
Stricter Network Sandbox on macOS #6049

Open
grahamc opened this issue Feb 5, 2022 · 6 comments

Comments

@grahamc
Member

grahamc commented Feb 5, 2022

Is your feature request related to a problem? Please describe.

Today, one of hydra.nixos.org's Macs on Hetzner got an abuse report threatening to shut down the server. What happened is the Mac built an IPFS related package, started an IPFS server, and spammed the network with traffic. This was not a fixed output derivation.

As I understand it, enabling the full sandbox on macOS breaks building a lot of applications. Therefore, the macOS instances run with sandbox = false.

Describe the solution you'd like
I'd like there to be a minimal sandbox which disables non-localhost network access when building non-FODs.

Describe alternatives you've considered

  • Setting sandbox = true and seeing if we can figure it out (but this sounds bad and not likely.)
  • Adding a hodge-podge of route blackholes on the host.
  • Disabling tests on packages that cause problems. This is my least favorite.

Additional context

n/a

@mweinelt
Member

mweinelt commented Feb 5, 2022

Prefixes to block should be taken from a well maintained list like https://bgpfilterguide.nlnog.net/guides/bogon_prefixes/

@edolstra
Member

edolstra commented Feb 7, 2022

Hm, why does enabling the sandbox break a lot of applications?

@grahamc
Member Author

grahamc commented Feb 7, 2022

My understanding is a lot of macOS applications have to find executables on the libraries on the host to successfully build, and that they cannot be provided purely. I've asked @abathur to weigh in.

@abathur
Member

abathur commented Feb 7, 2022

I don't have the best sense of scale (how many break), but I can give a concrete example: I just ran into an instance of NixOS/nixpkgs#82815 (review) the other day in qtpass while running nixpkgs-review.

@cole-h
Member

cole-h commented Feb 8, 2022

I've done a little bit of playing around with the current sandbox profiles we use in a VM running Big Sur 11.6.3.

Even allowing local networking (by locally patching out the param check at

(if (param "_ALLOW_LOCAL_NETWORKING")

; I understand that this is guarded for a reason, but it doesn't appear to do what its name implies) appears to also allow global networking:

# test.nix
let
  pkgs = import <nixpkgs> { };
in
pkgs.runCommand "test"
{
  buildInputs = with pkgs; [
    curl
  ];
}
''
  curl google.com
  touch $out
''

nixos@nixoss-iMac-Pro nix % ./outputs/out/bin/nix-build test.nix
this derivation will be built:
  /nix/store/lgwli1ks5n22s6snxvrjafmppx32bj6m-test.drv
building '/nix/store/lgwli1ks5n22s6snxvrjafmppx32bj6m-test.drv'...
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>
/nix/store/sns084dvj9rh4yy3g0fspmi46ayizi5r-test

(This is with sandbox = true.)

One part of this ticket would probably be to investigate how to lock that down even further.

(For any interested parties, I was able to find "some" reverse-engineered documentation on the .sb file syntax at https://github.com/0xbf00/simbple/blob/master/src/scm/sbpl_v1.scm and https://reverse.put.as/wp-content/uploads/2011/09/Apple-Sandbox-Guide-v0.1.pdf.)

@stale stale bot added the stale label Aug 12, 2022
@stale stale bot removed the stale label Dec 5, 2022
@szlend
Member

szlend commented Feb 20, 2024

This can be fixed with:

diff --git a/src/libstore/build/sandbox-defaults.sb b/src/libstore/build/sandbox-defaults.sb
index 25ec11285..2ad5fb616 100644
--- a/src/libstore/build/sandbox-defaults.sb
+++ b/src/libstore/build/sandbox-defaults.sb
@@ -45,7 +45,7 @@ R""(
 ; allow it if the package explicitly asks for it.
 (if (param "_ALLOW_LOCAL_NETWORKING")
     (begin
-      (allow network* (local ip) (local tcp) (local udp))
+      (allow network* (remote ip "localhost:*"))
 
       ; Allow access to /etc/resolv.conf (which is a symlink to
       ; /private/var/run/resolv.conf).
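Review bot: the removed line's `(local ip) (local tcp) (local udp)` filters constrain only the local end of the socket, and without an address pattern they match any IP socket, so the old rule was in effect `(allow network*)`, which is consistent with the curl-to-google.com result earlier in the thread; the replacement `(remote ip "localhost:*")` filters on the peer address, which is the right axis. Before this becomes a PR, it is worth confirming that `"localhost:*"` matches both 127.0.0.1 and ::1 (the netcat matrix lists tcp/udp and local/remote but not address family), and that dropping the explicit `tcp`/`udp` filters leaves UDP covered by the `ip` filter, so the UDP case should stay in whatever test script is written. The comment above the hunk ("allow it if the package explicitly asks for it") now describes a loopback-only allowance and could say so.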

I tested these scenarios with netcat on macOS 14.3.1 (23D60):

  • tcp/udp
  • local/remote IPs
  • with and without _ALLOW_LOCAL_NETWORKING=1

They had a similar issue in Bazel: bazelbuild/bazel#10068

I'll draft an MR when I find some time. Ideally the sandbox would have some sort of standalone integration tests without having to go through nix (daemon).
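As an added illustration (not from this thread and not Nix's own sandbox-defaults.sb), the following standalone profile isolates the local-versus-remote filter distinction that the diff above relies on, so the same netcat scenarios can be checked with sandbox-exec directly, without going through the Nix daemon. The operation and filter names are assumed from the SBPL references linked earlier in the thread; 203.0.113.10 is a documentation-range placeholder standing in for any non-loopback host.

```scheme
; loopback-only.sb -- illustrative SBPL profile, not part of Nix.
;
; Check on macOS (start `nc -l 8080` outside the sandbox first):
;   sandbox-exec -f loopback-only.sb nc -z 127.0.0.1 8080      ; loopback: allowed
;   sandbox-exec -f loopback-only.sb nc -z 203.0.113.10 80     ; remote:   denied
;   sandbox-exec -f loopback-only.sb nc -zu 127.0.0.1 8080     ; udp loopback: allowed
; Use numeric addresses so that no DNS lookup (mDNSResponder) is needed.

(version 1)
(deny default)

; Just enough for the nc binary to start: fork/exec and read-only filesystem.
(allow process-fork)
(allow process-exec*)
(allow file-read*)
(allow sysctl-read)

; WEAK (the rule the diff removes): these filters describe the *local*
; endpoint of the socket. Every socket has a local IP address, so with no
; address pattern the filters match every socket and the rule behaves like
; (allow network*), which is why curl reached google.com in the earlier test.
; (allow network* (local ip) (local tcp) (local udp))

; FIXED (the rule the diff adds): filter on the *remote* endpoint instead.
; Only peers on the loopback interface match; any other destination falls
; through to (deny default) above.
(allow network* (remote ip "localhost:*"))
```

A denied connect surfaces as an error from nc, and the kernel records the denial in the unified log, which is the place to look if the binary under test needs additional operations (for example mach-lookup for DNS) beyond the minimal allowances above.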
