mirror of
https://github.com/NixOS/nix
synced 2025-06-25 06:31:14 +02:00
88b7db1ba4
If a build directory is accessible to other users it is possible to smuggle data in and out of build directories. Usually this is only a build purity problem, but in combination with other issues it can be used to break out of a build sandbox. to prevent this we default to using a subdirectory of nixStateDir (which is more restrictive). (cherry picked from pennae Lix commit 55b416f6897fb0d8a9315a530a9b7f0914458ded) (store setting done by roberth)
38 lines
1 KiB
Bash
Executable file
38 lines
1 KiB
Bash
Executable file
#!/usr/bin/env bash
|
|
|
|
source common.sh
|
|
|
|
requireSandboxSupport
|
|
[[ $busybox =~ busybox ]] || skipTest "no busybox"
|
|
if ! command -p -v unshare; then skipTest "Need unshare"; fi
|
|
needLocalStore "The test uses --store always so we would just be bypassing the daemon"
|
|
|
|
TODO_NixOS
|
|
|
|
execUnshare <<EOF
|
|
source common.sh
|
|
|
|
# Avoid store dir being inside sandbox build-dir
|
|
unset NIX_STORE_DIR
|
|
|
|
setLocalStore () {
|
|
export NIX_REMOTE=\$TEST_ROOT/\$1
|
|
mkdir -p \$NIX_REMOTE
|
|
}
|
|
|
|
cmd=(nix-build ./hermetic.nix --arg busybox "$busybox" --arg seed 1 --no-out-link)
|
|
|
|
# Fails with default setting
|
|
setLocalStore store1
|
|
expectStderr 1 "\${cmd[@]}" | grepQuiet "setgroups failed"
|
|
|
|
# Fails with `require-drop-supplementary-groups`
|
|
setLocalStore store2
|
|
NIX_CONFIG='require-drop-supplementary-groups = true' \
|
|
expectStderr 1 "\${cmd[@]}" | grepQuiet "setgroups failed"
|
|
|
|
# Works without `require-drop-supplementary-groups`
|
|
setLocalStore store3
|
|
NIX_CONFIG='require-drop-supplementary-groups = false' \
|
|
"\${cmd[@]}"
|
|
EOF
|