GNU transactional package management, distribution, deployment, and more! http://git.rostovtsev.org/guix/atom?h=master 2025-06-24T14:07:58Z 2025-06-24T14:07:58Z Reepca Russelstein reepca@russelstein.xyz 2025-04-29T13:17:38Z urn:sha1:c659f977bb09de6d5615e6aa9efddedc1d9ff458 The container that slirp4netns runs in should already be quite difficult to do anything malicious in beyond basic denial of service or sending of network traffic. There is, however, one hole remaining in the case in which there is an adversary able to run code locally: abstract unix sockets. Because these are governed by network namespaces, not IPC namespaces, and slirp4netns is in the root network namespace, any process in the root network namespace can cooperate with the slirp4netns process to take over its user. To close this, we use seccomp to block the creation of unix-domain sockets by slirp4netns. This requires some finesse, since slirp4netns absolutely needs to be able to create other types of sockets - at minimum AF_INET and AF_INET6 Seccomp has many, many pitfalls. To name a few: 1. Seccomp provides you with an "arch" field, but this does not uniquely determine the ABI being used; the actual meaning of a system call number depends on both the number (which is often the result of ORing a related system call with a flag for an alternate ABI) and the architecture. 2. Seccomp provides no direct way of knowing what the native value for the arch field should be; the user must do configure/compile-time testing for every architecture+ABI combination they want to support. Amusingly enough, the linux-internal header files have this exact information (SECCOMP_ARCH_NATIVE), but they aren't sharing it. 3. The only system call numbers we naturally have are the native ones in asm/unistd.h. __NR_socket will always refer to the system call number for the target system's ABI. 4. Seccomp can only manipulate 32-bit words, but represents every system call argument as a uint64. 5. New system call numbers with as-yet-unknown semantics can be added to the kernel at any time. 6. Based on this comment in arch/x86/entry/syscalls/syscall_32.tbl: # 251 is available for reuse (was briefly sys_set_zone_reclaim) previously-invalid system call numbers may later be reused for new system calls. 7. Most architecture+ABI combinations have system call tables with many gaps in them. arm-eabi, for example, has 35 such gaps (note: this is just the number of distinct gaps, not the number of system call numbers contained in those gaps). 8. Seccomp's BPF filters require a fully-acyclic control flow graph. Any operation on a data structure must therefore first be fully unrolled before it can be run. 9. Seccomp cannot dereference pointers. Only the raw bits provided to the system calls can be inspected. 10. Some architecture+ABI combos have multiplexer system calls. For example, socketcall can perform any socket-related system call. The arguments to the multiplexed system call are passed indirectly, via a pointer to user memory. They therefore cannot be inspected by seccomp. 11. Some valid system calls are not listed in any table in the kernel source. For example, __ARM_NR_cacheflush is an "ARM private" system call. It does not appear in any *.tbl file. 12. Conditional branches are limited to relative jumps of at most 256 instructions forward. 13. Prior to Linux 4.8, any process able to spawn another process and call ptrace could bypass seccomp restrictions. To address (1), (2), and (3), we include preprocessor checks to identify the native architecture value, and reject all system calls that don't use the native architecture. To address (4), we use the AC_C_BIGENDIAN autoconf check to conditionally define WORDS_BIGENDIAN, and match up the proper portions of any uint64 we test for with the value in the accumulator being tested against. To address (5) and (6), we use system call pinning. That is, we hardcode a snapshot of all the valid system call numbers at the time of writing, and reject any system call numbers not in the recorded set. A set is recorded for every architecture+ABI combo, and the native one is chosen at compile-time. This ensures that not only are non-native architectures rejected, but so are non-native ABIs. For the sake of conciseness, we represent these sets as sets of disjoint ranges. Due to (7), checking each range in turn could add a lot of overhead to each system call, so we instead binary search through the ranges. Due to (8), this binary search has to be fully unrolled, so we do that too. It can be tedious and error-prone to manually produce the syscall ranges by looking at linux's *.tbl files, since the gaps are often small and uncommented. To address this, a script, build-aux/extract-syscall-ranges.sh, is added that will produce them given a *.tbl filename and an ABI regex (some tables seem to abuse the ABI field with strange values like "memfd_secret"). Note that producing the final values still requires looking at the proper asm/unistd.h file to find any private numbers and to identify any offsets and ABI variants used. (10) used to have no good solution, but in the past decade most architectures have gained dedicated system call alternatives to at least socketcall, so we can (hopefully) just block it entirely. To address (13), we block ptrace also. * build-aux/extract-syscall-ranges.sh: new script. * Makefile.am (EXTRA_DIST): register it. * config-daemon.ac: use AC_C_BIGENDIAN. * nix/libutil/spawn.cc (setNoNewPrivsAction, addSeccompFilterAction): new functions. * nix/libutil/spawn.hh (setNoNewPrivsAction, addSeccompFilterAction): new declarations. (SpawnContext)[setNoNewPrivs, addSeccompFilter]: new fields. * nix/libutil/seccomp.hh: new header file. * nix/libutil/seccomp.cc: new file. * nix/local.mk (libutil_a_SOURCES, libutil_headers): register them. * nix/libstore/build.cc (slirpSeccompFilter, writeSeccompFilterDot): new functions. (spawnSlirp4netns): use them, set seccomp filter for slirp4netns. Change-Id: Ic92c7f564ab12596b87ed0801b22f88fbb543b95 Signed-off-by: John Kehayias <john.kehayias@protonmail.com> 2025-06-24T14:07:57Z Reepca Russelstein reepca@russelstein.xyz 2025-04-18T06:35:31Z urn:sha1:fb42611b8f27960304db5a1c0d33b8371dcde2a8 Previously, the builder of a fixed-output derivation could communicate with an external process via an abstract Unix-domain socket. In particular, it could send an open file descriptor to the store, granting write access to some of its output files in the store provided the derivation build fails—the fix for CVE-2024-27297 did not address this specific case. It could also send an open file descriptor to a setuid program, which could then be executed using execveat to gain the privileges of the build user. With this change, fixed-output derivations other than “builtin:download” and “builtin:git-download” always run in a separate network namespace and have network access provided by a TAP device backed by slirp4netns, thereby closing the abstract Unix-domain socket channel. * nix/libstore/globals.hh (Settings)[useHostLoopback, slirp4netns]: new fields. * config-daemon.ac (SLIRP4NETNS): new C preprocessor definition. * nix/libstore/globals.cc (Settings::Settings): initialize them to defaults. * nix/nix-daemon/guix-daemon.cc (options): add --isolate-host-loopback option. * doc/guix.texi: document it. * nix/libstore/build.cc (DerivationGoal)[slirp]: New field. (setupTap, setupTapAction, waitForSlirpReadyAction, enableRouteLocalnetAction, prepareSlirpChrootAction, spawnSlirp4netns, haveGlobalIPv6Address, remapIdsTo0Action): New functions. (initializeUserNamespace): allow the guest UID and GID to be specified. (DerivationGoal::killChild): When ‘slirp’ is not -1, call ‘kill’. (DerivationGoal::startBuilder): Unconditionally add CLONE_NEWNET to FLAGS. When ‘fixedOutput’ is true, spawn ‘slirp4netns’. When ‘fixedOutput’ and ‘useChroot’ are true, add setupTapAction, waitForSlirpReadyAction, and