Add a seccomp rule to disallow setxattr()

NixOS · May 30, 2017 · 2ac99a3 · 2ac99a3
1 parent d798349
commit 2ac99a3
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/src/libstore/build.cc b/src/libstore/build.cc
@@ -2315,8 +2315,8 @@ void setupSeccomp()
         seccomp_arch_add(ctx, SCMP_ARCH_X86) != 0)
         throw SysError("unable to add 32-bit seccomp architecture");
 
+    /* Prevent builders from creating setuid/setgid binaries. */
     for (int perm : { S_ISUID, S_ISGID }) {
-        // TODO: test chmod and fchmod.
         if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(chmod), 1,
                 SCMP_A1(SCMP_CMP_MASKED_EQ, perm, perm)) != 0)
             throw SysError("unable to add seccomp rule");
@@ -2330,6 +2330,14 @@ void setupSeccomp()
             throw SysError("unable to add seccomp rule");
     }
 
+    /* Prevent builders from creating EAs or ACLs. Not all filesystems
+       support these, and they're not allowed in the Nix store because
+       they're not representable in the NAR serialisation. */
+    if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOTSUP), SCMP_SYS(setxattr), 0) != 0 ||
+        seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOTSUP), SCMP_SYS(lsetxattr), 0) != 0 ||
+        seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOTSUP), SCMP_SYS(fsetxattr), 0) != 0)
+        throw SysError("unable to add seccomp rule");
+
     if (seccomp_load(ctx) != 0)
         throw SysError("unable to load seccomp BPF program");
 #endif