talexander/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Releases Activity

nixos/stage2-init: test nosuid and nodev mount options

Browse Source 
We can make some evil files in the store within stage1,
and verify that they don't work.
This commit is contained in:
Morgan Jones 2025-05-16 21:08:50 -07:00 committed by Grimmauld
parent 55f225049e
commit 1b18ff3669
No known key found for this signature in database
1 changed files with 56 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
nixos/tests/boot-stage2.nix
View File

@ -10,7 +10,24 @@ import ./make-test-python.nix (
lib, lib,
... ...
}: }:
let
# Prints the user's UID. Can't just do a shell script
# because setuid is ignored for interpreted programs.
uid = pkgs.writeCBin "uid" ''
#include <unistd.h>
#include <stdio.h>
int main(void) {
printf("%d\n", geteuid());
return 0;
}
'';
in
{ {
users.users.alice = {
isNormalUser = true;
uid = 1000;
};
virtualisation = { virtualisation = {
emptyDiskImages = [ 256 ]; emptyDiskImages = [ 256 ];
@ -32,6 +49,10 @@ import ./make-test-python.nix (
}; };
}; };
environment.systemPackages = [ pkgs.xxd ];
system.extraDependencies = [ uid ];
boot = { boot = {
initrd = { initrd = {
# Format the upper Nix store. # Format the upper Nix store.
@ -50,6 +71,19 @@ import ./make-test-python.nix (
mount -t overlay overlay \ mount -t overlay overlay \
-o lowerdir=/mnt-root/nix/store/ro,upperdir=/mnt-root/nix/store/rw,workdir=/mnt-root/nix/store/work \ -o lowerdir=/mnt-root/nix/store/ro,upperdir=/mnt-root/nix/store/rw,workdir=/mnt-root/nix/store/work \
/mnt-root/nix/store /mnt-root/nix/store
# Be very rude and try to put suid files and/or devices into the store.
evil=/mnt-root/nix/store/evil
mkdir -p $evil/bin $evil/dev
echo "making evil suid..." >&2
cp /mnt-root/${builtins.unsafeDiscardStringContext "${uid}"}/bin/uid $evil/bin/suid
chmod 4755 $evil/bin/suid
[ -u $evil/bin/suid ] || exit 1
echo "making evil devzero..." >&2
mknod -m 666 $evil/dev/zero c 1 5
[ -c $evil/dev/zero ] || exit 1
''; '';
kernelModules = [ "overlay" ]; kernelModules = [ "overlay" ];
@ -70,6 +104,28 @@ import ./make-test-python.nix (
for opt in ["ro", "nosuid", "nodev"]: for opt in ["ro", "nosuid", "nodev"]:
with subtest(f"testing store mount option: {opt}"): with subtest(f"testing store mount option: {opt}"):
machine.succeed(f'[[ "$(findmnt --direction backward --first-only --noheadings --output OPTIONS /nix/store)" =~ (^|,){opt}(,|$) ]]') machine.succeed(f'[[ "$(findmnt --direction backward --first-only --noheadings --output OPTIONS /nix/store)" =~ (^|,){opt}(,|$) ]]')
# should still be suid
machine.succeed('[ -u /nix/store/evil/bin/suid ]')
# runs as alice and is not root
machine.succeed('[ "$(sudo -u alice /nix/store/evil/bin/suid)" == 1000 ]')
# can be remounted and runs as root
machine.succeed('mount -o remount,suid,bind /nix/store && mount >&2')
machine.succeed('[ "$(sudo -u alice /nix/store/evil/bin/suid)" == 0 ]')
# double checking we can undo it
machine.succeed('mount -o remount,nosuid,bind /nix/store && mount >&2')
machine.succeed('[ "$(sudo -u alice /nix/store/evil/bin/suid)" == 1000 ]')
# should still be a character device
machine.succeed('[ -c /nix/store/evil/dev/zero ]')
# should not work
machine.fail('[ "$(dd if=/nix/store/evil/dev/zero bs=1 count=1 | xxd -pl1)" == 00 ]')
# can be remounted and works
machine.succeed('mount -o remount,dev,bind /nix/store && mount >&2')
machine.succeed('[ "$(dd if=/nix/store/evil/dev/zero bs=1 count=1 | xxd -pl1)" == 00 ]')
# double checking we can undo it
machine.succeed('mount -o remount,nodev,bind /nix/store && mount >&2')
machine.fail('[ "$(dd if=/nix/store/evil/dev/zero bs=1 count=1 | xxd -pl1)" == 00 ]')
''; '';
meta.maintainers = with pkgs.lib.maintainers; [ numinit ]; meta.maintainers = with pkgs.lib.maintainers; [ numinit ];