Merge pull request #11000 from hercules-ci/backport-10992-to-2.23-maintenance

[Backport 2.23-maintenance] Fix #10947; don't cache disallowed IFD
2025-07-03 10:21:47 +02:00 · 2024-07-01 14:14:04 +02:00 · 2024-07-01 14:14:04 +02:00 · f80e0832bc
commit f80e0832bc
parent 53a5266220 11491a2f1f
4 changed files with 81 additions and 68 deletions
--- a/doc/manual/rl-next/harden-user-sandboxing.md
+++ b/doc/manual/rl-next/harden-user-sandboxing.md
@ -1,8 +1,6 @@
 ---
 synopsis: Harden the user sandboxing
 significance: significant
 issues:
 prs: <only provided once merged>
 ---
 The build directory has been hardened against interference with the outside world by nesting it inside another directory owned by (and only readable by) the daemon user.
--- a/src/libexpr/primops.cc
+++ b/src/libexpr/primops.cc
@ -79,7 +79,7 @@ StringMap EvalState::realiseContext(const NixStringContext & context, StorePathS
    if (drvs.empty()) return {};
    if (isIFD && !evalSettings.enableImportFromDerivation)
-        error<EvalError>(
+        error<EvalBaseError>(
            "cannot build '%1%' during evaluation because the option 'allow-import-from-derivation' is disabled",
            drvs.begin()->to_string(*store)
        ).debugThrow();
--- a/tests/functional/flakes/eval-cache.sh
+++ b/tests/functional/flakes/eval-cache.sh
@ -7,12 +7,22 @@ requireGit
 flake1Dir="$TEST_ROOT/eval-cache-flake"
 createGitRepo "$flake1Dir" ""
 cp ../simple.nix ../simple.builder.sh ../config.nix "$flake1Dir/"
 git -C "$flake1Dir" add simple.nix simple.builder.sh config.nix
 git -C "$flake1Dir" commit -m "config.nix"
 cat >"$flake1Dir/flake.nix" <<EOF
 {
  description = "Fnord";
-  outputs = { self }: {
+  outputs = { self }: let inherit (import ./config.nix) mkDerivation; in {
    foo.bar = throw "breaks";
    drv = mkDerivation {
      name = "build";
      buildCommand = ''
        echo true > \$out
      '';
    };
    ifd = assert (import self.drv); self.drv;
  };
 }
 EOF
@ -22,3 +32,8 @@ git -C "$flake1Dir" commit -m "Init"
 expect 1 nix build "$flake1Dir#foo.bar" 2>&1 | grepQuiet 'error: breaks'
 expect 1 nix build "$flake1Dir#foo.bar" 2>&1 | grepQuiet 'error: breaks'
 # Conditional error should not be cached
 expect 1 nix build "$flake1Dir#ifd" --option allow-import-from-derivation false 2>&1 \
  | grepQuiet 'error: cannot build .* during evaluation because the option '\''allow-import-from-derivation'\'' is disabled'
 nix build "$flake1Dir#ifd"
--- a/tests/nixos/user-sandboxing/attacker.c
+++ b/tests/nixos/user-sandboxing/attacker.c
@ -9,11 +9,13 @@
 #define SYS_fchmodat2 452
-int fchmodat2(int dirfd, const char *pathname, mode_t mode, int flags) {
+int fchmodat2(int dirfd, const char * pathname, mode_t mode, int flags)
 {
    return syscall(SYS_fchmodat2, dirfd, pathname, mode, flags);
 }
-int main(int argc, char **argv) {
+int main(int argc, char ** argv)
 {
    if (argc <= 1) {
        // stage 1: place the setuid-builder executable
@ -49,8 +51,7 @@ int main(int argc, char **argv) {
            for (;;) {
                ssize_t len = read(fd, buf, sizeof(buf));
                struct inotify_event * ev;
-        for (char *pe = buf; pe < buf + len;
+                for (char * pe = buf; pe < buf + len; pe += sizeof(struct inotify_event) + ev->len) {
            pe += sizeof(struct inotify_event) + ev->len) {
                    ev = (struct inotify_event *) pe;
                    fprintf(stderr, "folder %s created\n", ev->name);
                    // wait a bit to prevent racing against the creation
@ -79,4 +80,3 @@ int main(int argc, char **argv) {
        exit(0);
    }
 }