Branch: refs/heads/1.11-maintenance
  Home:   https://github.com/NixOS/nix
  Commit: e296b8884eee6d9ab8c89adb4190e1183529f977
      
https://github.com/NixOS/nix/commit/e296b8884eee6d9ab8c89adb4190e1183529f977
  Author: Eelco Dolstra <edols...@gmail.com>
  Date:   2017-06-01 (Thu, 01 Jun 2017)

  Changed paths:
    M configure.ac
    M release.nix
    M src/libstore/build.cc
    M src/libstore/local.mk
    A src/libutil/finally.hh

  Log Message:
  -----------
  Add a seccomp filter to prevent creating setuid/setgid binaries

This prevents builders from setting the S_ISUID or S_ISGID bits,
preventing users from using a nixbld* user to create a setuid/setgid
binary to interfere with subsequent builds under the same nixbld* uid.

This is based on aszlig's seccomp code
(47f587700d646f5b03a42f2fa57c28875a31efbe).

Reported by Linus Heckemann.

(cherry picked from commit 6cc6c15a2d50d0021d7242e9806ed6d54538de17)


  Commit: a2cf0f10182cf1abd86ca2404795dd41a7cd0425
      
https://github.com/NixOS/nix/commit/a2cf0f10182cf1abd86ca2404795dd41a7cd0425
  Author: Eelco Dolstra <edols...@gmail.com>
  Date:   2017-06-01 (Thu, 01 Jun 2017)

  Changed paths:
    M src/libstore/build.cc

  Log Message:
  -----------
  Fix seccomp initialisation on i686-linux

(cherry picked from commit cf93397d3f1d2a8165a100482d07b7f4b7e5bf7f)


  Commit: 17da82e04d531fed06716dba6224d7e9c915e7de
      
https://github.com/NixOS/nix/commit/17da82e04d531fed06716dba6224d7e9c915e7de
  Author: Eelco Dolstra <edols...@gmail.com>
  Date:   2017-06-01 (Thu, 01 Jun 2017)

  Changed paths:
    M release.nix
    A tests/setuid.nix

  Log Message:
  -----------
  Add test for setuid seccomp filter

(cherry picked from commit 1d9ab273bad34b004dfcfd486273d0df5fed1eca)


  Commit: 1e0f1dab1e3055704dea8e942d2c10a42a177198
      
https://github.com/NixOS/nix/commit/1e0f1dab1e3055704dea8e942d2c10a42a177198
  Author: Eelco Dolstra <edols...@gmail.com>
  Date:   2017-06-01 (Thu, 01 Jun 2017)

  Changed paths:
    M src/libstore/build.cc

  Log Message:
  -----------
  Require seccomp only in multi-user setups

(cherry picked from commit ff6becafa8efc2f7e6f2b9b889ba4adf20b8d524)


  Commit: 66618dbad50d191deebafd58a7fe6bf6b1717d27
      
https://github.com/NixOS/nix/commit/66618dbad50d191deebafd58a7fe6bf6b1717d27
  Author: Eelco Dolstra <edols...@gmail.com>
  Date:   2017-06-01 (Thu, 01 Jun 2017)

  Changed paths:
    M src/libstore/local-store.cc

  Log Message:
  -----------
  canonicalisePathMetaData(): Remove extended attributes / ACLs

EAs/ACLs are not part of the NAR canonicalisation. Worse, setting an
ACL allows a builder to create writable files in the Nix store. So get
rid of them.

Closes #185.

(cherry picked from commit d798349ede3d6eb6e92a2e4f95f6b2179407ceb9)


  Commit: 634d117eded90514e0c05e05a5cd36bdfdd62f1d
      
https://github.com/NixOS/nix/commit/634d117eded90514e0c05e05a5cd36bdfdd62f1d
  Author: Eelco Dolstra <edols...@gmail.com>
  Date:   2017-06-01 (Thu, 01 Jun 2017)

  Changed paths:
    M src/libstore/build.cc

  Log Message:
  -----------
  Add a seccomp rule to disallow setxattr()

(cherry picked from commit 2ac99a32dab0d2ea59cb9e926f6d6d5b7ef638c6)


  Commit: 4be5a65b395355239918ee70bdd1e7a995e83fce
      
https://github.com/NixOS/nix/commit/4be5a65b395355239918ee70bdd1e7a995e83fce
  Author: Eelco Dolstra <edols...@gmail.com>
  Date:   2017-06-01 (Thu, 01 Jun 2017)

  Changed paths:
    M src/libstore/build.cc

  Log Message:
  -----------
  Fix seccomp build failure on clang

Fixes

  src/libstore/build.cc:2321:45: error: non-constant-expression cannot be narrowed from type 'int' to 'scmp_datum_t' (aka 'unsigned long') in initializer list [-Wc++11-narrowing]

(cherry picked from commit fe08d17934e6abe3e8566706f53063166b881f8c)


  Commit: c48697d617c07d280901cf6e1a11ef6fe6d5b6f3
      
https://github.com/NixOS/nix/commit/c48697d617c07d280901cf6e1a11ef6fe6d5b6f3
  Author: Eelco Dolstra <edols...@gmail.com>
  Date:   2017-06-01 (Thu, 01 Jun 2017)

  Changed paths:
    M src/libstore/local-store.cc

  Log Message:
  -----------
  Remove listxattr assertion

It appears that sometimes, listxattr() returns a different value for
the query case (i.e. when the buffer size is 0).

(cherry picked from commit 52fec8dde862264874a4f19be329124ac46adb81)


  Commit: aabe20bf78f4b125d2902c323aa98d80058686d7
      
https://github.com/NixOS/nix/commit/aabe20bf78f4b125d2902c323aa98d80058686d7
  Author: Eelco Dolstra <edols...@gmail.com>
  Date:   2017-06-01 (Thu, 01 Jun 2017)

  Changed paths:
    M nix.spec.in
    M release.nix

  Log Message:
  -----------
  RPM, Deb: Add dependency on libseccomp

(cherry picked from commit ab5834f7a1c2cae9b7071d5a6944ff8b1eeb6e38)


  Commit: 833aae45090ef3505c4ebbf1c63a969968c0b764
      
https://github.com/NixOS/nix/commit/833aae45090ef3505c4ebbf1c63a969968c0b764
  Author: Eelco Dolstra <edols...@gmail.com>
  Date:   2017-06-01 (Thu, 01 Jun 2017)

  Changed paths:
    M release.nix

  Log Message:
  -----------
  Fix coverage job

(cherry picked from commit b4b1f4525f8dc8f320d666c208bff5cb36777580)


Compare: https://github.com/NixOS/nix/compare/a8d13e66ee93...833aae45090e
_______________________________________________
nix-commits mailing list
nix-comm...@lists.science.uu.nl
https://mailman.science.uu.nl/mailman/listinfo/nix-commits
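
Added example, not part of the original mail and not Nix's code: the kind of filter the first commit message describes, one that makes chmod-family calls fail when the mode carries S_ISUID or S_ISGID. It is written as raw seccomp BPF installed with prctl() rather than with libseccomp (which the commits above depend on). The set of syscalls covered, the temporary path and the function names are this example's assumptions, and it omits the seccomp_data.arch check a real filter needs.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>

#define ARG_LO(n) (offsetof(struct seccomp_data, args) + 8 * (n)) /* low 32 bits, little-endian */
/* EPERM for chmod/fchmod/fchmodat with S_ISUID|S_ISGID; no seccomp_data.arch check (demo only). */
static int install_filter(void) {
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
#ifdef __NR_chmod /* absent on newer architectures such as aarch64 */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_chmod, 2, 0),
#endif
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fchmod, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fchmodat, 2, 4),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(1)), /* chmod, fchmod: mode */
        BPF_STMT(BPF_JMP | BPF_JA, 1),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(2)), /* fchmodat: mode */
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, S_ISUID | S_ISGID, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
    };
    struct sock_fprog fprog = { sizeof prog / sizeof prog[0], prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Run the filter in a child; 1 = setuid/setgid chmods denied, plain chmod works. */
int setuid_chmod_blocked(void) {
    char path[] = "/tmp/seccomp-demo-XXXXXX"; /* constructed scratch file */
    int status = 0, fd = mkstemp(path);
    if (fd < 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {
        if (install_filter() != 0) _exit(2);
        int suid = chmod(path, 04755) == -1 && errno == EPERM;
        int sgid = fchmod(fd, 02755) == -1 && errno == EPERM;
        _exit(suid && sgid && chmod(path, 0755) == 0 ? 0 : 1);
    }
    if (pid > 0) waitpid(pid, &status, 0);
    close(fd); unlink(path);
    return pid > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
int main(void) { return setuid_chmod_blocked() == 1 ? 0 : 1; }
```

The filter is installed only in the forked child, so the calling process keeps its unrestricted syscalls.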
