qyriad/lix

Author SHA1 Message Date

Author	SHA1	Message	Date
puck	6f36a8834c	Copy the output of fixed-output derivations before registering them It is possible to exfiltrate a file descriptor out of the build sandbox of FODs, and use it to modify the store path after it has been registered. To avoid that issue, don't register the output of the build, but a copy of it (that will be free of any leaked file descriptor). Test that we can't leverage abstract unix domain sockets to leak file descriptors out of the sandbox and modify the path after it has been registered. (cherry picked from commit 2dadfeb690e7f4b8f97298e29791d202fdba5ca6) (tests cherry picked from commit c854ae5b3078ac5d99fa75fe148005044809e18c) Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Theophane Hufschmitt <theophane.hufschmitt@tweag.io> Co-authored-by: Tom Bereknyei <tomberek@gmail.com> Change-Id: `I87cd58f1c0a4f7b7a610d354206b33301e47b1a4`	2024-03-07 01:44:58 +00:00
eldritch horrors	2e1f5e2666	Merge pull request #9105 from Ericson2314/split-out-nixos-tests Define NixOS tests in `tests/nixos/default.nix` rather than `flake.nix` (cherry picked from commit c29b8ba142a0650d1182ca838ddc1b2d273dcd2a) Change-Id: `Ieae1b6476d95024485df7067e008013bc5542039`	2024-03-05 21:11:59 +01:00

puck

6f36a8834c

Copy the output of fixed-output derivations before registering them

It is possible to exfiltrate a file descriptor out of the build sandbox
of FODs, and use it to modify the store path after it has been
registered. To avoid that issue, don't register the output of the build,
but a copy of it (that will be free of any leaked file descriptor).

Test that we can't leverage abstract unix domain sockets to leak file
descriptors out of the sandbox and modify the path after it has been
registered.

(cherry picked from commit 2dadfeb690e7f4b8f97298e29791d202fdba5ca6)
(tests cherry picked from commit c854ae5b3078ac5d99fa75fe148005044809e18c)

Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
Co-authored-by: Theophane Hufschmitt <theophane.hufschmitt@tweag.io>
Co-authored-by: Tom Bereknyei <tomberek@gmail.com>

Change-Id: I87cd58f1c0a4f7b7a610d354206b33301e47b1a4

2024-03-07 01:44:58 +00:00

eldritch horrors

2e1f5e2666

Merge pull request #9105 from Ericson2314/split-out-nixos-tests

Define NixOS tests in `tests/nixos/default.nix` rather than `flake.nix`

(cherry picked from commit c29b8ba142a0650d1182ca838ddc1b2d273dcd2a)
Change-Id: Ieae1b6476d95024485df7067e008013bc5542039

2024-03-05 21:11:59 +01:00

2 commits