/proc/filesystems impurity in build environment

  • Done
  • quality assurance status badge
Details
2 participants
  • Chris Marusich
  • Ludovic Courtès
Owner
unassigned
Submitted by
Chris Marusich
Severity
normal
C
C
Chris Marusich wrote on 24 May 2020 10:32
(address . bug-guix@gnu.org)
87v9klravp.fsf@gmail.com
Hi,

The Linux kernel's /proc/filesystems is an impurity in the Guix build
environment. Its contents can cause the same derivation to behave
differently on different systems.

For example, the default kernel on Fedora systems uses SELinux, so
/proc/filesystems contains "selinuxfs". However, the default kernel on
Guix System does not use SELinux, so /proc/filesystems does not contain
"selinuxfs". This causes the sed derivation to fail when run on Fedora,
but not on Guix System:


Can we avoid this problem somehow? For example, is there a way to
normalize /proc/filesystems in the build environment?

We have the --impersonate-linux-2.6 option as a way to eliminate a
similar kind of impurity, but that option doesn't actually change the
contents of /proc/filesystems at all. I tried it.

--
Chris
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEy/WXVcvn5+/vGD+x3UCaFdgiRp0FAl7KMSoACgkQ3UCaFdgi
Rp01gQ//bh7jj3rXhuZfDl/S5R3tv5OervsuO1oNxwczsGEHRqPs7Ij9YhP4fJQR
a6cu1oWVAVH4L3Bn48EH00Nt/8V1QlCORUqmLolUxA+g4ASvD2yFSh1eUa+4TdQe
htna+gMXdabphWhIVGHVfPfWPCALBSwaHzdc3LLMaut2ZaaHlHP0b0FIDmuqFX2o
gHm5XbRRn/pK7uVNt7LMQHGd+rM5aHLOjTRJ2eRLfCImBioBlIStFCPSPq7bFmX0
whoquRJqKN7Kr7Vk2huPdiUfCdx06cmWuHJvWEdo+EpBU4i0vyQSj7k5SYDlCpaw
drZYV+ItJb852MxdkMz8HT+htJp6cBvEXmMVGQr4AqfoBdfAfkcAflUEhhT0z7/c
TDZ3W7U2DiaeNoxFAX+IXfsdl7MAaNH//+1B3bkecBfFm10A1yK3irmYxaLzs//o
1YZVZnPGQIPyR/gfHWh7Tzc9eJSC4mv4nnlfhz/8il4SEgNLGkTLTZtlg3kCjKy6
bGC1e87pwJC+shx+daKW+E3KSbmrC6Og9myxlzqTcaAXN1IfgqeogBjtEnMWca1B
fXCLX4QvFyPQa/w3fcdCJK4G43Tv8zcY3/YZznN1dZ+fbGKKPI3Y6aquJgEPcHog
2RcNlvMRygY+7pC3uvNDN8rFg2kIPVIg1owHKSCGV13/hJqtpQ0=
=5Er2
-----END PGP SIGNATURE-----

L
L
Ludovic Courtès wrote on 29 May 2020 16:56
(name . Chris Marusich)(address . cmmarusich@gmail.com)(address . 41499@debbugs.gnu.org)
87imge3i34.fsf@gnu.org
Hi Chris,

Chris Marusich <cmmarusich@gmail.com> skribis:

Toggle quote (19 lines)
> The Linux kernel's /proc/filesystems is an impurity in the Guix build
> environment. Its contents can cause the same derivation to behave
> differently on different systems.
>
> For example, the default kernel on Fedora systems uses SELinux, so
> /proc/filesystems contains "selinuxfs". However, the default kernel on
> Guix System does not use SELinux, so /proc/filesystems does not contain
> "selinuxfs". This causes the sed derivation to fail when run on Fedora,
> but not on Guix System:
>
> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=41498
>
> Can we avoid this problem somehow? For example, is there a way to
> normalize /proc/filesystems in the build environment?
>
> We have the --impersonate-linux-2.6 option as a way to eliminate a
> similar kind of impurity, but that option doesn't actually change the
> contents of /proc/filesystems at all. I tried it.

