diff options
author | Eelco Dolstra <edolstra@gmail.com> | 2017-07-04T13·43+0200 |
---|---|---|
committer | Eelco Dolstra <edolstra@gmail.com> | 2017-07-04T13·48+0200 |
commit | 6cf23c3e8fa12e6bf297ca87d1b47889bf115d52 (patch) | |
tree | ee3a793b215fc0d1cca59034a61171b19c1aa77b /src/libstore | |
parent | ad8b96f1f2c80bf3f91ceab4d955aa368b7c85d4 (diff) |
Add allow-new-privileges option
This allows builds to call setuid binaries. This was previously possible until we started using seccomp. Turns out that seccomp by default disallows processes from acquiring new privileges. Generally, any use of setuid binaries (except those created by the builder itself) is by definition impure, but some people were relying on this ability for certain tests. Example: $ nix build '(with import <nixpkgs> {}; runCommand "foo" {} "/run/wrappers/bin/ping -c 1 8.8.8.8; exit 1")' --no-allow-new-privileges builder for ‘/nix/store/j0nd8kv85hd6r4kxgnwzvr0k65ykf6fv-foo.drv’ failed with exit code 1; last 2 log lines: cannot raise the capability into the Ambient set : Operation not permitted $ nix build '(with import <nixpkgs> {}; runCommand "foo" {} "/run/wrappers/bin/ping -c 1 8.8.8.8; exit 1")' --allow-new-privileges builder for ‘/nix/store/j0nd8kv85hd6r4kxgnwzvr0k65ykf6fv-foo.drv’ failed with exit code 1; last 6 log lines: PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data. 64 bytes from 8.8.8.8: icmp_seq=1 ttl=46 time=15.2 ms Fixes #1429.
Diffstat (limited to 'src/libstore')
-rw-r--r-- | src/libstore/build.cc | 3 | ||||
-rw-r--r-- | src/libstore/globals.hh | 6 |
2 files changed, 9 insertions, 0 deletions
diff --git a/src/libstore/build.cc b/src/libstore/build.cc index f40a8c5498ee..355fb3b7dfe5 100644 --- a/src/libstore/build.cc +++ b/src/libstore/build.cc @@ -2340,6 +2340,9 @@ void setupSeccomp() seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOTSUP), SCMP_SYS(fsetxattr), 0) != 0) throw SysError("unable to add seccomp rule"); + if (seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, settings.allowNewPrivileges ? 0 : 1) != 0) + throw SysError("unable to set 'no new privileges' seccomp attribute"); + if (seccomp_load(ctx) != 0) throw SysError("unable to load seccomp BPF program"); #endif diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh index af37ec61d7a1..c8d67b07110b 100644 --- a/src/libstore/globals.hh +++ b/src/libstore/globals.hh @@ -321,6 +321,12 @@ public: Setting<std::string> userAgentSuffix{this, "", "user-agent-suffix", "String appended to the user agent in HTTP requests."}; + +#if __linux__ + Setting<bool> allowNewPrivileges{this, false, "allow-new-privileges", + "Whether builders can acquire new privileges by calling programs with " + "setuid/setgid bits or with file capabilities."}; +#endif }; |