + "/tmp"; + if (mount(chrootTmpDir.c_str(), chrootTmpDir.c_str(), 0, MS_BIND, 0) == -1) + throw SysError(format("read-write mount of temporary directory '%1%' failed") % chrootTmpDir); + /* Bind-mount all the directories from the "host" filesystem that we want in the chroot environment. */ @@ -2164,6 +2176,10 @@ void DerivationGoal::runChild() if (rmdir("real-root") == -1) throw SysError("cannot remove real-root directory"); + + /* Remount root as read-only. */ + if (mount("/", "/", 0, MS_BIND | MS_REMOUNT | MS_RDONLY, 0) == -1) + throw SysError(format("read-only remount of build root '%1%' failed") % chrootRootDir); } #endif From patchwork Sun Mar 23 14:25:00 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40736 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 4A9EC27BBE9; Sun, 23 Mar 2025 14:26:47 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id C6BC027BBE2 for ; Sun, 23 Mar 2025 14:26:45 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1twMHR-000344-IY; Sun, 23 Mar 2025 10:26:25 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1twMHQ-00033u-LR for guix-patches@gnu.org; Sun, 23 Mar 2025 10:26:24 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1twMHQ-0005WO-C8; Sun, 23 Mar 2025 10:26:24 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; bh=0Kt8D+10MDGNCXLZxl8AYQypvAcokGyIGcmk6YcdbVc=; b=ph9SYUuTUeg0kuKWZYk9IlMx1ZR2uo/6dxQbUSzwsOZ3RSCFjeCH4TY7Y4LtSU6myV9lmWmnFjWLQ0xTZDAn6FrDtQOWHTefoRneu52RSYVDpgSHo7qtKA4i/SIxjBNtCTSMMaUahkwJxgCxRThDmAB4GkIOWWdbeoeZhFjYuM5WmCd1wdLe3e30/kdGhJB1BGiBfsFCYURnxeDTVKkYSh0KABUzyPgYXan+CyJWf7oSxvwQwArVvYB2K98e4vPWcVfN2QEwpnvpekLvlxxkKuH9fLdVgb2rGHymre0t29JSfyA0u7JHNTSBtnSgcr/k/qEH3O4U+74uW5P6OU1DhA==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1twMHJ-0005ZF-Vq; Sun, 23 Mar 2025 10:26:18 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#75810] [PATCH v8 07/16] daemon: Allow running as non-root with unprivileged user namespaces. Resent-From: Ludovic =?utf-8?q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix@cbaines.net, dev@jpoiret.xyz, ludo@gnu.org, othacehe@gnu.org, maxim.cournoyer@gmail.com, zimon.toutoune@gmail.com, me@tobias.gr, guix-patches@gnu.org Resent-Date: Sun, 23 Mar 2025 14:26:17 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 75810 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 75810@debbugs.gnu.org Cc: Ludovic =?utf-8?q?Court=C3=A8s?= , Reepca Russelstein , Christopher Baines , Josselin Poiret , Ludovic =?utf-8?q?Court=C3=A8s?= , Mathieu Othacehe , Maxim Cournoyer , Simon Tournier , Tobias Geerinckx-Rice X-Debbugs-Original-Xcc: Christopher Baines , Josselin Poiret , Ludovic =?utf-8?q?Court=C3=A8s?= , Mathieu Othacehe , Maxim Cournoyer , Simon Tournier , Tobias Geerinckx-Rice Received: via spool by 75810-submit@debbugs.gnu.org id=B75810.174273997621386 (code B ref 75810); Sun, 23 Mar 2025 14:26:17 +0000 Received: (at 75810) by debbugs.gnu.org; 23 Mar 2025 14:26:16 +0000 Received: from localhost ([127.0.0.1]:51894 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1twMHG-0005YG-0o for submit@debbugs.gnu.org; Sun, 23 Mar 2025 10:26:16 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:43770) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1twMGm-0005Qz-DZ for 75810@debbugs.gnu.org; Sun, 23 Mar 2025 10:25:52 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1twMGf-0005SR-N1; Sun, 23 Mar 2025 10:25:37 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:References:In-Reply-To:Date:Subject:To: From; bh=0Kt8D+10MDGNCXLZxl8AYQypvAcokGyIGcmk6YcdbVc=; b=GoKfTTjcW44msuLWIZCq npeVnEC0FhBJdhIdU5UkNCV8CblMtnj1561rss6zmUreFh8T7acheiaOnhgbcCtj90If8eqYJ5rS9 eOwwI0KSO+WsVvd+af0eE3pwifsdcoB5FGQgxejRn/UGeOMZjlwbv1zH+RjjzRDkMyhZG23ydGJJA Gf13JNM7kjtEuQ1XFNP0LMF7TkHAV8iz3PMazkd818uSQQXigDEMVSL54MvCf/VTaf65jKbS7cROk 1EWsR0wZYjfJgiYaZGSq7nfgb2ObSuGJLlmk4ey7gWi2rew9pRgDoMjMKldw4/VwuvOyDl8u5RNjY 4rgASvOXs0iQ0g==; From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Sun, 23 Mar 2025 15:25:00 +0100 Message-ID: <9ad0da0cdfc5b581d74a5afd4078a4317eff71ed.1742739609.git.ludo@gnu.org> X-Mailer: git-send-email 2.48.1 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches From: Ludovic Courtès Many thanks to Reepca Russelstein for their review and guidance on these changes. * nix/libstore/build.cc (guestUID, guestGID): New variables. (DerivationGoal)[readiness]: New field. (initializeUserNamespace): New function. (DerivationGoal::runChild): When ‘readiness.readSide’ is positive, read from it. (DerivationGoal::startBuilder): Call ‘chown’ only when ‘buildUser.enabled()’ is true. Pass CLONE_NEWUSER to ‘clone’ when ‘buildUser.enabled()’ is false or not running as root. Retry ‘clone’ without CLONE_NEWUSER upon EPERM. (DerivationGoal::registerOutputs): Make ‘actualPath’ writable before ‘rename’. (DerivationGoal::deleteTmpDir): Catch ‘SysError’ around ‘_chown’ call. * nix/libstore/local-store.cc (LocalStore::createUser): Do nothing if ‘dirs’ already exists. Warn instead of failing when failing to chown ‘dir’. * guix/substitutes.scm (%narinfo-cache-directory): Check for ‘_NIX_OPTIONS’ rather than getuid() == 0 to determine the cache location. * doc/guix.texi (Build Environment Setup): Reorganize a bit. Add section headings “Daemon Running as Root” and “The Isolated Build Environment”. Add “Daemon Running Without Privileges” subsection. Remove paragraph about ‘--disable-chroot’. (Invoking guix-daemon): Warn against ‘--disable-chroot’ and explain why. * tests/derivations.scm ("builder is outside the store"): New test. Reviewed-by: Reepca Russelstein --- doc/guix.texi | 102 +++++++++++++++----- guix/substitutes.scm | 2 +- nix/libstore/build.cc | 183 +++++++++++++++++++++++++++++++----- nix/libstore/local-store.cc | 18 +++- tests/derivations.scm | 14 +++ 5 files changed, 264 insertions(+), 55 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 0adc6f8c65..ec5d41bbf0 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -877,6 +877,7 @@ Setting Up the Daemon @section Setting Up the Daemon @cindex daemon +@cindex build daemon During installation, the @dfn{build daemon} that must be running to use Guix has already been set up and you can run @command{guix} commands in your terminal program, @pxref{Getting Started}: @@ -921,20 +922,38 @@ Build Environment Setup @cindex build environment In a standard multi-user setup, Guix and its daemon---the @command{guix-daemon} program---are installed by the system -administrator; @file{/gnu/store} is owned by @code{root} and -@command{guix-daemon} runs as @code{root}. Unprivileged users may use -Guix tools to build packages or otherwise access the store, and the -daemon will do it on their behalf, ensuring that the store is kept in a -consistent state, and allowing built packages to be shared among users. +administrator. Unprivileged users may use Guix tools to build packages +or otherwise access the store, and the daemon will do it on their +behalf, ensuring that the store is kept in a consistent state, and +allowing built packages to be shared among users. + +There are currently two ways to set up and run the build daemon: + +@enumerate +@item +running @command{guix-daemon} as ``root'', letting it run build +processes as unprivileged users taken from a pool of build users---this +is the historical approach; + +@item +running @command{guix-daemon} as a separate unprivileged user, relying +on Linux's @dfn{unprivileged user namespace} functionality to set up +isolated environments---this is the option chosen when installing Guix +on a systemd-based distribution with the installation script +(@pxref{Binary Installation}). +@end enumerate + +The sections below describe each of these two configurations in more +detail and summarize the kind of build isolation they provide. + +@unnumberedsubsubsec Daemon Running as Root @cindex build users When @command{guix-daemon} runs as @code{root}, you may not want package build processes themselves to run as @code{root} too, for obvious security reasons. To avoid that, a special pool of @dfn{build users} should be created for use by build processes started by the daemon. -These build users need not have a shell and a home directory: they will -just be used when the daemon drops @code{root} privileges in build -processes. Having several such users allows the daemon to launch +Having several such users allows the daemon to launch distinct build processes under separate UIDs, which guarantees that they do not interfere with each other---an essential feature since builds are regarded as pure functions (@pxref{Introduction}). @@ -977,11 +996,45 @@ Build Environment Setup # guix-daemon --build-users-group=guixbuild @end example +In this setup, @file{/gnu/store} is owned by @code{root}. + +@unnumberedsubsubsec Daemon Running Without Privileges + +@cindex rootless build daemon +@cindex unprivileged build daemon +@cindex build daemon, unprivileged +The second and preferred option is to run @command{guix-daemon} +@emph{as an unprivileged user}. It has the advantage of reducing the +harm that can be done should a build process manage to exploit a +vulnerability in the daemon. This option requires the use of Linux's +unprivileged user namespace mechanism; today it is available and enabled +by most GNU/Linux distributions but can still be disabled. The +installation script automatically determines whether this option is +available on your system (@pxref{Binary Installation}). + +When using this option, you only need to create one user account, and +@command{guix-daemon} will run with the authority of that account: + +@example +# groupadd --system guix-daemon +# useradd -g guix-daemon -G guix-daemon \ + -d /var/empty -s $(which nologin) \ + -c "Guix daemon privilege separation user" \ + --system guix-daemon +@end example + +In this configuration, @file{/gnu/store} is owned by the +@code{guix-daemon} user. + +@unnumberedsubsubsec The Isolated Build Environment + @cindex chroot -@noindent -This way, the daemon starts build processes in a chroot, under one of -the @code{guixbuilder} users. On GNU/Linux, by default, the chroot -environment contains nothing but: +@cindex build environment isolation +@cindex isolated build environment +@cindex hermetic build environment +In both cases, the daemon starts build processes without privileges in +an @emph{isolated} or @emph{hermetic} build environment---a ``chroot''. +On GNU/Linux, by default, the build environment contains nothing but: @c Keep this list in sync with libstore/build.cc! ----------------------- @itemize @@ -1015,7 +1068,7 @@ Build Environment Setup @file{/homeless-shelter}. This helps to highlight inappropriate uses of @env{HOME} in the build scripts