1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-18 03:30:45 +00:00
Commit graph

625555 commits

Author SHA1 Message Date
aszlig 2bb1556bf4
Merge pull request #289593 (confinement + DynamicUser)
This adds support for the systemd ProtectSystem and DynamicUser options
in conjunction with the systemd-confinement module, which has been a
limitation in the initial implementation and so far has thrown assertion
errors whenever those options were enabled.

Thanks to @ju1m, we now no longer need to resort to static users.

Review for this work took a little bit longer since I wanted to be
absolutely sure that we don't introduce any new regressions, which would
involve increasing the attack surface.

In the end however, we even managed to even lower the attack surface
even more since now the confined filesystem root is now read-only even
for the root user.
2024-05-13 00:42:48 +02:00
aszlig e4bd1e8f92
nixos/confinement: Use prio 100 for RootDirectory
One of the module that already supports the systemd-confinement module
is public-inbox. However with the changes to support DynamicUser and
ProtectSystem, the module will now fail at runtime if confinement is
enabled (it's optional and you'll need to override it via another
module).

The reason is that the RootDirectory is set to /var/empty in the
public-inbox module, which doesn't work well with the InaccessiblePaths
directive we now use to support DynamicUser/ProtectSystem.

To make this issue more visible, I decided to just change the priority
of the RootDirectory option definiton the default override priority so
that whenever another different option is defined, we'll get a conflict
at evaluation time.

Signed-off-by: aszlig <aszlig@nix.build>
2024-05-13 00:40:41 +02:00
aszlig 0a9cecc35a
nixos/systemd-confinement: Make / read-only
Our more thorough parametrised tests uncovered that with the changes for
supporting DynamicUser, we now have the situation that for static users
the root directory within the confined environment is now writable for
the user in question.

This is obviously not what we want and I'd consider that a regression.
However while discussing this with @ju1m and my suggestion being to
set TemporaryFileSystem to "/" (as we had previously), they had an even
better idea[1]:

> The goal is to deny write access to / to non-root users,
>
>   * TemporaryFileSystem=/ gives us that through the ownership of / by
>     root (instead of the service's user inherited from
>     RuntimeDirectory=).
>   * ProtectSystem=strict gives us that by mounting / read-only (while
>     keeping its ownership to the service's user).
>
> To avoid the incompatibilities of TemporaryFileSystem=/ mentioned
> above, I suggest to mount / read-only in all cases with
> ReadOnlyPaths = [ "+/" ]:
>
>   ...
>
> I guess this would require at least two changes to the current tests:
>
>   1. to no longer expect root to be able to write to some paths (like
>      /bin) (at least not without first remounting / in read-write
>      mode).
>   2. to no longer expect non-root users to fail to write to certain
>      paths with a "permission denied" error code, but with a
>      "read-only file system" error code.

I like the solution with ReadOnlyPaths even more because it further
reduces the attack surface if the user is root. In chroot-only mode this
is especially useful, since if there are no other bind-mounted paths
involved in the unit configuration, the whole file system within the
confined environment is read-only.

[1]: https://github.com/NixOS/nixpkgs/pull/289593#discussion_r1586794215

Signed-off-by: aszlig <aszlig@nix.build>
2024-05-13 00:40:40 +02:00
aszlig 27f36b5e57
nixos/tests/confinement: Parametrise subtests
This is to make sure that we test all of the DynamicUser/User/Group and
PrivateTmp options in a uniform way. The reason why we need to do this
is because we recently introduced support for the DynamicUser option and
since there are some corner cases where we might end up with more
elevated privileges (eg. writable directories in some cases), we want to
make sure that the environment is as restrictive as with a static
User/Group assignment.

I also removed various checks that try to os.chown(), since with our new
recursive checker those are redundant.

Signed-off-by: aszlig <aszlig@nix.build>
2024-05-13 00:40:38 +02:00
aszlig 51d3f3475c
nixos/tests/confinement: Run test probes in Python
So far the architecture for the tests was that we would use a systemd
socket unit using the Accept option to start a small shell process where
we can pipe commands into by connecting to the socket created by the
socket unit.

This is unnecessary since we can directly use the code snippets from the
individual subtests and systemd will take care of checking the return
code in case we get any assertions[^1].

Another advantage of this is that tests now run in parallel, so we can
do rather expensive things such as looking in /nix to see whether
anything is writable.

The new assert_permissions() function is the main driver behind this and
allows for a more fine-grained way to check whether we got the right
permissions whilst also ignoring irrelevant things such as read-only
empty directories.

Our previous approach also just did a read-only check, which might be
fine in full-apivfs mode where the attack surface already is large, but
in chroot-only mode we really want to make sure nothing is every
writable.

A downside of the new approach is that currently the unit names are
numbered via lib.imap1, which makes it annoying to track its definition.

[^1]: Speaking of assertions, I wrapped the code to be run with pytest's
      assertion rewriting, so that we get more useful AssertionErrors.