enableRouteLocalnetAction to builder setup phases. Create a /etc/resolv.conf for fixed-output derivations that directs them to slirp4netns's dns address. When settings.useHostLoopback is true, supply fixed-output derivations with a /etc/hosts that resolves "localhost" to slirp4netns's address for accessing the host loopback. * nix/libutil/util.cc (keepOnExec, decodeOctalEscaped, sendFD, receiveFD, findProgram): New functions. * nix/libutil/util.hh (keepOnExec, decodeOctalEscaped, sendFD, receiveFD, findProgram): New declarations. * gnu/packages/package-management.scm (guix): add slirp4netns input for linux targets. * tests/derivations.scm (builder-network-isolated?): new variable. ("fixed-output derivation, network access, localhost", "fixed-output derivation, network access, external host"): skip test case if fixed output derivations are isolated from the network. Change-Id: Ia3fea2ab7add56df66800071cf15cdafe7bfab96 Signed-off-by: John Kehayias <john.kehayias@protonmail.com> 2025-03-26T16:57:44Z Ludovic Courtès ludo@gnu.org 2025-01-23T21:43:54Z urn:sha1:0163c732a17f6358a6b0d8004b27d27650a7d5be * config-daemon.ac: Check for <sys/prctl.h>. * nix/libstore/build.cc (DerivationGoal::runChild): When ‘useChroot’ is true, call ‘prctl’ to drop all ambient capabilities. Change-Id: If34637fc508e5fb6d278167f5df7802fc595284f 2025-03-26T16:57:42Z Ludovic Courtès ludo@gnu.org 2025-02-11T16:42:37Z urn:sha1:f03e6eff2f491fbf1a38b36d46c0fe2fdd3e6886 * nix/libutil/util.cc (closeMostFDs) [HAVE_CLOSE_RANGE]: Use ‘close_range’ when ‘exceptions’ is empty. * config-daemon.ac: Check for <linux/close_range.h> and the ‘close_range’ symbol. Change-Id: I12fa3bde58b003fcce5ea5a1fee1dcf9a92c0359 2024-12-09T22:15:45Z Doğan Çeçen sepeth@fastmail.com 2024-12-04T10:10:11Z urn:sha1:dcaccc8b722cee279c00bb321baa48ae73563931 This is a followup to 8a7bd211d21f06c1234fbb82bb905d202d58f598. As it is mentioned in autoconf manual that library names should be specified in LIBS, not LDFLAGS. See: https://www.gnu.org/savannah-checkouts/gnu/autoconf/manual/autoconf-2.72/html_node/Preset-Output-Variables.html#index-LDFLAGS-2 This change also brings back the save_* vars trick that was there before. I missed in my earlier change that nix/local.mk was referring LIBGCRYPT_* vars directly. And, instead of CXXFLAGS, CPPFLAGS is used since the latter is probably more correct as this is used for include dirs, therefore using preprocessor flags. Tested with ./configure LDFLAGS="-Wl,--as-needed" --with-libgcrypt-prefix=... combinations. * config-daemon.ac: Set ‘LIBGCRYPT_CPPFLAGS’ instead of ‘LIBGCRYPT_CXXFLAGS’. Set ‘LIBGCRYPT_LIBS’ in addition to ‘LIBGCRYPT_LDFLAGS’. Save and restore ‘CPPFLAGS’, ‘LDFLAGS’, and ‘LIBS’ around test. * nix/local.mk (libutil_a_CPPFLAGS): Add $(LIBGCRYPT_CPPFLAGS). (libstore_a_CXXFLAGS): Remove $(LIBGCRYPT_CFLAGS). (guix_daemon_LDFLAGS): New variable. Change-Id: Iadb10e1994c9a78e2927847af2cfe5e096fbb2a8 Signed-off-by: Ludovic Courtès <ludo@gnu.org> 2024-11-22T19:12:00Z Doğan Çeçen sepeth@fastmail.com 2024-10-30T20:41:06Z urn:sha1:8a7bd211d21f06c1234fbb82bb905d202d58f598 Since the daemon is written in C++, we need to modify CXXFLAGS instead of CFLAGS to find include files. Use LIBGCRYPT_LDFLAGS instead of LIBGCRYPT_LIBS, since only the former is added to LDFLAGS. * config-daemon.ac: Change LDFLAGS and CXXFLAGS when --with-libgcrypt-* arguments are passed to the configure script. Change-Id: I0f3867491e46608e71b1ea0b3214674bca64b31d Signed-off-by: Andreas Enge <andreas@enge.fr> 2024-06-26T20:59:55Z Ludovic Courtès ludo@gnu.org 2024-05-31T08:54:18Z urn:sha1:d11b96eb5493231a5a35045505ff8ae8aa746b8e Having substitute URLs explicitly listed in the service startup file makes it clearer what should be modified to permanently change the list of substitute URLs. * config-daemon.ac: Rename ‘guix_substitute_urls’ to ‘GUIX_SUBSTITUTE_URLS’ and substitute it. * nix/local.mk (etc/guix-%.service, etc/init.d/guix-daemon) (etc/guix-%.conf): Substitute