nixos/wrappers: fix applying capabilities #109342
cc @Izorkin
With libcap 2.41 the output of cap_to_text changed, also the original author of code hoped that this would never happen. To counter this now the security-wrapper only relies on the syscall ABI, which is more stable and robust than string parsing. If new breakages occur this will be more obvious because version numbers will be incremented. Furthermore all errors now make execution explicitly fail instead of hiding errors behind debug environment variables and the code style was more consistent with no goto fail; goto fail; vulnerabilities (https://gotofail.com/)
Co-authored-by: Cole Helbling <cole.e.helbling@outlook.com>
Thanks, worked!
Diff LGTM. Tested locally and all my wrappers function as expected.
I'm sorry; I most likely won't have time soon to review these nontrivial changes.
Can someone at least test if it still works on aarch64 because of big endian?
I believe that (normal) aarch64 is little endian.
EDIT: or more concretely that we don't have any big endian among hydra.nixos.org platforms.
With libcap 2.41 the output of cap_to_text changed, also the original
author of code hoped that this would never happen.
To counter this now the security-wrapper only relies on the syscall
ABI, which is more stable and robust than string parsing. If new
breakages occur this will be more obvious because version numbers will
be incremented.
Furthermore all errors now make execution explicitly fail instead of
hiding errors behind debug environment variables. The code style was made
more consistent with no goto fail; goto fail; vulnerabilities (https://gotofail.com/)
Motivation for this change
fixes #108228