Signed-off-by: aszlig <aszlig@nix.build>
2024-05-13 00:40:36 +02:00
aszlig f7d026b431
nixos/tests/confinement: Move to dedicated dir
When experimenting on ways how to refactor the test, I wrote a
significant enough amount of Python to warrant a dedicated Python file.

This commit is mainly to prepare for that and make it easier to track
renames.

Signed-off-by: aszlig <aszlig@nix.build>
2024-05-13 00:40:34 +02:00
aszlig ba31b3753e
nixos/tests/confinement: Re-add description attr
The reason why I originally used the "description" attribute was that it
can be easily used to parametrise the tests so that we can specify
common constraints and apply it across a number of different
configurations.

When porting the tests to Python, the description attribute was replaced
by inlining it into the Python code, most probably because it was easier
to do in bulk since using Nix to generate the subtest parts would be
very complicated to do since we also had to please Black (a Python code
formatter that we no longer use in test scripts).

Since we now also want to support DynamicUser in systemd-confinement,
the need to parametrise the tests became apparent again because it's now
easier to refactor our subtests to run both with *and* without
DynamicUser set to true.

Signed-off-by: aszlig <aszlig@nix.build>
2024-05-13 00:40:32 +02:00
Julien Moutinho 0a5542c766
nixos/systemd-confinement: support ProtectSystem=/DynamicUser=
See https://discourse.nixos.org/t/hardening-systemd-services/17147/14
2024-05-13 00:40:25 +02:00
Franz Pletz 0d793f31de
Merge pull request #311123 from drawbu/fix-http-parser 2024-05-13 00:37:30 +02:00
Franz Pletz 70d4cc383a
Merge pull request #311154 from TomaSajt/pynac 2024-05-13 00:31:48 +02:00
Franz Pletz 4fce84a169
Merge pull request #295759 from iynaix/bump-webdataset 2024-05-13 00:30:07 +02:00
Franz Pletz 6e8d6c46bb
Merge pull request #310648 from WilliButz/rename/mm-tools 2024-05-13 00:29:03 +02:00
Martin Weinelt 7b32ae4b70
Merge pull request #307702 from mweinelt/openvino-2024.1.0
openvino: 2024.0.0 -> 2024.1.0
2024-05-13 00:24:31 +02:00
nicoo 928a3ffb9b
Merge #310779: fix ark-pixel-font build 2024-05-12 22:24:23 +00:00
Franz Pletz ece972dcfd
Merge pull request #310532 from kiike/pr/mpg321 2024-05-13 00:23:34 +02:00
Anderson Torres 776fc4d63e
live555: 2024.04.19 -> 2024.05.05 (#311081) 2024-05-12 22:18:41 +00:00
toastal 22e6798099
prosody: bump community modules to d3a72777f149 (#311078) 2024-05-12 22:17:12 +00:00
nixpkgs-merge-bot[bot] 0d7de02dab
Merge pull request #311034 from r-ryantm/auto-update/ryujinx
ryujinx: 1.1.1281 -> 1.1.1298
2024-05-12 22:12:28 +00:00
Weijia Wang f8cd185b51
Merge pull request #309941 from leona-ya/zhf-cornice
python3Packages.cornice: fix build and enable tests
2024-05-13 00:07:51 +02:00
Weijia Wang 4b9a67d8b8
Merge pull request #311147 from RaghavSood/openethereum/remove
openethereum: remove
2024-05-13 00:04:01 +02:00
Weijia Wang 836306cd7b
Merge pull request #311162 from jemand771/fix-python3-chai
python312Packages.chai: fix python 3.12 build
2024-05-13 00:02:40 +02:00
Aaron Jheng debbba4aeb
vsce: 2.26.0 -> 2.26.1 (#311071) 2024-05-12 22:00:02 +00:00
Tomo d8acb61cbe
python3Packages.hikari-lightbulb: init at 2.3.5 (#310981) 2024-05-12 21:58:23 +00:00
Jan van Esdonk 77b969d2f3
slumber: 1.1.0 -> 1.2.1 (#310994)
Co-authored-by: Jan van Esdonk <jan+dev@vanesdonk.de>
2024-05-12 21:57:02 +00:00
Gutyina Gergő 8509fd4fdb
lua-language-server: 3.8.3 -> 3.9.0 (#310908) 2024-05-12 21:55:19 +00:00
Emery Hemingway 375146c3a1
alephone: 1.7.1 -> 1.8 (#310862) 2024-05-12 21:50:50 +00:00
Cheng Shao 0aebbee388
HentaiAtHome: 1.6.2 -> 1.6.3 (#311044) 2024-05-12 21:49:23 +00:00
