mirror of https://https.git.savannah.gnu.org/git/guix.git/ synced 2025-07-13 18:40:57 +02:00
guix/tests
Reepca Russelstein fb42611b8f
daemon: Use slirp4netns to provide networking to fixed-output derivations.
Previously, the builder of a fixed-output derivation could communicate with an
external process via an abstract Unix-domain socket.  In particular, it could
send an open file descriptor to the store, granting write access to some of
its output files in the store provided the derivation build fails—the fix for
CVE-2024-27297 did not address this specific case.  It could also send an open
file descriptor to a setuid program, which could then be executed using
execveat to gain the privileges of the build user.

With this change, fixed-output derivations other than “builtin:download”
and “builtin:git-download” always run in a separate network namespace
and have network access provided by a TAP device backed by slirp4netns,
thereby closing the abstract Unix-domain socket channel.

* nix/libstore/globals.hh (Settings)[useHostLoopback, slirp4netns]: new
fields.
* config-daemon.ac (SLIRP4NETNS): new C preprocessor definition.
* nix/libstore/globals.cc (Settings::Settings): initialize them to defaults.
* nix/nix-daemon/guix-daemon.cc (options): add --isolate-host-loopback option.
* doc/guix.texi: document it.
* nix/libstore/build.cc (DerivationGoal)[slirp]: New field.
(setupTap, setupTapAction, waitForSlirpReadyAction, enableRouteLocalnetAction,
 prepareSlirpChrootAction, spawnSlirp4netns, haveGlobalIPv6Address,
 remapIdsTo0Action): New functions.
(initializeUserNamespace): allow the guest UID and GID to be specified.
(DerivationGoal::killChild): When ‘slirp’ is not -1, call ‘kill’.
(DerivationGoal::startBuilder): Unconditionally add CLONE_NEWNET to FLAGS.
When ‘fixedOutput’ is true, spawn ‘slirp4netns’.
When ‘fixedOutput’ and ‘useChroot’ are true, add setupTapAction,
waitForSlirpReadyAction, and enableRouteLocalnetAction to builder setup
phases.
Create a /etc/resolv.conf for fixed-output derivations that directs them to
slirp4netns's dns address.
When settings.useHostLoopback is true, supply fixed-output derivations with a
/etc/hosts that resolves "localhost" to slirp4netns's address for accessing
the host loopback.
* nix/libutil/util.cc (keepOnExec, decodeOctalEscaped, sendFD, receiveFD,
  findProgram): New functions.
* nix/libutil/util.hh (keepOnExec, decodeOctalEscaped, sendFD, receiveFD,
  findProgram): New declarations.
* gnu/packages/package-management.scm (guix): add slirp4netns input for linux
  targets.
* tests/derivations.scm (builder-network-isolated?): new variable.
  ("fixed-output derivation, network access, localhost", "fixed-output
  derivation, network access, external host"):
  skip test case if fixed output derivations are isolated from the network.

Change-Id: Ia3fea2ab7add56df66800071cf15cdafe7bfab96
Signed-off-by: John Kehayias <john.kehayias@protonmail.com>
2025-06-24 10:07:57 -04:00
keys
machine machine: hetzner: Allow attaching existing public IPs. 2025-04-21 23:55:50 +02:00
services services: configuration: Use transducers within serialize-configuration. 2023-10-07 12:41:05 -04:00
accounts.scm accounts: Add /etc/subid and /etc/subgid allocation logic. 2024-12-18 18:32:40 +01:00
base16.scm
base32.scm
base64.scm
boot-parameters.scm
bournish.scm
build-emacs-utils.scm
build-utils.scm build: utils: Raise error in modify-phases upon missing key. 2024-08-31 10:42:06 +02:00
builders.scm git-download: Use “builtin:git-download” when available. 2023-09-26 17:36:58 +02:00
