Run the builds in a daemon-controled directory

Instead of running the builds under `$TMPDIR/{unique-build-directory-owned-by-the-build-user}`, run them under `$TMPDIR/{unique-build-directory-owned-by-the-daemon}/{subdir-owned-by-the-build-user}` where the build directory is only readable and traversable by the daemon user. This achieves two things: 1. It prevents builders from making their build directory world-readable (or even writeable), which would allow the outside world to interact with them. 2. It prevents external processes running as the build user (either because that somehow leaked, maybe as a consequence of 1., or because `build-users` isn't in use) from gaining access to the build directory. fix: do not use unknown setting tests: remove build-dir test
2025-11-28 05:00:58 +01:00 · 2024-04-02 17:06:48 +02:00 · 2024-04-02 17:06:48 +02:00 · 3481a9c41d
commit 3481a9c41d
parent d24431dea2
4 changed files with 28 additions and 13 deletions
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@ -480,10 +480,13 @@ void LocalDerivationGoal::startBuilder()
    additionalSandboxProfile = parsedDrv->getStringAttr("__sandboxProfile").value_or("");
 #endif

-    /* Create a temporary directory where the build will take
-       place. */
-    tmpDir = createTempDir("", "nix-build-" + std::string(drvPath.name()), false, false, 0700);
-
+    /* Create a temporary directory where the build will take place.
+     * That directory is wrapped into a restricted daemon-owned one to make sure
+     * that the builder can't open its build directory to the world.
+     * */
+    auto parentTmpDir = createTempDir("", "nix-build-" + std::string(drvPath.name()), false, false, 0700);
+    tmpDir = parentTmpDir + "/build";
+    createDir(tmpDir, 0700);
    chownToBuilder(tmpDir);

    for (auto & [outputName, status] : initialOutputs) {
--- a/src/libutil/util.cc
+++ b/src/libutil/util.cc
@ -679,6 +679,11 @@ std::optional<Path> getSelfExe()
    return cached;
 }

+void createDir(const Path &path, mode_t mode)
+{
+    if (mkdir(path.c_str(), mode) == -1)
+        throw SysError("creating directory '%1%'", path);
+}

 Paths createDirs(const Path & path)
 {
--- a/src/libutil/util.hh
+++ b/src/libutil/util.hh
@ -253,6 +253,11 @@ inline Paths createDirs(PathView path)
    return createDirs(Path(path));
 }

+/**
+ * Create a single directory.
+ */
+void createDir(const Path & path, mode_t mode = 0755);
+
 /**
 * Create a symlink.
 */