Lix has broken seccomp rules blocking creating setuid files in the builder #207
Labels
No labels
Area/build-packaging
Area/evaluator
Area/flakes
Area/language
Area/profiles
Area/protocol
Area/releng
Area/remote-builds
Area/repl
Area/store
bug
Cross Compilation
devx
docs
Downstream Dependents
E/easy
E/hard
E/help wanted
E/reproducible
E/requires rearchitecture
imported
Needs Langver
OS/Linux
OS/macOS
performance
regression
release-blocker
RFD
stability
Status
blocked
Status
invalid
Status
postponed
Status
wontfix
testing
ux
No milestone
No project
No assignees
2 participants
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference: lix-project/lix#207
Loading…
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
These rules caused this issue: https://github.com/NixOS/nixpkgs/issues/300635
Amusingly, this issue is caused by the policy being so broken that it kept getting bypassed by accident until it accidentally got properly hit. The rules block chmod, fchmod, and fchmodat from creating files with setuid mode. However, it blatantly misses, at least open(2), openat(2), fchmodat2(2), and is thus at best useless.
Its purported purpose per
6cc6c15a2d
:As far as I can tell, there is zero security purpose to stopping setuid files being created from within the builder, at least assuming that they are not visible from outside, unless perhaps for
build-users-group =
while running as root (an insecure configuration that should not be used). The permissions will be stripped when the daemon finishes the build and puts it in its proper place.(normal users can make setuid files on Linux and let other users become them)
It does smell like this region of the code is likely to be susceptible to actual security bugs and really needs an audit and some serious cleanup though...
Proposed and hopefully more reasonable fix: bind mount the nix store nosuid and delete the seccomp rule. Though this would still potentially be susceptible to other sandbox paths leaking setuid binaries. But erm. the rules simply do not work as it is today.
Unfortunately nosuid doesn't prevent creating setuid files, only treating them as setuid during execution.
If we actually want to prevent creating setuid files we either need to have an allow-list seccomp rule or create a BPF LSM. Allow-list seccomp is kind of a pain because of differences in syscall support between architectures, and BPF LSM is a pain because it uses BPF and it's an LSM.
related: https://gerrit.lix.systems/c/lix/+/919