The daemon mounts /proc in the build environment (see
libstore/build.cc):

/* Bind a new instance of procfs on /proc to reflect our
private PID namespace. */
createDirs(chrootRootDir + "/proc");
if (mount("none", (chrootRootDir + "/proc").c_str(), "proc", 0, 0) == -1)
throw SysError("mounting /proc");

/proc is needed for many things on GNU/Linux. For example, libc’s
loader relies on /proc/self/exe to implement $ORIGIN, ‘getlogin_r’
relies on /proc/self/loginuid, ‘ttyname’ uses /proc/self/fd, ‘sysconf’
uses /proc/sys/kernel, etc. So we have to have /proc in there.

The problem is that /proc appears to be all-or-nothing.

What we could do maybe is bind-mount our own statically-defined
‘filesystems’ file on top of the procfs mount above.

There would still be many leaks in /proc anyway, so perhaps a better
approach is to patch ‘sed’ to not refer to it.

Thoughts?

Ludo’.
C
C
Chris Marusich wrote on 30 May 2020 10:23
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 41499@debbugs.gnu.org)
878sh9ygph.fsf@gmail.com
Hi Ludo,

Ludovic Courtès <ludo@gnu.org> writes:

Toggle quote (22 lines)
> The daemon mounts /proc in the build environment (see
> libstore/build.cc):
>
> /* Bind a new instance of procfs on /proc to reflect our
> private PID namespace. */
> createDirs(chrootRootDir + "/proc");
> if (mount("none", (chrootRootDir + "/proc").c_str(), "proc", 0, 0) == -1)
> throw SysError("mounting /proc");
>
> /proc is needed for many things on GNU/Linux. For example, libc’s
> loader relies on /proc/self/exe to implement $ORIGIN, ‘getlogin_r’
> relies on /proc/self/loginuid, ‘ttyname’ uses /proc/self/fd, ‘sysconf’
> uses /proc/sys/kernel, etc. So we have to have /proc in there.
>
> The problem is that /proc appears to be all-or-nothing.
>
> What we could do maybe is bind-mount our own statically-defined
> ‘filesystems’ file on top of the procfs mount above.
>
> There would still be many leaks in /proc anyway, so perhaps a better
> approach is to patch ‘sed’ to not refer to it.

That makes sense. I have submitted an upstream patch to fix sed:


It could be fun to investigate how far we can go with respect to
limiting access in the sandbox to a minimal, uniform set of kernel
features. However, unless issues like this become more common, it may
not be that big of an issue.

Shall we close this bug report, then?

--
Chris
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEy/WXVcvn5+/vGD+x3UCaFdgiRp0FAl7SF+oACgkQ3UCaFdgi
Rp162xAA1Mac+P41b1zAsz53GgViWR7C3EGjVc5fj76uJK5SIrKSm4IxqtFB5Kyd
5u+xyzAARLG8EGqgF0DgC9G3NCAbqUjAvm0C1a/QbrvRYi1jRsYaCFzoK5BbmA85
elgjq+x4JNPbj8jeQ1ZioyooI5I20Jqa0AGCw2JyPhqgzdotyMBRpVZg/nL/xnxP
cJ6BH6fME7mx1aslOBE2UET4R02Id7lKYKRRTTDspBvTlxUTeXtB4RNbiaH3a6VB
G/Dj+nRP6MVKl53Z5MoK6UIB/vY2BrBEjPpDMY1x8USDSEORO95GHagO95xzSdb1
wGO2eW85ptRJLrW0/F8XOhWvfjPcDkhlwfdmkvAFcbjub0nfquUTdezFs4/Tfcca
N2sX/vjEgS2qfRengRS2tYsiVc4RtVN8oa1wjKunaD4sEbYJT0kBbta8uSQR35Ot
aggvFEh1FlXARLi7cL69b6hqxVDZ969HKlsKke7N6f/vDav82t1jZZ2TLXQXBh1l
Gm+Fj+zbkM8SM6/KaxlWq5r4Rd57BKj1sd4OownpqaPPC6gtjwaMsdCejg/zj0qd
SqytN91+R9ijQyA10sMQOZjp7AXvmOYCqPHSBIGeswPTOIl7+B7GsP+vTJiGxd+i
nRz2Xgge5A/g2Do8OOgFg0lRBkjZ3kfu3+pmfZh9zAoi+XerQa8=
=JnX7
-----END PGP SIGNATURE-----

L
L
Ludovic Courtès wrote on 30 May 2020 16:12
(name . Chris Marusich)(address . cmmarusich@gmail.com)(address . 41499@debbugs.gnu.org)
87k10ttsuf.fsf@gnu.org
Hi,

