From 2ac99a32dab0d2ea59cb9e926f6d6d5b7ef638c6 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 30 May 2017 13:55:17 +0200 Subject: Add a seccomp rule to disallow setxattr() --- src/libstore/build.cc | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/libstore/build.cc b/src/libstore/build.cc index 09cc2709ab79..0a10efaed1d6 100644 --- a/src/libstore/build.cc +++ b/src/libstore/build.cc @@ -2315,8 +2315,8 @@ void setupSeccomp() seccomp_arch_add(ctx, SCMP_ARCH_X86) != 0) throw SysError("unable to add 32-bit seccomp architecture"); + /* Prevent builders from creating setuid/setgid binaries. */ for (int perm : { S_ISUID, S_ISGID }) { - // TODO: test chmod and fchmod. if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(chmod), 1, SCMP_A1(SCMP_CMP_MASKED_EQ, perm, perm)) != 0) throw SysError("unable to add seccomp rule"); @@ -2330,6 +2330,14 @@ void setupSeccomp() throw SysError("unable to add seccomp rule"); } + /* Prevent builders from creating EAs or ACLs. Not all filesystems + support these, and they're not allowed in the Nix store because + they're not representable in the NAR serialisation. */ + if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOTSUP), SCMP_SYS(setxattr), 0) != 0 || + seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOTSUP), SCMP_SYS(lsetxattr), 0) != 0 || + seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOTSUP), SCMP_SYS(fsetxattr), 0) != 0) + throw SysError("unable to add seccomp rule"); + if (seccomp_load(ctx) != 0) throw SysError("unable to load seccomp BPF program"); #endif -- cgit 1.4.1