of packages. -All this usually enough to ensure details of the environment do not +All this is usually enough to ensure details of the environment do not influence build processes. In some exceptional cases where more control is needed---typically over the date, kernel, or CPU---you can resort to a virtual build machine (@pxref{build-vm, virtual build machines}). @@ -1035,14 +1088,6 @@ Build Environment Setup for fixed-output derivations (@pxref{Derivations}) or for substitutes (@pxref{Substitutes}). -If you are installing Guix as an unprivileged user, it is still possible -to run @command{guix-daemon} provided you pass @option{--disable-chroot}. -However, build processes will not be isolated from one another, and not -from the rest of the system. Thus, build processes may interfere with -each other, and may access programs, libraries, and other files -available on the system---making it much harder to view them as -@emph{pure} functions. - @node Daemon Offload Setup @subsection Using the Offload Facility @@ -1567,10 +1612,17 @@ Invoking guix-daemon @item --disable-chroot Disable chroot builds. -Using this option is not recommended since, again, it would allow build -processes to gain access to undeclared dependencies. It is necessary, -though, when @command{guix-daemon} is running under an unprivileged user -account. +@quotation Warning +Using this option is not recommended since it allows build processes to +gain access to undeclared dependencies, to interfere with one another, +and more generally to do anything that can be done with the authority of +build users or that of the daemon---which includes at least the ability +to tamper with any file in the store! + +You may find it necessary, though, when support for Linux unprivileged +user namespaces is missing (@pxref{Build Environment Setup}). Use at +your own risk! +@end quotation @item --log-compression=@var{type} Compress build logs according to @var{type}, one of @code{gzip}, diff --git a/guix/substitutes.scm b/guix/substitutes.scm index 7ca55788d5..86b9f5472a 100644 --- a/guix/substitutes.scm +++ b/guix/substitutes.scm @@ -79,7 +79,7 @@ (define %narinfo-cache-directory ;; time, 'guix substitute' is called by guix-daemon as root and stores its ;; cached data in /var/guix/…. However, when invoked from 'guix challenge' ;; as a user, it stores its cache in ~/.cache. - (if (zero? (getuid)) + (if (getenv "_NIX_OPTIONS") ;invoked by guix-daemon (or (and=> (getenv "XDG_CACHE_HOME") (cut string-append <> "/guix/substitute")) (string-append %state-directory "/substitute/cache")) diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc index c8b778362a..2261ef3c2a 100644 --- a/nix/libstore/build.cc +++ b/nix/libstore/build.cc @@ -744,6 +744,10 @@ private: friend int childEntry(void *); + /* Pipe to notify readiness to the child process when using unprivileged + user namespaces. */ + Pipe readiness; + /* Check that the derivation outputs all exist and register them as valid. */ void registerOutputs(); @@ -1619,6 +1623,24 @@ int childEntry(void * arg) } +/* UID and GID of the build user inside its own user namespace. */ +static const uid_t guestUID = 30001; +static const gid_t guestGID = 30000; + +/* Initialize the user namespace of CHILD. */ +static void initializeUserNamespace(pid_t child, + uid_t hostUID = getuid(), + gid_t hostGID = getgid()) +{ + writeFile("/proc/" + std::to_string(child) + "/uid_map", + (format("%d %d 1") % guestUID % hostUID).str()); + + writeFile("/proc/" + std::to_string(child) + "/setgroups", "deny"); + + writeFile("/proc/" + std::to_string(child) + "/gid_map", + (format("%d %d 1") % guestGID % hostGID).str()); +} + void DerivationGoal::startBuilder() { auto f = format( @@ -1682,7 +1704,7 @@ void DerivationGoal::startBuilder() then an attacker could create in it a hardlink to a root-owned file such as /etc/shadow. If 'keepFailed' is true, the daemon would then chown that hardlink to the user, giving them write access to - that file. */ + that file. See CVE-2021-27851. */ tmpDir += "/top"; if (mkdir(tmpDir.c_str(), 0700) == 1) throw SysError("creating top-level build directory"); @@ -1799,7 +1821,7 @@ void DerivationGoal::startBuilder() if (mkdir(chrootRootDir.c_str(), 0750) == -1) throw SysError(format("cannot create ‘%1%’") % chrootRootDir); - if (chown(chrootRootDir.c_str(), 0, buildUser.getGID()) == -1) + if (buildUser.enabled() && chown(chrootRootDir.c_str(), 0, buildUser.getGID()) == -1) throw SysError(format("cannot change ownership of ‘%1%’") % chrootRootDir); /* Create a writable /tmp in the chroot. Many builders need @@ -1818,8 +1840,8 @@ void DerivationGoal::startBuilder() (format( "nixbld:x:%1%:%2%:Nix build user:/:/noshell\n" "nobody:x:65534:65534:Nobody:/:/noshell\n") - % (buildUser.enabled() ? buildUser.getUID() : getuid()) - % (buildUser.enabled() ? buildUser.getGID() : getgid())).str()); + % (buildUser.enabled() ? buildUser.getUID() : guestUID) + % (buildUser.enabled() ? buildUser.getGID() : guestGID)).str()); /* Declare the build user's group so that programs get a consistent view of the system (e.g., "id -gn"). */ @@ -1854,7 +1876,7 @@ void DerivationGoal::startBuilder() createDirs(chrootStoreDir); chmod_(chrootStoreDir, 01775); - if (chown(chrootStoreDir.c_str(), 0, buildUser.getGID()) == -1) + if (buildUser.enabled() && chown(chrootStoreDir.c_str(), 0, buildUser.getGID()) == -1) throw SysError(format("cannot change ownership of ‘%1%’") % chrootStoreDir); foreach (PathSet::iterator, i, inputPaths) { @@ -1960,14 +1982,36 @@ void DerivationGoal::startBuilder() if (useChroot) { char stack[32 * 1024]; int flags = CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWIPC | CLONE_NEWUTS | SIGCHLD; - if (!fixedOutput) flags |= CLONE_NEWNET; + if (!fixedOutput) { + flags |= CLONE_NEWNET; + } + if (!buildUser.enabled() || getuid() != 0) { + flags |= CLONE_NEWUSER; + readiness.create(); + } + /* Ensure proper alignment on the stack. On aarch64, it has to be 16 bytes. */ - pid = clone(childEntry, + pid = clone(childEntry, (char *)(((uintptr_t)stack + sizeof(stack) - 8) & ~(uintptr_t)0xf), flags, this); - if (pid == -1) - throw SysError("cloning builder process"); + if (pid == -1) { + if ((flags & CLONE_NEWUSER) != 0 && getuid() != 0) + /* 'clone' fails with EPERM on distros where unprivileged user + namespaces are disabled. Error out instead of giving up on + isolation. */ + throw SysError("cannot create process in unprivileged user namespace"); + else + throw SysError("cloning builder process"); + } + + readiness.readSide.close(); + if ((flags & CLONE_NEWUSER) != 0) { + /* Initialize the UID/GID mapping of the child process. */ + initializeUserNamespace(pid); + writeFull(readiness.writeSide, (unsigned char*)"go\n", 3); + } + readiness.writeSide.close(); } else #endif { @@ -2013,23 +2057,37 @@ void DerivationGoal::runChild() _writeToStderr = 0; + if (readiness.writeSide >= 0) readiness.writeSide.close(); + + if (readiness.readSide >= 0) { + /* Wait for the parent process to initialize the UID/GID mapping + of our user namespace. */ + char str[20] = { '\0' }; + readFull(readiness.readSide, (unsigned char*)str, 3); + readiness.readSide.close(); + if (strcmp(str, "go\n") != 0) + throw Error("failed to initialize process in unprivileged user namespace"); + } + restoreAffinity(); commonChildInit(builderOut); #if CHROOT_ENABLED if (useChroot) { - /* Initialise the loopback interface. */ - AutoCloseFD fd(socket(PF_INET, SOCK_DGRAM, IPPROTO_IP)); - if (fd == -1) throw SysError("cannot open IP socket"); + if (!fixedOutput) { + /* Initialise the loopback interface. */ + AutoCloseFD fd(socket(PF_INET, SOCK_DGRAM, IPPROTO_IP)); + if (fd == -1) throw SysError("cannot open IP socket"); - struct ifreq ifr; - strcpy(ifr.ifr_name, "lo"); - ifr.ifr_flags = IFF_UP | IFF_LOOPBACK | IFF_RUNNING; - if (ioctl(fd, SIOCSIFFLAGS, &ifr) == -1) - throw SysError("cannot set loopback interface flags"); + struct ifreq ifr; + strcpy(ifr.ifr_name, "lo"); + ifr.ifr_flags = IFF_UP | IFF_LOOPBACK | IFF_RUNNING; + if (ioctl(fd, SIOCSIFFLAGS, &ifr) == -1) + throw SysError("cannot set loopback interface flags"); - fd.close(); + fd.close(); + } /* Set the hostname etc. to fixed values. */ char hostname[] = "localhost"; @@ -2180,6 +2238,27 @@ void DerivationGoal::runChild() /* Remount root as read-only. */ if (mount("/", "/", 0, MS_BIND | MS_REMOUNT | MS_RDONLY, 0) == -1) throw SysError(format("read-only remount of build root '%1%' failed") % chrootRootDir); + + if (getuid() != 0) { + /* Create a new mount namespace to "lock" previous mounts. + See mount_namespaces(7). */ + auto uid = getuid(); + auto gid = getgid(); + + if (unshare(CLONE_NEWNS | CLONE_NEWUSER) == -1) + throw SysError(format("creating new user and mount namespaces")); + + initializeUserNamespace(getpid(), uid, gid); + + /* Check that mounts within the build environment are "locked" + together and cannot be separated from within the build + environment namespace. Since + umount(2) is documented to fail with EINVAL when attempting + to unmount one of the mounts that are locked together, + check that this is what we get. */ + int ret = umount(tmpDirInSandbox.c_str()); + assert(ret == -1 && errno == EINVAL); + } } #endif @@ -2262,6 +2341,7 @@ void DerivationGoal::runChild() writeFull(STDERR_FILENO, "\n"); /* Execute the program. This should not return. */ + string builderBasename; if (isBuiltin(drv)) { try { logType = ltFlat; @@ -2285,11 +2365,28 @@ void DerivationGoal::runChild() writeFull(STDERR_FILENO, "error: " + string(e.what()) + "\n"); _exit(1); } - } + } else { + /* Ensure that the builder is within the store. This prevents + users from using /proc/self/exe (or a symlink to it) as their + builder, which could allow them to overwrite the guix-daemon + binary (CVE-2019-5736). + + This attack is possible even if the target of /proc/self/exe is + outside the chroot (it's as if it were a hard link), though it + requires that its ELF interpreter and dependencies be in the + chroot. + + Note: 'canonPath' throws if 'drv.builder' cannot be resolved + within the chroot. */ + builderBasename = baseNameOf(drv.builder); + drv.builder = canonPath(drv.builder, true); + + if (!isInStore(drv.builder)) + throw Error(format("derivation builder '%1%' is outside the store") % drv.builder); + } /* Fill in the arguments. */ Strings args; - string builderBasename = baseNameOf(drv.builder); args.push_back(builderBasename); foreach (Strings::iterator, i, drv.args) args.push_back(rewriteHashes(*i, rewritesToTmp)); @@ -2476,8 +2573,16 @@ void DerivationGoal::registerOutputs() if (buildMode == bmRepair) replaceValidPath(path, actualPath); else - if (buildMode != bmCheck && rename(actualPath.c_str(), path.c_str()) == -1) - throw SysError(format("moving build output `%1%' from the chroot to the store") % path); + if (buildMode != bmCheck) { + if (S_ISDIR(st.st_mode)) + /* Change mode on the directory to allow for + rename(2). */ + chmod(actualPath.c_str(), st.st_mode | 0700); + if (rename(actualPath.c_str(), path.c_str()) == -1) + throw SysError(format("moving build output `%1%' from the chroot to the store") % path); + if (S_ISDIR(st.st_mode) && chmod(path.c_str(), st.st_mode) == -1) + throw SysError(format("restoring permissions on directory `%1%'") % actualPath); + } } if (buildMode != bmCheck) actualPath = path; } @@ -2736,16 +2841,46 @@ void DerivationGoal::deleteTmpDir(bool force) // Change the ownership if clientUid is set. Never change the // ownership or the group to "root" for security reasons. if (settings.clientUid != (uid_t) -1 && settings.clientUid != 0) { - _chown(tmpDir, settings.clientUid, - settings.clientGid != 0 ? settings.clientGid : -1); + uid_t uid = settings.clientUid; + gid_t gid = settings.clientGid != 0 ? settings.clientGid : -1; + bool reown = false; + + /* First remove setuid/setgid bits. */ + secureFilePerms(tmpDir); + + try { + _chown(tmpDir, uid, gid); + + if (getuid() != 0) { + /* If, without being root, the '_chown' call above + succeeded, then it means we have CAP_CHOWN. Retake + ownership of tmpDir itself so it can be renamed + below. */ + reown = true; + } + + } catch (SysError & e) { + /* When running as an unprivileged user and without + CAP_CHOWN, we cannot chown the build tree. Print a + message and keep going. */ + printMsg(lvlInfo, format("cannot change ownership of build directory '%1%': %2%") + % tmpDir % strerror(e.errNo)); + } if (top != tmpDir) { + if (reown) chown(tmpDir.c_str(), getuid(), getgid()); + // Rename tmpDir to its parent, with an intermediate step. string pivot = top + ".pivot"; if (rename(top.c_str(), pivot.c_str()) == -1) throw SysError("pivoting failed build tree"); if (rename((pivot + "/top").c_str(), top.c_str()) == -1) throw SysError("renaming failed build tree"); + + if (reown) + /* Running unprivileged but with CAP_CHOWN. */ + chown(top.c_str(), uid, gid); + rmdir(pivot.c_str()); } } diff --git a/nix/libstore/local-store.cc b/nix/libstore/local-store.cc index 0883a4bbce..83e6c3e16e 100644 --- a/nix/libstore/local-store.cc +++ b/nix/libstore/local-store.cc @@ -1614,11 +1614,19 @@ void LocalStore::createUser(const std::string & userName, uid_t userId) { auto dir = settings.nixStateDir + "/profiles/per-user/" + userName; - createDirs(dir); - if (chmod(dir.c_str(), 0755) == -1) - throw SysError(format("changing permissions of directory '%s'") % dir); - if (chown(dir.c_str(), userId, -1) == -1) - throw SysError(format("changing owner of directory '%s'") % dir); + auto created = createDirs(dir); + if (!created.empty()) { + if (chmod(dir.c_str(), 0755) == -1) + throw SysError(format("changing permissions of directory '%s'") % dir); + + /* The following operation requires CAP_CHOWN or can be handled + manually by a user with CAP_CHOWN. */ + if (chown(dir.c_str(), userId, -1) == -1) { + rmdir(dir.c_str()); + string message = strerror(errno); + printMsg(lvlInfo, format("failed to change owner of directory '%1%' to %2%: %3%") % dir % userId % message); + } + } } diff --git a/tests/derivations.scm b/tests/derivations.scm index 72ea9aa9cc..b0b151dd33 100644 --- a/tests/derivations.scm +++ b/tests/derivations.scm @@ -858,6 +858,20 @@ (define* (directory-contents dir #:optional (slurp get-bytevector-all)) (call-with-input-file (derivation->output-path drv) get-string-all)))) +(test-assert "builder is outside the store" + ;; Ensure that attempts to build derivations whose builder is outside the + ;; store are rejected. This is a protection against attacks similar to + ;; CVE-2019-5736, which abuse the fact that /proc/self/exe can be opened + ;; even when it presents itself as a symlink to a file not in the chroot. + (let* ((builder (add-file-tree-to-store %store + `("builder" symlink "/proc/self/exe"))) + (drv (derivation %store "attempt-to-run-guix-daemon" builder '() + #:env-vars + '(("LD_PRELOAD" . "attacker-controlled.so"))))) + (guard (c ((store-protocol-error? c) c)) + (build-derivations %store (list drv)) + #f))) + (define %coreutils (false-if-exception From patchwork Sun Mar 23 14:25:01 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40735 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 9059F27BBEA; Sun, 23 Mar 2025 14:26:44 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 6657827BBE2 for ; Sun, 23 Mar 2025 14:26:44 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1twMHK-00032R-U9; Sun, 23 Mar 2025 10:26:18 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1twMHI-00031Q-UF for guix-patches@gnu.org; Sun, 23 Mar 2025 10:26:17 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1twMHI-0005Vl-L9 for guix-patches@gnu.org; Sun, 23 Mar 2025 10:26:16 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; bh=wZDaJpSBiec4HWURn73Fvz7bhdz1AmvaDkV9vu9Mxas=; b=shCv6bNb/ZzKdPKMNUAFsLvf5hqGG4Npx2ZrNTbA+AUHp2z+8FT/Ce5knpmfxMlLcT6eW0PRtpLSQmVf/BI/XOn3TlyVtL5T/pa6HQRyO2m9FRn8taD4C7LVrmNVPV7ZCJ6qJ8mOi08Zs67ZZlYIkARKPeHZ7a6zhuy4QdCMRpx9mM8T1d/b+Mow1flozR9Gc+l9gxWUy+7ZcfD06hIq+1VqdFhh3+OpoSXOkC1131OeRZ3HSsYEIRSMcdUIKqyHFhG6PO4i7RS3penXR71ex/mSQr2UFNAXo7t8lf12/KHjqZTVqTjolg1X0lm5ixpKAU0zJrBa751WnSTh6kpPCA==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1twMHI-0005Ym-FT for guix-patches@gnu.org; Sun, 23 Mar 2025 10:26:16 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#75810] [PATCH v8 08/16] daemon: Create /var/guix/profiles/per-user unconditionally. Resent-From: Ludovic =?utf-8?q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Sun, 23 Mar 2025 14:26:16 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 75810 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 75810@debbugs.gnu.org Cc: Ludovic =?utf-8?q?Court=C3=A8s?= Received: via spool by 75810-submit@debbugs.gnu.org id=B75810.174273997221316 (code B ref 75810); Sun, 23 Mar 2025 14:26:16 +0000 Received: (at 75810) by debbugs.gnu.org; 23 Mar 2025 14:26:12 +0000 Received: from localhost ([127.0.0.1]:51885 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1twMHD-0005XS-NV for submit@debbugs.gnu.org; Sun, 23 Mar 2025 10:26:12 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:43758) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1twMGm-0005Qy-Ds for 75810@debbugs.gnu.org; Sun, 23 Mar 2025 10:25:47 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1twMGg-0005Sa-Oq; Sun, 23 Mar 2025 10:25:38 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:References:In-Reply-To:Date:Subject:To: From; bh=wZDaJpSBiec4HWURn73Fvz7bhdz1AmvaDkV9vu9Mxas=; b=jYLCfniuJCpvrDoUzkAG pRd3U8YKuIK9mKyJFfefwjCywQ5dLkq/RZ8NIRm4IEMEmBLAMDsIbgB+RakeqrrxqfkP1zZ5a2WI7 b8xLT8ONUYBTpUPitilTUnyEGmM4tE2wkmMx/mmqx+sd3ZFzGacD1WJNoS9QZs8ooT9rhmzwUD898 wiUhGOaOrQB6YXszuQxp22/hUT8WGQ4ptLreM8C64IWMalaIBCilVkNopwzfl9lTHJxfwsTgzGEyx dGP6wYxt/IYXSYm10Q/YjEZi9qiWbmMTJ38V2G+lkG5l0ZpYtRX4zbGkxoAriQHztcc8ZnYECWpbU oMVDElBdw5TCdw==; From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Sun, 23 Mar 2025 15:25:01 +0100 Message-ID: <873abbe1f3ccd790863ffd5687fe2cf7a7ce2ddb.1742739609.git.ludo@gnu.org> X-Mailer: git-send-email 2.48.1 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * nix/libstore/local-store.cc (LocalStore::LocalStore): Create ‘perUserDir’ unconditionally. Change-Id: I5188320f9630a81d16f79212d0fffabd55d94abe --- nix/libstore/local-store.cc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/nix/libstore/local-store.cc b/nix/libstore/local-store.cc index 83e6c3e16e..f6540c2117 100644 --- a/nix/libstore/local-store.cc +++ b/nix/libstore/local-store.cc @@ -79,12 +79,12 @@ LocalStore::LocalStore(bool reserveSpace) createSymlink(profilesDir, gcRootsDir + "/profiles"); } - /* Optionally, create directories and set permissions for a - multi-user install. */ + Path perUserDir = profilesDir + "/per-user"; + createDirs(perUserDir); + + /* Optionally, set permissions for a multi-user install. */ if (getuid() == 0 && settings.buildUsersGroup != "") { - Path perUserDir = profilesDir + "/per-user"; - createDirs(perUserDir); if (chmod(perUserDir.c_str(), 0755) == -1) throw SysError(format("could not set permissions on '%1%' to 755") % perUserDir); From patchwork Sun Mar 23 14:25:02 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40742 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 3043427BBEA; Sun, 23 Mar 2025 14:27:07 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id DF92127BBE2 for ; Sun, 23 Mar 2025 14:27:06 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1twMHL-00032Y-5j; Sun, 23 Mar 2025 10:26:19 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1twMHJ-00031b-Fo for guix-patches@gnu.org; Sun, 23 Mar 2025 10:26:17 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1twMHJ-0005Vs-7G for guix-patches@gnu.org; Sun, 23 Mar 2025 10:26:17 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; bh=U3v3fYAuoQqLs93JmUwgaxkOX0JVF6jrRPGFH1U/hX0=; b=qtfra8ZVefcQSjGMavxAX2T85VvhC0M5UlU30jzmoQSRgZ6MelkMbIamQaFvWiVFmM3c02XS2F8vJ2UOf8gaMS3wDcHstlumBqsLsiakw184XEaH67oVUH+37CO4vM5fhDfl/dy5YQtPTxtClKoc7n0f0E53No8+rzmnlMprKv2XevV0cY3VwSkYgJJPc1lyQcm0GrbyMQMA6ReWiUqsMn8twleP8wuhDvtVkyfCWaCGBcQ+nhpxW3h3+3uBaY75SwegZQbNa+2IANi8BS76214guwD8+Z5gfsV+fbVnNvZO/CboMVQCM9PSQY4QqI4WSpBsdF5QtvnIkwA/FUFZ6g==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1twMHJ-0005Z0-2t for guix-patches@gnu.org; Sun, 23 Mar 2025 10:26:17 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#75810] [PATCH v8 09/16] daemon: Drop Linux ambient capabilities before executing builder. Resent-From: Ludovic =?utf-8?q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Sun, 23 Mar 2025 14:26:17 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 75810 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 75810@debbugs.gnu.org Cc: Ludovic =?utf-8?q?Court=C3=A8s?