lix/tests/nixos/ca-fd-leak/default.nix

# Nix is a sandboxed build system. But Not everything can be handled inside its
# sandbox: Network access is normally blocked off, but to download sources, a
# trapdoor has to exist. Nix handles this by having "Fixed-output derivations".
# The detail here is not important, but in our case it means that the hash of
# the output has to be known beforehand. And if you know that, you get a few
# rights: you no longer run inside a special network namespace!
#
# Now, Linux has a special feature, that not many other unices do: Abstract
# unix domain sockets! Not only that, but those are namespaced using the
# network namespace! That means that we have a way to create sockets that are
# available in every single fixed-output derivation, and also all processes
# running on the host machine! Now, this wouldn't be that much of an issue, as,
# well, the whole idea is that the output is pure, and all processes in the
# sandbox are killed before finalizing the output. What if we didn't need those
# processes at all? Unix domain sockets have a semi-known trick: you can pass
# file descriptors around!
# This makes it possible to exfiltrate a file-descriptor with write access to
# $out outside of the sandbox. And that file-descriptor can be used to modify
# the contents of the store path after it has been registered.

{ config, ... }:

let
  pkgs = config.nodes.machine.nixpkgs.pkgs;

  # Simple C program that sends a a file descriptor to `$out` to a Unix
  # domain socket.
  # Compiled statically so that we can easily send it to the VM and use it
  # inside the build sandbox.
  sender = pkgs.runCommandWith {
    name = "sender";
    stdenv = pkgs.pkgsStatic.stdenv;
  } ''
    $CC -static -o $out ${./sender.c}
  '';

  # Okay, so we have a file descriptor shipped out of the FOD now. But the
  # Nix store is read-only, right? .. Well, yeah. But this file descriptor
  # lives in a mount namespace where it is not! So even when this file exists
  # in the actual Nix store, we're capable of just modifying its contents...
  smuggler = pkgs.writeCBin "smuggler" (builtins.readFile ./smuggler.c);

  # The abstract socket path used to exfiltrate the file descriptor
  socketName = "FODSandboxExfiltrationSocket";
in
{
  name = "ca-fd-leak";

  nodes.machine =
    { config, lib, pkgs, ... }:
    { virtualisation.writableStore = true;
      nix.settings.substituters = lib.mkForce [ ];
      virtualisation.additionalPaths = [ pkgs.busybox-sandbox-shell sender smuggler pkgs.socat ];
    };

  testScript = { nodes }: ''
    start_all()

    machine.succeed("echo hello")
    # Start the smuggler server
    machine.succeed("${smuggler}/bin/smuggler ${socketName} >&2 &")

    # Build the smuggled derivation.
    # This will connect to the smuggler server and send it the file descriptor
    machine.succeed(r"""
      nix-build -E '
        builtins.derivation {
          name = "smuggled";
          system = builtins.currentSystem;
          # look ma, no tricks!
          outputHashMode = "flat";
          outputHashAlgo = "sha256";
          outputHash = builtins.hashString "sha256" "hello, world\n";
          builder = "${pkgs.busybox-sandbox-shell}/bin/sh";
          args = [ "-c" "echo \"hello, world\" > $out; ''${${sender}} ${socketName}" ];
      }'
    """.strip())


    # Tell the smuggler server that we're done
    machine.execute("echo done | ${pkgs.socat}/bin/socat - ABSTRACT-CONNECT:${socketName}")

    # Check that the file was not modified
    machine.succeed(r"""
      cat ./result
      test "$(cat ./result)" = "hello, world"
    """.strip())
  '';

