Don't allow writing to /etc

NixOS · Feb 14, 2023 · db41f74 · db41f74
1 parent df9a71f
commit db41f74
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
@@ -670,7 +670,6 @@ void LocalDerivationGoal::startBuilder()
  nobody account. The latter is kind of a hack to support
  Samba-in-QEMU. */
  createDirs(chrootRootDir + "/etc");
- chownToBuilder(chrootRootDir + "/etc");
 
  if (parsedDrv->useUidRange() && (!buildUser || buildUser->getUIDCount() < 65536))
  throw Error("feature 'uid-range' requires the setting '%s' to be enabled", settings.autoAllocateUids.name);
@@ -970,6 +969,9 @@ void LocalDerivationGoal::startBuilder()
  "nobody:x:65534:65534:Nobody:/:/noshell\n",
  sandboxUid(), sandboxGid(), settings.sandboxBuildDir));
 
+ /* Make /etc unwritable */
+ chmod_(chrootRootDir + "/etc", 0555);
+
  /* Save the mount- and user namespace of the child. We have to do this
  *before* the child does a chroot. */
  sandboxMountNamespace = open(fmt("/proc/%d/ns/mnt", (pid_t) pid).c_str(), O_RDONLY);

diff --git a/tests/linux-sandbox.sh b/tests/linux-sandbox.sh
@@ -37,3 +37,6 @@ nix-build check.nix -A nondeterministic --sandbox-paths /nix/store --no-out-link
 (! nix-build check.nix -A nondeterministic --sandbox-paths /nix/store --no-out-link --check -K 2> $TEST_ROOT/log)
 if grep -q 'error: renaming' $TEST_ROOT/log; then false; fi
 grep -q 'may not be deterministic' $TEST_ROOT/log
+
+# Test that sandboxed builds cannot write to /etc easily
+(! nix-build -E 'with import ./config.nix; mkDerivation { name = "etc-write"; buildCommand = "echo > /etc/test"; }' --no-out-link --sandbox-paths /nix/store)