From c96e8cd097ce0d181467fddd92acad4341ca566a Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 31 May 2017 17:23:27 +0200 Subject: OS X sandbox: Improve builtin sandbox profile Also, add rules to allow fixed-output derivations to access the network. These rules are sufficient to build stdenvDarwin without any __sandboxProfile magic. --- src/libstore/build.cc | 13 ++++-- src/libstore/local.mk | 12 ++--- src/libstore/sandbox-defaults.sb | 94 +++++++++++++++++++--------------------- src/libstore/sandbox-network.sb | 16 +++++++ 4 files changed, 76 insertions(+), 59 deletions(-) create mode 100644 src/libstore/sandbox-network.sb (limited to 'src/libstore') diff --git a/src/libstore/build.cc b/src/libstore/build.cc index 7f7d2fdb8bdb..55c8ac588374 100644 --- a/src/libstore/build.cc +++ b/src/libstore/build.cc @@ -2614,8 +2614,9 @@ void DerivationGoal::runChild() string sandboxProfile; if (drv->isBuiltin()) { ; + } #if __APPLE__ - } else if (useChroot) { + else if (useChroot) { /* Lots and lots and lots of file functions freak out if they can't stat their full ancestry */ PathSet ancestry; @@ -2653,9 +2654,14 @@ void DerivationGoal::runChild() } sandboxProfile += -#include "sandbox-defaults.sb.gen.hh" + #include "sandbox-defaults.sb.gen.hh" ; + if (fixedOutput) + sandboxProfile += + #include "sandbox-network.sb.gen.hh" + ; + /* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms to find temporary directories, so we want to open up a broader place for them to dump their files, if needed. */ Path globalTmpDir = canonPath(getEnv("TMPDIR", "/tmp"), true); @@ -2718,8 +2724,9 @@ void DerivationGoal::runChild() args.push_back("-D"); args.push_back("_GLOBAL_TMP_DIR=" + globalTmpDir); args.push_back(drv->builder); + } #endif - } else { + else { builder = drv->builder.c_str(); string builderBasename = baseNameOf(drv->builder); args.push_back(builderBasename); diff --git a/src/libstore/local.mk b/src/libstore/local.mk index 7bc69f65d800..c0cc91c26582 100644 --- a/src/libstore/local.mk +++ b/src/libstore/local.mk @@ -36,14 +36,14 @@ libstore_CXXFLAGS = \ $(d)/local-store.cc: $(d)/schema.sql.gen.hh -$(d)/build.cc: $(d)/sandbox-defaults.sb.gen.hh +$(d)/build.cc: $(d)/sandbox-defaults.sb.gen.hh $(d)/sandbox-network.sb.gen.hh %.gen.hh: % - echo 'R"foo(' >> $@.tmp - cat $< >> $@.tmp - echo ')foo"' >> $@.tmp - mv $@.tmp $@ + @echo 'R"foo(' >> $@.tmp + $(trace-gen) cat $< >> $@.tmp + @echo ')foo"' >> $@.tmp + @mv $@.tmp $@ -clean-files += $(d)/schema.sql.gen.hh $(d)/sandbox-defaults.sb.gen.hh +clean-files += $(d)/schema.sql.gen.hh $(d)/sandbox-defaults.sb.gen.hh $(d)/sandbox-network.sb.gen.hh $(eval $(call install-file-in, $(d)/nix-store.pc, $(prefix)/lib/pkgconfig, 0644)) diff --git a/src/libstore/sandbox-defaults.sb b/src/libstore/sandbox-defaults.sb index 6bd15603e796..0292f5ee8825 100644 --- a/src/libstore/sandbox-defaults.sb +++ b/src/libstore/sandbox-defaults.sb @@ -1,62 +1,56 @@ -(allow file-read* file-write-data (literal "/dev/null")) -(allow ipc-posix*) -(allow mach-lookup (global-name "com.apple.SecurityServer")) +(define TMPDIR (param "_GLOBAL_TMP_DIR")) -(allow file-read* - (literal "/dev/dtracehelper") - (literal "/dev/tty") - (literal "/dev/autofs_nowait") - (literal "/System/Library/CoreServices/SystemVersion.plist") - (literal "/private/var/run/systemkeychaincheck.done") - (literal "/private/etc/protocols") - (literal "/private/var/tmp") - (literal "/private/var/db") - (subpath "/private/var/db/mds")) +; Disallow creating setuid/setgid binaries, since that +; would allow breaking build user isolation. +(deny file-write-setugid) -(allow file-read* - (subpath "/usr/share/icu") - (subpath "/usr/share/locale") - (subpath "/usr/share/zoneinfo")) +; Allow forking. +(allow process-fork) -(allow file-write* - (literal "/dev/tty") - (literal "/dev/dtracehelper") - (literal "/mds")) +; Allow reading system information like #CPUs, etc. +(allow sysctl-read) -(allow file-ioctl (literal "/dev/dtracehelper")) +; Allow POSIX semaphores and shared memory. +(allow ipc-posix*) -(allow file-read-metadata - (literal "/var") - (literal "/tmp") - (literal "/etc/resolv.conf") - (literal "/private/etc/resolv.conf")) +; Allow socket creation. +(allow system-socket) -(allow file-read* - (literal "/private/var/run/resolv.conf")) +; Allow sending signals within the sandbox. +(allow signal (target same-sandbox)) -; some builders use filehandles other than stdin/stdout -(allow file* - (subpath "/dev/fd") - (literal "/dev/ptmx") - (regex #"^/dev/[pt]ty.*$")) +; Access to /tmp. +(allow file* process-exec (literal "/tmp") (subpath TMPDIR)) -; allow everything inside TMP -(allow file* process-exec - (subpath (param "_GLOBAL_TMP_DIR")) - (subpath "/private/tmp")) +; Some packages like to read the system version. +(allow file-read* (literal "/System/Library/CoreServices/SystemVersion.plist")) -(allow process-fork) -(allow sysctl-read) -(allow signal (target same-sandbox)) +; Without this line clang cannot write to /dev/null, breaking some configure tests. +(allow file-read-metadata (literal "/dev")) -; allow getpwuid (for git and other packages) -(allow mach-lookup - (global-name "com.apple.system.notification_center") - (global-name "com.apple.system.opendirectoryd.libinfo")) +; Standard devices. +(allow file* + (literal "/dev/null") + (literal "/dev/random") + (literal "/dev/stdin") + (literal "/dev/stdout") + (literal "/dev/tty") + (literal "/dev/urandom") + (literal "/dev/zero") + (subpath "/dev/fd")) -; allow local networking -(allow network* (local ip) (remote unix-socket)) +; Does nothing, but reduces build noise. +(allow file* (literal "/dev/dtracehelper")) -; Disallow creating setuid/setgid binaries, since that -; would allow breaking build user isolation. -(deny file-write-setugid) +; Allow access to zoneinfo since libSystem needs it. +(allow file-read* (subpath "/usr/share/zoneinfo")) + +(allow file-read* (subpath "/usr/share/locale")) + +; This is mostly to get more specific log messages when builds try to +; access something in /etc or /var. +(allow file-read-metadata + (literal "/etc") + (literal "/var") + (literal "/private/var/tmp") + ) diff --git a/src/libstore/sandbox-network.sb b/src/libstore/sandbox-network.sb new file mode 100644 index 000000000000..56beec761fa8 --- /dev/null +++ b/src/libstore/sandbox-network.sb @@ -0,0 +1,16 @@ +; Allow local and remote network traffic. +(allow network* (local ip) (remote ip)) + +; Allow access to /etc/resolv.conf (which is a symlink to +; /private/var/run/resolv.conf). +(allow file-read-metadata + (literal "/var") + (literal "/etc") + (literal "/etc/resolv.conf") + (literal "/private/etc/resolv.conf")) + +(allow file-read* + (literal "/private/var/run/resolv.conf")) + +; Allow DNS lookups. +(allow network-outbound (remote unix-socket (path-literal "/private/var/run/mDNSResponder"))) -- cgit 1.4.1