| Age | Commit message (Expand) | Author |
|---|
| 2024-10-21 | daemon: Sanitize successful build outputs prior to exposing them....There is currently a window of time between when the build outputs are exposed
and when their metadata is canonicalized.
* nix/libstore/build.cc (DerivationGoal::registerOutputs): wait until after
metadata canonicalization to move successful build outputs to the store.
Change-Id: Ia995136f3f965eaf7b0e1d92af964b816f3fb276
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
| Reepca Russelstein |
| 2024-10-21 | daemon: Sanitize failed build outputs prior to exposing them....The only thing keeping a rogue builder and a local user from collaborating to
usurp control over the builder's user during the build is the fact that
whatever files the builder may produce are not accessible to any other users
yet. If we're going to make them accessible, we should probably do some
sanity checking to ensure that sort of collaborating can't happen.
Currently this isn't happening when failed build outputs are moved from the
chroot as an aid to debugging.
* nix/libstore/build.cc (secureFilePerms): new function.
(DerivationGoal::buildDone): use it.
Change-Id: I9dce1e3d8813b31cabd87a0e3219bf9830d8be96
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
| Reepca Russelstein |
| 2024-03-12 | daemon: Address shortcoming in previous security fix for CVE-2024-27297....This is a followup to 8f4ffb3fae133bb21d7991e97c2f19a7108b1143.
Commit 8f4ffb3fae133bb21d7991e97c2f19a7108b1143 fell short in two
ways: (1) it didn’t have any effet for fixed-output derivations
performed in a chroot, which is the case for all of them except those
using “builtin:download” and “builtin:git-download”, and (2) it did not
preserve ownership when copying, leading to “suspicious ownership or
permission […] rejecting this build output” errors.
* nix/libstore/build.cc (DerivationGoal::buildDone): Account for
‘chrootRootDir’ when copying ‘drv.outputs’.
* nix/libutil/util.cc (copyFileRecursively): Add ‘fchown’ and ‘fchownat’
calls to preserve file ownership; this is necessary for chrooted
fixed-output derivation builds.
* nix/libutil/util.hh: Update comment.
Change-Id: Ib59f040e98fed59d1af81d724b874b592cbef156
| Ludovic Courtès |
| 2024-03-11 | daemon: Protect against FD escape when building fixed-output derivations (CVE......This fixes a security issue (CVE-2024-27297) whereby a fixed-output
derivation build process could open a writable file descriptor to its
output, send it to some outside process for instance over an abstract
AF_UNIX socket, which would then allow said process to modify the file
in the store after it has been marked as “valid”.
Vulnerability discovered by puck <https://github.com/puckipedia>.
Nix security advisory:
https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37
Nix fix:
https://github.com/NixOS/nix/commit/244f3eee0bbc7f11e9b383a15ed7368e2c4becc9
* nix/libutil/util.cc (readDirectory): Add variants that take a DIR* and
a file descriptor. Rewrite the ‘Path’ variant accordingly.
(copyFile, copyFileRecursively): New functions.
* nix/libutil/util.hh (copyFileRecursively): New declaration.
* nix/libstore/build.cc (DerivationGoal::buildDone): When ‘fixedOutput’
is true, call ‘copyFileRecursively’ followed by ‘rename’ on each output.
Change-Id: I7952d41093eed26e123e38c14a4c1424be1ce1c4
Reported-by: Picnoir <picnoir@alternativebit.fr>, Théophane Hufschmitt <theophane.hufschmitt@tweag.io>
Change-Id: Idb5f2757f35af86b032a9851cecb19b70227bd88
| Ludovic Courtès |
| 2023-12-17 | daemon: Fix my own whitespace errors....This follows up on commit d993ed43b2bae8717437aa27d9d33fd223a6411f and
was entirely predictable. The noise, sorry for it.
Change-Id: I8ddb8cfe33db3864949f6589cc091616a90ebc5b
| Tobias Geerinckx-Rice |
| 2023-12-10 | daemon: Sacrifice builders on OOM....* nix/libstore/build.cc (DerivationGoal::runChild):
Maximise our OOM score adjustment.
Change-Id: I418c763b499ca16e1ffe3c6033319112b9744f51
| Tobias Geerinckx-Rice |
| 2023-12-04 | daemon: Simplify “empty status” substitute error message....* nix/libstore/build.cc (SubstitutionGoal::finished): Don’t show what
the empty status looks like.
Change-Id: Ie898432aeb047aff3d59024de6ed6d18f68903c4
| Ludovic Courtès |
| 2022-12-18 | daemon: Make "opening file" error messages distinguishable....* nix/libstore/build.cc (DerivationGoal::openLogFile): Customize
"opening file" error message.
* nix/libutil/hash.cc (hashFile): Likewise.
* nix/libutil/util.cc (readFile, writeFile): Likewise.
| Ludovic Courtès |
| 2022-06-05 | daemon: Quote consistently within a string....* nix/libstore/build.cc (DerivationGoal::registerOutput): ‘’ → `'.
| Tobias Geerinckx-Rice |
| 2022-05-29 | daemon: Clarify ‘--check’ error when outputs are missing....Drop the confusing ‘invalid’ jargon and display a hint like we do
for ‘--fallback’.
* nix/libstore/build.cc (DerivationGoal::outputsSubstituted): Rewrite error message.
| Tobias Geerinckx-Rice |
| 2022-05-18 | daemon: runChild() is forbidden to talk during environment set up...DerivationGoal::startBuilder() is waiting for an empty line as a check that
the environment set up is fine.
Fixes <https://issues.guix.gnu.org/55324>.
* nix/libstore/build.cc (DerivationGoal::runChild): Remove 'debug'
statement corresponding to bind mounts.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
| yarl-baudig@mailoo.org |
| 2021-11-25 | daemon: Read substitute nar size as 'unsigned long long'....Fixes <https://issues.guix.gnu.org/46212>.
Reported by Christopher Baines <mail@cbaines.net>.
Previously, the nar size returned by 'guix substitute' would be read as
an 'int'; thus, values above 2^31 - 1 would be read and then stored as
negative integers in the database.
Regression introduced in 9dfa20a22ae0be3d3b01a7b3d422af97428c627e.
* nix/libstore/build.cc (SubstitutionGoal::finished): Use templatized
'string2Int' instead of 'std::atoi' to get an 'unsigned long long',
which is the type of 'hash.second'.
* tests/store.scm ("substitute and large size"): New test.
| Ludovic Courtès |
