mirror of
https://git.savannah.gnu.org/git/guix.git
synced 2026-04-06 21:20:33 +02:00
fb42611b8f
Previously, the builder of a fixed-output derivation could communicate with an
external process via an abstract Unix-domain socket. In particular, it could
send an open file descriptor to the store, granting write access to some of
its output files in the store provided the derivation build fails—the fix for
CVE-2024-27297 did not address this specific case. It could also send an open
file descriptor to a setuid program, which could then be executed using
execveat to gain the privileges of the build user.
With this change, fixed-output derivations other than “builtin:download”
and “builtin:git-download” always run in a separate network namespace
and have network access provided by a TAP device backed by slirp4netns,
thereby closing the abstract Unix-domain socket channel.
* nix/libstore/globals.hh (Settings)[useHostLoopback, slirp4netns]: new
fields.
* config-daemon.ac (SLIRP4NETNS): new C preprocessor definition.
* nix/libstore/globals.cc (Settings::Settings): initialize them to defaults.
* nix/nix-daemon/guix-daemon.cc (options): add --isolate-host-loopback option.
* doc/guix.texi: document it.
* nix/libstore/build.cc (DerivationGoal)[slirp]: New field.
(setupTap, setupTapAction, waitForSlirpReadyAction, enableRouteLocalnetAction,
prepareSlirpChrootAction, spawnSlirp4netns, haveGlobalIPv6Address,
remapIdsTo0Action): New functions.
(initializeUserNamespace): allow the guest UID and GID to be specified.
(DerivationGoal::killChild): When ‘slirp’ is not -1, call ‘kill’.
(DerivationGoal::startBuilder): Unconditionally add CLONE_NEWNET to FLAGS.
When ‘fixedOutput’ is true, spawn ‘slirp4netns’.
When ‘fixedOutput’ and ‘useChroot’ are true, add setupTapAction,
waitForSlirpReadyAction, and enableRouteLocalnetAction to builder setup
phases.
Create a /etc/resolv.conf for fixed-output derivations that directs them to
slirp4netns's dns address.
When settings.useHostLoopback is true, supply fixed-output derivations with a
/etc/hosts that resolves "localhost" to slirp4netns's address for accessing
the host loopback.
* nix/libutil/util.cc (keepOnExec, decodeOctalEscaped, sendFD, receiveFD,
findProgram): New functions.
* nix/libutil/util.hh (keepOnExec, decodeOctalEscaped, sendFD, receiveFD,
findProgram): New declarations.
* gnu/packages/package-management.scm (guix): add slirp4netns input for linux
targets.
* tests/derivations.scm (builder-network-isolated?): new variable.
("fixed-output derivation, network access, localhost", "fixed-output
derivation, network access, external host"):
skip test case if fixed output derivations are isolated from the network.
