nixpkgs/pkgs/applications/virtualization/qemu/force-uid0-on-9p.patch

diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
index 3f271fc..dc273f4 100644
--- a/hw/9pfs/9p-local.c
+++ b/hw/9pfs/9p-local.c
@@ -45,6 +45,23 @@
 
 #define VIRTFS_META_DIR ".virtfs_metadata"
 
+static int is_in_store_path(const char *path)
+{
+    static char *store_path = NULL;
+    int store_path_len = -1;
+
+    if (store_path_len == -1) {
+        if ((store_path = getenv("NIX_STORE")) != NULL)
+            store_path_len = strlen(store_path);
+        else
+            store_path_len = 0;
+    }
+
+    if (store_path_len > 0)
+        return strncmp(path, store_path, strlen(store_path)) == 0;
+    return 0;
+}
+
 static char *local_mapped_attr_path(FsContext *ctx, const char *path)
 {
     int dirlen;
@@ -128,6 +145,8 @@ static int local_lstat(FsContext *fs_ctx, V9fsPath *fs_path, struct stat *stbuf)
     if (err) {
         goto err_out;
     }
+    stbuf->st_uid = 0;
+    stbuf->st_gid = 0;
     if (fs_ctx->export_flags & V9FS_SM_MAPPED) {
         /* Actual credentials are part of extended attrs */
         uid_t tmp_uid;
@@ -462,6 +481,11 @@ static ssize_t local_pwritev(FsContext *ctx, V9fsFidOpenState *fs,
     return ret;
 }
 
+static inline int maybe_chmod(const char *path, mode_t mode)
+{
+    return is_in_store_path(path) ? 0 : chmod(path, mode);
+}
+
 static int local_chmod(FsContext *fs_ctx, V9fsPath *fs_path, FsCred *credp)
 {
     char *buffer;
@@ -477,7 +501,7 @@ static int local_chmod(FsContext *fs_ctx, V9fsPath *fs_path, FsCred *credp)
     } else if ((fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) ||
                (fs_ctx->export_flags & V9FS_SM_NONE)) {
         buffer = rpath(fs_ctx, path);
-        ret = chmod(buffer, credp->fc_mode);
+        ret = maybe_chmod(buffer, credp->fc_mode);
         g_free(buffer);
     }
     return ret;
@@ -621,6 +645,8 @@ static int local_fstat(FsContext *fs_ctx, int fid_type,
     if (err) {
         return err;
     }
+    stbuf->st_uid = 0;
+    stbuf->st_gid = 0;
     if (fs_ctx->export_flags & V9FS_SM_MAPPED) {
         /* Actual credentials are part of extended attrs */
         uid_t tmp_uid;
@@ -916,7 +942,8 @@ static int local_chown(FsContext *fs_ctx, V9fsPath *fs_path, FsCred *credp)
         (fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) ||
         (fs_ctx->export_flags & V9FS_SM_NONE)) {
         buffer = rpath(fs_ctx, path);
-        ret = lchown(buffer, credp->fc_uid, credp->fc_gid);
+        ret = is_in_store_path(buffer)
+            ? 0 : lchown(buffer, credp->fc_uid, credp->fc_gid);
         g_free(buffer);
     } else if (fs_ctx->export_flags & V9FS_SM_MAPPED) {
         buffer = rpath(fs_ctx, path);
nixos/tests: Use a patched QEMU for testing The reason to patch QEMU is that with latest Nix, tests like "printing" or "misc" fail because they expect the store paths to be owned by uid 0 and gid 0. Starting with NixOS/nix@5e51ffb1c265e16486fcdd888ce4a04db9e5552b, Nix builds inside of a new user namespace. Unfortunately this also means that bind-mounted store paths that are part of the derivation's inputs are no longer owned by uid 0 and gid 0 but by uid 65534 and gid 65534. This in turn causes things like sudo or cups to fail with errors about insecure file permissions. So in order to avoid that, let's make sure the VM always gets files owned by uid 0 and gid 0 and does a no-op when doing a chmod on a store path. In addition, this adds a virtualisation.qemu.program option so that we can make sure that we only use the patched version if we're really running NixOS VM tests (that is, whenever we have imported test-instrumentation.nix). Tested against the "misc" and "printing" tests. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2016-11-17 16:06:17 +00:00			`diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c`
qemu_test: Make chown() calls to the store a no-op The "misc" NixOS test is using Nix to query the store and it tries to change the ownership of it while doing so. This fails if Nix is not in a seccomp-sandboxed userid namespace, so let's make chown() a no-op when applied to store paths. Fixes the misc test (and possibly future tests) on older Nix versions. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2016-12-16 11:42:54 +00:00			`index 3f271fc..dc273f4 100644`
nixos/tests: Use a patched QEMU for testing The reason to patch QEMU is that with latest Nix, tests like "printing" or "misc" fail because they expect the store paths to be owned by uid 0 and gid 0. Starting with NixOS/nix@5e51ffb1c265e16486fcdd888ce4a04db9e5552b, Nix builds inside of a new user namespace. Unfortunately this also means that bind-mounted store paths that are part of the derivation's inputs are no longer owned by uid 0 and gid 0 but by uid 65534 and gid 65534. This in turn causes things like sudo or cups to fail with errors about insecure file permissions. So in order to avoid that, let's make sure the VM always gets files owned by uid 0 and gid 0 and does a no-op when doing a chmod on a store path. In addition, this adds a virtualisation.qemu.program option so that we can make sure that we only use the patched version if we're really running NixOS VM tests (that is, whenever we have imported test-instrumentation.nix). Tested against the "misc" and "printing" tests. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2016-11-17 16:06:17 +00:00			`--- a/hw/9pfs/9p-local.c`
			`+++ b/hw/9pfs/9p-local.c`
qemu_test: Make chown() calls to the store a no-op The "misc" NixOS test is using Nix to query the store and it tries to change the ownership of it while doing so. This fails if Nix is not in a seccomp-sandboxed userid namespace, so let's make chown() a no-op when applied to store paths. Fixes the misc test (and possibly future tests) on older Nix versions. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2016-12-16 11:42:54 +00:00			`@@ -45,6 +45,23 @@`

			`#define VIRTFS_META_DIR ".virtfs_metadata"`

			`+static int is_in_store_path(const char *path)`
			`+{`
			`+ static char *store_path = NULL;`
			`+ int store_path_len = -1;`
			`+`
			`+ if (store_path_len == -1) {`
			`+ if ((store_path = getenv("NIX_STORE")) != NULL)`
			`+ store_path_len = strlen(store_path);`
			`+ else`
			`+ store_path_len = 0;`
			`+ }`
			`+`
			`+ if (store_path_len > 0)`
			`+ return strncmp(path, store_path, strlen(store_path)) == 0;`
			`+ return 0;`
			`+}`
			`+`
			`static char local_mapped_attr_path(FsContext ctx, const char *path)`
			`{`
			`int dirlen;`
			`@@ -128,6 +145,8 @@ static int local_lstat(FsContext fs_ctx, V9fsPath fs_path, struct stat *stbuf)`
nixos/tests: Use a patched QEMU for testing The reason to patch QEMU is that with latest Nix, tests like "printing" or "misc" fail because they expect the store paths to be owned by uid 0 and gid 0. Starting with NixOS/nix@5e51ffb1c265e16486fcdd888ce4a04db9e5552b, Nix builds inside of a new user namespace. Unfortunately this also means that bind-mounted store paths that are part of the derivation's inputs are no longer owned by uid 0 and gid 0 but by uid 65534 and gid 65534. This in turn causes things like sudo or cups to fail with errors about insecure file permissions. So in order to avoid that, let's make sure the VM always gets files owned by uid 0 and gid 0 and does a no-op when doing a chmod on a store path. In addition, this adds a virtualisation.qemu.program option so that we can make sure that we only use the patched version if we're really running NixOS VM tests (that is, whenever we have imported test-instrumentation.nix). Tested against the "misc" and "printing" tests. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2016-11-17 16:06:17 +00:00			`if (err) {`
			`goto err_out;`
			`}`
			`+ stbuf->st_uid = 0;`
			`+ stbuf->st_gid = 0;`
			`if (fs_ctx->export_flags & V9FS_SM_MAPPED) {`
			`/* Actual credentials are part of extended attrs */`
			`uid_t tmp_uid;`
qemu_test: Make chown() calls to the store a no-op The "misc" NixOS test is using Nix to query the store and it tries to change the ownership of it while doing so. This fails if Nix is not in a seccomp-sandboxed userid namespace, so let's make chown() a no-op when applied to store paths. Fixes the misc test (and possibly future tests) on older Nix versions. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2016-12-16 11:42:54 +00:00			`@@ -462,6 +481,11 @@ static ssize_t local_pwritev(FsContext ctx, V9fsFidOpenState fs,`
nixos/tests: Use a patched QEMU for testing The reason to patch QEMU is that with latest Nix, tests like "printing" or "misc" fail because they expect the store paths to be owned by uid 0 and gid 0. Starting with NixOS/nix@5e51ffb1c265e16486fcdd888ce4a04db9e5552b, Nix builds inside of a new user namespace. Unfortunately this also means that bind-mounted store paths that are part of the derivation's inputs are no longer owned by uid 0 and gid 0 but by uid 65534 and gid 65534. This in turn causes things like sudo or cups to fail with errors about insecure file permissions. So in order to avoid that, let's make sure the VM always gets files owned by uid 0 and gid 0 and does a no-op when doing a chmod on a store path. In addition, this adds a virtualisation.qemu.program option so that we can make sure that we only use the patched version if we're really running NixOS VM tests (that is, whenever we have imported test-instrumentation.nix). Tested against the "misc" and "printing" tests. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2016-11-17 16:06:17 +00:00			`return ret;`
			`}`

