Merge pull request from GHSA-q82p-44mg-mgh5

Fix sandbox escape 2.18
2025-11-28 05:00:58 +01:00 · 2024-06-26 18:49:22 -04:00 · 2024-06-26 18:49:22 -04:00 · 1ee7a9b84f
commit 1ee7a9b84f
parent 5d7d7d8648 2778076699
8 changed files with 259 additions and 8 deletions
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@ -485,7 +485,13 @@ void LocalDerivationGoal::startBuilder()
    /* Create a temporary directory where the build will take
       place. */
    tmpDir = createTempDir("", "nix-build-" + std::string(drvPath.name()), false, false, 0700);
-
+    if (useChroot) {
+        /* If sandboxing is enabled, put the actual TMPDIR underneath
+           an inaccessible root-owned directory, to prevent outside
+           access. */
+        tmpDir = tmpDir + "/build";
+        createDir(tmpDir, 0700);
+    }
    chownToBuilder(tmpDir);

    for (auto & [outputName, status] : initialOutputs) {
@ -651,17 +657,21 @@ void LocalDerivationGoal::startBuilder()
 #if __linux__
        /* Create a temporary directory in which we set up the chroot
           environment using bind-mounts.  We put it in the Nix store
-           to ensure that we can create hard-links to non-directory
-           inputs in the fake Nix store in the chroot (see below). */
-        chrootRootDir = worker.store.Store::toRealPath(drvPath) + ".chroot";
-        deletePath(chrootRootDir);
+           so that the build outputs can be moved efficiently from the
+           chroot to their final location. */
+        chrootParentDir = worker.store.Store::toRealPath(drvPath) + ".chroot";
+        deletePath(chrootParentDir);

        /* Clean up the chroot directory automatically. */
-        autoDelChroot = std::make_shared<AutoDelete>(chrootRootDir);
+        autoDelChroot = std::make_shared<AutoDelete>(chrootParentDir);

-        printMsg(lvlChatty, "setting up chroot environment in '%1%'", chrootRootDir);
+        printMsg(lvlChatty, "setting up chroot environment in '%1%'", chrootParentDir);
+
+        if (mkdir(chrootParentDir.c_str(), 0700) == -1)
+            throw SysError("cannot create '%s'", chrootRootDir);
+
+        chrootRootDir = chrootParentDir + "/root";

-        // FIXME: make this 0700
        if (mkdir(chrootRootDir.c_str(), buildUser && buildUser->getUIDCount() != 1 ? 0755 : 0750) == -1)
            throw SysError("cannot create '%1%'", chrootRootDir);

--- a/src/libstore/build/local-derivation-goal.hh
+++ b/src/libstore/build/local-derivation-goal.hh
@ -64,6 +64,16 @@ struct LocalDerivationGoal : public DerivationGoal
     */
    bool useChroot = false;

+    /**
+     * The parent directory of `chrootRootDir`. It has permission 700
+     * and is owned by root to ensure other users cannot mess with
+     * `chrootRootDir`.
+     */
+    Path chrootParentDir;
+
+    /**
+     * The root of the chroot environment.
+     */
    Path chrootRootDir;

    /**
--- a/src/libutil/util.cc
+++ b/src/libutil/util.cc
@ -679,6 +679,11 @@ std::optional<Path> getSelfExe()
    return cached;
 }

+void createDir(const Path &path, mode_t mode)
+{
+    if (mkdir(path.c_str(), mode) == -1)
+        throw SysError("creating directory '%1%'", path);
+}

 Paths createDirs(const Path & path)
 {
--- a/src/libutil/util.hh
+++ b/src/libutil/util.hh
@ -253,6 +253,11 @@ inline Paths createDirs(PathView path)
    return createDirs(Path(path));
 }

+/**
+ * Create a single directory.
+ */
+void createDir(const Path & path, mode_t mode = 0755);
+
 /**
 * Create a symlink.
 */