From: Ludovic Courtès
To: Chris Marusich
Subject: bug#41499: /proc/filesystems impurity in build environment
Date: Sat, 30 May 2020 16:12:08 +0200
Message-ID: <87k10ttsuf.fsf@gnu.org>
In-Reply-To: <878sh9ygph.fsf@gmail.com> (Chris Marusich's message of "Sat, 30 May 2020 01:23:06 -0700")
References: <87v9klravp.fsf@gmail.com> <87imge3i34.fsf@gnu.org> <878sh9ygph.fsf@gmail.com>
Cc: 41499@debbugs.gnu.org

Hi,

Chris Marusich wrote:

> Ludovic Courtès writes:
>
>> The daemon mounts /proc in the build environment (see
>> libstore/build.cc):
>>
>>     /* Bind a new instance of procfs on /proc to reflect our
>>        private PID namespace. */
>>     createDirs(chrootRootDir + "/proc");
>>     if (mount("none", (chrootRootDir + "/proc").c_str(), "proc", 0, 0) == -1)
>>         throw SysError("mounting /proc");
>>
>> /proc is needed for many things on GNU/Linux.  For example, libc’s
>> loader relies on /proc/self/exe to implement $ORIGIN, ‘getlogin_r’
>> relies on /proc/self/loginuid, ‘ttyname’ uses /proc/self/fd, ‘sysconf’
>> uses /proc/sys/kernel, etc.  So we have to have /proc in there.
>>
>> The problem is that /proc appears to be all-or-nothing.
>>
>> What we could do maybe is bind-mount our own statically-defined
>> ‘filesystems’ file on top of the procfs mount above.
>>
>> There would still be many leaks in /proc anyway, so perhaps a better
>> approach is to patch ‘sed’ to not refer to it.
>
> That makes sense.  I have submitted an upstream patch to fix sed:
>
> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=36150
>
> It could be fun to investigate how far we can go with respect to
> limiting access in the sandbox to a minimal, uniform set of kernel
> features.  However, unless issues like this become more common, it may
> not be that big of an issue.

There’s /proc, but there are also syscalls that leak info, such as
uname(2).  Fortunately these issues are quite rare in practice (it’s
mentioned in , which references an earlier NixOS paper that discusses
it.)

> Shall we close this bug report, then?

I think so.

Thanks,
Ludo’.
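
Added example (not part of the original message and not Guix code): a small C probe that folds the uname(2) fields and the text of /proc/filesystems into one fingerprint, so that two build environments can be compared for the leaks discussed above. The FNV-1a hash, the function names and the sample values are assumptions made for illustration; the samples are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>

/* Constructed samples of /proc/filesystems; STATIC_FS stands for a fixed file
   bind-mounted over the real one (hypothetical contents). */
static const char HOST_A_FS[] = "nodev\tsysfs\nnodev\tproc\n\text4\n\tbtrfs\n";
static const char HOST_B_FS[] = "nodev\tsysfs\nnodev\tproc\n\text4\n\txfs\n";
static const char STATIC_FS[] = "nodev\tproc\nnodev\ttmpfs\n\text4\n";

/* FNV-1a, 64-bit: non-cryptographic, used only to compare environments. */
static uint64_t fnv1a(uint64_t h, const char *s)
{
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 0x100000001b3ULL; }
    return h;
}

/* Fold the host-dependent values a build can observe into one number. */
uint64_t env_fingerprint(const struct utsname *u, const char *fs_text)
{
    const char *fields[] = { u->sysname, u->nodename, u->release,
                             u->version, u->machine, fs_text };
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < sizeof fields / sizeof *fields; i++) {
        h = fnv1a(h, fields[i]);
        h = fnv1a(h, "\x1f");        /* separator: ("ab","c") != ("a","bc") */
    }
    return h;
}

/* Fingerprint of a constructed host that differs only in the given values. */
uint64_t sample(const char *release, const char *fs_text)
{
    struct utsname u;
    memset(&u, 0, sizeof u);
    strcpy(u.sysname, "Linux");   strcpy(u.nodename, "localhost");
    strncpy(u.release, release, sizeof u.release - 1);
    strcpy(u.version, "#1 SMP");  strcpy(u.machine, "x86_64");
    return env_fingerprint(&u, fs_text);
}

int main(void)
{
    struct utsname u;
    char fs[8192] = "";
    FILE *f = fopen("/proc/filesystems", "r");
    if (f) { fs[fread(fs, 1, sizeof fs - 1, f)] = '\0'; fclose(f); }
    if (uname(&u) != 0) { perror("uname"); return 1; }
    printf("this environment: %016llx\n", (unsigned long long)env_fingerprint(&u, fs));
    printf("constructed hosts A/B differ: %d\n",
           sample("5.4.0", HOST_A_FS) != sample("5.4.0", HOST_B_FS));
    printf("static file, different kernel release, still differ: %d\n",
           sample("5.4.0", STATIC_FS) != sample("5.6.0", STATIC_FS));
    return 0;
}
```

Running the program inside the build environment on two machines and comparing the first line shows whether either source leaks host state; the last line reflects the point above that a static ‘filesystems’ file does not hide what uname(2) returns.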