= Received: via spool by 75810-submit@debbugs.gnu.org id=B75810.174273997321332 (code B ref 75810); Sun, 23 Mar 2025 14:26:17 +0000 Received: (at 75810) by debbugs.gnu.org; 23 Mar 2025 14:26:13 +0000 Received: from localhost ([127.0.0.1]:51888 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1twMHE-0005Xl-Jz for submit@debbugs.gnu.org; Sun, 23 Mar 2025 10:26:13 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:41142) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1twMGr-0005S1-9R for 75810@debbugs.gnu.org; Sun, 23 Mar 2025 10:25:50 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1twMGl-0005St-U4; Sun, 23 Mar 2025 10:25:43 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:References:In-Reply-To:Date:Subject:To: From; bh=U3v3fYAuoQqLs93JmUwgaxkOX0JVF6jrRPGFH1U/hX0=; b=saG3XjlQT7VxKHjxNkLN xUW7yO3lAkMcP8e8NgrgWfXVNYJVukyuT1OmnGXyWd/gL535zXflkajS2RWu270KXB7did8L1vbfD 9nZiG8lWpY5lO4ikI/fGV2EMhUVVDk0ErCEWG4Jy6rkOWOeXt/YPDBpH8hTbwjx1YkjBJMA7Rxvi1 gp8IYb0rBigAGPxbZqgQBFZWc/jSL4MVkX8jCoNHVqgEnxRr0DwL08xxcL87nkao7d0ftBv5h/TDK VqR3oh63KS3pIOF0/eM9NdnxQS93eJl7sDpesz5kOJrdlu1qflyzmnuvQ6aJFHuYg9v5vNFGJbhVs je7uC2BQU1GoxA==; From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Sun, 23 Mar 2025 15:25:02 +0100 Message-ID: <1f78a4e32f35bed8822b512187e9f4bf8507130c.1742739609.git.ludo@gnu.org> X-Mailer: git-send-email 2.48.1 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * config-daemon.ac: Check for . * nix/libstore/build.cc (DerivationGoal::runChild): When ‘useChroot’ is true, call ‘prctl’ to drop all ambient capabilities. Change-Id: If34637fc508e5fb6d278167f5df7802fc595284f --- config-daemon.ac | 2 +- nix/libstore/build.cc | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/config-daemon.ac b/config-daemon.ac index 4e949bc88a..35d9c8cd56 100644 --- a/config-daemon.ac +++ b/config-daemon.ac @@ -79,7 +79,7 @@ if test "x$guix_build_daemon" = "xyes"; then dnl Chroot support. AC_CHECK_FUNCS([chroot unshare]) AC_CHECK_HEADERS([sched.h sys/param.h sys/mount.h sys/syscall.h \ - linux/close_range.h]) + linux/close_range.h sys/prctl.h]) if test "x$ac_cv_func_chroot" != "xyes"; then AC_MSG_ERROR(['chroot' function missing, bailing out]) diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc index 2261ef3c2a..e6a139eb0d 100644 --- a/nix/libstore/build.cc +++ b/nix/libstore/build.cc @@ -50,6 +50,9 @@ #if HAVE_SCHED_H #include #endif +#if HAVE_SYS_PRCTL_H +#include +#endif #define CHROOT_ENABLED HAVE_CHROOT && HAVE_SYS_MOUNT_H && defined(MS_BIND) && defined(MS_PRIVATE) @@ -2075,6 +2078,12 @@ void DerivationGoal::runChild() #if CHROOT_ENABLED if (useChroot) { +# if HAVE_SYS_PRCTL_H + /* Drop ambient capabilities such as CAP_CHOWN that might have + been granted when starting guix-daemon. */ + prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0); +# endif + if (!fixedOutput) { /* Initialise the loopback interface. */ AutoCloseFD fd(socket(PF_INET, SOCK_DGRAM, IPPROTO_IP)); From patchwork Sun Mar 23 14:25:03 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40741 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 9E26027BBEA; Sun, 23 Mar 2025 14:27:02 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 4559727BBE2 for ; Sun, 23 Mar 2025 14:27:02 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1twMHN-00033f-HG; Sun, 23 Mar 2025 10:26:21 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1twMHK-00032D-0N for guix-patches@gnu.org; Sun, 23 Mar 2025 10:26:18 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1twMHJ-0005W1-Np for guix-patches@gnu.org; Sun, 23 Mar 2025 10:26:17 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; bh=ebgNbSiSau1G/26jNpSDxHX+Q5HhMImSR1l/nH8CqFI=; b=sTJRD/qw+VMiVq7kuCqwSKxbmQDzbAuH+veMzWw8dI+h31W322e6Ab/+i/P1mkTOwnT1PmuHGViSwOn/oq1LGyjBITc+rNpR9pmmodsBwpGILD6WgT+RE+PYVmtnkvvzW6YMW2BLi8T/l0HvFUXxxxmGQI8rD+XwYKe6krts3xvTpZO1os/XMpGvCNWE3TeA5+Om9LaG03NEShW5ouKvW0BAmTnV+nOMxT1t4YFH3PZG22+Kmta0/B5rFqRTpTTAzjP9kFm6JbF8YGNIy6gPsligWSlT/vcf4K7GOHveq2kwTR683nMsRkJyAinN8dbjoStcYZ/mfmYGFW5xUIRtNQ==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1twMHJ-0005Z7-H8 for guix-patches@gnu.org; Sun, 23 Mar 2025 10:26:17 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#75810] [PATCH v8 10/16] daemon: Move comments where they belong. Resent-From: Ludovic =?utf-8?q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Sun, 23 Mar 2025 14:26:17 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 75810 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 75810@debbugs.gnu.org Cc: Ludovic =?utf-8?q?Court=C3=A8s?= Received: via spool by 75810-submit@debbugs.gnu.org id=B75810.174273997421346 (code B ref 75810); Sun, 23 Mar 2025 14:26:17 +0000 Received: (at 75810) by debbugs.gnu.org; 23 Mar 2025 14:26:14 +0000 Received: from localhost ([127.0.0.1]:51891 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1twMHF-0005Y1-Aj for submit@debbugs.gnu.org; Sun, 23 Mar 2025 10:26:13 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:41150) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1twMGs-0005ST-8W for 75810@debbugs.gnu.org; Sun, 23 Mar 2025 10:25:51 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1twMGm-0005T7-Ss; Sun, 23 Mar 2025 10:25:44 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:References:In-Reply-To:Date:Subject:To: From; bh=ebgNbSiSau1G/26jNpSDxHX+Q5HhMImSR1l/nH8CqFI=; b=lh3YUwIA3A7sMrLqqaAo KYdhu1mMFJRo3m/nEnnHkCun4sAK7G8RMGaG072xgKQ0feWPE1gJi7DLZcmDsT0hXze2Dp3+bppGN JSs6++jE1IhdjNxKIoGPDomA5QrM0KY4YENrl+3jTcl20/o3AREpYTKuTFqMYbIgMCJ2oD35XfSSM PhrloEAy0dZDXM7Jh0GGgtNWW2M4ciKLqJ1SeStzyCODu7qL7GgcrQoxWbjQi5N+RgJDdR0axTK// X4Us9G+/VVBv0JhETcP9JGaikijhYyE7jWwqWyo1vaurZs7ejNWBUMQcjx+PaP+PMuulslKlKrzZ8 4nPiTfsKrpf/eA==; From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Sun, 23 Mar 2025 15:25:03 +0100 Message-ID: X-Mailer: git-send-email 2.48.1 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * nix/libstore/build.cc (DerivationGoal::startBuilder): Shuffle comments for clarity. Change-Id: I6557c103ade4a3ab046354548ea193c68f8c9c05 --- nix/libstore/build.cc | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc index e6a139eb0d..d0fcc99854 100644 --- a/nix/libstore/build.cc +++ b/nix/libstore/build.cc @@ -1870,18 +1870,19 @@ void DerivationGoal::startBuilder() } dirsInChroot[tmpDirInSandbox] = tmpDir; - /* Make the closure of the inputs available in the chroot, - rather than the whole store. This prevents any access - to undeclared dependencies. !!! As an extra security - precaution, make the fake store only writable by the - build user. */ + /* Create the fake store. */ Path chrootStoreDir = chrootRootDir + settings.nixStore; createDirs(chrootStoreDir); chmod_(chrootStoreDir, 01775); if (buildUser.enabled() && chown(chrootStoreDir.c_str(), 0, buildUser.getGID()) == -1) - throw SysError(format("cannot change ownership of ‘%1%’") % chrootStoreDir); + /* As an extra security precaution, make the fake store only + writable by the build user. */ + throw SysError(format("cannot change ownership of ‘%1%’") % chrootStoreDir); + /* Make the closure of the inputs available in the chroot, rather than + the whole store. This prevents any access to undeclared + dependencies. */ foreach (PathSet::iterator, i, inputPaths) { struct stat st; if (lstat(i->c_str(), &st)) From patchwork Sun Mar 23 14:25:04 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40746 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 828CB27BBEA; Sun, 23 Mar 2025 14:29:06 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 4868927BBE2 for ; Sun, 23 Mar 2025 14:29:06 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1twMJ4-0003qA-UJ; Sun, 23 Mar 2025 10:28:06 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1twMJ1-0003pb-Lr for guix-patches@gnu.org; Sun, 23 Mar 2025 10:28:04 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1twMJ1-0005jN-D9 for guix-patches@gnu.org; Sun, 23 Mar 2025 10:28:03 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; bh=VxUd1aOcvzD/pYxOxBWjge8/c0+rM0LNoWab4Huyg4s=; b=OAmoG1igK46sAlvBYupjHMsdhMTohIEzRTqAIww8bq3xKqRhrwdFOWqjmyfQnvmo6Q8A6jstkwC8u9cLeIFo+j+XPI8sQ+AWU4YO+Bh31Aub4JK0H/Lg9ZoIo/piif+wR5E2r9no6QY7lxbjrz2GmGyrJ8aONxMwSxMHT715fBdVYoDI7QGjCC/8vOt9gxPJLUcD/ebOV43VtItUAnPo79GwJS3ZXss76d8/Ep9T6rsG+rY8zbhNT30IGLf4uhTxfy5blpvCdsZIWlmEfsh/SWQLspnBUyzD1ucn7Ugz8D3PVGKd7PMENcnvvcichU3AOIx3aZCFltBvAMZU+k0DMA==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1twMJ1-0005qE-85 for guix-patches@gnu.org; Sun, 23 Mar 2025 10:28:03 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#75810] [PATCH v8 11/16] linux-container: =?utf-8?q?=E2=80=98un?= =?utf-8?q?privileged-user-namespace-supported=3F=E2=80=99?= returns #f on non-Linux. Resent-From: Ludovic =?utf-8?q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Sun, 23 Mar 2025 14:28:03 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 75810 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 75810@debbugs.gnu.org Cc: Ludovic =?utf-8?q?Court=C3=A8s?= , Reepca Russelstein Received: via spool by 75810-submit@debbugs.gnu.org id=B75810.174274007722389 (code B ref 75810); Sun, 23 Mar 2025 14:28:03 +0000 Received: (at 75810) by debbugs.gnu.org; 23 Mar 2025 14:27:57 +0000 Received: from localhost ([127.0.0.1]:51909 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1twMIt-0005ol-Bz for submit@debbugs.gnu.org; Sun, 23 Mar 2025 10:27:56 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:41158) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1twMGt-0005Sd-Lv for 75810@debbugs.gnu.org; Sun, 23 Mar 2025 10:25:53 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1twMGn-0005TK-U5; Sun, 23 Mar 2025 10:25:45 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:References:In-Reply-To:Date:Subject:To: From; bh=VxUd1aOcvzD/pYxOxBWjge8/c0+rM0LNoWab4Huyg4s=; b=Su3HxvVMAZK5ljEaMViv L1ta/0FhfUhd3lGUGrXNcw1yqQ83DAeK2j0w0yPjif+zVXpGxmnUvMRBUEFNJIvB2xmC69r/XkXvp iA+GEMrgdNYxiQ3gY6kgP5WjVmr7/jZYjaEPS6zpRKsNk1F2f41cb6whOypsf83SCXx5UjrNhhbxx Zzhz0icIsFVre3WvLgcfgYM3JKcTkc2HOa2BEJdIg3EX1iGS2YL4XLwxNofD1dMIr8GlNA3aGGNH+ gF/aEMbERBD887adXM46ircWbzpp+c7MYZK4AI+JAsRXFdFwwqr9iFxe7FLB34Skqs7/ous4AuoD/ yqe+bA9eMNjvWA==; From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Sun, 23 Mar 2025 15:25:04 +0100 Message-ID: <12613de1aa1c0a772ce26b7dc4e484b80a17ffa8.1742739609.git.ludo@gnu.org> X-Mailer: git-send-email 2.48.1 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches Previously this procedure would return #t on non-Linux systems. * gnu/build/linux-container.scm (unprivileged-user-namespace-supported?): When USERNS-FILE doesn’t exist, return (user-namespace-supported?). Reported-by: Reepca Russelstein Change-Id: I92050338b8b68bc3bd87100317eba69fcdf14a0a --- gnu/build/linux-container.