qemu_test: Make chown() calls to the store a no-op The "misc" NixOS test is using Nix to query the store and it tries to change the ownership of it while doing so. This fails if Nix is not in a seccomp-sandboxed userid namespace, so let's make chown() a no-op when applied to store paths. Fixes the misc test (and possibly future tests) on older Nix versions. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2016-12-16 11:42:54 +00:00			`+static inline int maybe_chmod(const char *path, mode_t mode)`
nixos/tests: Use a patched QEMU for testing The reason to patch QEMU is that with latest Nix, tests like "printing" or "misc" fail because they expect the store paths to be owned by uid 0 and gid 0. Starting with NixOS/nix@5e51ffb1c265e16486fcdd888ce4a04db9e5552b, Nix builds inside of a new user namespace. Unfortunately this also means that bind-mounted store paths that are part of the derivation's inputs are no longer owned by uid 0 and gid 0 but by uid 65534 and gid 65534. This in turn causes things like sudo or cups to fail with errors about insecure file permissions. So in order to avoid that, let's make sure the VM always gets files owned by uid 0 and gid 0 and does a no-op when doing a chmod on a store path. In addition, this adds a virtualisation.qemu.program option so that we can make sure that we only use the patched version if we're really running NixOS VM tests (that is, whenever we have imported test-instrumentation.nix). Tested against the "misc" and "printing" tests. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2016-11-17 16:06:17 +00:00			`+{`
qemu_test: Make chown() calls to the store a no-op The "misc" NixOS test is using Nix to query the store and it tries to change the ownership of it while doing so. This fails if Nix is not in a seccomp-sandboxed userid namespace, so let's make chown() a no-op when applied to store paths. Fixes the misc test (and possibly future tests) on older Nix versions. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2016-12-16 11:42:54 +00:00			`+ return is_in_store_path(path) ? 0 : chmod(path, mode);`
nixos/tests: Use a patched QEMU for testing The reason to patch QEMU is that with latest Nix, tests like "printing" or "misc" fail because they expect the store paths to be owned by uid 0 and gid 0. Starting with NixOS/nix@5e51ffb1c265e16486fcdd888ce4a04db9e5552b, Nix builds inside of a new user namespace. Unfortunately this also means that bind-mounted store paths that are part of the derivation's inputs are no longer owned by uid 0 and gid 0 but by uid 65534 and gid 65534. This in turn causes things like sudo or cups to fail with errors about insecure file permissions. So in order to avoid that, let's make sure the VM always gets files owned by uid 0 and gid 0 and does a no-op when doing a chmod on a store path. In addition, this adds a virtualisation.qemu.program option so that we can make sure that we only use the patched version if we're really running NixOS VM tests (that is, whenever we have imported test-instrumentation.nix). Tested against the "misc" and "printing" tests. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2016-11-17 16:06:17 +00:00			`+}`
			`+`
			`static int local_chmod(FsContext fs_ctx, V9fsPath fs_path, FsCred *credp)`
			`{`
			`char *buffer;`
qemu_test: Make chown() calls to the store a no-op The "misc" NixOS test is using Nix to query the store and it tries to change the ownership of it while doing so. This fails if Nix is not in a seccomp-sandboxed userid namespace, so let's make chown() a no-op when applied to store paths. Fixes the misc test (and possibly future tests) on older Nix versions. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2016-12-16 11:42:54 +00:00			`@@ -477,7 +501,7 @@ static int local_chmod(FsContext fs_ctx, V9fsPath fs_path, FsCred *credp)`