Chris Marusich <cmmarusich@gmail.com> skribis:

Toggle quote (33 lines)
> Ludovic Courtès <ludo@gnu.org> writes:
>
>> The daemon mounts /proc in the build environment (see
>> libstore/build.cc):
>>
>> /* Bind a new instance of procfs on /proc to reflect our
>> private PID namespace. */
>> createDirs(chrootRootDir + "/proc");
>> if (mount("none", (chrootRootDir + "/proc").c_str(), "proc", 0, 0) == -1)
>> throw SysError("mounting /proc");
>>
>> /proc is needed for many things on GNU/Linux. For example, libc’s
>> loader relies on /proc/self/exe to implement $ORIGIN, ‘getlogin_r’
>> relies on /proc/self/loginuid, ‘ttyname’ uses /proc/self/fd, ‘sysconf’
>> uses /proc/sys/kernel, etc. So we have to have /proc in there.
>>
>> The problem is that /proc appears to be all-or-nothing.
>>
>> What we could do maybe is bind-mount our own statically-defined
>> ‘filesystems’ file on top of the procfs mount above.
>>
>> There would still be many leaks in /proc anyway, so perhaps a better
>> approach is to patch ‘sed’ to not refer to it.
>
> That makes sense. I have submitted an upstream patch to fix sed:
>
> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=36150
>
> It could be fun to investigate how far we can go with respect to
> limiting access in the sandbox to a minimal, uniform set of kernel
> features. However, unless issues like this become more common, it may
> not be that big of an issue.

There’s /proc, but there are also syscalls that leak info, such as
uname(2).

Fortunately these issues are quite rare in practice (it’s mentioned in
which references an earlier NixOS paper that discusses it.)

Toggle quote (2 lines)
> Shall we close this bug report, then?

I think so.

Thanks,
Ludo’.
C
C
Chris Marusich wrote on 2 Jun 2020 03:17
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 41499-close@debbugs.gnu.org)
877dwqw9iy.fsf@gmail.com
Hi Ludo,

Ludovic Courtès <ludo@gnu.org> writes:

Toggle quote (11 lines)
> There’s /proc, but there are also syscalls that leak info, such as
> uname(2).
>
> Fortunately these issues are quite rare in practice (it’s mentioned in
> <https://guix.gnu.org/blog/2015/reproducible-builds-a-means-to-an-end/>,
> which references an earlier NixOS paper that discusses it.)
>
>> Shall we close this bug report, then?
>
> I think so.

OK. Thank you for the interesting link! I'm closing this bug report.

--
Chris
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEy/WXVcvn5+/vGD+x3UCaFdgiRp0FAl7VqMUACgkQ3UCaFdgi
Rp1hUQ//Q9w83wLWXLXLt6LKl9zQtlisZTNs0v4sCpVcHo5teQdXkKc72ejBacDj
WetxO4wAKIb2JVCuC20WPoZRSWCXCO4PYDmYofHFv6MwQfKqojyvPknefxmvwDD0
77DRnBVl4q3Pf3xBwYpfpBRNxrjruUdl8UbS9Z+3j5gQJncfYabVY4zYb60Q5oJ+
QqX08422zf6xKbigmghg01SpZL5tNGcht0xEQbPk+2W93vJrIsGqT+rytsbNF61C
MAzMfmQ1lUH62c6F9sYUyd92qk5aUT1YkpJyvv3c4Sdis0UxpFrI9fQDk1GqhCQl
eZvRVPKs7LVFOEpmtLtpPERNZohqGnhwDYJer99GrKRqTCD6AdMYYssWxDEq78Pa
ZgXYzGu+/HHLo6DNm0bPB84cMpBDrDztjievVXN7xR5aL0M+95+79GzsZq+mrq5x
cmQR1FeAAwPp1rBQ/Pml4duZoR2ZgVuKoRBRShxCG/whdWKPe30vJRNo9TIL5AGH
GmKml8oq80fr16MjK++tZKNuGYVnDFJ2n4Wy8B2xzJnS0fXDCzAxJ22YIJlAkn1c
tzqXPXMYw7dkAhGZuPYytZJedoQeFxfcIghywz2DNkSdFL7gQeKCGHoLfu0XlZGa
k24pO+GVRUeDHUZlH1az8tsRiLzXotXGnAFGxQrMzkD3xB7C66Y=
=UkjR
-----END PGP SIGNATURE-----

?