about summary refs log tree commit diff
diff options
context:
space:
mode:
authorEelco Dolstra <edolstra@gmail.com>2017-05-30T11·55+0200
committerEelco Dolstra <edolstra@gmail.com>2017-05-30T11·59+0200
commit2ac99a32dab0d2ea59cb9e926f6d6d5b7ef638c6 (patch)
tree44acf2a20f958ab8d1fe465aa392b2984ae95b3e
parentd798349ede3d6eb6e92a2e4f95f6b2179407ceb9 (diff)
Add a seccomp rule to disallow setxattr()
-rw-r--r--src/libstore/build.cc10
1 files changed, 9 insertions, 1 deletions
diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index 09cc2709ab79..0a10efaed1d6 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -2315,8 +2315,8 @@ void setupSeccomp()
         seccomp_arch_add(ctx, SCMP_ARCH_X86) != 0)
         throw SysError("unable to add 32-bit seccomp architecture");
 
+    /* Prevent builders from creating setuid/setgid binaries. */
     for (int perm : { S_ISUID, S_ISGID }) {
-        // TODO: test chmod and fchmod.
         if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(chmod), 1,
                 SCMP_A1(SCMP_CMP_MASKED_EQ, perm, perm)) != 0)
             throw SysError("unable to add seccomp rule");
@@ -2330,6 +2330,14 @@ void setupSeccomp()
             throw SysError("unable to add seccomp rule");
     }
 
+    /* Prevent builders from creating EAs or ACLs. Not all filesystems
+       support these, and they're not allowed in the Nix store because
+       they're not representable in the NAR serialisation. */
+    if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOTSUP), SCMP_SYS(setxattr), 0) != 0 ||
+        seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOTSUP), SCMP_SYS(lsetxattr), 0) != 0 ||
+        seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOTSUP), SCMP_SYS(fsetxattr), 0) != 0)
+        throw SysError("unable to add seccomp rule");
+
     if (seccomp_load(ctx) != 0)
         throw SysError("unable to load seccomp BPF program");
 #endif