libstore: fix sandboxed builds on macOS

The recent fix for CVE-2024-38531 broke the sandbox on macOS completely. As it’s not practical to use `chroot(2)` on macOS, the build takes place in the main filesystem tree, and the world‐unreadable wrapper directory prevents the build from accessing its `$TMPDIR` at all. The macOS sandbox probably shouldn’t be treated as any kind of a security boundary in its current state, but this specific vulnerability wasn’t possible to exploit on macOS anyway, as creating `set{u,g}id` binaries is blocked by sandbox policy. Locking down the build sandbox further may be a good idea in future, but it already has significant compatibility issues. For now, restore the previous status quo on macOS. Thanks to @alois31 for helping me come to a better understanding of the vulnerability. Fixes: 1d3696f0fb Closes: #11002
2024-09-19 10:50:24 -04:00 · 2024-07-04 16:24:59 +01:00 · 2024-07-04 16:24:59 +01:00 · af2e1142b1
parent 76e4adfaac
commit af2e1142b1
1 changed files with 11 additions and 1 deletions
--- a/src/libstore/unix/build/local-derivation-goal.cc
+++ b/src/libstore/unix/build/local-derivation-goal.cc
@ -504,12 +504,22 @@ void LocalDerivationGoal::startBuilder()
    /* Create a temporary directory where the build will take
       place. */
    topTmpDir = createTempDir(settings.buildDir.get().value_or(""), "nix-build-" + std::string(drvPath.name()), false, false, 0700);
+#if __APPLE__
+    if (false) {
+#else
    if (useChroot) {
+#endif
        /* If sandboxing is enabled, put the actual TMPDIR underneath
           an inaccessible root-owned directory, to prevent outside
-           access. */
+           access.
+
+           On macOS, we don't use an actual chroot, so this isn't
+           possible. Any mitigation along these lines would have to be
+           done directly in the sandbox profile. */
        tmpDir = topTmpDir + "/build";
        createDir(tmpDir, 0700);
+    } else {
+        tmpDir = topTmpDir;
    }
    chownToBuilder(tmpDir);