Merge pull request from GHSA-q82p-44mg-mgh5

Fix sandbox escape 2.20
2025-11-14 14:32:42 +01:00 · 2024-06-26 18:49:22 -04:00 · 2024-06-26 18:49:22 -04:00 · 2b15b0b9b0
commit 2b15b0b9b0
parent d3ca72cfd5 caf4082dce
8 changed files with 257 additions and 6 deletions
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@ -499,7 +499,13 @@ void LocalDerivationGoal::startBuilder()
    /* Create a temporary directory where the build will take
       place. */
    tmpDir = createTempDir("", "nix-build-" + std::string(drvPath.name()), false, false, 0700);
-
+    if (useChroot) {
+        /* If sandboxing is enabled, put the actual TMPDIR underneath
+           an inaccessible root-owned directory, to prevent outside
+           access. */
+        tmpDir = tmpDir + "/build";
+        createDir(tmpDir, 0700);
+    }
    chownToBuilder(tmpDir);

    for (auto & [outputName, status] : initialOutputs) {
@ -667,15 +673,19 @@ void LocalDerivationGoal::startBuilder()
           environment using bind-mounts.  We put it in the Nix store
           so that the build outputs can be moved efficiently from the
           chroot to their final location. */
-        chrootRootDir = worker.store.Store::toRealPath(drvPath) + ".chroot";
-        deletePath(chrootRootDir);
+        chrootParentDir = worker.store.Store::toRealPath(drvPath) + ".chroot";
+        deletePath(chrootParentDir);

        /* Clean up the chroot directory automatically. */
-        autoDelChroot = std::make_shared<AutoDelete>(chrootRootDir);
+        autoDelChroot = std::make_shared<AutoDelete>(chrootParentDir);

-        printMsg(lvlChatty, "setting up chroot environment in '%1%'", chrootRootDir);
+        printMsg(lvlChatty, "setting up chroot environment in '%1%'", chrootParentDir);
+
+        if (mkdir(chrootParentDir.c_str(), 0700) == -1)
+            throw SysError("cannot create '%s'", chrootRootDir);
+
+        chrootRootDir = chrootParentDir + "/root";

-        // FIXME: make this 0700
        if (mkdir(chrootRootDir.c_str(), buildUser && buildUser->getUIDCount() != 1 ? 0755 : 0750) == -1)
            throw SysError("cannot create '%1%'", chrootRootDir);

--- a/src/libstore/build/local-derivation-goal.hh
+++ b/src/libstore/build/local-derivation-goal.hh
@ -65,6 +65,16 @@ struct LocalDerivationGoal : public DerivationGoal
     */
    bool useChroot = false;

+    /**
+     * The parent directory of `chrootRootDir`. It has permission 700
+     * and is owned by root to ensure other users cannot mess with
+     * `chrootRootDir`.
+     */
+    Path chrootParentDir;
+
+    /**
+     * The root of the chroot environment.
+     */
    Path chrootRootDir;

    /**
--- a/src/libutil/file-system.cc
+++ b/src/libutil/file-system.cc
@ -432,6 +432,11 @@ void deletePath(const Path & path)
    deletePath(path, dummy);
 }

+void createDir(const Path & path, mode_t mode)
+{
+    if (mkdir(path.c_str(), mode) == -1)
+        throw SysError("creating directory '%1%'", path);
+}

 Paths createDirs(const Path & path)
 {
--- a/src/libutil/file-system.hh
+++ b/src/libutil/file-system.hh
@ -165,6 +165,11 @@ inline Paths createDirs(PathView path)
    return createDirs(Path(path));
 }

+/**
+ * Create a single directory.
+ */
+void createDir(const Path & path, mode_t mode = 0755);
+
 /**
 * Create a symlink.
 */