author | Maximilian Bosch <maximilian@mbosch.me> | 2024-05-04 07:26:15 +0000 |
committer | Gerrit Code Review <gerrit@lix> | 2024-05-04 07:26:15 +0000 |
commit | 79d0ae667066b758fd4202cd18294a0f40ddc8f0 (patch) | |
tree | 675df833182fbf4909a8a99a5d18c12ebad317da /tests | |
parent | f8617f9dc65096ee1e83fe3d100cc252e9f94bf6 (diff) | |
parent | 045ee374387cb8fd9b1d83b14574c6d92694063d (diff) |
Merge "libstore/local-derivation-goal: prohibit creating setuid/setgid binaries" into main
Diffstat (limited to 'tests')
-rw-r--r-- | tests/nixos/default.nix | 2 | ||||
-rw-r--r-- | tests/nixos/setuid/fchmodat2-suid.c | 21 | ||||
-rw-r--r-- | tests/nixos/setuid/setuid.nix (renamed from tests/nixos/setuid.nix) | 28 |
3 files changed, 49 insertions, 2 deletions
diff --git a/tests/nixos/default.nix b/tests/nixos/default.nix
index fc3a757d3..3d0a1f0c6 100644
--- a/tests/nixos/default.nix
+++ b/tests/nixos/default.nix
@@ -155,7 +155,7 @@ in
 setuid = lib.genAttrs ["i686-linux" "x86_64-linux"]
- (system: runNixOSTestFor system ./setuid.nix);
+ (system: runNixOSTestFor system ./setuid/setuid.nix);
 ca-fd-leak = runNixOSTestFor "x86_64-linux" ./ca-fd-leak;
diff --git a/tests/nixos/setuid/fchmodat2-suid.c b/tests/nixos/setuid/fchmodat2-suid.c
new file mode 100644
index 000000000..931489ad7
--- /dev/null
+++ b/tests/nixos/setuid/fchmodat2-suid.c
@@ -0,0 +1,21 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <errno.h>
+#include <unistd.h>
+#include <assert.h>
+
+int main(void) {
+ char *name = getenv("out");
+ FILE *fd = fopen(name, "w");
+ fprintf(fd, "henlo :3");
+ fclose(fd);
+
+ // FIXME use something nicer here that's less
+ // platform-dependent as soon as we go to 24.05
+ // and the glibc is new enough to support fchmodat2
+ long rs = syscall(452, NULL, name, S_ISUID, 0);
+ assert(rs == -1);
+ assert(errno == EPERM);
+}
diff --git a/tests/nixos/setuid.nix b/tests/nixos/setuid/setuid.nix
index 2b66320dd..c4dc8dccb 100644
--- a/tests/nixos/setuid.nix
+++ b/tests/nixos/setuid/setuid.nix
@@ -5,6 +5,16 @@ let
 pkgs = config.nodes.machine.nixpkgs.pkgs;
+ fchmodat2-builder = pkgs.runCommandCC "fchmodat2-suid" {
+ passAsFile = [ "code" ];
+ code = builtins.readFile ./fchmodat2-suid.c;
+ # Doesn't work with -O0, shuts up the warning about that.
+ hardeningDisable = [ "fortify" ];
+ } ''
+ mkdir -p $out/bin/
+ $CC -x c "$codePath" -O0 -g -o $out/bin/fchmodat2-suid
+ '';
+
 in {
 name = "setuid";
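Review bot: In `main` of fchmodat2-suid.c both `getenv("out")` and the `fopen` result are used unchecked, so if `$out` is unset or the open fails the `fprintf` call is undefined behaviour (typically a crash) rather than a readable assertion failure, and that failure mode is hard to tell apart from the process being killed by the sandbox. `syscall(452, NULL, name, S_ISUID, 0)` also passes `NULL` where the integer `dirfd` belongs; it is harmless only because `$out` is an absolute path, and `AT_FDCWD` (from `<fcntl.h>`) says what is meant. The test additionally proves only that the call reported `EPERM`; asserting afterwards that the file's `st_mode` carries no `S_ISUID` bit pins the property the commit is about, so the test still fails if a later change lets the call succeed or report a different errno. The `// FIXME` comment about glibc support for `fchmodat2` is left as it is.
```c
int main(void) {
    char *name = getenv("out");
    assert(name != NULL);
    FILE *fd = fopen(name, "w");
    assert(fd != NULL);
    fprintf(fd, "henlo :3");
    fclose(fd);

    // … unchanged: FIXME comment about fchmodat2 …
    long rs = syscall(452, AT_FDCWD, name, S_ISUID, 0);
    assert(rs == -1);
    assert(errno == EPERM);

    // Check the outcome, not only the error code: the bit must be absent.
    struct stat st;
    assert(stat(name, &st) == 0);
    assert((st.st_mode & S_ISUID) == 0);
}
```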
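Review bot: The comment above `hardeningDisable = [ "fortify" ];` in the new `fchmodat2-builder` does not say what "doesn't work", so a reader has to guess why a hardening flag is being switched off in a test about privilege bits. The reason is visible two lines later: the program is compiled with `-O0 -g`, and `_FORTIFY_SOURCE` only takes effect with optimisation enabled, which is what the compiler warns about. Suggest `# _FORTIFY_SOURCE needs optimisation and this is built with -O0; disable it so the compiler does not warn.` in place of the current comment.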
@@ -14,13 +24,29 @@ in {
 virtualisation.writableStore = true;
 nix.settings.substituters = lib.mkForce [ ];
 nix.nixPath = [ "nixpkgs=${lib.cleanSource pkgs.path}" ];
- virtualisation.additionalPaths = [ pkgs.stdenvNoCC pkgs.pkgsi686Linux.stdenvNoCC ];
+ virtualisation.additionalPaths = [
+ pkgs.stdenvNoCC
+ pkgs.pkgsi686Linux.stdenvNoCC
+ fchmodat2-builder
+ ];
+ # need at least 6.6 to test for fchmodat2
+ boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_6;
+
 };
 testScript = { nodes }: ''
 # fmt: off
 start_all()
+ with subtest("fchmodat2 suid regression test"):
+ machine.succeed("""
+ nix-build -E '(with import <nixpkgs> {}; runCommand "fchmodat2-suid" {
+ BUILDER = builtins.storePath ${fchmodat2-builder};
+ } "
+ exec \\"$BUILDER\\"/bin/fchmodat2-suid
+ ")'
+ """)
+
 # Copying to /tmp should succeed.
 machine.succeed(r"""
 nix-build --no-sandbox -E '(with import <nixpkgs> {}; runCommand "foo" {} " |
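Review bot: The new `with subtest("fchmodat2 suid regression test")` block has no comment saying what a passing build demonstrates, and unlike the neighbouring `machine.succeed(r"""` block it runs `nix-build` without `--no-sandbox`, so a reader cannot tell whether the refusal is expected only under the default sandbox or in both modes; if the guard is meant to hold regardless of sandboxing, a second invocation with `--no-sandbox` would state that. Suggest a comment above the subtest: `# fchmodat2 (kernel >= 6.6) must be refused with EPERM like chmod/fchmodat; the builder asserts on that, so a successful build means the setuid bit could not be set.` The comment `# need at least 6.6 to test for fchmodat2` on the kernel pin would also be clearer if it said the pin is load-bearing: on an older kernel syscall 452 fails with ENOSYS, the builder's `assert(errno == EPERM)` fails, and the subtest fails for the wrong reason. The testScript string continues past the end of this hunk.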