Add a test for CVE-2022-24765

NixOS VM test since handling different users without that is bound to be tricky
2025-11-09 20:16:03 +01:00 · 2023-06-21 17:11:13 +02:00 · 2023-06-21 17:11:13 +02:00 · d4c6722332
commit d4c6722332
parent e5a211d77e
2 changed files with 66 additions and 0 deletions
--- a/flake.nix
+++ b/flake.nix
@ -598,6 +598,8 @@
          ["i686-linux" "x86_64-linux"]
          (system: runNixOSTestFor system ./tests/nixos/setuid.nix);

+        tests.cve-2022-24765 = runNixOSTestFor "x86_64-linux" ./tests/nixos/cve-2022-24765.nix;
+

        # Make sure that nix-env still produces the exact same result
        # on a particular version of Nixpkgs.
--- a/tests/nixos/cve-2022-24765.nix
+++ b/tests/nixos/cve-2022-24765.nix
@ -0,0 +1,64 @@
+{ lib, config, nixpkgs, ... }:
+
+let
+  pkgs = config.nodes.machine.nixpkgs.pkgs;
+
+  flakeDotNix = pkgs.writeTextFile {
+    name = "flake.nix";
+    destination = "/flake.nix";
+    text = ''
+      {
+        outputs = { self }: { foo = 1; };
+      }
+      '';
+    };
+in
+{
+  name = "cve-2022-24765";
+
+  nodes.machine =
+    { config, lib, pkgs, ... }:
+    {
+      virtualisation.writableStore = true;
+      virtualisation.additionalPaths = [ flakeDotNix ];
+      nix.settings.experimental-features = [ "nix-command" "flakes" ];
+      users.users.user1.isNormalUser = true;
+      users.users.user2.isNormalUser = true;
+    };
+
+  testScript = { nodes }: ''
+    # fmt: off
+    start_all()
+
+    # Evaluating a flake in the store. Should just work
+    machine.succeed('nix eval ${flakeDotNix}#foo')
+
+    # Create the following hierarchy:
+    #
+    # /flakeRoot (owned by `user1`)
+    #     /flake.nix (owned by `user1`)
+    #     /subdir (owned by `user2`)
+    #
+    machine.execute(r"""
+    mkdir -p /flakeRoot/subdir
+    chown -R user1 /flakeRoot
+    cp -r ${flakeDotNix}/flake.nix /flakeRoot
+    chown -R user2 /flakeRoot/subdir
+    """.strip())
+
+    # Evaluating `/flakeRoot#foo` should work even if we're not `user1` since
+    # we've specified the exact path
+    machine.succeed("su user1 -c 'nix eval /flakeRoot\#foo'")
+    machine.succeed("su user2 -c 'nix eval /flakeRoot\#foo'")
+    # But when we have to resort to searching upwards in the tree, then Nix
+    # should error out if we're not `user1` since the `flake.nix` isn't owned
+    # by us
+    machine.succeed("su user1 -c 'nix eval /flakeRoot/subdir\#foo'")
+    inSubdirStdout = machine.fail(
+      "su user2 -c 'nix eval /flakeRoot/subdir\#foo' 2>&1"
+    )
+    print(inSubdirStdout)
+    assert "owned by us" in inSubdirStdout
+  '';
+}
+