sandbox: Optionally disable pivot_root

This is required for running the sandbox in a privileged container.
NixOS · Mar 21, 2019 · da0cee2 · da0cee2
1 parent 5886bc5
commit da0cee2
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 8 deletions.
diff --git a/doc/manual/command-ref/conf-file.xml b/doc/manual/command-ref/conf-file.xml
@@ -700,6 +700,20 @@ password <replaceable>my-password</replaceable>
   </varlistentry>
 
 
+  <varlistentry xml:id="conf-sandbox-use-pivot_root">
+    <term><literal>sandbox-use-pivot_root</literal></term>
+
+    <listitem><para>Whether to use the <literal>pivot_root</literal>
+    system call, which is safer than plain <literal>chroot</literal> when
+    establishing the sandbox.</para>
+    <para>This option has the safe default <literal>true</literal>,
+    but needs to be set to <literal>false</literal> when running the
+    sandbox inside a container.</para>
+    </listitem>
+
+  </varlistentry>
+
+
   <varlistentry xml:id="conf-secret-key-files"><term><literal>secret-key-files</literal></term>
 
     <listitem><para>A whitespace-separated list of files containing

diff --git a/src/libstore/build.cc b/src/libstore/build.cc
@@ -2720,20 +2720,24 @@ void DerivationGoal::runChild()
             if (chdir(chrootRootDir.c_str()) == -1)
                 throw SysError(format("cannot change directory to '%1%'") % chrootRootDir);
 
-            if (mkdir("real-root", 0) == -1)
-                throw SysError("cannot create real-root directory");
+            if (settings.sandboxUsePivotRoot) {
+                if (mkdir("real-root", 0) == -1)
+                    throw SysError("cannot create real-root directory");
 
-            if (pivot_root(".", "real-root") == -1)
-                throw SysError(format("cannot pivot old root directory onto '%1%'") % (chrootRootDir + "/real-root"));
+                if (pivot_root(".", "real-root") == -1)
+                    throw SysError(format("cannot pivot old root directory onto '%1%'") % (chrootRootDir + "/real-root"));
+            }
 
             if (chroot(".") == -1)
                 throw SysError(format("cannot change root directory to '%1%'") % chrootRootDir);
 
-            if (umount2("real-root", MNT_DETACH) == -1)
-                throw SysError("cannot unmount real root filesystem");
+            if (settings.sandboxUsePivotRoot) {
+                if (umount2("real-root", MNT_DETACH) == -1)
+                    throw SysError("cannot unmount real root filesystem");
 
-            if (rmdir("real-root") == -1)
-                throw SysError("cannot remove real-root directory");
+                if (rmdir("real-root") == -1)
+                    throw SysError("cannot remove real-root directory");
+            }
 
             /* Switch to the sandbox uid/gid in the user namespace,
                which corresponds to the build user or calling user in

diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
@@ -205,6 +205,9 @@ public:
         "Whether to enable sandboxed builds. Can be \"true\", \"false\" or \"relaxed\".",
         {"build-use-chroot", "build-use-sandbox"}};
 
+    Setting<bool> sandboxUsePivotRoot{this, true, "sandbox-use-pivot_root",
+        "Whether to use pivot_root when sandboxing is enabled. This is safer than plain chroot, but not supported when running the sandbox in a container."};
+
     Setting<PathSet> sandboxPaths{this, {}, "sandbox-paths",
         "The paths to make available inside the build sandbox.",
         {"build-chroot-dirs", "build-sandbox-paths"}};