nixos/nix
1
1
Fork 0
mirror of https://github.com/NixOS/nix.git synced 2025-11-09 20:16:03 +01:00
Code Activity

Add a test for CVE-2022-24765

Browse source 
NixOS VM test since handling different users without that is bound to be
tricky
This commit is contained in:
Théophane Hufschmitt 2023-06-21 17:11:13 +02:00
parent e5a211d77e
commit d4c6722332
2 changed files with 66 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

2
flake.nix
View file

@ -598,6 +598,8 @@
["i686-linux" "x86_64-linux"] ["i686-linux" "x86_64-linux"]
(system: runNixOSTestFor system ./tests/nixos/setuid.nix); (system: runNixOSTestFor system ./tests/nixos/setuid.nix);
tests.cve-2022-24765 = runNixOSTestFor "x86_64-linux" ./tests/nixos/cve-2022-24765.nix;
# Make sure that nix-env still produces the exact same result # Make sure that nix-env still produces the exact same result
# on a particular version of Nixpkgs. # on a particular version of Nixpkgs.

64
tests/nixos/cve-2022-24765.nix Normal file
View file

@ -0,0 +1,64 @@
{ lib, config, nixpkgs, ... }:
let
pkgs = config.nodes.machine.nixpkgs.pkgs;
flakeDotNix = pkgs.writeTextFile {
name = "flake.nix";
destination = "/flake.nix";
text = ''
{
outputs = { self }: { foo = 1; };
}
'';
};
in
{
name = "cve-2022-24765";
nodes.machine =
{ config, lib, pkgs, ... }:
{
virtualisation.writableStore = true;
virtualisation.additionalPaths = [ flakeDotNix ];
nix.settings.experimental-features = [ "nix-command" "flakes" ];
users.users.user1.isNormalUser = true;
users.users.user2.isNormalUser = true;
};
testScript = { nodes }: ''
# fmt: off
start_all()
# Evaluating a flake in the store. Should just work
machine.succeed('nix eval ${flakeDotNix}#foo')
# Create the following hierarchy:
#
# /flakeRoot (owned by `user1`)
# /flake.nix (owned by `user1`)
# /subdir (owned by `user2`)
#
machine.execute(r"""
mkdir -p /flakeRoot/subdir
chown -R user1 /flakeRoot
cp -r ${flakeDotNix}/flake.nix /flakeRoot
chown -R user2 /flakeRoot/subdir
""".strip())
# Evaluating `/flakeRoot#foo` should work even if we're not `user1` since
# we've specified the exact path
machine.succeed("su user1 -c 'nix eval /flakeRoot\#foo'")
machine.succeed("su user2 -c 'nix eval /flakeRoot\#foo'")
# But when we have to resort to searching upwards in the tree, then Nix
# should error out if we're not `user1` since the `flake.nix` isn't owned
# by us
machine.succeed("su user1 -c 'nix eval /flakeRoot/subdir\#foo'")
inSubdirStdout = machine.fail(
"su user2 -c 'nix eval /flakeRoot/subdir\#foo' 2>&1"
)
print(inSubdirStdout)
assert "owned by us" in inSubdirStdout
'';
}