From 651a18dd2466662e7027e4dc04147e4f38c7bbf8 Mon Sep 17 00:00:00 2001
From: aszlig
Date: Wed, 16 Nov 2016 12:46:43 +0100
Subject: release.nix: Add a test for sandboxing

Right now it only tests whether seccomp correctly forges the return value of chown, but the long-term goal is to test the full sandboxing functionality at some point in the future.

Signed-off-by: aszlig
---
 tests/sandbox.nix | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 tests/sandbox.nix

(limited to 'tests')

diff --git a/tests/sandbox.nix b/tests/sandbox.nix
new file mode 100644
index 000000000000..7e2055038c91
--- /dev/null
+++ b/tests/sandbox.nix
@@ -0,0 +1,53 @@
+# Test Nix builder sandbox.
+
+{ system, nix }:
+
+with import { inherit system; };
+
+let
+ mkUtils = pkgs: pkgs.buildEnv {
+ name = "sandbox-utils";
+ paths = [ pkgs.coreutils pkgs.utillinux pkgs.bash ];
+ pathsToLink = [ "/bin" "/sbin" ];
+ };
+
+ utils32 = mkUtils pkgs.pkgsi686Linux;
+ utils64 = mkUtils pkgs;
+
+ sandboxTestScript = pkgs.writeText "sandbox-testscript.sh" ''
+ [ $(id -u) -eq 0 ]
+ touch foo
+ chown 1024:1024 foo
+ touch "$out"
+ '';
+
+ testExpr = arch: pkgs.writeText "sandbox-test.nix" ''
+ let
+ utils = builtins.storePath
+ ${if arch == "i686-linux" then utils32 else utils64};
+ in derivation {
+ name = "sandbox-test";
+ system = "${arch}";
+ builder = "''${utils}/bin/bash";
+ args = ["-e" ${sandboxTestScript}];
+ PATH = "''${utils}/bin";
+ }
+ '';
+
+in makeTest {
+ name = "nix-sandbox";
+
+ machine = { pkgs, ... }: {
+ nix.package = nix;
+ nix.useSandbox = true;
+ nix.binaryCaches = [];
+ virtualisation.writableStore = true;
+ virtualisation.pathsInNixDB = [ utils32 utils64 ];
+ };
+
+ testScript = ''
+ $machine->waitForUnit("multi-user.target");
+ $machine->succeed("nix-build ${testExpr "x86_64-linux"}");
+ $machine->succeed("nix-build ${testExpr "i686-linux"}");
+ '';
+}
-- cgit 1.4.1
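Review bot: The test script never checks that the ownership of `foo` is unchanged after `chown 1024:1024 foo`, so it cannot tell a forged return value from a chown that really took effect (for example if the builder ran with real root privileges and the filter was not loaded). Since the commit message says the point is that seccomp forges the return value, I would add `[ "$(stat -c %u:%g foo)" != 1024:1024 ]` right after the chown line in `sandboxTestScript`; `stat` is already reachable through coreutils in `PATH`. A short comment there, `# chown must report success but leave the owner untouched`, would also record why a silently ignored chown is the expected outcome.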
From ed64976cec43f9f067a40fc6921b5513a19fd757 Mon Sep 17 00:00:00 2001
From: aszlig
Date: Wed, 16 Nov 2016 17:25:00 +0100
Subject: seccomp: Forge return codes for POSIX ACL syscalls

Commands such as "cp -p" also use fsetxattr() in addition to fchown(), so we need to make sure these syscalls always return successful as well in order to avoid nasty "Invalid value" errors.

Signed-off-by: aszlig
---
 src/libstore/build.cc | 4 ++++
 tests/sandbox.nix | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)

(limited to 'tests')

diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index 6c6d0dee36ff..6fc6220e0524 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -1659,6 +1659,10 @@ void setupSeccomp(void) {
 FORCE_SUCCESS(fchownat);
 FORCE_SUCCESS(lchown);

+ FORCE_SUCCESS(setxattr);
+ FORCE_SUCCESS(lsetxattr);
+ FORCE_SUCCESS(fsetxattr);
+
 if (seccomp_load(ctx) != 0) {
 seccomp_release(ctx);
 throw SysError("unable to load seccomp BPF program");
diff --git a/tests/sandbox.nix b/tests/sandbox.nix
index 7e2055038c91..dc72a5985ef7 100644
--- a/tests/sandbox.nix
+++ b/tests/sandbox.nix
@@ -16,7 +16,7 @@ let

 sandboxTestScript = pkgs.writeText "sandbox-testscript.sh" ''
 [ $(id -u) -eq 0 ]
- touch foo
+ cp -p "$testfile" foo
 chown 1024:1024 foo
 touch "$out"
 '';
@@ -31,6 +31,7 @@ let
 builder = "''${utils}/bin/bash";
 args = ["-e" ${sandboxTestScript}];
 PATH = "''${utils}/bin";
+ testfile = builtins.toFile "test" "i am a test file";
 }
 '';

-- cgit 1.4.1
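Review bot: The three added `FORCE_SUCCESS` rules cover every extended-attribute write, not only the POSIX ACL attributes named in the commit title, so a builder that sets any other xattr (a `user.*` attribute or file capabilities, say) would be told it succeeded while, presumably, nothing is stored. The visible lines pass no argument condition, and a seccomp filter cannot inspect the attribute name behind the pointer argument, so this is probably unavoidable at this layer and should be documented where the rules are added. I would put a comment above them: `/* Report success for all xattr writes without performing them: the filter cannot match on the attribute name, so non-ACL xattrs are silently dropped too. */`. The `FORCE_SUCCESS` macro and the rest of `setupSeccomp` lie outside the hunk, so what the rule does with the call is inferred from the commit message.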
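Review bot: Replacing `touch foo` with `cp -p "$testfile" foo` in `sandboxTestScript` covers only `fsetxattr`, and only if cp actually issues that call; the `setxattr` and `lsetxattr` rules added to build.cc in the same commit are not exercised by anything visible here. Whether `cp -p` reaches `fsetxattr` at all presumably depends on how the coreutils in `utils` was built, so a passing run does not prove the new rules were hit. A comment above the line, `# cp -p triggers fchown() and fsetxattr(); setxattr()/lsetxattr() are not covered`, would keep that gap visible until a direct xattr write is added to the script.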