Change-Id: Ia3fea2ab7add56df66800071cf15cdafe7bfab96
Signed-off-by: John Kehayias <john.kehayias@protonmail.com>
-*- mode: org -*- [[https://www.gnu.org/software/guix/][GNU Guix]] (IPA: /ɡiːks/) is a purely functional package manager, and associated free software distribution, for the [[https://www.gnu.org/gnu/gnu.html][GNU system]]. In addition to standard package management features, Guix supports transactional upgrades and roll-backs, unprivileged package management, per-user profiles, and garbage collection. It provides [[https://www.gnu.org/software/guile/][Guile]] Scheme APIs, including a high-level embedded domain-specific languages (EDSLs) to describe how packages are to be built and composed. GNU Guix can be used on top of an already-installed GNU/Linux distribution, or it can be used standalone (we call that “Guix System”). Guix is based on the [[https://nixos.org/nix/][Nix]] package manager. * Requirements If you are building Guix from source, please see the manual for build instructions and requirements, either by running: info -f doc/guix.info "Requirements" or by checking the [[https://guix.gnu.org/manual/en/html_node/Requirements.html][web copy of the manual]]. * Installation See the manual for the installation instructions, either by running info -f doc/guix.info "Installation" or by checking the [[https://guix.gnu.org/manual/en/html_node/Installation.html][web copy of the manual]]. * Building from Git For information on building Guix from a Git checkout, please see the relevant section in the manual, either by running info -f doc/guix.info "Building from Git" or by checking the [[https://guix.gnu.org/manual/en/html_node/Building-from-Git.html][web_copy of the manual]]. * How It Works Guix does the high-level preparation of a /derivation/. A derivation is the promise of a build; it is stored as a text file under =/gnu/store/xxx.drv=. The (guix derivations) module provides the `derivation' primitive, as well as higher-level wrappers such as `build-expression->derivation'. Guix does remote procedure calls (RPCs) to the build daemon (the =guix-daemon= command), which in turn performs builds and accesses to the store on its behalf. The RPCs are implemented in the (guix store) module. * Contact GNU Guix is hosted at https://savannah.gnu.org/projects/guix/. Please email <help-guix@gnu.org> for questions and <bug-guix@gnu.org> for bug reports; email <gnu-system-discuss@gnu.org> for general issues regarding the GNU system. Join #guix on irc.libera.chat. * Guix & Nix GNU Guix is based on [[https://nixos.org/nix/][the Nix package manager]]. It implements the same package deployment paradigm, and in fact it reuses some of its code. Yet, different engineering decisions were made for Guix, as described below. Nix is really two things: a package build tool, implemented by a library and daemon, and a special-purpose programming language. GNU Guix relies on the former, but uses Scheme as a replacement for the latter. Using Scheme instead of a specific language allows us to get all the features and tooling that come with Guile (compiler, debugger, REPL, Unicode, libraries, etc.) And it means that we have a general-purpose language, on top of which we can have embedded domain-specific languages (EDSLs), such as the one used to define packages. This broadens what can be done in package recipes themselves, and what can be done around them. Technically, Guix makes remote procedure calls to the ‘nix-worker’ daemon to perform operations on the store. At the lowest level, Nix “derivations” represent promises of a build, stored in ‘.drv’ files in the store. Guix produces such derivations, which are then interpreted by the daemon to perform the build. Thus, Guix derivations can use derivations produced by Nix (and vice versa). With Nix and the [[https://nixos.org/nixpkgs][Nixpkgs]] distribution, package composition happens at the Nix language level, but builders are usually written in Bash. Conversely, Guix encourages the use of Scheme for both package composition and builders. Likewise, the core functionality of Nix is written in C++ and Perl; Guix relies on some of the original C++ code, but exposes all the API as Scheme. * Related software - [[https://nixos.org][Nix, Nixpkgs, and NixOS]], functional package manager and associated software distribution, are the inspiration of Guix - [[https://www.gnu.org/software/stow/][GNU Stow]] builds around the idea of one directory per prefix, and a symlink tree to create user environments - [[https://www.pvv.ntnu.no/~arnej/store/storedoc_6.html][STORE]] shares the same idea - [[https://live.gnome.org/OSTree/][GNOME's OSTree]] allows bootable system images to be built from a specified set of packages - The [[https://www.gnu.org/s/gsrc/][GNU Source Release Collection]] (GSRC) is a user-land software distribution; unlike Guix, it relies on core tools available on the host system * Copyright Notices GNU Guix is made available under the GNU GPL version 3 or later license, and authors retain their copyright. For copyright notices, we adhere to the guidance documented in (info "(maintain) Copyright Notices"), and explicitly allow ranges instead of individual years. Here's an example of the preferred style used for copyright notices in source file headers: #+begin_comment Copyright © 2019-2023, 2025 Your Name <your@email.com> #+end_comment Meaning there were copyright-able changes made for the years 2019, 2020, 2021, 2022, 2023 and 2025.