Darwin sandbox: Disallow creating setuid/setgid binaries

Suggested by Daiderd Jordan.
author: Eelco Dolstra <edolstra@gmail.com> 2017-05-30 17:16:49 +0200
committer: Eelco Dolstra <edolstra@gmail.com> 2017-05-30 17:17:17 +0200
commit: 53a16441878ebd4a5ac6ef8a95a649bfd521da3d (patch)
tree: 81b2a901795a8c0b99545772ba0b9224612b535f /src/libstore
parent: 83eec5a997cd121158b7adb32a688dc5a63d6c9c (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index 86cab9f35..46ce562f7 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -2656,6 +2656,10 @@ void DerivationGoal::runChild()
                 sandboxProfile += "(deny default (with no-log))\n";
             }
 
+            /* Disallow creating setuid/setgid binaries, since that
+               would allow breaking build user isolation. */
+            sandboxProfile += "(deny file-write-setugid)\n";
+
             /* The tmpDir in scope points at the temporary build directory for our derivation. Some packages try different mechanisms
                to find temporary directories, so we want to open up a broader place for them to dump their files, if needed. */
             Path globalTmpDir = canonPath(getEnv("TMPDIR", "/tmp"), true);
author	Eelco Dolstra <edolstra@gmail.com>	2017-05-30 17:16:49 +0200
committer	Eelco Dolstra <edolstra@gmail.com>	2017-05-30 17:17:17 +0200
commit	53a16441878ebd4a5ac6ef8a95a649bfd521da3d (patch)
tree	81b2a901795a8c0b99545772ba0b9224612b535f /src/libstore
parent	83eec5a997cd121158b7adb32a688dc5a63d6c9c (diff)