nixpkgs/nixos/modules/security/wrappers/wrapper.nix

{ stdenv, unsecvars, linuxHeaders, sourceProg, debug ? false }:
# For testing:
# $ nix-build -E 'with import <nixpkgs> {}; pkgs.callPackage ./wrapper.nix { sourceProg = "${pkgs.hello}/bin/hello"; debug = true; }'
stdenv.mkDerivation {
  name = "security-wrapper-${baseNameOf sourceProg}";
  buildInputs = [ linuxHeaders ];
  dontUnpack = true;
  CFLAGS = [
    ''-DSOURCE_PROG="${sourceProg}"''
  ] ++ (if debug then [
    "-Werror" "-Og" "-g"
  ] else [
    "-Wall" "-O2"
  ]);
  dontStrip = debug;
  installPhase = ''
    mkdir -p $out/bin
    $CC $CFLAGS ${./wrapper.c} -I${unsecvars} -o $out/bin/security-wrapper
  '';
}
nixos/security/wrappers: use musl rather than glibc and explicitly unset insecure env vars This mitigates CVE-2023-4911, crucially without a mass-rebuild. We drop insecure environment variables explicitly, including glibc-specific ones, since musl doesn't do this by default. Change-Id: I591a817e6d4575243937d9ccab51c23a96bed6f9 2023-10-04 21:16:06 +02:00			`{ stdenv, unsecvars, linuxHeaders, sourceProg, debug ? false }:`
nixos/wrappers: fix applying capabilities With libcap 2.41 the output of cap_to_text changed, also the original author of code hoped that this would never happen. To counter this now the security-wrapper only relies on the syscall ABI, which is more stable and robust than string parsing. If new breakages occur this will be more obvious because version numbers will be incremented. Furthermore all errors no make execution explicitly fail instead of hiding errors behind debug environment variables and the code style was more consistent with no goto fail; goto fail; vulnerabilities (https://gotofail.com/) 2021-01-14 08:24:27 +01:00			`# For testing:`
nixos/wrapper: add basename of the wrapped program to the wrappers name to easily identify it Also fix the comment with test instructions 2023-09-13 19:16:42 +02:00			`# $ nix-build -E 'with import <nixpkgs> {}; pkgs.callPackage ./wrapper.nix { sourceProg = "${pkgs.hello}/bin/hello"; debug = true; }'`
nixos/wrappers: fix applying capabilities With libcap 2.41 the output of cap_to_text changed, also the original author of code hoped that this would never happen. To counter this now the security-wrapper only relies on the syscall ABI, which is more stable and robust than string parsing. If new breakages occur this will be more obvious because version numbers will be incremented. Furthermore all errors no make execution explicitly fail instead of hiding errors behind debug environment variables and the code style was more consistent with no goto fail; goto fail; vulnerabilities (https://gotofail.com/) 2021-01-14 08:24:27 +01:00			`stdenv.mkDerivation {`
nixos/wrapper: add basename of the wrapped program to the wrappers name to easily identify it Also fix the comment with test instructions 2023-09-13 19:16:42 +02:00			`name = "security-wrapper-${baseNameOf sourceProg}";`
nixos/wrappers: fix applying capabilities With libcap 2.41 the output of cap_to_text changed, also the original author of code hoped that this would never happen. To counter this now the security-wrapper only relies on the syscall ABI, which is more stable and robust than string parsing. If new breakages occur this will be more obvious because version numbers will be incremented. Furthermore all errors no make execution explicitly fail instead of hiding errors behind debug environment variables and the code style was more consistent with no goto fail; goto fail; vulnerabilities (https://gotofail.com/) 2021-01-14 08:24:27 +01:00			`buildInputs = [ linuxHeaders ];`
			`dontUnpack = true;`
			`CFLAGS = [`
nixos/security/wrappers: stop using `.real` files Before this change it was crucial that nonprivileged users are unable to create hardlinks to SUID wrappers, lest they be able to provide a different `.real` file alongside. That was ensured by not providing a location writable to them in the /run/wrappers tmpfs, (unless disabled) by the fs.protected_hardlinks=1 sysctl, and by the explicit own-path check in the wrapper. After this change, ensuring that property is no longer important, and the check is most likely redundant. The simplification of expectations of the wrapper will make it easier to remove some of the assertions in the wrapper (which currently cause the wrapper to fail in no_new_privs environments, instead of executing the target with non-elevated privileges). Note that wrappers had to be copied (not symlinked) into /run/wrappers due to the SUID/capability bits, and they couldn't be hard/softlinks of each other due to those bits potentially differing. Thus, this change doesn't increase the amount of memory used by /run/wrappers. This change removes part of the test that is obsoleted by the removal of `.real` files. 2022-11-05 00:09:32 +01:00			`''-DSOURCE_PROG="${sourceProg}"''`
nixos/wrappers: fix applying capabilities With libcap 2.41 the output of cap_to_text changed, also the original author of code hoped that this would never happen. To counter this now the security-wrapper only relies on the syscall ABI, which is more stable and robust than string parsing. If new breakages occur this will be more obvious because version numbers will be incremented. Furthermore all errors no make execution explicitly fail instead of hiding errors behind debug environment variables and the code style was more consistent with no goto fail; goto fail; vulnerabilities (https://gotofail.com/) 2021-01-14 08:24:27 +01:00			`] ++ (if debug then [`
			`"-Werror" "-Og" "-g"`
			`] else [`
			`"-Wall" "-O2"`
			`]);`
			`dontStrip = debug;`
			`installPhase = ''`
			`mkdir -p $out/bin`
nixos/security/wrappers: use musl rather than glibc and explicitly unset insecure env vars This mitigates CVE-2023-4911, crucially without a mass-rebuild. We drop insecure environment variables explicitly, including glibc-specific ones, since musl doesn't do this by default. Change-Id: I591a817e6d4575243937d9ccab51c23a96bed6f9 2023-10-04 21:16:06 +02:00			`$CC $CFLAGS ${./wrapper.c} -I${unsecvars} -o $out/bin/security-wrapper`
nixos/wrappers: fix applying capabilities With libcap 2.41 the output of cap_to_text changed, also the original author of code hoped that this would never happen. To counter this now the security-wrapper only relies on the syscall ABI, which is more stable and robust than string parsing. If new breakages occur this will be more obvious because version numbers will be incremented. Furthermore all errors no make execution explicitly fail instead of hiding errors behind debug environment variables and the code style was more consistent with no goto fail; goto fail; vulnerabilities (https://gotofail.com/) 2021-01-14 08:24:27 +01:00			`'';`
			`}`