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnu/build/linux-container.scm b/gnu/build/linux-container.scm index 5c303da8c8..a5c5d8962e 100644 --- a/gnu/build/linux-container.scm +++ b/gnu/build/linux-container.scm @@ -1,6 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2015 David Thompson -;;; Copyright © 2017-2019, 2022, 2023 Ludovic Courtès +;;; Copyright © 2017-2019, 2022-2023, 2025 Ludovic Courtès ;;; ;;; This file is part of GNU Guix. ;;; @@ -44,7 +44,7 @@ (define (unprivileged-user-namespace-supported?) (let ((userns-file "/proc/sys/kernel/unprivileged_userns_clone")) (if (file-exists? userns-file) (eqv? #\1 (call-with-input-file userns-file read-char)) - #t))) + (user-namespace-supported?)))) (define (setgroups-supported?) "Return #t if the setgroups proc file, introduced in Linux-libre 3.19, From patchwork Sun Mar 23 14:25:05 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40749 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 0458A27BBEA; Sun, 23 Mar 2025 14:29:22 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 50A8A27BBE2 for ; Sun, 23 Mar 2025 14:29:21 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1twMJ5-0003qe-IT; Sun, 23 Mar 2025 10:28:07 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1twMJ2-0003po-SQ for guix-patches@gnu.org; Sun, 23 Mar 2025 10:28:04 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1twMJ2-0005jW-Il for guix-patches@gnu.org; Sun, 23 Mar 2025 10:28:04 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; bh=YBRvQWXjylsgVtbBVxW3XKx9pa+GzHkhVRIq4Nj/yGU=; b=DudSP4aFf01ub2qCpa1J+ITh19Nbsn64CbbgYZd2ZlpEFyKylQbunKKF4OiXgTgIU25fJ5grSV8zyljKy+4HiU9YK6tdPVTv5f3HwS16xS8yPedULwEQsl1o/mU80cGjfo/rQHADLfGsFkKfqEVR4bxdMTIr+mRGkxO8sm1BXvZ3N2q81/s+uix4X8iNaZ/X/2t431nLWg5z64H2VhK1agdqDj0DZdYB5F6aKNNWDDtk/H1JEqaFh7O4Lb3XegaGs+J3R9TJDrZrmIa3+9oakqIVYtphBlbDm0lTyzoabZsLR3nTbhIKjmAi+mrKUy6vhYTvXf5tZQkPwMqKZ2RP1g==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1twMJ2-0005qY-A6 for guix-patches@gnu.org; Sun, 23 Mar 2025 10:28:04 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#75810] [PATCH v8 12/16] tests: Add missing derivation inputs. Resent-From: Ludovic =?utf-8?q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Sun, 23 Mar 2025 14:28:04 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 75810 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 75810@debbugs.gnu.org Cc: Ludovic =?utf-8?q?Court=C3=A8s?= Received: via spool by 75810-submit@debbugs.gnu.org id=B75810.174274008022428 (code B ref 75810); Sun, 23 Mar 2025 14:28:04 +0000 Received: (at 75810) by debbugs.gnu.org; 23 Mar 2025 14:28:00 +0000 Received: from localhost ([127.0.0.1]:51911 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1twMIu-0005p4-Ms for submit@debbugs.gnu.org; Sun, 23 Mar 2025 10:27:59 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:57384) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1twMGz-0005Te-Lw for 75810@debbugs.gnu.org; Sun, 23 Mar 2025 10:25:59 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1twMGs-0005Te-K7; Sun, 23 Mar 2025 10:25:52 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:References:In-Reply-To:Date:Subject:To: From; bh=YBRvQWXjylsgVtbBVxW3XKx9pa+GzHkhVRIq4Nj/yGU=; b=ePHc6sF6iHY4ajfDhqB/ H+N20GQZVdBf0/evbtHmbi7t8W1YWuU1WkzBm8AKdnxQlwRyY+G3u0RzE8cMd/qHg/Er80rLn0uzq cZVeZyzFsouMGiHfE9yyMch7iVSy3HHADpObbMYMrWQLhjlL1aL/BdZsoOjeLvSUqqHFIoZPyRzo9 d26VpcIYvsznmnR3b9a9Uo3qOJq7pbBLXQHR9XrcCDuSlFR8JBZfxex1ygS2R5ce8OWsXknyuIV2G AN8S5STvZWQPU2iieSqI3kpX8xKiQnwL6Wp/GDIE5k62lWH7JH2kGIZ9mKxGvVPrtkN68Wjkysp1a KkTXIJUVzpdWog==; From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Sun, 23 Mar 2025 15:25:05 +0100 Message-ID: X-Mailer: git-send-email 2.48.1 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches These missing inputs go unnoticed when running ‘guix-daemon --disable-chroot’ but are immediately visible otherwise. * tests/derivations.scm ("fixed-output derivation"): Add %BASH to #:sources. ("fixed-output derivation: output paths are equal"): ("fixed-output derivation, recursive"): ("derivation with a fixed-output input"): ("derivation with duplicate fixed-output inputs"): ("derivation with equivalent fixed-output inputs"): ("build derivation with coreutils"): Likewise. * tests/packages.scm (bootstrap-binary): New procedure. ("package-source-derivation, origin, sha512"): Use it instead of ‘search-bootstrap-binary’ and add BASH to #:sources. ("package-source-derivation, origin, sha3-512"): Likewise. Change-Id: I4c9087df23c47729a3aff15e9e1435b7266e36e2 --- tests/derivations.scm | 24 +++++++++++++++--------- tests/packages.scm | 13 +++++++++---- 2 files changed, 24 insertions(+), 13 deletions(-) diff --git a/tests/derivations.scm b/tests/derivations.scm index b0b151dd33..4dc7bcf1c5 100644 --- a/tests/derivations.scm +++ b/tests/derivations.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2012-2024 Ludovic Courtès +;;; Copyright © 2012-2025 Ludovic Courtès ;;; ;;; This file is part of GNU Guix. ;;; @@ -443,7 +443,7 @@ (define* (directory-contents dir #:optional (slurp get-bytevector-all)) (string-append "fixed-" (symbol->string hash-algorithm)) %bash `(,builder) - #:sources `(,builder) ;optional + #:sources (list %bash builder) #:hash hash #:hash-algo hash-algorithm))) (build-derivations %store (list drv)) @@ -462,9 +462,11 @@ (define* (directory-contents dir #:optional (slurp get-bytevector-all)) (hash (gcrypt:sha256 (string->utf8 "hello"))) (drv1 (derivation %store "fixed" %bash `(,builder1) + #:sources (list %bash builder1) #:hash hash #:hash-algo 'sha256)) (drv2 (derivation %store "fixed" %bash `(,builder2) + #:sources (list %bash builder2) #:hash hash #:hash-algo 'sha256)) (succeeded? (build-derivations %store (list drv1 drv2)))) (and succeeded? @@ -477,7 +479,7 @@ (define* (directory-contents dir #:optional (slurp get-bytevector-all)) (hash (gcrypt:sha256 (string->utf8 "hello"))) (drv (derivation %store "fixed-rec" %bash `(,builder) - #:sources (list builder) + #:sources (list %bash builder) #:hash (base32 "0sg9f58l1jj88w6pdrfdpj5x9b1zrwszk84j81zvby36q9whhhqa") #:hash-algo 'sha256 #:recursive? #t)) @@ -511,9 +513,11 @@ (define* (directory-contents dir #:optional (slurp get-bytevector-all)) (hash (gcrypt:sha256 (string->utf8 "hello"))) (fixed1 (derivation %store "fixed" %bash `(,builder1) + #:sources (list %bash builder1) #:hash hash #:hash-algo 'sha256)) (fixed2 (derivation %store "fixed" %bash `(,builder2) + #:sources (list %bash builder2) #:hash hash #:hash-algo 'sha256)) (fixed-out (derivation->output-path fixed1)) (builder3 (add-text-to-store @@ -548,9 +552,11 @@ (define* (directory-contents dir #:optional (slurp get-bytevector-all)) (hash (gcrypt:sha256 (string->utf8 "hello"))) (fixed1 (derivation %store "fixed" %bash `(,builder1) + #:sources (list %bash builder1) #:hash hash #:hash-algo 'sha256)) (fixed2 (derivation %store "fixed" %bash `(,builder2) + #:sources (list %bash builder2) #:hash hash #:hash-algo 'sha256)) (builder3 (add-text-to-store %store "builder.sh" "echo fake builder")) @@ -580,21 +586,21 @@ (define* (directory-contents dir #:optional (slurp get-bytevector-all)) '())) (hash (gcrypt:sha256 (string->utf8 "hello"))) (drv1 (derivation %store "fixed" %bash (list builder1) - #:sources (list builder1) + #:sources (list %bash builder1) #:hash hash #:hash-algo 'sha256)) (drv2 (derivation %store "fixed" %bash (list builder2) - #:sources (list builder2) + #:sources (list %bash builder2) #:hash hash #:hash-algo 'sha256)) (drv3a (derivation %store "fixed-user" %bash (list builder3) #:outputs '("one" "two") - #:sources (list builder3) + #:sources (list %bash builder3) #:inputs (list (derivation-input drv1)))) (drv3b (derivation %store "fixed-user" %bash (list builder3) #:outputs '("one" "two") - #:sources (list builder3) + #:sources (list %bash builder3) #:inputs (list (derivation-input drv2)))) (drv4 (derivation %store "fixed-user-user" %bash (list builder1) - #:sources (list builder1) + #:sources (list %bash builder1) #:inputs (list (derivation-input drv3a '("one")) (derivation-input drv3b '("two")))))) (match (derivation-inputs drv4) @@ -892,7 +898,7 @@ (define %coreutils ,(string-append (derivation->output-path %coreutils) "/bin"))) - #:sources (list builder) + #:sources (list %bash builder) #:inputs (list (derivation-input %coreutils)))) (succeeded? (build-derivations %store (list drv)))) diff --git a/tests/packages.scm b/tests/packages.scm index 50c1cab915..f56c63128d 100644 --- a/tests/packages.scm +++ b/tests/packages.scm @@ -80,6 +80,11 @@ (define %store ;; When grafting, do not add dependency on 'glibc-utf8-locales'. (%graft-with-utf8-locale? #f) +(define (bootstrap-binary name) + (let ((bin (search-bootstrap-binary name (%current-system)))) + (and %store + (add-to-store %store name #t "sha256" bin)))) + (test-begin "packages") @@ -609,14 +614,14 @@ (define %store (test-equal "package-source-derivation, origin, sha512" "hello" - (let* ((bash (search-bootstrap-binary "bash" (%current-system))) + (let* ((bash (bootstrap-binary "bash")) (builder (add-text-to-store %store "my-fixed-builder.sh" "echo -n hello > $out" '())) (method (lambda* (url hash-algo hash #:optional name #:rest rest) (and (eq? hash-algo 'sha512) (raw-derivation name bash (list builder) - #:sources (list builder) + #:sources (list bash builder) #:hash hash #:hash-algo hash-algo)))) (source (origin @@ -635,14 +640,14 @@ (define %store (test-equal "package-source-derivation, origin, sha3-512" "hello, sha3" - (let* ((bash (search-bootstrap-binary "bash" (%current-system))) + (let* ((bash (bootstrap-binary "bash")) (builder (add-text-to-store %store "my-fixed-builder.sh" "echo -n hello, sha3 > $out" '())) (method (lambda* (url hash-algo hash #:optional name #:rest rest) (and (eq? hash-algo 'sha3-512) (raw-derivation name bash (list builder) - #:sources (list builder) + #:sources (list bash builder) #:hash hash #:hash-algo hash-algo)))) (source (origin From patchwork Sun Mar 23 14:25:06 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40744 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 02B9827BBEA; Sun, 23 Mar 2025 14:28:34 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id E54B227BBE2 for ; Sun, 23 Mar 2025 14:28:32 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1twMJ7-0003rR-KF; Sun, 23 Mar 2025 10:28:09 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1twMJ4-0003q9-SP for guix-patches@gnu.org; Sun, 23 Mar 2025 10:28:06 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1twMJ4-0005jh-IX for guix-patches@gnu.org; Sun, 23 Mar 2025 10:28:06 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; bh=46sXtSC4BF2MFB1vCWkw8ErjEqxl/gPSRof2zzVtuu0=; b=ey7P05E/oeoS9FaRKoI2VB398fm28+0ZPcbIHSBQnYIzKMkwXSlj16e7HnGABBHxYy9i4H6qJjn5wh8A6HvUBPPRz3AnmRXV+AB/EUGtR8pox9AHAWkEkVdOhoGqBwul3OP1n1c13hg193swSC0lNOuc7FzPATwzX7BHqHcBZcFXKGheLHx9gCnhxRgyAtotERyBg590Ee0zYck+U2HaU5w7hus2WqqCBFilhlqb1P1rd0ogQuxPjhK0prbLv9vwgNLndbhSnmuJO4HGmccKu2aheiktzwQN8BHq8aOZMTrERmefZFVWixGs5lJ3Pnqpz28ArBZ+Q/aAmwtIO5kNfA==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1twMJ4-0005r9-6Z for guix-patches@gnu.org; Sun, 23 Mar 2025 10:28:06 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#75810] [PATCH v8 13/16] tests: Run in a chroot and unprivileged user namespaces. Resent-From: Ludovic =?utf-8?q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Sun, 23 Mar 2025 14:28:05 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 75810 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 75810@debbugs.gnu.org Cc: Ludovic =?utf-8?q?Court=C3=A8s?