Don't allow writing to /etc

author: Yorick van Pelt <yorick@yorickvanpelt.nl> 2023-02-14 12:03:34 +0100
committer: Yorick van Pelt <yorick@yorickvanpelt.nl> 2023-02-14 12:03:34 +0100
commit: db41f74af39850d0aeb2741304c1eacf90ceea88 (patch)
tree: f83d4dc9c99e0af63a8986c1a4ed082a55a479bb /src
parent: df9a71f6ea66f9ab1e4955d5fef62eacd817f976 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index 7c4892c96..de023f336 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -670,7 +670,6 @@ void LocalDerivationGoal::startBuilder()
            nobody account.  The latter is kind of a hack to support
            Samba-in-QEMU. */
         createDirs(chrootRootDir + "/etc");
-        chownToBuilder(chrootRootDir + "/etc");
 
         if (parsedDrv->useUidRange() && (!buildUser || buildUser->getUIDCount() < 65536))
             throw Error("feature 'uid-range' requires the setting '%s' to be enabled", settings.autoAllocateUids.name);
@@ -970,6 +969,9 @@ void LocalDerivationGoal::startBuilder()
                 "nobody:x:65534:65534:Nobody:/:/noshell\n",
                 sandboxUid(), sandboxGid(), settings.sandboxBuildDir));
 
+        /* Make /etc unwritable */
+        chmod_(chrootRootDir + "/etc", 0555);
+
         /* Save the mount- and user namespace of the child. We have to do this
            *before* the child does a chroot. */
         sandboxMountNamespace = open(fmt("/proc/%d/ns/mnt", (pid_t) pid).c_str(), O_RDONLY);
author	Yorick van Pelt <yorick@yorickvanpelt.nl>	2023-02-14 12:03:34 +0100
committer	Yorick van Pelt <yorick@yorickvanpelt.nl>	2023-02-14 12:03:34 +0100
commit	db41f74af39850d0aeb2741304c1eacf90ceea88 (patch)
tree	f83d4dc9c99e0af63a8986c1a4ed082a55a479bb /src
parent	df9a71f6ea66f9ab1e4955d5fef62eacd817f976 (diff)