From: "Ludovic Courtès" <ludo@gnu.org>
To: Chris Marusich <cmmarusich@gmail.com>
Cc: 41499@debbugs.gnu.org
Subject: bug#41499: /proc/filesystems impurity in build environment
Date: Sat, 30 May 2020 16:12:08 +0200 [thread overview]
Message-ID: <87k10ttsuf.fsf@gnu.org> (raw)
In-Reply-To: <878sh9ygph.fsf@gmail.com> (Chris Marusich's message of "Sat, 30 May 2020 01:23:06 -0700")
Hi,
Chris Marusich <cmmarusich@gmail.com> skribis:
> Ludovic Courtès <ludo@gnu.org> writes:
>
>> The daemon mounts /proc in the build environment (see
>> libstore/build.cc):
>>
>> /* Bind a new instance of procfs on /proc to reflect our
>> private PID namespace. */
>> createDirs(chrootRootDir + "/proc");
>> if (mount("none", (chrootRootDir + "/proc").c_str(), "proc", 0, 0) == -1)
>> throw SysError("mounting /proc");
>>
>> /proc is needed for many things on GNU/Linux. For example, libc’s
>> loader relies on /proc/self/exe to implement $ORIGIN, ‘getlogin_r’
>> relies on /proc/self/loginuid, ‘ttyname’ uses /proc/self/fd, ‘sysconf’
>> uses /proc/sys/kernel, etc. So we have to have /proc in there.
>>
>> The problem is that /proc appears to be all-or-nothing.
>>
>> What we could do maybe is bind-mount our own statically-defined
>> ‘filesystems’ file on top of the procfs mount above.
>>
>> There would still be many leaks in /proc anyway, so perhaps a better
>> approach is to patch ‘sed’ to not refer to it.
>
> That makes sense. I have submitted an upstream patch to fix sed:
>
> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=36150
>
> It could be fun to investigate how far we can go with respect to
> limiting access in the sandbox to a minimal, uniform set of kernel
> features. However, unless issues like this become more common, it may
> not be that big of an issue.
There’s /proc, but there are also syscalls that leak info, such as
uname(2).
Fortunately these issues are quite rare in practice (it’s mentioned in
<https://guix.gnu.org/blog/2015/reproducible-builds-a-means-to-an-end/>,
which references an earlier NixOS paper that discusses it.)
> Shall we close this bug report, then?
I think so.
Thanks,
Ludo’.
next prev parent reply other threads:[~2020-05-30 14:13 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-24 8:32 bug#41499: /proc/filesystems impurity in build environment Chris Marusich
2020-05-29 14:56 ` Ludovic Courtès
2020-05-30 8:23 ` Chris Marusich
2020-05-30 14:12 ` Ludovic Courtès [this message]
2020-06-02 1:17 ` Chris Marusich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87k10ttsuf.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=41499@debbugs.gnu.org \
--cc=cmmarusich@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).