cache.scm cache: Avoid cache cleanup storms from concurrent processes. 2024-08-21 00:52:39 +02:00
challenge.scm
channels.scm channels: Adjust tests for new #:verify-certificate? parameter. 2024-12-30 11:01:54 +01:00
combinators.scm
composer.scm guix: import: Add composer importer. 2023-12-18 23:16:28 +01:00
containers.scm linux-container: Lock mounts by default. 2025-05-05 14:34:00 +02:00
cpan.scm
cpio.scm utils: Don’t re-export ‘call-with-temporary-output-file’. 2024-04-15 22:36:42 +02:00
cran.scm
crate.scm tests: crate: Add build dependency. 2025-02-09 18:20:41 +01:00
cve-sample.json
cve.scm cve: Add cpe-vendor and lint-hidden-cpe-vendors properties. 2025-06-23 12:31:09 +08:00
debug-link.scm
derivations.scm daemon: Use slirp4netns to provide networking to fixed-output derivations. 2025-06-24 10:07:57 -04:00
discovery.scm
egg.scm utils: Don’t re-export ‘call-with-temporary-output-file’. 2024-04-15 22:36:42 +02:00
elm.scm tests: Adjust ‘elm’ importer test to expect inputs without labels. 2024-09-17 17:34:58 +02:00
elpa.scm
file-systems.scm
gem.scm refresh: Add support for partial target versions. 2025-02-28 13:36:44 +09:00
gexp.scm gexp: ‘local-file’ expands its argument only once. 2025-04-06 11:23:07 +02:00
git-authenticate.scm tests: Assume ‘git’ is always available. 2023-09-26 17:36:59 +02:00
git.scm git: Remove untracked files from cached checkouts. 2024-07-18 17:31:19 +02:00
glob.scm
gnu-maintenance.scm refresh: Add support for partial target versions. 2025-02-28 13:36:44 +09:00
go.scm tests: Fix the 'go-module->guix-package' test. 2024-11-17 20:32:50 +09:00
grafts.scm grafts: Fix corner case involving multiple-output derivations. 2023-10-28 00:17:23 +02:00
graph.scm tests: Adjust 'node-back-edges' test for 'bag' to system-dependent glibc. 2023-08-21 16:16:47 +02:00
gremlin.scm tests: Fix gremlin.scm for GCC 14 2024-11-12 23:40:39 +01:00
guix-archive.sh
guix-authenticate.sh
guix-build-branch.sh
guix-build.sh tests: Fix typo. 2025-05-09 23:07:11 +09:00
guix-daemon.sh
guix-describe.sh
guix-download.sh tests: Remove interference from the user’s Git config. 2024-05-13 16:31:35 +02:00
guix-environment-container.sh environment: Provide a writable /run/user/$UID. 2025-05-24 12:48:05 +02:00
guix-environment.sh
guix-gc.sh
guix-git-authenticate.sh git authenticate: Gracefully handle passing an annotated tag to ‘--end’. 2025-06-22 23:45:36 +02:00
guix-graph.sh tests: Adjust ‘guix graph --path’ test to latest Emacs changes. 2023-09-26 17:36:57 +02:00
guix-hash.sh
guix-home.sh home: services: Build "files" union allowing dangling symlinks. 2025-05-21 08:05:27 +09:00
guix-lint.sh
guix-locate.sh locate: Accept ‘--clear’ without additional arguments. 2023-11-15 18:29:37 +01:00
guix-pack-localstatedir.sh
guix-pack-relocatable.sh
guix-pack.sh tests: Adjust to cope with glibc graft. 2023-10-28 01:30:37 +02:00
guix-package-aliases.sh
guix-package-net.sh
guix-package.sh tests: guix-package: Fix guix package --search test. 2024-12-14 00:34:28 +01:00
guix-refresh.sh refresh: Allow specifying a partial version via the version specification. 2025-05-19 10:07:24 +09:00
guix-repl.sh
guix-shell-export-manifest.sh tests: guix-shell-export-manifest: Fix pyproject-build-system python test. 2024-12-14 01:28:49 +01:00
guix-shell.sh shell: ‘--development’ honors ‘--system’. 2023-12-06 23:50:04 +01:00
guix-style.sh scripts: style: Sort more kinds of package definitions. 2025-02-09 18:20:41 +01:00
guix-system.sh tests: Adjust ‘guix system’ test for EFI bootloader. 2024-06-13 22:34:00 +02:00
