mirror of https://github.com/NixOS/nix, synced 2024-09-19 10:50:24 -04:00
libstore: fix sandboxed builds on macOS
The recent fix for CVE-2024-38531 broke the sandbox on macOS completely. As it’s not practical to use `chroot(2)` on macOS, the build takes place in the main filesystem tree, and the world‐unreadable wrapper directory prevents the build from accessing its `$TMPDIR` at all.

The macOS sandbox probably shouldn’t be treated as any kind of a security boundary in its current state, but this specific vulnerability wasn’t possible to exploit on macOS anyway, as creating `set{u,g}id` binaries is blocked by sandbox policy. Locking down the build sandbox further may be a good idea in future, but it already has significant compatibility issues. For now, restore the previous status quo on macOS.

Thanks to @alois31 for helping me come to a better understanding of the vulnerability.

Fixes: 1d3696f0fb
Closes: #11002
(cherry picked from commit af2e1142b1)
(cherry picked from commit 9feee13952)
parent ff7b9a1fd3
commit 0b97319ed4
@@ -485,12 +485,22 @@ void LocalDerivationGoal::startBuilder()
     /* Create a temporary directory where the build will take
        place. */
     topTmpDir = createTempDir("", "nix-build-" + std::string(drvPath.name()), false, false, 0700);
+#if __APPLE__
+    if (false) {
+#else
     if (useChroot) {
+#endif
         /* If sandboxing is enabled, put the actual TMPDIR underneath
            an inaccessible root-owned directory, to prevent outside
-           access. */
+           access.
+
+           On macOS, we don't use an actual chroot, so this isn't
+           possible. Any mitigation along these lines would have to be
+           done directly in the sandbox profile. */
         tmpDir = topTmpDir + "/build";
         createDir(tmpDir, 0700);
+    } else {
+        tmpDir = topTmpDir;
     }
     chownToBuilder(tmpDir);
 
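Review bot: splitting the `if` header across `#if __APPLE__` / `if (false) {` / `#else` / `if (useChroot) {` / `#endif` leaves a permanently dead branch compiled into the macOS build and makes the brace pairing hard to read and easy to unbalance in a later edit. Consider computing the condition once, e.g. `bool useWrapperDir = useChroot;` followed by `#if __APPLE__` / `useWrapperDir = false;` / `#endif`, and then a single `if (useWrapperDir) {`; that also gives the macOS exception a name that the new explanatory comment ("On macOS, we don't use an actual chroot ...") can sit beside, instead of living inside a block that never executes there. The behaviour matches the commit message: on macOS `tmpDir` falls back to `topTmpDir`, so `chownToBuilder(tmpDir)` hands the whole 0700 top directory to the build user, restoring the pre-CVE-2024-38531 layout, and the root-owned wrapper directory is still used on Linux when `useChroot` is set.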