nixos/tests: Use a patched QEMU for testing The reason to patch QEMU is that with latest Nix, tests like "printing" or "misc" fail because they expect the store paths to be owned by uid 0 and gid 0. Starting with NixOS/nix@5e51ffb1c265e16486fcdd888ce4a04db9e5552b, Nix builds inside of a new user namespace. Unfortunately this also means that bind-mounted store paths that are part of the derivation's inputs are no longer owned by uid 0 and gid 0 but by uid 65534 and gid 65534. This in turn causes things like sudo or cups to fail with errors about insecure file permissions. So in order to avoid that, let's make sure the VM always gets files owned by uid 0 and gid 0 and does a no-op when doing a chmod on a store path. In addition, this adds a virtualisation.qemu.program option so that we can make sure that we only use the patched version if we're really running NixOS VM tests (that is, whenever we have imported test-instrumentation.nix). Tested against the "misc" and "printing" tests. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2016-11-17 16:06:17 +00:00			`} else if ((fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) \|\|`
			`(fs_ctx->export_flags & V9FS_SM_NONE)) {`
			`buffer = rpath(fs_ctx, path);`
			`- ret = chmod(buffer, credp->fc_mode);`
			`+ ret = maybe_chmod(buffer, credp->fc_mode);`
			`g_free(buffer);`
			`}`
			`return ret;`
qemu_test: Make chown() calls to the store a no-op The "misc" NixOS test is using Nix to query the store and it tries to change the ownership of it while doing so. This fails if Nix is not in a seccomp-sandboxed userid namespace, so let's make chown() a no-op when applied to store paths. Fixes the misc test (and possibly future tests) on older Nix versions. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2016-12-16 11:42:54 +00:00			`@@ -621,6 +645,8 @@ static int local_fstat(FsContext *fs_ctx, int fid_type,`
nixos/tests: Use a patched QEMU for testing The reason to patch QEMU is that with latest Nix, tests like "printing" or "misc" fail because they expect the store paths to be owned by uid 0 and gid 0. Starting with NixOS/nix@5e51ffb1c265e16486fcdd888ce4a04db9e5552b, Nix builds inside of a new user namespace. Unfortunately this also means that bind-mounted store paths that are part of the derivation's inputs are no longer owned by uid 0 and gid 0 but by uid 65534 and gid 65534. This in turn causes things like sudo or cups to fail with errors about insecure file permissions. So in order to avoid that, let's make sure the VM always gets files owned by uid 0 and gid 0 and does a no-op when doing a chmod on a store path. In addition, this adds a virtualisation.qemu.program option so that we can make sure that we only use the patched version if we're really running NixOS VM tests (that is, whenever we have imported test-instrumentation.nix). Tested against the "misc" and "printing" tests. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2016-11-17 16:06:17 +00:00			`if (err) {`
			`return err;`
			`}`
			`+ stbuf->st_uid = 0;`
			`+ stbuf->st_gid = 0;`
			`if (fs_ctx->export_flags & V9FS_SM_MAPPED) {`
			`/* Actual credentials are part of extended attrs */`
			`uid_t tmp_uid;`
qemu_test: Make chown() calls to the store a no-op The "misc" NixOS test is using Nix to query the store and it tries to change the ownership of it while doing so. This fails if Nix is not in a seccomp-sandboxed userid namespace, so let's make chown() a no-op when applied to store paths. Fixes the misc test (and possibly future tests) on older Nix versions. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2016-12-16 11:42:54 +00:00			`@@ -916,7 +942,8 @@ static int local_chown(FsContext fs_ctx, V9fsPath fs_path, FsCred *credp)`
			`(fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) \|\|`
			`(fs_ctx->export_flags & V9FS_SM_NONE)) {`
			`buffer = rpath(fs_ctx, path);`
			`- ret = lchown(buffer, credp->fc_uid, credp->fc_gid);`
			`+ ret = is_in_store_path(buffer)`
			`+ ? 0 : lchown(buffer, credp->fc_uid, credp->fc_gid);`
			`g_free(buffer);`
			`} else if (fs_ctx->export_flags & V9FS_SM_MAPPED) {`
			`buffer = rpath(fs_ctx, path);`