[Nix#8802] Nix exposes dmesg to the linux build sandbox by default #126
Reference: lix-project/lix#126
Upstream-Issue: NixOS/nix#8802
Describe the bug
The kernel log is available within the Linux build sandbox.
Steps To Reproduce
nix-build --expr 'with import <nixpkgs> {}; runCommand "d" {buildInputs=[util-linux];} "dmesg -w"'
or
nix run --refresh --option extra-experimental-features 'nix-command flakes ca-derivations impure-derivations' github:tomberek/f/sockfault# SOME_SECRET_TO_INJECT
We can see that writing to and reading from dmesg allows for building a communication channel and a synchronization primitive. There are other more interesting things one might be able to do.
Expected behavior
Not sure if this is critical or if syslog/dmesg behavior is required anywhere else.
Additional context
Note that other ecosystems have dealt with this: https://github.com/containerd/containerd/pull/4491 and https://github.com/moby/moby/pull/37929
Ref: https://github.com/tomberek/f/tree/sockfault
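A host-side check for the mitigation state described in this report, added here as an example; it is not code from the issue, from Nix or from Lix. It reads the `kernel.dmesg_restrict` sysctl (a real Linux knob: `1` means only processes with `CAP_SYSLOG` in the initial user namespace may read the ring buffer) and then probes the same permission check that `dmesg -w` hits, by calling glibc's `klogctl()` with `SYSLOG_ACTION_SIZE_BUFFER` (value 10 in `linux/syslog.h`), which asks only for the buffer size and reads no log data. Run it on the builder host, and run it inside a sandboxed build, to confirm whether the log is reachable from there. The function and variable names are this example's own; the `write_sample_sysctl` helper only fabricates a sysctl file so the parsing can be exercised offline.

```python
"""Report whether unprivileged access to the kernel log is restricted.

Two independent signals:
  1. the sysctl kernel.dmesg_restrict (1 = ring-buffer reads need CAP_SYSLOG)
  2. a live probe through syslog(2) via glibc's klogctl(), requesting only
     the buffer size, which triggers the same permission check dmesg uses.
A seccomp filter that denies syslog(2) also shows up as "denied" here.
"""
import ctypes
import errno
import os
import platform
import tempfile

SYSCTL_PATH = "/proc/sys/kernel/dmesg_restrict"
SYSLOG_ACTION_SIZE_BUFFER = 10  # linux/syslog.h: return ring-buffer size, no data


def read_dmesg_restrict(path=SYSCTL_PATH):
    """Return the integer value of kernel.dmesg_restrict, or None if unreadable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def assess(value):
    """Turn the sysctl value into a verdict a reviewer can act on."""
    if value is None:
        return {"mitigated": False,
                "reason": "kernel.dmesg_restrict not readable (non-Linux host?)"}
    if value == 1:
        return {"mitigated": True,
                "reason": "unprivileged syslog(2) reads return EPERM"}
    return {"mitigated": False,
            "reason": "any local user, including sandboxed build users, can read dmesg"}


def probe_kernel_log_access():
    """Live check: may this process read the kernel ring buffer?

    Returns "allowed", "denied" or "unsupported". Only the buffer size is
    requested, so no log content is read.
    """
    if platform.system() != "Linux":
        return "unsupported"
    libc = ctypes.CDLL(None, use_errno=True)
    try:
        klogctl = libc.klogctl
    except AttributeError:
        return "unsupported"
    klogctl.argtypes = [ctypes.c_int, ctypes.c_char_p, ctypes.c_int]
    klogctl.restype = ctypes.c_int
    rc = klogctl(SYSLOG_ACTION_SIZE_BUFFER, None, 0)
    if rc >= 0:
        return "allowed"
    return "denied" if ctypes.get_errno() == errno.EPERM else "unsupported"


def write_sample_sysctl(value):
    """Constructed sysctl file (for offline demonstration only); returns its path."""
    fd, path = tempfile.mkstemp(prefix="dmesg_restrict_")
    with os.fdopen(fd, "w") as f:
        f.write("%d\n" % value)
    return path


if __name__ == "__main__":
    verdict = assess(read_dmesg_restrict())
    print("kernel.dmesg_restrict mitigated:", verdict["mitigated"], "-", verdict["reason"])
    print("live syslog(2) probe from this process:", probe_kernel_log_access())
```

If the host reports `mitigated: True` but a build still sees the log, the sandbox is running with capabilities in the initial user namespace, which is the condition to investigate next.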