GNU bug report logs -
#75810
[PATCH 0/6] Rootless guix-daemon
Reported by: Ludovic Courtès <ludo <at> gnu.org>
Date: Fri, 24 Jan 2025 17:24:02 UTC
Severity: normal
Tags: patch
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
Message #50 received at 75810 <at> debbugs.gnu.org:
Hello,
Here’s an update with some of the fixes suggested by Reepca:
• Remounting inputs as read-only since MS_BIND | MS_RDONLY doesn’t do what one might think;
• Bind-mounting everything and not just directories;
• Adding tests to ensure that inputs cannot be remounted as read-write, overwritten, etc.;
• Fix bogus synchronization for uid_map/gid_map creation;
• Use ‘close_range’ (unrelated to the rest of this series but nice).
One of the critical open issues that remain is the fact that the root file system in the build environment is writable, and thus a build process can (chmod "/" #o777) and expose setuid binaries etc.
The other one is lack of support for read-only store remount (‘--backing-store’ option has yet to be added).
Ludo’.
Ludovic Courtès (9):
daemon: Use ‘close_range’ where available.
daemon: Bind-mount all the inputs, not just directories.
daemon: Remount inputs as read-only.
daemon: Allow running as non-root with unprivileged user namespaces.
DRAFT tests: Run in a chroot and unprivileged user namespaces.
daemon: Create /var/guix/profiles/per-user unconditionally.
daemon: Drop Linux ambient capabilities before executing builder.
etc: systemd services: Run ‘guix-daemon’ as an unprivileged user.
guix-install.sh: Support the unprivileged daemon where possible.
build-aux/test-env.in | 14 ++-
config-daemon.ac | 5 +-
etc/guix-daemon.service.in | 12 ++-
etc/guix-install.sh | 114 +++++++++++++++++++-----
guix/substitutes.scm | 4 +-
nix/libstore/build.cc | 171 ++++++++++++++++++++++++++----------
nix/libstore/local-store.cc | 30 ++++---
nix/libutil/util.cc | 23 +++--
tests/store.scm | 144 ++++++++++++++++++++++--------
9 files changed, 388 insertions(+), 129 deletions(-)
base-commit: bc6769f1211104dbc9341c064275cd930f5dfa3a
--
2.48.1
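The first fix listed above, the read-only bind mount that needs a second MS_REMOUNT call, as an added example that is not part of this patch series or of guix-daemon: a C program showing that MS_BIND|MS_RDONLY in a single mount(2) call leaves the mount writable, while a follow-up MS_REMOUNT|MS_BIND|MS_RDONLY makes it read-only, run inside an unprivileged user namespace as the series does. It assumes Linux with unprivileged user namespaces enabled; the scratch directories under /tmp and the function names are constructed here, and it reports "skipped" rather than failing where user namespaces or mount(2) are unavailable.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mount.h>
#include <unistd.h>

enum { RO_BIND_OK = 0, RO_BIND_SKIPPED = 1, RO_BIND_FAILED = 2 };

/* 1 if a file can be created in DIR, 0 if the kernel answers EROFS, -1 otherwise. */
static int can_write(const char *dir) {
    char path[4096];
    snprintf(path, sizeof path, "%s/probe", dir);
    int fd = open(path, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return errno == EROFS ? 0 : -1;
    close(fd);
    unlink(path);
    return 1;
}

/* In a fresh unprivileged user+mount namespace, bind-mount one scratch
   directory (constructed under /tmp) onto another.  Step 1 passes
   MS_BIND|MS_RDONLY in one call: the mount stays writable, because MS_RDONLY
   is ignored on a plain bind.  Step 2 remounts with
   MS_REMOUNT|MS_BIND|MS_RDONLY, which is what flips it read-only.
   No uid/gid map is written: mount(2) only needs CAP_SYS_ADMIN in the new
   user namespace, and unshare grants that. */
int ro_bind_demo(void) {
    char src[] = "/tmp/ro-src-XXXXXX", dst[] = "/tmp/ro-dst-XXXXXX";
    if (!mkdtemp(src) || !mkdtemp(dst)) return RO_BIND_FAILED;
    /* Unprivileged user namespaces disabled (sysctl, seccomp): nothing to show. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) != 0) { rmdir(dst); rmdir(src); return RO_BIND_SKIPPED; }
    /* Keep the bind mount from propagating back to the parent namespace. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0 ||
        mount(src, dst, NULL, MS_BIND | MS_RDONLY, NULL) != 0)
        return errno == EPERM ? RO_BIND_SKIPPED : RO_BIND_FAILED;
    int writable_after_bind = can_write(dst);      /* 1: still writable */
    if (mount(NULL, dst, NULL, MS_REMOUNT | MS_BIND | MS_RDONLY, NULL) != 0)
        return RO_BIND_FAILED;
    int writable_after_remount = can_write(dst);   /* 0: EROFS */
    umount2(dst, MNT_DETACH);
    rmdir(dst);
    rmdir(src);
    return (writable_after_bind == 1 && writable_after_remount == 0)
               ? RO_BIND_OK : RO_BIND_FAILED;
}
```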