Skip to content

Read-only sandbox paths mounts (Linux) #13315

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

Read-only sandbox paths mounts (Linux) #13315

wants to merge 5 commits into from
+272 −51

Conversation

SimSaladin
Copy link
Contributor

@SimSaladin SimSaladin commented Jun 2, 2025
edited
Loading

Motivation

This extends the sandbox-paths syntax to allow the extra optional suffix :ro extended JSON syntax for marking that path so as to be mounted read-only in the sandbox. The suffix is excluded from the mounted source or target path. It will only cause the mount MS_RDONLY flag to be set. The new "readOnly" option enables MS_RDONLY and a few other mount-point flags for the affected bind-mount.

Context

...well, technically we make then another mount(2) call on the target path right after mounting the path for the first time, in order to do a second mount (or rather remount, MS_REMOUNT) with MS_RDONLY. For some reason single mount syscall can't both create a new bind-mount and assign the read-only flag to it (its mount-point really) ... or propagation properties for that matter.

The mount(8) cli from util-linux abstracts over this with a second syscall as necessary as well (more even sometimes, it seems).

There's a better, modern API since about linux 5.12 with open_tree(), mount_setattr() and move_mount(). Probably doesn't really make a difference until there's some need or want for those features though.

One of the commits (2eaca52) is not related to to the bulk of the changes in this. it's a small change to fix a certain edge-case (think user launching nix or running tests with a PATH that still works, for all intents and purposes, but looks like it fell through a slipstream portal sideways).

add 👍 to pull requests you find important.

the nix maintainer team uses a github project board to schedule and track reviews

@SimSaladin SimSaladin requested a review from Ericson2314 as a code owner June 2, 2025 22:52
@tomberek tomberek added the idea approved The given proposal has been discussed and approved by the Nix team. An implementation is welcome. label Jun 4, 2025
edolstra
edolstra reviewed Jun 11, 2025
View reviewed changes
@edolstra edolstra mentioned this pull request Jun 11, 2025
Open
@SimSaladin SimSaladin force-pushed the sim/readonly-sandbox-paths branch from 2eaca52 to 97c779b Compare June 13, 2025 16:34
@SimSaladin SimSaladin mentioned this pull request Jun 13, 2025
Open
@SimSaladin
make sandbox path bind mount read-only on request
8f56724 
Signed-off-by: Samuli Thomasson <samuli.thomasson@pm.me>
@SimSaladin
throw BadStorePath for empty string
6041531 
some of the functional tests that run config check wouldn't tolerate some
oddities in `PATH`, something like a null string entry (e.g. `::` in the
middle or a trailing `:`) I think. This allows the test pass.

Signed-off-by: Samuli Thomasson <samuli.thomasson@pm.me>
@SimSaladin
sandbox-paths: rewrite read-only paths to use json config format
c9651a0 
Signed-off-by: Samuli Thomasson <samuli.thomasson@pm.me>
@SimSaladin
improve linux chroot-related error message
b01dcf8 
Signed-off-by: Samuli Thomasson <samuli.thomasson@pm.me>
@SimSaladin
clean up
1b2c828 
Signed-off-by: Samuli Thomasson <samuli.thomasson@pm.me>
@SimSaladin SimSaladin force-pushed the sim/readonly-sandbox-paths branch from 97c779b to 1b2c828 Compare June 14, 2025 09:58
edolstra
edolstra reviewed Jul 3, 2025
View reviewed changes
src/libstore/include/nix/store/globals.hh

#ifdef __linux__
/* Options to set when readOnly=true */
constexpr static MountOpt readOnlyDefaults[] = { ro, nodev, noexec, nosuid, noatime };
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hm, seems odd to have "readOnly" imply noexec, noatime etc. I would expect a readonly mount to still be executable by default.

src/libstore/include/nix/store/globals.hh
strictatime = MS_STRICTATIME, /* overrides any atime/relatime */
private_ = MS_PRIVATE,
slave = MS_SLAVE,
unbindable = MS_UNBINDABLE
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure if all of these mount options make sense to expose. In particular, the mount propagation flags seem a bit scary. We don't want the builder to be able to have mounts propagate out of the sandbox...

We should probably set MS_NOSUID unconditionally since it's nice for security. Though unfortunately it doesn't prevent the creation of suid binaries.

@edolstra edolstra mentioned this pull request Jul 7, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@edolstra edolstra edolstra left review comments

@Ericson2314 Ericson2314 Awaiting requested review from Ericson2314 Ericson2314 is a code owner

Assignees
No one assigned
Labels
idea approved The given proposal has been discussed and approved by the Nix team. An implementation is welcome.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@SimSaladin @edolstra @tomberek