= Received: via spool by 75810-submit@debbugs.gnu.org id=B75810.174274008322470 (code B ref 75810); Sun, 23 Mar 2025 14:28:05 +0000 Received: (at 75810) by debbugs.gnu.org; 23 Mar 2025 14:28:03 +0000 Received: from localhost ([127.0.0.1]:51913 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1twMIy-0005pf-25 for submit@debbugs.gnu.org; Sun, 23 Mar 2025 10:28:03 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:57396) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1twMH1-0005Tw-JE for 75810@debbugs.gnu.org; Sun, 23 Mar 2025 10:26:06 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1twMGu-0005Tl-Ds; Sun, 23 Mar 2025 10:25:54 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:References:In-Reply-To:Date:Subject:To: From; bh=46sXtSC4BF2MFB1vCWkw8ErjEqxl/gPSRof2zzVtuu0=; b=Y3ioKBm7XaQA0jhaeh/2 IRm4cNs5w6B0B8ZqM36c9vlB7G7QkQKm9bBRUmEAPyKZu4c7g0/V6zTOSEivTgCVhjVGnzUgkIAIq TYgAncz41Z4MfaFvBj7dbl2melFlqEGyY6SOjImhAfbnJOmV1TEqhhDGua7SgxcH3ByZ49m397eu/ bqgfGbqOGN7eFTLt9n8PA0yPEl/h00eEjVFCLe9DU5bk6AaT4UnQPdh41YYK9M70Hep9hbss1M/AV XYSVjGRCkgVCp96GHkhoNRAp/B+LTTQeIe27bcf25CmpPIBQKvoUEDE3vfSU36b+ML46vvCWqwpAa jUan0ocE9qXuJg==; From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Sun, 23 Mar 2025 15:25:06 +0100 Message-ID: X-Mailer: git-send-email 2.48.1 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * build-aux/test-env.in: Pass ‘--disable-chroot’ only when unprivileged user namespace support is lacking and warn in that case. * tests/store.scm ("build-things, check mode"): Use ‘gettimeofday’ rather than a shared file as a source of entropy. ("symlink is symlink") ("isolated environment", "inputs are read-only") ("inputs cannot be remounted read-write") ("build root cannot be made world-readable") ("/tmp, store, and /dev/{null,full} are writable") ("network is unreachable"): New tests. * tests/processes.scm ("client + lock"): Skip when ‘unprivileged-user-namespace-supported?’ returns true. Change-Id: I3b3c3ebdf6db5fd36ee70251d07b893c17ca1b84 --- build-aux/test-env.in | 18 ++- tests/processes.scm | 9 +- tests/store.scm | 247 ++++++++++++++++++++++++++++++++++++------ 3 files changed, 236 insertions(+), 38 deletions(-) diff --git a/build-aux/test-env.in b/build-aux/test-env.in index 9caa29da58..86c2e585d7 100644 --- a/build-aux/test-env.in +++ b/build-aux/test-env.in @@ -1,7 +1,7 @@ #!/bin/sh # GNU Guix --- Functional package management for GNU -# Copyright © 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2021 Ludovic Courtès +# Copyright © 2012-2019, 2021, 2025 Ludovic Courtès # # This file is part of GNU Guix. # @@ -102,10 +102,24 @@ then rm -rf "$GUIX_STATE_DIRECTORY/daemon-socket" mkdir -m 0700 "$GUIX_STATE_DIRECTORY/daemon-socket" + # If unprivileged user namespaces are not supported, pass + # '--disable-chroot'. + if [ -f /proc/self/ns/user ] \ + && { [ ! -f /proc/sys/kernel/unprivileged_userns_clone ] \ + || [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" -eq 1 ]; } + then + extra_options="" + else + extra_options="--disable-chroot" + echo "unprivileged user namespaces not supported; \ +running 'guix-daemon $extra_options'" >&2 + fi + # Launch the daemon without chroot support because is may be # unavailable, for instance if we're not running as root. "@abs_top_builddir@/pre-inst-env" \ - "@abs_top_builddir@/guix-daemon" --disable-chroot \ + "@abs_top_builddir@/guix-daemon" \ + $extra_options \ --substitute-urls="$GUIX_BINARY_SUBSTITUTE_URL" & daemon_pid=$! diff --git a/tests/processes.scm b/tests/processes.scm index ba518f2d9e..a72ba16f58 100644 --- a/tests/processes.scm +++ b/tests/processes.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2018 Ludovic Courtès +;;; Copyright © 2018, 2025 Ludovic Courtès ;;; Copyright © 2019 Mathieu Othacehe ;;; ;;; This file is part of GNU Guix. @@ -25,6 +25,8 @@ (define-module (test-processes) #:use-module (guix gexp) #:use-module ((guix utils) #:select (call-with-temporary-directory)) #:use-module (gnu packages bootstrap) + #:use-module ((gnu build linux-container) + #:select (unprivileged-user-namespace-supported?)) #:use-module (guix tests) #:use-module (srfi srfi-1) #:use-module (srfi srfi-64) @@ -84,6 +86,11 @@ (define-syntax-rule (test-assert* description exp) (and (kill (process-id daemon) 0) (string-suffix? "guix-daemon" (first (process-command daemon))))))) +(when (unprivileged-user-namespace-supported?) + ;; The test below assumes the build process can communicate with the outside + ;; world via the TOKEN1 and TOKEN2 files, which is impossible when + ;; guix-daemon is set up to build in separate namespaces. + (test-skip 1)) (test-assert* "client + lock" (with-store store (call-with-temporary-directory diff --git a/tests/store.scm b/tests/store.scm index 45948f4f43..b1ddff2082 100644 --- a/tests/store.scm +++ b/tests/store.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2012-2021, 2023 Ludovic Courtès +;;; Copyright © 2012-2021, 2023, 2025 Ludovic Courtès ;;; ;;; This file is part of GNU Guix. ;;; @@ -28,8 +28,12 @@ (define-module (test-store) #:use-module (guix base32) #:use-module (guix packages) #:use-module (guix derivations) + #:use-module ((guix modules) + #:select (source-module-closure)) #:use-module (guix serialization) #:use-module (guix build utils) + #:use-module ((gnu build linux-container) + #:select (unprivileged-user-namespace-supported?)) #:use-module (guix gexp) #:use-module (gnu packages) #:use-module (gnu packages bootstrap) @@ -391,6 +395,188 @@ (define %shell (equal? (valid-derivers %store o) (list (derivation-file-name d)))))) +(test-assert "symlink is symlink" + (let* ((a (add-text-to-store %store "hello.txt" (random-text))) + (b (build-expression->derivation + %store "symlink" + '(symlink (assoc-ref %build-inputs "a") %output) + #:inputs `(("a" ,a)))) + (c (build-expression->derivation + %store "symlink-reference" + `(call-with-output-file %output + (lambda (port) + ;; Check that B is indeed visible as a symlink. This should + ;; always be the case, both in the '--disable-chroot' and in + ;; the user namespace setups. + (pk 'stat (lstat (assoc-ref %build-inputs "b"))) + (display (readlink (assoc-ref %build-inputs "b")) + port))) + #:inputs `(("b" ,b))))) + (and (build-derivations %store (list c)) + (string=? (call-with-input-file (derivation->output-path c) + get-string-all) + a)))) + +(unless (unprivileged-user-namespace-supported?) + (test-skip 1)) +(test-equal "isolated environment" + (string-join (append + '("PID: 1" "UID: 30001") + (delete-duplicates + (sort (list "/dev" "/tmp" "/proc" "/etc" + (match (string-tokenize (%store-prefix) + (char-set-complement + (char-set #\/))) + ((top _ ...) (string-append "/" top)))) + string $out")) + (s (add-to-store %store "bash" #t "sha256" + (search-bootstrap-binary "bash" + (%current-system)))) + (d (derivation %store "the-thing" + s `("-e" ,b) + #:env-vars `(("foo" . ,(random-text))) + #:sources (list b s))) + (o (derivation->output-path d))) + (and (build-derivations %store (list d)) + (call-with-input-file o get-string-all)))) + +(unless (unprivileged-user-namespace-supported?) + (test-skip 1)) +(test-equal "inputs are read-only" + "All good!" + (let* ((input (plain-file (string-append "might-be-tampered-with-" + (number->string + (car (gettimeofday)) + 16)) + "All good!")) + (drv + (run-with-store %store + (gexp->derivation + "attempt-to-write-to-input" + (with-imported-modules (source-module-closure + '((guix build syscalls))) + #~(begin + (use-modules (guix build syscalls)) + + (let ((input #$input)) + (chmod input #o666) + (call-with-output-file input + (lambda (port) + (display "BAD!" port))) + (mkdir #$output)))))))) + (and (guard (c ((store-protocol-error? c) #t)) + (build-derivations %store (list drv))) + (call-with-input-file (run-with-store %store + (lower-object input)) + get-string-all)))) + +(unless (unprivileged-user-namespace-supported?) + (test-skip 1)) +(test-assert "inputs cannot be remounted read-write" + (let ((drv + (run-with-store %store + (gexp->derivation + "attempt-to-remount-input-read-write" + (with-imported-modules (source-module-closure + '((guix build syscalls))) + #~(begin + (use-modules (guix build syscalls)) + + (let ((input #$(plain-file "input-that-might-be-tampered-with" + "All good!"))) + (mount "none" input "none" (logior MS_BIND MS_REMOUNT)) + (call-with-output-file input + (lambda (port) + (display "BAD!" port))) + (mkdir #$output)))))))) + (guard (c ((store-protocol-error? c) #t)) + (build-derivations %store (list drv)) + #f))) + +(unless (unprivileged-user-namespace-supported?) + (test-skip 1)) +(test-assert "build root cannot be made world-readable" + (let ((drv + (run-with-store %store + (gexp->derivation + "attempt-to-make-root-world-readable" + (with-imported-modules (source-module-closure + '((guix build syscalls))) + #~(begin + (use-modules (guix build syscalls)) + + (catch 'system-error + (lambda () + (chmod "/" #o777)) + (lambda args + (format #t "failed to make root writable: ~a~%" + (strerror (system-error-errno args))) + (format #t "attempting read-write remount~%") + (mount "none" "/" "/" (logior MS_BIND MS_REMOUNT)) + (chmod "/" #o777))) + + ;; At this point, the build process could create a + ;; world-readable setuid binary under its root (so in the + ;; store) that would remain visible until the build + ;; completes. + (mkdir #$output))))))) + (guard (c ((store-protocol-error? c) #t)) + (build-derivations %store (list drv)) + #f))) + +(unless (unprivileged-user-namespace-supported?) + (test-skip 1)) +(test-assert "/tmp, store, and /dev/{null,full} are writable" + ;; All of /tmp and all of the store must be writable (the store is writable + ;; so that derivation outputs can be written to it, but in practice it's + ;; always been wide open). Things like /dev/null must be writable too. + (let ((drv (run-with-store %store + (gexp->derivation + "check-tmp-and-store-are-writable" + #~(begin + (mkdir "/tmp/something") + (mkdir (in-vicinity (getenv "NIX_STORE") + "some-other-thing")) + (call-with-output-file "/dev/null" + (lambda (port) + (display "Welcome to the void." port))) + (catch 'system-error + (lambda () + (call-with-output-file "/dev/full" + (lambda (port) + (display "No space left!" port))) + (error "Should have thrown!")) + (lambda args + (unless (= ENOSPC (system-error-errno args)) + (apply throw args)))) + (mkdir #$output)))))) + (build-derivations %store (list drv)))) + +(unless (unprivileged-user-namespace-supported?) + (test-skip 1)) +(test-assert "network is unreachable" + (let ((drv (run-with-store %store + (gexp->derivation + "check-network-unreachable" + #~(let ((check-connection-failure + (lambda (address expected-code) + (let ((s (socket AF_INET SOCK_STREAM 0))) + (catch 'system-error + (lambda () + (connect s AF_INET (inet-pton AF_INET address) 80)) + (lambda args + (let ((errno (system-error-errno args))) + (unless (= expected-code errno) + (error "wrong error code" + errno (strerror errno)))))))))) + (check-connection-failure "127.0.0.1" ECONNREFUSED) + (check-connection-failure "9.9.9.9" ENETUNREACH) + (mkdir #$output)))))) + (build-derivations %store (list drv)))) + (test-equal "with-build-handler" 'success (let* ((b (add-text-to-store %store "build" "echo $foo > $out" '())) @@ -1333,40 +1519,31 @@ (define %shell (test-assert "build-things, check mode" (with-store store - (call-with-temporary-output-file - (lambda (entropy entropy-port) - (write (random-text) entropy-port) - (force-output entropy-port) - (let* ((drv (build-expression->derivation - store "non-deterministic" - `(begin - (use-modules (rnrs io ports)) - (let ((out (assoc-ref %outputs "out"))) - (call-with-output-file out - (lambda (port) - ;; Rely on the fact that tests do not use the - ;; chroot, and thus ENTROPY is readable. - (display (call-with-input-file ,entropy - get-string-all) - port))) - #t)) - #:guile-for-build - (package-derivation store %bootstrap-guile (%current-system)))) - (file (derivation->output-path drv))) - (and (build-things store (list (derivation-file-name drv))) - (begin - (write (random-text) entropy-port) - (force-output entropy-port) - (guard (c ((store-protocol-error? c) - (pk 'determinism-exception c) - (and (not (zero? (store-protocol-error-status c))) - (string-contains (store-protocol-error-message c) - "deterministic")))) - ;; This one will produce a different result. Since we're in - ;; 'check' mode, this must fail. - (build-things store (list (derivation-file-name drv)) - (build-mode check)) - #f)))))))) + (let* ((drv (build-expression->derivation + store "non-deterministic" + `(begin + (use-modules (rnrs io ports)) + (let ((out (assoc-ref %outputs "out"))) + (call-with-output-file out + (lambda (port) + (let ((now (gettimeofday))) + (display (+ (car now) (cdr now)) port)))) + #t)) + #:guile-for-build + (package-derivation store %bootstrap-guile (%current-system)))) + (file (derivation->output-path drv))) + (and (build-things store (list (derivation-file-name drv))) + (begin + (guard (c ((store-protocol-error? c) + (pk 'determinism-exception c) + (and (not (zero? (store-protocol-error-status c))) + (string-contains (store-protocol-error-message c) + "deterministic")))) + ;; This one will produce a different result. Since we're in + ;; 'check' mode, this must fail. + (build-things store (list (derivation-file-name drv)) + (build-mode check)) + #f)))))) (test-assert "build-succeeded trace in check mode" (string-contains From patchwork Sun Mar 23 14:25:07 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40747 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 9FD3327BBEA; Sun, 23 Mar 2025 14:29:09 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 47ADF27BBE2 for ; Sun, 23 Mar 2025 14:29:09 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1twMJ8-0003rw-QD; Sun, 23 Mar 2025 10:28:10 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1twMJ6-0003qu-L5 for guix-patches@gnu.org; Sun, 23 Mar 2025 10:28:08 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1twMJ6-0005jr-67 for guix-patches@gnu.org; Sun, 23 Mar 2025 10:28:08 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; bh=Ngm8ANKAcfFhwlcmZn793WD7YKtaQddq8o8d6i84570=; b=RocW3uUIQqQZ5f2icubPkdyuJQG+r6TPnm9FbcXdoB7Errx5ki/T6dXMAQyl8a2PeDyeQ/q3MIsXu0cAqu5MPU2ilFxFtBB2p4OyVF3rbJFXsbAZiJim4mPvw8dgieTM+BF4tJFcAwombviMifcEGwa8EdI2ZVvRdoeUQF5+Keq1g8+WmmgPID4R8uktmPAisiKqSdKGQRTOH0MSVlqsPWoGSqwKu3UHwqgl5UGIP1eDcTjjIlI1MJYZ1+9Qm9HhcvnV0efukziaWo3+aG63XLsP5LdazjxlX7faOYMnXQMtq5K8pSxa0Kd51rs6v5bhBv6w3WNJSla4XOCmmEdA0Q==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1twMJ5-0005rS-Tm for guix-patches@gnu.org; Sun, 23 Mar 2025 10:28:07 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#75810] [PATCH v8 14/16] etc: systemd services: Run =?utf-8?b?4oCYZ3VpeC1kYWVtb27igJk=?= as an unprivileged user. Resent-From: Ludovic =?utf-8?q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Sun, 23 Mar 2025 14:28:07 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 75810 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 75810@debbugs.gnu.org Cc: Ludovic =?utf-8?q?Court=C3=A8s?= Received: via spool by 75810-submit@debbugs.gnu.org id=B75810.174274008522491 (code B ref 75810); Sun, 23 Mar 2025 14:28:07 +0000 Received: (at 75810) by debbugs.gnu.org; 23 Mar 2025 14:28:05 +0000 Received: from localhost ([127.0.0.1]:51916 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1twMJ1-0005qM-GX for submit@debbugs.gnu.org; Sun, 23 Mar 2025 10:28:04 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:51914) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1twMH8-0005VA-MC for 75810@debbugs.gnu.org; Sun, 23 Mar 2025 10:26:09 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1twMH0-0005UB-BN; Sun, 23 Mar 2025 10:26:00 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:References:In-Reply-To:Date:Subject:To: From; bh=Ngm8ANKAcfFhwlcmZn793WD7YKtaQddq8o8d6i84570=; b=KFFUHXnuvvtJnMREdp9g chBrl5nXmEWkUIif/iZss45jEjSFljNNLx5jvwuKA6jST1Dd8shlHxrCWornV6Yq1TT+x0zP+ow8a gUj34TNgfb3i2LUsMI+AlxIPwKF9YIcgcNnOUfsP41of8/xuMiILgyYBW2p153TwoVED7ZFqDCTex GoCMhQ2eoFrIzvM2/0rhXE7NccLJ2hopCASoWsYP5Vdn2D8UtgHbAHJOGNgZMULTgtskkdx4UH7wN SXfRgGAPyAPho0R/yRUBOJbws6XGuc8lA9DlQzca7YC0HCPOcXhlMzDtdFYrwuk570AysdpgQ2ww7 TbxBKV2NhKwsoA==; From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Sun, 23 Mar 2025 15:25:07 +0100 Message-ID: X-Mailer: git-send-email 2.48.1 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * etc/guix-daemon.service.in (ExecStart): Remove ‘--build-users-group’. (Environment): Add ‘GUIX_STATE_DIRECTORY’. (Before, User, AmbientCapabilities, PrivateMounts, BindPaths): New fields. * etc/gnu-store.mount.in (Before): Remove. (WantedBy): Change to ‘multi-user.target’. Change-Id: Id826b8ab535844b6024d777f6bd15fd49db6d65e --- etc/gnu-store.mount.in | 3 +-- etc/guix-daemon.service.in | 22 ++++++++++++++++++++-- 2 files changed, 21 insertions(+), 4 deletions(-) diff --git a/etc/gnu-store.mount.in b/etc/gnu-store.mount.in index c94f2db72b..f9918c9e52 100644 --- a/etc/gnu-store.mount.in +++ b/etc/gnu-store.mount.in @@ -2,10 +2,9 @@ Description=Read-only @storedir@ for GNU Guix DefaultDependencies=no ConditionPathExists=@storedir@ -Before=guix-daemon.service [Install] -WantedBy=guix-daemon.service +WantedBy=multi-user.target [Mount] What=@storedir@ diff --git a/etc/guix-daemon.service.in b/etc/guix-daemon.service.in index 5c43d9b7f1..6a5ef97f9b 100644 --- a/etc/guix-daemon.service.in +++ b/etc/guix-daemon.service.in @@ -5,11 +5,29 @@ [Unit] Description=Build daemon for GNU Guix +# Start before 'gnu-store.mount' to get a writable view of the store. +Before=gnu-store.mount + [Service] ExecStart=@localstatedir@/guix/profiles/per-user/root/current-guix/bin/guix-daemon \ - --build-users-group=guixbuild --discover=no \ + --discover=no \ --substitute-urls='@GUIX_SUBSTITUTE_URLS@' -Environment='GUIX_LOCPATH=@localstatedir@/guix/profiles/per-user/root/guix-profile/lib/locale' LC_ALL=en_US.utf8 +Environment='GUIX_STATE_DIRECTORY=@localstatedir@/guix' 'GUIX_LOCPATH=@localstatedir@/guix/profiles/per-user/root/guix-profile/lib/locale' LC_ALL=en_US.utf8 + +# Run under a dedicated unprivileged user account. +User=guix-daemon + +# Bind-mount the store read-write in a private namespace, to counter the +# effect of 'gnu-store.mount'. +PrivateMounts=true +BindPaths=@storedir@ + +# Provide the CAP_CHOWN capability so that guix-daemon can create and chown +# /var/guix/profiles/per-user/$USER and also chown failed build directories +# when using '--keep-failed'. Note that guix-daemon explicitly drops ambient +# capabilities before executing build processes so they don't inherit them. +AmbientCapabilities=CAP_CHOWN + StandardOutput=journal StandardError=journal From patchwork Sun Mar 23 14:25:08 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40745 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 5810A27BBEA; Sun, 23 Mar 2025 14:29:00 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id CD17627BBE2 for ; Sun, 23 Mar 2025 14:28:59 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1twMJB-0003sY-0i; Sun, 23 Mar 2025 10:28:13 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1twMJA-0003sO-7Q for guix-patches@gnu.org; Sun, 23 Mar 2025 10:28:12 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1twMJ9-0005kH-Tx for guix-patches@gnu.org; Sun, 23 Mar 2025 10:28:11 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; bh=U9fQ0OTjBRU5j/IE3K+dWpDNxDzyNub8ZawVN/rMOKM=; b=MLXWqUvF1wELX3ib1wSoSFG1WGuObSleWVR7s3nyig+pBnZ9FzTGtWb1FqINan87YHc6hdy8zKMJUS8qzRUXQYj5sX8jEqeLZdOe/KpH2dhtXcEfdiikImtjNuRyjLX3uM8oa3DkEUgvefirJJrFVmvPGlqr3MACpWBOAFhoIktdqx8lbNQK/eazRRoOmEkRU1W3CSeVFy9+f/1jiOLwbqdBcxij7E6RJvJOy9KcRG/VoCDy+RGiRHa47P0hE7Ut8QXAinNRiy1BKkdSo/2rYLwXhBypDC9f4IkBuCMfPeKmYx++hv4ftMT/O/NK5eiZ9XLdYVxIYm4WYeuHHy4Crg==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1twMJ9-0005sV-Lq for guix-patches@gnu.org; Sun, 23 Mar 2025 10:28:11 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#75810] [PATCH v8 15/16] guix-install.sh: Support the unprivileged daemon where possible. Resent-From: Ludovic =?utf-8?q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Sun, 23 Mar 2025 14:28:11 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 75810 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 75810@debbugs.gnu.org Cc: Ludovic =?utf-8?q?Court=C3=A8s?