guix-time-machine.sh time-machine: Allow time travels to v0.16.0. 2024-03-11 22:12:34 +01:00
hackage.scm guix: import: Fix parsing Cabal files that import many stanzas 2023-12-03 16:15:29 +01:00
hexpm.scm import: utils: End package descriptions with period. 2024-06-03 22:58:53 +02:00
home-import.scm home: Define ‘%base-home-services’. 2025-01-16 22:32:11 +01:00
home-services.scm
http-client.scm
import-git.scm refresh: Add support for partial target versions. 2025-02-28 13:36:44 +09:00
import-github.scm
import-utils.scm import/utils: beautify-description: Validate argument. 2025-04-15 10:21:33 +02:00
inferior.scm
ipfs.scm
lint.scm lint: Adjust ‘check-inputs-should-not-be-an-input-at-all’ tests for Python. 2025-01-24 23:36:04 +01:00
minetest.scm import: utils: End package descriptions with period. 2024-06-03 22:58:53 +02:00
modules.scm build-systems: gnu: Export %default-gnu-imported-modules and %default-gnu-modules. 2024-08-31 10:42:16 +02:00
monads.scm gexp: ‘with-parameters’ properly handles ‘%graft?’. 2025-03-05 00:28:49 +01:00
nar.scm
networking.scm
npm-binary.scm import: npm-binary: Handle vector of licenses. 2025-04-13 14:19:43 +02:00
offload.scm
opam.scm utils: Don’t re-export ‘call-with-temporary-output-file’. 2024-04-15 22:36:42 +02:00
openpgp.scm
pack.scm tests: pack: Improve AppImage tests. 2025-01-24 23:52:49 +01:00
packages.scm tests: Add missing derivation inputs. 2025-03-26 17:57:44 +01:00
pki.scm
print.scm tests: Make ‘tests/print.scm’ deterministic. 2024-09-28 00:20:18 +02:00
processes.scm tests: Run in a chroot and unprivileged user namespaces. 2025-03-26 17:57:44 +01:00
profiles.scm profiles: Use C.UTF-8 instead of ‘glibc-utf8-locales’ where possible. 2024-08-31 10:42:49 +02:00
publish.scm publish: Prevent publication of non-substitutable derivation outputs. 2025-06-06 18:41:19 +02:00
pypi.scm import: pypi: Adjust test to new setuptools and wheel requirements. 2024-12-30 11:01:54 +01:00
read-print.scm read-print: Adjust test for keyword alignment. 2025-02-24 23:33:51 +01:00
records.scm
rpm.scm
scripts.scm
search-paths.scm
services.scm services: ‘shepherd-service-upgrade’ handles canonical name changes. 2025-03-05 00:28:49 +01:00
sets.scm
size.scm
status.scm
store-database.scm utils: Don’t re-export ‘call-with-temporary-output-file’. 2024-04-15 22:36:42 +02:00
store-deadlock.scm daemon: Explicitly unlock output path in the has-become-valid case. 2024-12-30 00:51:57 +01:00
store-deduplication.scm deduplication: Detect holes and create sparse files. 2024-05-25 16:44:42 +02:00
store-roots.scm tests: store-roots: Remove bogus test. 2023-08-18 16:10:08 +02:00
store.scm daemon: Use the guest GID in /etc/group. 2025-04-25 20:25:54 +02:00
style.scm style: Fix conversion of ‘unquote-splicing’ by ‘-S arguments’. 2024-06-03 22:58:52 +02:00
substitute.scm substitute: Do not exit when failing to find a nar. 2023-12-04 22:26:36 +01:00
swh.scm swh: ‘lookup-origin-revision’ handles branches pointing to directories. 2024-03-09 18:55:49 +01:00
syscalls.scm syscalls: Add ‘unshare’. 2025-04-20 18:50:51 +02:00
system.scm
test.drv
texlive.scm guix: texlive importer: Adjust version for meta packages. 2025-05-06 11:25:06 +02:00
toml.scm guix: toml: Fix evaluation of empty inline tables. 2025-01-20 21:37:36 +01:00
transformations.scm transformations: Git source transformations honour RECURSIVE?. 2025-05-05 12:15:47 +02:00
ui.scm
union.scm
upstream.scm upstream: Define ‘preferred-upstream-source’. 2025-01-08 23:03:04 +01:00
utils.scm utils: Don’t re-export ‘call-with-temporary-output-file’. 2024-04-15 22:36:42 +02:00
uuid.scm
workers.scm