Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nixos/wrappers: fix applying capabilities #109342

Merged
merged 2 commits into from Jan 27, 2021
Merged

nixos/wrappers: fix applying capabilities #109342

merged 2 commits into from Jan 27, 2021

Conversation

Mic92
Copy link
Member

@Mic92 Mic92 commented Jan 14, 2021
edited

With libcap 2.41 the output of cap_to_text changed, also the original
author of code hoped that this would never happen.
To counter this now the security-wrapper only relies on the syscall
ABI, which is more stable and robust than string parsing. If new
breakages occur this will be more obvious because version numbers will
be incremented.
Furthermore all errors now make execution explicitly fail instead of
hiding errors behind debug environment variables. The code style was made
more consistent with no goto fail; goto fail; vulnerabilities (https://gotofail.com/)

Motivation for this change

fixes #108228

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@Mic92
Copy link
Member Author

Mic92 commented Jan 14, 2021

cc @Izorkin

@Mic92
nixos/wrappers: fix applying capabilities
eadffd9 
With libcap 2.41 the output of cap_to_text changed, also the original
author of code hoped that this would never happen.
To counter this now the security-wrapper only relies on the syscall
ABI, which is more stable and robust than string parsing. If new
breakages occur this will be more obvious because version numbers will
be incremented.
Furthermore all errors no make execution explicitly fail instead of
hiding errors behind debug environment variables and the code style was
more consistent with no goto fail; goto fail; vulnerabilities (https://gotofail.com/)
@Mic92 @cole-h
Update nixos/modules/security/wrappers/wrapper.nix
dbd05a5 
Co-authored-by: Cole Helbling <cole.e.helbling@outlook.com>
@Izorkin
Copy link
Contributor

Izorkin commented Jan 14, 2021

Thanks, worked!

cole-h
cole-h approved these changes Jan 15, 2021
View reviewed changes
Copy link
Member

@cole-h cole-h left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Diff LGTM. Tested locally and all my wrappers function as expected.

@vcunat vcunat removed their request for review January 25, 2021 12:39
@vcunat
Copy link
Member

vcunat commented Jan 25, 2021

I'm sorry; I most likely won't have time soon to review these nontrivial changes.

@Mic92
Copy link
Member Author

Mic92 commented Jan 25, 2021
edited

Can someone at least test if it still works on aarch64 because of big endian?

@vcunat
Copy link
Member

vcunat commented Jan 25, 2021
edited

I believe that (normal) aarch64 is little endian.

[vcunat@aarch64.nixos.community:~]$ lscpu | grep Endian
Byte Order:          Little Endian

EDIT: or more concretely that we don't have any big endian among hydra.nixos.org platforms.

@Mic92 Mic92 merged commit 0998756 into NixOS:master Jan 27, 2021
@Mic92 Mic92 deleted the wrappers branch January 27, 2021 14:32
@kira-bruneau kira-bruneau mentioned this pull request Feb 24, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Izorkin Izorkin Izorkin approved these changes

@cole-h cole-h cole-h approved these changes

@dtzWill dtzWill Awaiting requested review from dtzWill

@lheckemann lheckemann Awaiting requested review from lheckemann

@andir andir Awaiting requested review from andir

Assignees
No one assigned
Labels
6.topic: nixos 8.has: module (update) 10.rebuild-darwin: 0 10.rebuild-linux: 1-10
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

libcap 2.27 -> 2.44: breaks security wrapper for cap_dac_override
4 participants
@Mic92 @Izorkin @vcunat @cole-h