it. * etc/guix-daemon.conf.in, etc/guix-daemon.service.in, etc/init.d/guix-daemon.in: Add an explicit ‘--substitute-urls’ option. Change-Id: Ie491b7fab5c42e54dca582801c03805a85de2bf9 2024-04-03T16:18:38Z Christopher Baines mail@cbaines.net 2024-03-27T13:43:43Z urn:sha1:ac19e038b457d0585812091200005befd9b29259 The aim here is to improve the user experience. There's anecdotal evidence that the network performance for bordeaux is better compared to ci at least for some users, and I don't know of any issues with rate limiting or access restriction for bordeaux compared to ci. It also has IPv6 support. Additionally, bordeaux generally had more substitutes than ci, particularly for aarch64-linux and armhf-linux. This change will offer a very slight speedup for those substitutes that only bordeaux has. Bordeaux has been a default substitute server for nearly 3 years now and I think this change is overdue. I'm also hopeful that we'll be able to build on the testing regarding mirrors for bordeaux, and that'll allow potentially improving the hosting setup (through providing more redundancy) and further improving substitute fetching for users who currently have issues with substitute access. * config-daemon.ac: Switch substitute urls order. * doc/guix.texi: Ditto. * etc/guix-install.sh: Ditto. * gnu/installer/newt/network.scm (wait-service-online): Ditto. * guix/store.scm (%default-substitute-urls): Ditto. Change-Id: I4f6d93ae1fc8b03d80b47b18b5749a51f1fde17b Signed-off-by: Christopher Baines <mail@cbaines.net> 2021-11-16T13:34:28Z Ludovic Courtès ludo@gnu.org 2021-11-13T20:47:15Z urn:sha1:472a0e82a52a3d5d841e1dfad6b13e26082a5750 Files smaller than 8 KiB typically represent ~70% of the entries in /gnu/store/.links but only contribute to ~4% of the space savings afforded by deduplication. Not considering these files for deduplication speeds up file insertion in the store and, more importantly, leaves 'removeUnusedLinks' with fewer entries to traverse, thereby speeding it up proportionally. Partly fixes <https://issues.guix.gnu.org/24937>. * config-daemon.ac: Remove symlink hard link check and CAN_LINK_SYMLINK definition. * guix/store/deduplication.scm (%deduplication-minimum-size): New variable. (deduplicate)[loop]: Do not recurse when FILE's size is below %DEDUPLICATION-MINIMUM-SIZE. (dump-port): New procedure. (dump-file/deduplicate)[hash]: Turn into... [dump-and-compute-hash]: ... this thunk. Call 'deduplicate' only when SIZE is greater than %DEDUPLICATION-MINIMUM-SIZE; otherwise call 'dump-port'. * nix/libstore/gc.cc (LocalStore::removeUnusedLinks): Drop files where st.st_size < deduplicationMinSize. * nix/libstore/local-store.hh (deduplicationMinSize): New declaration. * nix/libstore/optimise-store.cc (deduplicationMinSize): New variable. (LocalStore::optimisePath_): Return when PATH is a symlink or smaller than 'deduplicationMinSize'. * tests/derivations.scm ("identical files are deduplicated"): Produce files bigger than %DEDUPLICATION-MINIMUM-SIZE. * tests/nar.scm ("restore-file-set with directories (signed, valid)"): Likewise. * tests/store-deduplication.scm ("deduplicate, below %deduplication-minimum-size"): New test. ("deduplicate", "deduplicate, ENOSPC"): Produce files bigger than %DEDUPLICATION-MINIMUM-SIZE. * tests/store.scm ("substitute, deduplication"): Likewise. 2021-06-18T10:25:41Z Christopher Baines mail@cbaines.net 2021-05-15T10:02:36Z urn:sha1:4985a4272497bf9ba87a2190353d915da9b55906 In addition to substitutes from ci.guix.gnu.org. There are more changes that can be made in the future, but these changes seem like a good start. * config-daemon.ac (guix_substitute_urls): Add https://bordeaux.guix.gnu.org. * guix/scripts/substitute.scm (%default-substitute-urls): Add http://bordeaux.guix.gnu.org. * guix/store.scm (%default-substitute-urls): Add bordeaux.guix.gnu.org. * doc/guix.texi: Adjust accordingly. * doc/contributing.texi: Adjust accordingly.