author | Alois Wohlschlager <alois1@gmx-topmail.de> | 2024-05-08 19:15:00 +0200 |
committer | alois31 <alois1@gmx-topmail.de> | 2024-05-24 21:19:29 +0000 |
commit | f047e4357b4f7ad66c2e476506bf35cab82e441e (patch) | |
tree | fcfc0bd4776ca73e19f5125aa9d7f778fc8b3fc7 /src/libstore | |
parent | 19ea351642d48a49a2b41248cbbc4569aa16c0a9 (diff) |
libstore/build: always enable seccomp filtering and no-new-privileges
Seccomp filtering and the no-new-privileges functionality improve the security
of the sandbox, and have been enabled by default for a long time. In
https://git.lix.systems/lix-project/lix/issues/265 it was decided that they
should be enabled unconditionally. Accordingly, remove the allow-new-privileges
(which had weird behavior anyway) and filter-syscalls settings, and force the
security features on. Syscall filtering can still be enabled at build time to
support building on architectures libseccomp doesn't support.
Change-Id: Iedbfa18d720ae557dee07a24f69b2520f30119cb
Diffstat (limited to 'src/libstore')
-rw-r--r-- | src/libstore/build/local-derivation-goal.cc | 18 | ||||
-rw-r--r-- | src/libstore/globals.hh | 23 | ||||
-rw-r--r-- | src/libstore/linux/fchmodat2-compat.hh | 28 | ||||
-rw-r--r-- | src/libstore/meson.build | 1 |
4 files changed, 21 insertions, 49 deletions
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index 5c36a3ac2..2a64d7b5c 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -34,7 +34,6 @@
 /* Includes required for chroot support. */
 #if __linux__
 #include <sys/ioctl.h>
-#include "linux/fchmodat2-compat.hh"
 #include <net/if.h>
 #include <netinet/ip.h>
 #include <sys/mman.h>
@@ -44,6 +43,7 @@
 #include <sys/prctl.h>
 #include <sys/syscall.h>
 #if HAVE_SECCOMP
+#include "linux/fchmodat2-compat.hh"
 #include <seccomp.h>
 #endif
 #define pivot_root(new_root, put_old) (syscall(SYS_pivot_root, new_root, put_old))
@@ -1612,7 +1612,6 @@ void LocalDerivationGoal::chownToBuilder(const Path & path)
 void setupSeccomp()
 {
 #if __linux__
- if (!settings.filterSyscalls) return;
 #if HAVE_SECCOMP
 scmp_filter_ctx ctx;
@@ -1678,15 +1677,18 @@ void setupSeccomp()
 seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOTSUP), SCMP_SYS(fsetxattr), 0) != 0)
 throw SysError("unable to add seccomp rule");
- if (seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, settings.allowNewPrivileges ? 0 : 1) != 0)
+ // Set the NO_NEW_PRIVS prctl flag.
+ // This both makes loading seccomp filters work for unprivileged users,
+ // and is an additional security measure in its own right.
+ if (seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 1) != 0)
 throw SysError("unable to set 'no new privileges' seccomp attribute");
 if (seccomp_load(ctx) != 0)
 throw SysError("unable to load seccomp BPF program");
 #else
- throw Error(
- "seccomp is not supported on this platform; "
- "you can bypass this error by setting the option 'filter-syscalls' to false, but note that untrusted builds can then create setuid binaries!");
+ // Still set the no-new-privileges flag if libseccomp is not available.
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
+ throw SysError("PR_SET_NO_NEW_PRIVS failed");
 #endif
 #endif
 }
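Review bot: In the `#else` branch of setupSeccomp(), a build without libseccomp now runs builders with NO_NEW_PRIVS alone and no syscall filter, and the `throw Error(...)` that previously announced this is gone, so nothing tells an operator that setuid/setgid file creation and xattr writes are no longer blocked inside the sandbox. Since the choice has moved from a runtime setting to a build-time one, the weaker guarantee should at least be stated at the branch, e.g. `// NOTE: without libseccomp the sandbox does not filter syscalls; only NO_NEW_PRIVS is enforced.`, and ideally surfaced once through the existing logging facilities so the degraded configuration is visible in daemon logs. The explicit `SCMP_FLTATR_CTL_NNP` = 1 in the HAVE_SECCOMP branch matches libseccomp's documented default, so it is redundant but useful as a statement of intent. setupSeccomp() begins outside this hunk; the preceding -1612 hunk removes the settings.filterSyscalls early return from the same function.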
@@ -1954,10 +1956,6 @@ void LocalDerivationGoal::runChild()
 throw SysError("setuid failed");
 setUser = false;
-
- // Make sure we can't possibly gain new privileges in the sandbox
- if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
- throw SysError("PR_SET_NO_NEW_PRIVS failed");
 }
 #endif
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index 8856d8fae..85789f6b5 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -912,29 +912,6 @@ public:
 )"};
 #if __linux__
- Setting<bool> filterSyscalls{
- this, true, "filter-syscalls",
- R"(
- Whether to prevent certain dangerous system calls, such as
- creation of setuid/setgid files or adding ACLs or extended
- attributes. Only disable this if you're aware of the
- security implications.
- )"};
-
- Setting<bool> allowNewPrivileges{
- this, false, "allow-new-privileges",
- R"(
- (Linux-specific.) By default, builders on Linux cannot acquire new
- privileges by calling setuid/setgid programs or programs that have
- file capabilities. For example, programs such as `sudo` or `ping`
- will fail. (Note that in sandbox builds, no such programs are
- available unless you bind-mount them into the sandbox via the
- `sandbox-paths` option.) You can allow the use of such programs by
- enabling this option. This is impure and usually undesirable, but
- may be useful in certain scenarios (e.g. to spin up containers or
- set up userspace network interfaces in tests).
- )"};
-
 Setting<StringSet> ignoredAcls{
 this, {"security.selinux", "system.nfs4_acl", "security.csm"}, "ignored-acls",
 R"(
diff --git a/src/libstore/linux/fchmodat2-compat.hh b/src/libstore/linux/fchmodat2-compat.hh
index b05da6786..6ad8a5578 100644
--- a/src/libstore/linux/fchmodat2-compat.hh
+++ b/src/libstore/linux/fchmodat2-compat.hh
@@ -20,18 +20,16 @@
 #pragma once
 ///@file
-#if HAVE_SECCOMP
-# if defined(__alpha__)
-# define NIX_SYSCALL_FCHMODAT2 562
-# elif defined(__x86_64__) && SIZE_MAX == 0xFFFFFFFF // x32
-# define NIX_SYSCALL_FCHMODAT2 1073742276
-# elif defined(__mips__) && defined(__mips64) && defined(_ABIN64) // mips64/n64
-# define NIX_SYSCALL_FCHMODAT2 5452
-# elif defined(__mips__) && defined(__mips64) && defined(_ABIN32) // mips64/n32
-# define NIX_SYSCALL_FCHMODAT2 6452
-# elif defined(__mips__) && defined(_ABIO32) // mips32
-# define NIX_SYSCALL_FCHMODAT2 4452
-# else
-# define NIX_SYSCALL_FCHMODAT2 452
-# endif
-#endif // HAVE_SECCOMP
+#if defined(__alpha__)
+# define NIX_SYSCALL_FCHMODAT2 562
+#elif defined(__x86_64__) && SIZE_MAX == 0xFFFFFFFF // x32
+# define NIX_SYSCALL_FCHMODAT2 1073742276
+#elif defined(__mips__) && defined(__mips64) && defined(_ABIN64) // mips64/n64
+# define NIX_SYSCALL_FCHMODAT2 5452
+#elif defined(__mips__) && defined(__mips64) && defined(_ABIN32) // mips64/n32
+# define NIX_SYSCALL_FCHMODAT2 6452
+#elif defined(__mips__) && defined(_ABIO32) // mips32
+# define NIX_SYSCALL_FCHMODAT2 4452
+#else
+# define NIX_SYSCALL_FCHMODAT2 452
+#endif
diff --git a/src/libstore/meson.build b/src/libstore/meson.build
index 4ccb03df7..98549f6d9 100644
--- a/src/libstore/meson.build
+++ b/src/libstore/meson.build
@@ -210,7 +210,6 @@ libstore = library(
 seccomp,
 sqlite,
 sodium,
- seccomp,
 curl,
 openssl,
 aws_sdk,
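Review bot: The x32 test `#elif defined(__x86_64__) && SIZE_MAX == 0xFFFFFFFF` depends on SIZE_MAX already being defined by whatever translation unit includes this header; an undefined identifier evaluates to 0 in `#if`, so on an x32 build without a prior `<cstdint>`/`<stdint.h>` include the generic `452` would be chosen silently and the fchmodat2 seccomp rule would likely be installed for a number that does not match that ABI's syscall. Now that the header is unguarded and meant to be included only under `HAVE_SECCOMP`, it would be safer to make it self-contained with `#include <cstdint>` directly after `///@file`. The include order in local-derivation-goal.cc is not visible here, so this may already hold in practice, but the header should not rely on it. The meson.build hunk sharing this anchor only drops a duplicated `seccomp` dependency entry.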