Lix has broken seccomp rules blocking creating setuid files in the builder #207

New issue

Open

opened 2024-04-02 05:15:35 +00:00 by jade · 2 comments

jade commented 2024-04-02 05:15:35 +00:00

Owner

Copy link

These rules caused this issue: https://github.com/NixOS/nixpkgs/issues/300635

Amusingly, this issue is caused by the policy being so broken that it kept getting bypassed by accident until it accidentally got properly hit. The rules block chmod, fchmod, and fchmodat from creating files with setuid mode. However, it blatantly misses, at least open(2), openat(2), fchmodat2(2), and is thus at best useless.

Its purported purpose per 6cc6c15a2d50d0021d7242e9806ed6d54538de17:

This prevents builders from setting the S_ISUID or S_ISGID bits,
preventing users from using a nixbld* user to create a setuid/setgid
binary to interfere with subsequent builds under the same nixbld* uid.

As far as I can tell, there is zero security purpose to stopping setuid files being created from within the builder, at least assuming that they are not visible from outside, unless perhaps for build-users-group = while running as root (an insecure configuration that should not be used). The permissions will be stripped when the daemon finishes the build and puts it in its proper place.

(normal users can make setuid files on Linux and let other users become them)

It does smell like this region of the code is likely to be susceptible to actual security bugs and really needs an audit and some serious cleanup though...

Proposed and hopefully more reasonable fix: bind mount the nix store nosuid and delete the seccomp rule. Though this would still potentially be susceptible to other sandbox paths leaking setuid binaries. But erm. the rules simply do not work as it is today.

These rules caused this issue: https://github.com/NixOS/nixpkgs/issues/300635 Amusingly, this issue is caused by the policy being *so broken* that it kept getting bypassed by accident until it accidentally got properly hit. The rules block chmod, fchmod, and fchmodat from creating files with setuid mode. However, it blatantly misses, *at least* open(2), openat(2), fchmodat2(2), and is thus at best useless. Its purported purpose per 6cc6c15a2d50d0021d7242e9806ed6d54538de17: > This prevents builders from setting the S_ISUID or S_ISGID bits, > preventing users from using a nixbld* user to create a setuid/setgid > binary to interfere with subsequent builds under the same nixbld* uid. As far as I can tell, there is zero security purpose to stopping setuid files being created from within the builder, *at least assuming that they are not visible from outside*, unless perhaps for `build-users-group =` while running as root (an insecure configuration that should not be used). The permissions will be stripped when the daemon finishes the build and puts it in its proper place. (normal users can make setuid files on Linux and let other users become them) It does smell like this region of the code is likely to be susceptible to *actual* security bugs and really needs an audit and some serious cleanup though... Proposed and hopefully more reasonable fix: bind mount the nix store nosuid and delete the seccomp rule. Though this would still potentially be susceptible to other sandbox paths leaking setuid binaries. But erm. the rules simply do not work as it is today.

jade added the

stability

bug

labels 2024-04-02 05:15:35 +00:00

artemist commented 2024-05-01 01:23:53 +00:00

Member

Copy link

Unfortunately nosuid doesn't prevent creating setuid files, only treating them as setuid during execution.

If we actually want to prevent creating setuid files we either need to have an allow-list seccomp rule or create a BPF LSM. Allow-list seccomp is kind of a pain because of differences in syscall support between architectures, and BPF LSM is a pain because it uses BPF and it's an LSM.

Unfortunately nosuid doesn't prevent creating setuid files, only treating them as setuid during execution. If we actually want to prevent creating setuid files we either need to have an allow-list seccomp rule or create a BPF LSM. Allow-list seccomp is kind of a pain because of differences in syscall support between architectures, and BPF LSM is a pain because it uses BPF and it's an LSM.

jade commented 2024-05-03 22:59:07 +00:00

Author

Owner

Copy link

related: https://gerrit.lix.systems/c/lix/+/919

related: https://gerrit.lix.systems/c/lix/+/919

jade added the

Area/store

label 2024-05-10 18:12:01 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

git-series/activity-cleanup

release-2.90

sb/tom-hubrecht/primops.cc-v2

sb/bacchanalia/cache-strlen%topic=substr-perf

sb/arcuru/commit-msg

sb/qyriad/beta-1

sb/qyriad/2.90-beta.0

rbt/pre-commit-update

sb/rbt/test-branch

sb/rbt/justfile

sb/rbt/repl-overlays

sb/fuck/what

sb/rbt/pre-commit

sb/rbt/makeflags

sb/pennae/io-rewrite

sb/qyriad/maint-meson

sb/qyriad/maint/meson

sb/puck/meson-c-api

sb/pennae/parser-rewrite

sb/jade/burn-it-all

dependabot/github_actions/zeebe-io/backport-action-2.4.1

dependabot/github_actions/cachix/install-nix-action-25

dependabot/github_actions/actions/labeler-5

dependabot/github_actions/cachix/cachix-action-14

2.90.0-rc1

2.90-beta.1

2.90-beta.0

Labels

Clear labels   

Area/build-packaging

regarding the building or packaging of Lix itself

  

Area/evaluator

libexpr and anything else related to the evaluation of Nix expressions

  

Area/flakes

  

Area/profiles

profiles: nix-env, nix profile, and installer flavors all alike

  

Area/remote-builds

remote builds

  

Area/repl

nix repl

  

Area/store

libstore and anything else relating to the Nix store

  

bug

it's a bug

  

Cross Compilation

  

devx

development experience issues

  

docs

  

Downstream Dependents

regarding an external tool's usage with Lix (e.g. nix-eval-jobs)

  

E/easy

bug is relatively simple and could simply be fixed with some minor effort

  

E/hard

this issue should probably be solved with close involvement of an expert

  

E/help wanted

maintainers may not get to this soon, but we want it fixed

  

E/reproducible

This bug is reproducible and obvious.

  

E/requires rearchitecture

this bug cannot be fixed properly without fixing a known architectural flaw

  

imported

Issue imported from upstream nix (please do not remove this label, it will cause dupes if import is rerun)

  

Needs Langver

We can't get to this until we implement language versioning

  

OS/Linux

Affects specifically Lix on Linux

  

OS/macOS

Affects specifically Lix on macOS

  

performance

make lix go faster

  

regression

This is a regression since some previous version of Lix

  

release-blocker

Blocks public release

  

RFD

Request for discussion

  

stability

Fixing this makes the software more stable

  

Status

blocked

Blocked on something

  

Status

invalid

not our bug, duplicate, similar

  

Status

postponed

closed but should maybe look at later (generally with S-wontfix)

  

Status

wontfix

We chose not to change this (see issue comments for more detail).

  

testing

Tests that should be added

  

ux

makes the user experience better :)

No labels

Area/build-packaging

Area/evaluator

Area/flakes

Area/profiles

Area/remote-builds

Area/repl

Area/store

bug

Cross Compilation

devx

docs

Downstream Dependents

E/easy

E/hard

E/help wanted

E/reproducible

E/requires rearchitecture

imported

Needs Langver

OS/Linux

OS/macOS

performance

regression

release-blocker

RFD

stability

Status

blocked

Status

invalid

Status

postponed

Status

wontfix

testing

ux

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

2 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: lix-project/lix#207

No description provided.