From cd8bde1c98543236ec0ceb4375c03eb55aa8e56d Mon Sep 17 00:00:00 2001
From: aszlig
Date: Mon, 2 Jul 2018 03:42:45 +0200
Subject: pkgs/sandbox: Add flag to bind-mount read-only
While the Nix store should be read-only by default, we can't guarantee this as the Nix store could be mounted read-write (for example on non-NixOS systems).
For paths other than store directories, I took a conservative approach here where only /etc is mounted read-only, for all the pseudo- filesystems such as /proc, /sys or /dev write access might still be needed, for example to write to a hardware device exposed via /dev (eg. a gamepad with rumble support).
Signed-off-by: aszlig
---
pkgs/build-support/build-sandbox/default.nix | 3 ++-
pkgs/build-support/build-sandbox/src/setup.c | 23 +++++++++++++----------
pkgs/build-support/build-sandbox/src/setup.h | 2 +-
3 files changed, 16 insertions(+), 12 deletions(-)
(limited to 'pkgs/build-support')
diff --git a/pkgs/build-support/build-sandbox/default.nix b/pkgs/build-support/build-sandbox/default.nix
index ba4f3625..a52be5c9 100644
--- a/pkgs/build-support/build-sandbox/default.nix
+++ b/pkgs/build-support/build-sandbox/default.nix
@@ -49,7 +49,8 @@ in stdenv.mkDerivation ({
 echo 'bool setup_app_paths(void) {' >> params.c
 for dep in $runtimeDeps; do
- echo 'if (!bind_mount("'"$dep"'", true, true)) return false;' >> params.c
+ echo 'if (!bind_mount("'"$dep"'", true, true, true)) return false;' \
+ >> params.c
 done
 ${mkExtraMountParams true pathsRequired}
diff --git a/pkgs/build-support/build-sandbox/src/setup.c b/pkgs/build-support/build-sandbox/src/setup.c
index da6c65c7..ffab2c26 100644
--- a/pkgs/build-support/build-sandbox/src/setup.c
+++ b/pkgs/build-support/build-sandbox/src/setup.c
@@ -245,11 +245,14 @@ recurse:
 return result;
 }
-bool bind_mount(const char *path, bool restricted, bool resolve)
+bool bind_mount(const char *path, bool rdonly, bool restricted, bool resolve)
 {
 int mflags = MS_BIND | MS_REC;
 char src[PATH_MAX], *target;
+ if (rdonly)
+ mflags |= MS_RDONLY;
+
 if (restricted)
 mflags |= MS_NOSUID | MS_NODEV | MS_NOATIME;
@@ -537,7 +540,7 @@ bool extra_mount(const char *path, bool is_required)
 if (is_required && !makedirs(expanded, false))
 return false;
- if (!bind_mount(expanded, true, true)) {
+ if (!bind_mount(expanded, false, true, true)) {
 free(expanded);
 return false;
 }
@@ -597,7 +600,7 @@ static bool mount_requisites(struct query_state *qs, const char *path)
 while ((requisite = next_query_result(qs)) != NULL) {
 if (is_dir(requisite)) {
- if (!bind_mount(requisite, true, false))
+ if (!bind_mount(requisite, true, true, false))
 return false;
 } else {
 if (!bind_file(requisite))
@@ -685,25 +688,25 @@ static bool setup_chroot(void)
 return false;
 }
- if (!bind_mount("/etc", true, false))
+ if (!bind_mount("/etc", true, true, false))
 return false;
- if (!bind_mount("/dev", false, false))
+ if (!bind_mount("/dev", false, false, false))
 return false;
- if (!bind_mount("/proc", false, false))
+ if (!bind_mount("/proc", false, false, false))
 return false;
- if (!bind_mount("/sys", false, false))
+ if (!bind_mount("/sys", false, false, false))
 return false;
- if (!bind_mount("/run", false, false))
+ if (!bind_mount("/run", false, false, false))
 return false;
- if (!bind_mount("/var/run", false, false))
+ if (!bind_mount("/var/run", false, false, false))
 return false;
- if (!bind_mount("/tmp", true, false))
+ if (!bind_mount("/tmp", false, true, false))
 return false;
 if (!setup_runtime_paths())
diff --git a/pkgs/build-support/build-sandbox/src/setup.h b/pkgs/build-support/build-sandbox/src/setup.h
index fe882dc5..2ef05482 100644
--- a/pkgs/build-support/build-sandbox/src/setup.h
+++ b/pkgs/build-support/build-sandbox/src/setup.h
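Review bot: Setting MS_RDONLY in mflags together with MS_BIND does not make the new bind mount read-only: mount(2) documents that on a bind mount every flag other than MS_REC is ignored and the mount inherits the options of its source, so the read-only bit (and the MS_NOSUID|MS_NODEV|MS_NOATIME bits that `restricted` already adds) only takes effect if a second call such as `mount(NULL, target, NULL, MS_REMOUNT | MS_BIND | MS_RDONLY | <restricted bits>, NULL)` follows the bind; the rest of bind_mount, including its mount() call, lies outside this hunk, so I cannot tell whether such a remount exists. If it does not, the rdonly=true call sites in the mount_requisites and setup_chroot hunks below and the generated setup_app_paths in default.nix still leave the store writable whenever the Nix store is mounted read-write, which is exactly the case the commit sets out to close. Note also that a MS_REMOUNT|MS_BIND remount changes only the top-level mount, not the submounts pulled in by MS_REC, and that per-mount flags omitted from the remount are cleared, so the restricted bits must be repeated there. A comment on the new lines, `/* only honoured by a MS_REMOUNT|MS_BIND pass after the bind, see mount(2) */`, would make that dependency explicit for the next reader.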
@@ -6,7 +6,7 @@
 #include "nix-query.h"
 bool write_maps(pid_t parent_pid);
-bool bind_mount(const char *path, bool restricted, bool resolve);
+bool bind_mount(const char *path, bool rdonly, bool restricted, bool resolve);
 bool extra_mount(const char *path, bool is_required);
 bool mount_from_path_var(struct query_state *qs, const char *name);
 bool setup_sandbox(void);
-- 
cgit 1.4.1
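Review bot: The new prototype carries no documentation, and with rdonly inserted ahead of restricted the call sites in setup.c now read as runs of three positional bools (`true, true, false`) whose meaning cannot be checked without opening bind_mount. I'd add a Doxygen block above the declaration naming each parameter: path, rdonly (sets MS_RDONLY per the setup.c hunk), restricted (MS_NOSUID|MS_NODEV|MS_NOATIME), resolve (not visible in this patch, so the author should state what it controls), and the false-on-failure return. A flags enum such as `BIND_RDONLY | BIND_RESTRICTED | BIND_RESOLVE` in place of the three bools would make the generated params.c and the setup_chroot calls self-describing, at the cost of touching every caller.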