= Received: via spool by 75810-submit@debbugs.gnu.org id=B75810.174274008822546 (code B ref 75810); Sun, 23 Mar 2025 14:28:11 +0000 Received: (at 75810) by debbugs.gnu.org; 23 Mar 2025 14:28:08 +0000 Received: from localhost ([127.0.0.1]:51921 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1twMJ3-0005r1-QY for submit@debbugs.gnu.org; Sun, 23 Mar 2025 10:28:08 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:51920) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1twMHB-0005Vk-At for 75810@debbugs.gnu.org; Sun, 23 Mar 2025 10:26:12 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1twMH4-0005UO-P9; Sun, 23 Mar 2025 10:26:03 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:References:In-Reply-To:Date:Subject:To: From; bh=U9fQ0OTjBRU5j/IE3K+dWpDNxDzyNub8ZawVN/rMOKM=; b=c07AiUCcZSpLLStn4xel +4oJNUybB32AzJAFsESBXDsdJprE+OIdICphHPK8KGYW1AwjEs8fQNEJIogvCXbzzIsiS+Dc0854o exg5PkrH88NWRA4vocjAh7duTDq6F1kEaML5ffRZQtHWjpHdR2L/Xvvd+XwAEUKrCw2bjQ/oeuSQ9 dSdJK5Ct2oAGvBl+VH3UlkR67mdISXCfSHzmf3yHoNkDwfe3mfj0OwQJCqj9kMxp1k7KtHLF07b0T bXNju8gLQEqhRjyISftMmPXYAn/9ccRwDLlRtO/PSBZdGmZfxgxEsr0+g4JZ3tY6GoedwvdP71G87 KNHHgbAV2qbU8Q==; From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Sun, 23 Mar 2025 15:25:08 +0100 Message-ID: X-Mailer: git-send-email 2.48.1 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * etc/guix-install.sh (create_account): New function. (sys_create_build_user): Use it. When ‘guix-daemon.service’ contains “User=guix-daemon” only create the ‘guix-daemon’ user and group. (sys_delete_build_user): Delete the ‘guix-daemon’ user and group. (can_install_unprivileged_daemon): New function. (sys_create_store): When installing the unprivileged daemon, change ownership of /gnu and /var/guix, and create /var/log/guix. (sys_authorize_build_farms): When the ‘guix-daemon’ account exists, change ownership of /etc/guix. Change-Id: I73e573f1cc5c0cb3794aaaa6b576616b66e0c5e9 --- etc/guix-install.sh | 124 +++++++++++++++++++++++++++++++++++--------- 1 file changed, 99 insertions(+), 25 deletions(-) diff --git a/etc/guix-install.sh b/etc/guix-install.sh index 8887204df4..b5d833cd64 100755 --- a/etc/guix-install.sh +++ b/etc/guix-install.sh @@ -414,6 +414,11 @@ sys_create_store() cd "$tmp_path" _msg_info "Installing /var/guix and /gnu..." # Strip (skip) the leading ‘.’ component, which fails on read-only ‘/’. + # + # TODO: Eventually extract with ‘--owner=guix-daemon’ when installing + # and unprivileged guix-daemon service; for now, this script may install + # from both an old release that does not support unprivileged guix-daemon + # and a new release that does, so ‘chown -R’ later if needed. tar --extract --strip-components=1 --file "$pkg" -C / _msg_info "Linking the root user's profile" @@ -441,38 +446,95 @@ sys_delete_store() rm -rf ~root/.config/guix } +create_account() +{ + local user="$1" + local group="$2" + local supplementary_groups="$3" + local comment="$4" + + if id "$user" &>/dev/null; then + _msg_info "user '$user' is already in the system, reset" + usermod -g "$group" -G "$supplementary_groups" \ + -d /var/empty -s "$(which nologin)" \ + -c "$comment" "$user" + else + useradd -g "$group" -G "$supplementary_groups" \ + -d /var/empty -s "$(which nologin)" \ + -c "$comment" --system "$user" + _msg_pass "user added <$user>" + fi +} + +install_unprivileged_daemon() +{ # Return true when installing guix-daemon running without privileges. + [ "$INIT_SYS" = systemd ] && \ + grep -q "User=guix-daemon" \ + ~root/.config/guix/current/lib/systemd/system/guix-daemon.service +} + sys_create_build_user() { # Create the group and user accounts for build users. _debug "--- [ ${FUNCNAME[0]} ] ---" - if getent group guixbuild > /dev/null; then - _msg_info "group guixbuild exists" - else - groupadd --system guixbuild - _msg_pass "group created" - fi - if getent group kvm > /dev/null; then _msg_info "group kvm exists and build users will be added to it" local KVMGROUP=,kvm fi - for i in $(seq -w 1 10); do - if id "guixbuilder${i}" &>/dev/null; then - _msg_info "user is already in the system, reset" - usermod -g guixbuild -G guixbuild"$KVMGROUP" \ - -d /var/empty -s "$(which nologin)" \ - -c "Guix build user $i" \ - "guixbuilder${i}"; - else - useradd -g guixbuild -G guixbuild"$KVMGROUP" \ - -d /var/empty -s "$(which nologin)" \ - -c "Guix build user $i" --system \ - "guixbuilder${i}"; - _msg_pass "user added " - fi - done + if install_unprivileged_daemon + then + _msg_info "installing guix-daemon to run as an unprivileged user" + + # Installing guix-daemon to run as a non-root user requires + # unprivileged user namespaces. + if [ -f /proc/sys/kernel/unprivileged_userns_clone ] \ + && [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" -ne 1 ] + then + echo 1 > /proc/sys/kernel/unprivileged_userns_clone || \ + _err "failed to enable unprivileged user namespaces" + + _msg_warn "Unprivileged user namespaces were disabled and have been enabled now." + _msg_warn "This Linux feature is required by guix-daemon. To enable it permanently, run:" + _msg_warn ' echo 1 > /proc/sys/kernel/unprivileged_userns_clone' + _msg_warn "from the relevant startup script." + fi + + + if getent group guix-daemon > /dev/null; then + _msg_info "group guix-daemon exists" + else + groupadd --system guix-daemon + _msg_pass "group guix-daemon created" + fi + + create_account guix-daemon guix-daemon \ + guix-daemon$KVMGROUP \ + "Unprivileged Guix Daemon User" + + # ‘tar xf’ creates root:root files. Change that. + chown -R guix-daemon:guix-daemon /gnu /var/guix + chown -R root:root /var/guix/profiles/per-user/root + + # The unprivileged daemon cannot create the log directory by itself. + mkdir -p /var/log/guix + chown guix-daemon:guix-daemon /var/log/guix + chmod 755 /var/log/guix + else + if getent group guixbuild > /dev/null; then + _msg_info "group guixbuild exists" + else + groupadd --system guixbuild + _msg_pass "group created" + fi + + for i in $(seq -w 1 10); do + create_account "guixbuilder${i}" "guixbuild" \ + "guixbuild${KVMGROUP}" \ + "Guix build user $i" + done + fi } sys_delete_build_user() @@ -487,6 +549,14 @@ sys_delete_build_user() if getent group guixbuild &>/dev/null; then groupdel -f guixbuild fi + + _msg_info "remove guix-daemon user" + if id guix-daemon &>/dev/null; then + userdel -f guix-daemon + fi + if getent group guix-daemon &>/dev/null; then + groupdel -f guix-daemon + fi } sys_enable_guix_daemon() @@ -529,11 +599,11 @@ sys_enable_guix_daemon() # Install after guix-daemon.service to avoid a harmless warning. # systemd .mount units must be named after the target directory. - # Here we assume a hard-coded name of /gnu/store. - install_unit gnu-store.mount + install_unit gnu-store.mount systemctl daemon-reload && - systemctl start guix-daemon; } && + systemctl start guix-daemon && + systemctl start gnu-store.mount; } && _msg_pass "enabled Guix daemon via systemd" ;; sysv-init) @@ -654,6 +724,10 @@ project's build farms?"; then && guix archive --authorize < "$key" \ && _msg_pass "Authorized public key for $host" done + if id guix-daemon &>/dev/null; then + # /etc/guix/acl must be readable by the unprivileged guix-daemon. + chown -R guix-daemon:guix-daemon /etc/guix + fi else _msg_info "Skipped authorizing build farm public keys" fi From patchwork Sun Mar 23 14:25:09 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40743 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 6A07027BBEA; Sun, 23 Mar 2025 14:28:15 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id D95DA27BBE2 for ; Sun, 23 Mar 2025 14:28:14 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1twMJ9-0003s1-1H; Sun, 23 Mar 2025 10:28:11 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1twMJ8-0003rT-3D for guix-patches@gnu.org; Sun, 23 Mar 2025 10:28:10 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1twMJ7-0005k5-Pa for guix-patches@gnu.org; Sun, 23 Mar 2025 10:28:09 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; bh=95fteRD36rhp7YkKTPLzRc4VZ+H5LLsxsIm4c2D4ykA=; b=UE5V3qa/6jCMJckC5EgpmQ1hcq/34doaAT0ow5Tt8pNvpbs7FHnvc1JTvQgeVpezYnYA7zQpjTXcWJAuaJZ9DWNTSLBfZ+zv2ybRspN7Var7mtUArsUNGNV16ccRRVizie+olbKe+NiWk5qOmg728a93Ce6MNJbYCJk4eZwBoCh9K+J9QnqgAUHm7mX17Vl9AzaQMyYOwywVQGOSV9DPhd7BgrbiUCOeDLUnWwc4eYcleiDjRG3F1tvz7CGTjn3A7PbQNMcialsRSsUKVNzb+vtB0udSkd4Ajrw76O2haALqByL5uRSpjLnyKOl5A7AxCaiPiecsK9uElT90gMQHbg==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1twMJ7-0005rt-Fp for guix-patches@gnu.org; Sun, 23 Mar 2025 10:28:09 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#75810] [PATCH v8 16/16] DRAFT gnu: guix: Update to c9c7f87. Resent-From: Ludovic =?utf-8?q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Sun, 23 Mar 2025 14:28:09 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 75810 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 75810@debbugs.gnu.org Cc: Ludovic =?utf-8?q?Court=C3=A8s?= Received: via spool by 75810-submit@debbugs.gnu.org id=B75810.174274008622511 (code B ref 75810); Sun, 23 Mar 2025 14:28:09 +0000 Received: (at 75810) by debbugs.gnu.org; 23 Mar 2025 14:28:06 +0000 Received: from localhost ([127.0.0.1]:51919 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1twMJ2-0005qg-Hn for submit@debbugs.gnu.org; Sun, 23 Mar 2025 10:28:05 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:51924) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1twMHB-0005Vs-Kq for 75810@debbugs.gnu.org; Sun, 23 Mar 2025 10:26:11 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1twMH6-0005UW-88; Sun, 23 Mar 2025 10:26:04 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:References:In-Reply-To:Date:Subject:To: From; bh=95fteRD36rhp7YkKTPLzRc4VZ+H5LLsxsIm4c2D4ykA=; b=RcXy+ow29j43dJHfnqZo qjrjUHjB25Cuz2WOVENusPdsPJi5UlNBXOa1Y4tz7+HUc7eBrUdEl/m2sguDFU1to174ce8SGDjjI I25qxM0c08BfhAr48AhVEktDCZTVyiS8m2p8iKkHqB57vu2vgh4ltZbAgeqgDjdDzqh/S7wBLXJwj vZfi5zuEU7+HSjZiD9CyKAKYh+TOq09fzolPanhBbkeZx25L8WbaUgxsHfSqB1wIbBTBqmYIU9wSU uzPtIG3RJgra0OEtKYg6nyoakqsZnqM31J4e7ai9Jr9q2UxpQiI4WmfWDUlBHPw/OXYBnna5ZGt/l 3JMiytAX2gFEPw==; From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Sun, 23 Mar 2025 15:25:09 +0100 Message-ID: <15405c40e8b1e93777de94fd9203d4f412ae96a8.1742739609.git.ludo@gnu.org> X-Mailer: git-send-email 2.48.1 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches DRAFT: Temporary commit. * gnu/packages/package-management.scm (guix): Update to c9c7f87. Change-Id: Iec7bdb412f5a2779d90a8c95582d2e59bd178b35 --- gnu/packages/package-management.scm | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/gnu/packages/package-management.scm b/gnu/packages/package-management.scm index 099c9ea67d..af3673469f 100644 --- a/gnu/packages/package-management.scm +++ b/gnu/packages/package-management.scm @@ -179,8 +179,8 @@ (define-public guix ;; Note: the 'update-guix-package.scm' script expects this definition to ;; start precisely like this. (let ((version "1.4.0") - (commit "5058b40aba825ab6e7b9e518dd1147d1e35fd7de") - (revision 34)) + (commit "c9c7f8753008d12bcd71b7f0fbe2132bdbcb4f5a") + (revision 35)) (package (name "guix") @@ -196,7 +196,7 @@ (define-public guix (commit commit))) (sha256 (base32 - "04vk4lslcd6h22yj5pxvb1pdyyxd8421gjfyvyb1bl3xn7c77246")) + "1l03pgc3587cpjqnfqw4l3bqhxlqn26i63jcxvgi43dfans7krgz")) (file-name (string-append "guix-" version "-checkout")))) (build-system gnu-build-system) (arguments