chewblacka 00363566e3
docfd: 5.1.0 -> 6.0.0 (#311043) 2024-05-12 21:48:17 +00:00
Priyanshu Tripathi 42768e4590
atlauncher: 3.4.36.3 -> 3.4.36.4 (#311019) 2024-05-12 21:41:35 +00:00
Karl Fischer b2646e2b04
vsh: 0.12.2 -> 0.13.0 (#311016) 2024-05-12 21:41:01 +00:00
nicoo 581aee47b0
Merge #311014: Fix woob
Closes #310635
2024-05-12 21:39:10 +00:00
Weijia Wang 68c9699130
Merge pull request #311108 from 3JlOy-PYCCKUi/anilibria-winmaclinux
anilibria-winmaclinux: 1.2.16.2 -> 1.2.17
2024-05-12 23:38:40 +02:00
éclairevoyant 98312fb367
Merge pull request #309592 from LamprosPitsillos/init-matugen
matugen: init at 2.2.0
2024-05-12 21:34:19 +00:00
éclairevoyant b8e3cf06ee
ark-pixel-font: 2024.04.05 -> 2024.05.12 2024-05-12 17:17:00 -04:00
Pol Dellaiera 7257e9980e
Merge pull request #311050 from r-ryantm/auto-update/extremetuxracer
extremetuxracer: 0.8.3 -> 0.8.4
2024-05-12 23:04:30 +02:00
Pol Dellaiera cdf2a8e3bc
Merge pull request #311053 from r-ryantm/auto-update/python311Packages.gdown
python311Packages.gdown: 5.1.0 -> 5.2.0
2024-05-12 23:04:12 +02:00
Pol Dellaiera 6c1e15a8a0
Merge pull request #311065 from r-ryantm/auto-update/novops
novops: 0.14.0 -> 0.15.0
2024-05-12 23:04:03 +02:00
Pol Dellaiera 34a91b1bfe
Merge pull request #311067 from r-ryantm/auto-update/pipe-viewer
pipe-viewer: 0.5.0 -> 0.5.1
2024-05-12 23:03:54 +02:00
Doron Behar a894e58cd0
Merge pull request #311092 from r-ryantm/auto-update/url-parser
url-parser: 2.0.3 -> 2.0.4
2024-05-12 23:56:19 +03:00
Jade Lovelace 553dab119b
Merge pull request #311158 from lf-/jade/remove-outdated-maintainership
nixos: remove historical maintainership of modules by eelco
2024-05-12 13:26:25 -07:00
Franz Pletz ef26d99b37
Merge pull request #310873 from ivan/radvd-debuglevel
nixos/radvd: add debugLevel option
2024-05-12 22:23:24 +02:00
Pol Dellaiera 378c5c67ed
Merge pull request #310348 from ehmry/nginx-validateConfigFile
nixos/nginx: add validateConfigFile option
2024-05-12 21:58:59 +02:00
José Romildo Malaquias 88a9731a52
Merge pull request #311077 from romildo/upd.lxqt-openssh-askpass
lxqt.lxqt-openssh-askpass: 2.0.0 -> 2.0.1
2024-05-12 16:58:26 -03:00
Yaya b91ac4c903 electron-source.electron_30: 30.0.2 -> 30.0.3
- Changelog: https://github.com/electron/electron/releases/tag/v30.0.3
- Diff: https://github.com/electron/electron/compare/refs/tags/v30.0.2...v30.0.3
2024-05-12 21:57:24 +02:00
Yaya ca3b579b8a electron-source.electron_29: 29.3.2 -> 29.3.3
- Changelog: https://github.com/electron/electron/releases/tag/v29.3.3
- Diff: https://github.com/electron/electron/compare/refs/tags/v29.3.2...v29.3.3
- Fixes CVE-2024-3914
- Fixes CVE-2024-4558
2024-05-12 21:57:24 +02:00
Yaya d189975761 electron_30-bin: 30.0.2 -> 30.0.3
- Changelog: https://github.com/electron/electron/releases/tag/v30.0.3
- Diff: https://github.com/electron/electron/compare/refs/tags/v30.0.2...v30.0.3
2024-05-12 21:57:24 +02:00
Yaya dd6f51c6f0 electron_29-bin: 29.3.2 -> 29.3.3
- Changelog: https://github.com/electron/electron/releases/tag/v29.3.3
- Diff: https://github.com/electron/electron/compare/refs/tags/v29.3.2...v29.3.3
- Fixes CVE-2024-3914
- Fixes CVE-2024-4558
2024-05-12 21:57:24 +02:00
Willy b11a9b32ca python312Packages.chai: fix python 3.12 build
assertXYZ methods with the "s" suffix were removed in python 3.12, patch until fixed upstream
2024-05-12 21:53:13 +02:00
Pol Dellaiera 9a005b76bc
Merge pull request #310966 from r-ryantm/auto-update/git-cliff
git-cliff: 2.2.1 -> 2.2.2
2024-05-12 21:52:35 +02:00
Weijia Wang 4433bbfd2a
Merge pull request #304773 from acid-bong/no-libs
treewide: remove file-wide `with lib;` uses in nixos/modules/programs
2024-05-12 21:52:15 +02:00