[2.23.1] nix sandbox broken on darwin #11002
Labels
Comments
|
Found a fix:
Basically, these are the steps to manually change nix.conf & reload nix-daemon. We also need to undo changes to nix.conf, so that darwin-rebuild can update them. Leaving it open till sandbox option is fixed on darwin. |
utkarshgupta137
changed the title
|
Seeing this on 2.18.4 too; seems like it must be caused by the recent Linux security fix: 2.18.3...2.18.4. Ironically this regresses the sandboxing on Darwin. |
|
I believe relaxing the read permissions on the build parent directory, at least on macOS, would address this. Edit: Although actually I have no idea why the sandbox would affect things in that case. I’ll have to dig into this more another day. Edit edit: Oh, it’s because |
|
I will try to fix this tomorrow. |
Eliot00
added a commit
to Eliot00/NixOSConfig
that referenced
this issue
Jul 2, 2024
Thank you @utkarshgupta137! Worked flawlessly for me, disabled sandboxing right away! |
roberth
added
macos
github-actions bot
pushed a commit
that referenced
this issue
Jul 5, 2024
The recent fix for CVE-2024-38531 broke the sandbox on macOS
completely. As it’s not practical to use `chroot(2)` on
macOS, the build takes place in the main filesystem tree, and the
world‐unreadable wrapper directory prevents the build from accessing
its `$TMPDIR` at all.
The macOS sandbox probably shouldn’t be treated as any kind of a
security boundary in its current state, but this specific vulnerability
wasn’t possible to exploit on macOS anyway, as creating `set{u,g}id`
binaries is blocked by sandbox policy.
Locking down the build sandbox further may be a good idea in future,
but it already has significant compatibility issues. For now, restore
the previous status quo on macOS.
Thanks to @alois31 for helping me come to a better understanding of
the vulnerability.
Fixes: 1d3696f
Closes: #11002
(cherry picked from commit af2e114)
github-actions bot
pushed a commit
that referenced
this issue
Jul 5, 2024
The recent fix for CVE-2024-38531 broke the sandbox on macOS
completely. As it’s not practical to use `chroot(2)` on
macOS, the build takes place in the main filesystem tree, and the
world‐unreadable wrapper directory prevents the build from accessing
its `$TMPDIR` at all.
The macOS sandbox probably shouldn’t be treated as any kind of a
security boundary in its current state, but this specific vulnerability
wasn’t possible to exploit on macOS anyway, as creating `set{u,g}id`
binaries is blocked by sandbox policy.
Locking down the build sandbox further may be a good idea in future,
but it already has significant compatibility issues. For now, restore
the previous status quo on macOS.
Thanks to @alois31 for helping me come to a better understanding of
the vulnerability.
Fixes: 1d3696f
Closes: #11002
(cherry picked from commit af2e114)
roberth
pushed a commit
that referenced
this issue
Jul 5, 2024
The recent fix for CVE-2024-38531 broke the sandbox on macOS
completely. As it’s not practical to use `chroot(2)` on
macOS, the build takes place in the main filesystem tree, and the
world‐unreadable wrapper directory prevents the build from accessing
its `$TMPDIR` at all.
The macOS sandbox probably shouldn’t be treated as any kind of a
security boundary in its current state, but this specific vulnerability
wasn’t possible to exploit on macOS anyway, as creating `set{u,g}id`
binaries is blocked by sandbox policy.
Locking down the build sandbox further may be a good idea in future,
but it already has significant compatibility issues. For now, restore
the previous status quo on macOS.
Thanks to @alois31 for helping me come to a better understanding of
the vulnerability.
Fixes: 1d3696f
Closes: #11002
(cherry picked from commit af2e114)
github-actions bot
pushed a commit
that referenced
this issue
Jul 5, 2024
The recent fix for CVE-2024-38531 broke the sandbox on macOS
completely. As it’s not practical to use `chroot(2)` on
macOS, the build takes place in the main filesystem tree, and the
world‐unreadable wrapper directory prevents the build from accessing
its `$TMPDIR` at all.
The macOS sandbox probably shouldn’t be treated as any kind of a
security boundary in its current state, but this specific vulnerability
wasn’t possible to exploit on macOS anyway, as creating `set{u,g}id`
binaries is blocked by sandbox policy.
Locking down the build sandbox further may be a good idea in future,
but it already has significant compatibility issues. For now, restore
the previous status quo on macOS.
Thanks to @alois31 for helping me come to a better understanding of
the vulnerability.
Fixes: 1d3696f
Closes: #11002
(cherry picked from commit af2e114)
(cherry picked from commit 9feee13)
github-actions bot
pushed a commit
that referenced
this issue
Jul 5, 2024
The recent fix for CVE-2024-38531 broke the sandbox on macOS
completely. As it’s not practical to use `chroot(2)` on
macOS, the build takes place in the main filesystem tree, and the
world‐unreadable wrapper directory prevents the build from accessing
its `$TMPDIR` at all.
The macOS sandbox probably shouldn’t be treated as any kind of a
security boundary in its current state, but this specific vulnerability
wasn’t possible to exploit on macOS anyway, as creating `set{u,g}id`
binaries is blocked by sandbox policy.
Locking down the build sandbox further may be a good idea in future,
but it already has significant compatibility issues. For now, restore
the previous status quo on macOS.
Thanks to @alois31 for helping me come to a better understanding of
the vulnerability.
Fixes: 1d3696f
Closes: #11002
(cherry picked from commit af2e114)
(cherry picked from commit 9feee13)
github-actions bot
pushed a commit
that referenced
this issue
Jul 5, 2024
The recent fix for CVE-2024-38531 broke the sandbox on macOS
completely. As it’s not practical to use `chroot(2)` on
macOS, the build takes place in the main filesystem tree, and the
world‐unreadable wrapper directory prevents the build from accessing
its `$TMPDIR` at all.
The macOS sandbox probably shouldn’t be treated as any kind of a
security boundary in its current state, but this specific vulnerability
wasn’t possible to exploit on macOS anyway, as creating `set{u,g}id`
binaries is blocked by sandbox policy.
Locking down the build sandbox further may be a good idea in future,
but it already has significant compatibility issues. For now, restore
the previous status quo on macOS.
Thanks to @alois31 for helping me come to a better understanding of
the vulnerability.
Fixes: 1d3696f
Closes: #11002
(cherry picked from commit af2e114)
(cherry picked from commit 9feee13)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
Most nix commands which require building are not working on darwin anymore after upgrading to nix 2.23.1
Steps To Reproduce
Run any nix command such as darwin-rebuild, home-manager, nix flake run etc. which tries to trigger a build.
Error on darwin-rebuild switch:
Error on home-manager switch:
Expected behavior
No errors. I'm unable to use any nix commands which trigger a build
nix-env --versionoutputnix-env (Nix) 2.23.1
Additional context
The culprit seems to be: 20ac781.
My nix config: https://github.com/utkarshgupta137/nix-config/
P.S. I've enabled nix.settings.sandbox
Priorities
Add 👍 to issues you find important.
The text was updated successfully, but these errors were encountered: