base repository: NixOS/nix
base: c0015e87af70
head repository: NixOS/nix
compare: 6cf23c3e8fa1
  • 2 commits
  • 4 files changed
  • 1 contributor

Commits on Jul 4, 2017

  1. ad8b96f (signed with the committer’s verified signature; edolstra Eelco Dolstra)
  2. Add allow-new-privileges option

    This allows builds to call setuid binaries. This was previously
    possible until we started using seccomp. Turns out that seccomp by
    default disallows processes from acquiring new privileges. Generally,
    any use of setuid binaries (except those created by the builder
    itself) is by definition impure, but some people were relying on this
    ability for certain tests.
    
    Example:
    
      $ nix build '(with import <nixpkgs> {}; runCommand "foo" {} "/run/wrappers/bin/ping -c 1 8.8.8.8; exit 1")' --no-allow-new-privileges
      builder for ‘/nix/store/j0nd8kv85hd6r4kxgnwzvr0k65ykf6fv-foo.drv’ failed with exit code 1; last 2 log lines:
        cannot raise the capability into the Ambient set
        : Operation not permitted
    
      $ nix build '(with import <nixpkgs> {}; runCommand "foo" {} "/run/wrappers/bin/ping -c 1 8.8.8.8; exit 1")' --allow-new-privileges
      builder for ‘/nix/store/j0nd8kv85hd6r4kxgnwzvr0k65ykf6fv-foo.drv’ failed with exit code 1; last 6 log lines:
        PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
        64 bytes from 8.8.8.8: icmp_seq=1 ttl=46 time=15.2 ms
    
    Fixes #1429.
    edolstra committed Jul 4, 2017

    6cf23c3 (signed with the committer’s verified signature; edolstra Eelco Dolstra)
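The no-new-privileges behaviour the commit message describes, as an added example that is not Nix's own code: it shows the kernel rule behind libseccomp's NNP attribute, namely that the bit which stops setuid wrappers such as ping from raising privileges is also what lets an unprivileged process install a seccomp filter at all, so clearing it (as allow-new-privileges does) shifts that requirement onto the builder holding CAP_SYS_ADMIN in its user namespace. Function names are mine; Linux only.

```c
/* Added example, not Nix's code: the kernel rule behind the
 * SCMP_FLTATR_CTL_NNP attribute toggled in build.cc. A seccomp filter can be
 * installed either after prctl(PR_SET_NO_NEW_PRIVS, 1), which also stops
 * setuid/file-capability binaries like ping from gaining privileges on execve,
 * or, with that bit clear, only by a process with CAP_SYS_ADMIN in its userns. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Smallest valid filter: a single instruction that allows every syscall. */
static int install_allow_all_filter(void) {
    struct sock_filter insn = BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    struct sock_fprog prog = { .len = 1, .filter = &insn };
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0) == 0 ? 0 : errno;
}

/* Fork; in the child optionally set no_new_privs, then load the filter (a loaded
 * filter cannot be removed). Returns 0, the kernel's errno, or -1 on fork/wait error. */
static int try_filter(int set_nnp) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (set_nnp && prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) _exit(255);
        _exit(install_allow_all_filter()); /* 0 or a small errno value */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    int code = WEXITSTATUS(status);
    return code == 255 ? -1 : code;
}

/* Mirrors `settings.allowNewPrivileges ? 0 : 1` from the hunk:
 *   allow_new_privileges == 0 -> NNP set, any process may load the filter;
 *   allow_new_privileges == 1 -> NNP left clear, the load succeeds only with
 *   CAP_SYS_ADMIN (the sandboxed builder is root in its own user namespace)
 *   and otherwise fails with EACCES. */
int filter_load_result(int allow_new_privileges) {
    return try_filter(allow_new_privileges ? 0 : 1);
}

int main(void) {
    printf("nnp set: %d, nnp clear: %d (EACCES=%d)\n",
           filter_load_result(0), filter_load_result(1), EACCES);
    return 0;
}
```

Run it once as an ordinary user and once as root (or inside a user namespace) to see the second result flip from EACCES to 0.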
Showing with 30 additions and 4 deletions.
  1. +17 −0 doc/manual/command-ref/conf-file.xml
  2. +3 −0 src/libstore/build.cc
  3. +6 −0 src/libstore/globals.hh
  4. +4 −4 src/nix/installables.cc
17 changes: 17 additions & 0 deletions doc/manual/command-ref/conf-file.xml
@@ -643,6 +643,23 @@ password <replaceable>my-password</replaceable>
</varlistentry>


<varlistentry xml:id="conf-allow-new-privileges"><term><literal>allow-new-privileges</literal></term>

<listitem><para>(Linux-specific.) By default, builders on Linux
cannot acquire new privileges by calling setuid/setgid programs or
programs that have file capabilities. For example, programs such
as <command>sudo</command> or <command>ping</command> will
fail. (Note that in sandbox builds, no such programs are available
unless you bind-mount them into the sandbox via the
<option>build-sandbox-paths</option> option.) You can allow the
use of such programs by enabling this option. This is impure and
usually undesirable, but may be useful in certain scenarios
(e.g. to spin up containers or set up userspace network interfaces
in tests).</para></listitem>

</varlistentry>


</variablelist>

</para>
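Review bot: the new <varlistentry> never states the option's default; since the globals.hh hunk initialises allowNewPrivileges to false, the <para> should say so explicitly (e.g. "Defaults to false.") so a manual reader knows that builds are denied new privileges unless this is turned on. It would also help users to name the symptom they will see without it, which the commit message shows as "cannot raise the capability into the Ambient set: Operation not permitted", rather than only saying that sudo or ping "will fail".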
3 changes: 3 additions & 0 deletions src/libstore/build.cc
@@ -2340,6 +2340,9 @@ void setupSeccomp()
seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOTSUP), SCMP_SYS(fsetxattr), 0) != 0)
throw SysError("unable to add seccomp rule");

if (seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, settings.allowNewPrivileges ? 0 : 1) != 0)
throw SysError("unable to set 'no new privileges' seccomp attribute");

if (seccomp_load(ctx) != 0)
throw SysError("unable to load seccomp BPF program");
#endif
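Review bot: seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0) changes more than whether setuid binaries work: with no_new_privs left clear, the kernel only accepts a filter from a process holding CAP_SYS_ADMIN in its user namespace, so the seccomp_load() call just below will fail with EACCES if setupSeccomp() is reached by a builder that has already dropped privileges or is not root inside a user namespace. Please confirm the call ordering on the non-sandbox path, or at least make the "unable to load seccomp BPF program" error mention allow-new-privileges as the likely cause.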
6 changes: 6 additions & 0 deletions src/libstore/globals.hh
@@ -321,6 +321,12 @@ public:

Setting<std::string> userAgentSuffix{this, "", "user-agent-suffix",
"String appended to the user agent in HTTP requests."};

#if __linux__
Setting<bool> allowNewPrivileges{this, false, "allow-new-privileges",
"Whether builders can acquire new privileges by calling programs with "
"setuid/setgid bits or with file capabilities."};
#endif
};


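Review bot: because allowNewPrivileges exists only under #if __linux__, every use of settings.allowNewPrivileges elsewhere must sit inside the same guard (the build.cc use is inside the seccomp block that ends with #endif, so it compiles, but the next caller may not be). Declaring the Setting on all platforms and ignoring it outside Linux would remove that trap; the description string should also say that the option is Linux-specific and impure, matching the manual text in conf-file.xml.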
8 changes: 4 additions & 4 deletions src/nix/installables.cc
@@ -189,7 +189,10 @@ std::vector<std::shared_ptr<Installable>> InstallablesCommand::parseInstallables

for (auto & s : ss) {

if (s.find("/") != std::string::npos) {
if (s.compare(0, 1, "(") == 0)
result.push_back(std::make_shared<InstallableExpr>(*this, s));

else if (s.find("/") != std::string::npos) {

auto path = store->toStorePath(store->followLinksToStore(s));

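Review bot: the "(" test at the top of the loop matches only a leading parenthesis (s.compare(0, 1, "(")), so an expression with leading whitespace still falls through to the "/" branch and is handed to followLinksToStore as a store path; trim s first or document that expressions must start with "(". Placing this test ahead of the "/" test is what lets the runCommand example in the commit message, which contains /run/wrappers/bin/ping, be parsed as an expression rather than a path.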
@@ -201,9 +204,6 @@ std::vector<std::shared_ptr<Installable>> InstallablesCommand::parseInstallables
}
}

else if (s.compare(0, 1, "(") == 0)
result.push_back(std::make_shared<InstallableExpr>(*this, s));

else if (s == "" || std::regex_match(s, attrPathRegex))
result.push_back(std::make_shared<InstallableAttrPath>(*this, s));