}
Copy the output of fixed-output derivations before registering them It is possible to exfiltrate a file descriptor out of the build sandbox of FODs, and use it to modify the store path after it has been registered. To avoid that issue, don't register the output of the build, but a copy of it (that will be free of any leaked file descriptor). Test that we can't leverage abstract unix domain sockets to leak file descriptors out of the sandbox and modify the path after it has been registered. (cherry picked from commit 2dadfeb690e7f4b8f97298e29791d202fdba5ca6) (tests cherry picked from commit c854ae5b3078ac5d99fa75fe148005044809e18c) Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Theophane Hufschmitt <theophane.hufschmitt@tweag.io> Co-authored-by: Tom Bereknyei <tomberek@gmail.com> Change-Id: I87cd58f1c0a4f7b7a610d354206b33301e47b1a4 2024-03-06 23:26:40 +00:00			`# Nix is a sandboxed build system. But Not everything can be handled inside its`
			`# sandbox: Network access is normally blocked off, but to download sources, a`
			`# trapdoor has to exist. Nix handles this by having "Fixed-output derivations".`
			`# The detail here is not important, but in our case it means that the hash of`
			`# the output has to be known beforehand. And if you know that, you get a few`
			`# rights: you no longer run inside a special network namespace!`
			`#`
			`# Now, Linux has a special feature, that not many other unices do: Abstract`
			`# unix domain sockets! Not only that, but those are namespaced using the`
			`# network namespace! That means that we have a way to create sockets that are`
			`# available in every single fixed-output derivation, and also all processes`
			`# running on the host machine! Now, this wouldn't be that much of an issue, as,`
			`# well, the whole idea is that the output is pure, and all processes in the`
			`# sandbox are killed before finalizing the output. What if we didn't need those`
			`# processes at all? Unix domain sockets have a semi-known trick: you can pass`
			`# file descriptors around!`
			`# This makes it possible to exfiltrate a file-descriptor with write access to`
			`# $out outside of the sandbox. And that file-descriptor can be used to modify`
			`# the contents of the store path after it has been registered.`

			`{ config, ... }:`

			`let`
			`pkgs = config.nodes.machine.nixpkgs.pkgs;`

			# Simple C program that sends a a file descriptor to `$out` to a Unix
			`# domain socket.`
			`# Compiled statically so that we can easily send it to the VM and use it`
			`# inside the build sandbox.`
			`sender = pkgs.runCommandWith {`
			`name = "sender";`
			`stdenv = pkgs.pkgsStatic.stdenv;`
			`} ''`
			`$CC -static -o $out ${./sender.c}`
			`'';`

			`# Okay, so we have a file descriptor shipped out of the FOD now. But the`
			`# Nix store is read-only, right? .. Well, yeah. But this file descriptor`
			`# lives in a mount namespace where it is not! So even when this file exists`
			`# in the actual Nix store, we're capable of just modifying its contents...`
			`smuggler = pkgs.writeCBin "smuggler" (builtins.readFile ./smuggler.c);`

			`# The abstract socket path used to exfiltrate the file descriptor`
			`socketName = "FODSandboxExfiltrationSocket";`
			`in`
			`{`
			`name = "ca-fd-leak";`

			`nodes.machine =`
			`{ config, lib, pkgs, ... }:`
			`{ virtualisation.writableStore = true;`
			`nix.settings.substituters = lib.mkForce [ ];`
			`virtualisation.additionalPaths = [ pkgs.busybox-sandbox-shell sender smuggler pkgs.socat ];`
			`};`

			`testScript = { nodes }: ''`
			`start_all()`

			`machine.succeed("echo hello")`
			`# Start the smuggler server`
			`machine.succeed("${smuggler}/bin/smuggler ${socketName} >&2 &")`

			`# Build the smuggled derivation.`
			`# This will connect to the smuggler server and send it the file descriptor`
			`machine.succeed(r"""`
			`nix-build -E '`
			`builtins.derivation {`
			`name = "smuggled";`
			`system = builtins.currentSystem;`
			`# look ma, no tricks!`
			`outputHashMode = "flat";`
			`outputHashAlgo = "sha256";`
			`outputHash = builtins.hashString "sha256" "hello, world\n";`
			`builder = "${pkgs.busybox-sandbox-shell}/bin/sh";`
			`args = [ "-c" "echo \"hello, world\" > $out; ''${${sender}} ${socketName}" ];`
			`}'`
			`""".strip())`


			`# Tell the smuggler server that we're done`
			`machine.execute("echo done \| ${pkgs.socat}/bin/socat - ABSTRACT-CONNECT:${socketName}")`

			`# Check that the file was not modified`
			`machine.succeed(r"""`
			`cat ./result`
			`test "$(cat ./result)" = "hello, world"`
			`""".strip())`
			`'';`

			`}`