daemon: Drop Linux ambient capabilities before executing builder.

* config-daemon.ac: Check for <sys/prctl.h>. * nix/libstore/build.cc (DerivationGoal::runChild): When ‘useChroot’ is true, call ‘prctl’ to drop all ambient capabilities. Change-Id: If34637fc508e5fb6d278167f5df7802fc595284f
2025-10-02 02:15:12 +00:00 · 2025-01-23 22:43:54 +01:00 · 2025-01-23 22:43:54 +01:00 · 0163c732a1
commit 0163c732a1
parent a3d6f5ae70
2 changed files with 10 additions and 1 deletions
--- a/config-daemon.ac
+++ b/config-daemon.ac
@ -79,7 +79,7 @@ if test "x$guix_build_daemon" = "xyes"; then
  dnl Chroot support.
  AC_CHECK_FUNCS([chroot unshare])
  AC_CHECK_HEADERS([sched.h sys/param.h sys/mount.h sys/syscall.h \
-    linux/close_range.h])
+    linux/close_range.h sys/prctl.h])

  if test "x$ac_cv_func_chroot" != "xyes"; then
    AC_MSG_ERROR(['chroot' function missing, bailing out])
--- a/nix/libstore/build.cc
+++ b/nix/libstore/build.cc
@ -50,6 +50,9 @@
 #if HAVE_SCHED_H
 #include <sched.h>
 #endif
+#if HAVE_SYS_PRCTL_H
+#include <sys/prctl.h>
+#endif


 #define CHROOT_ENABLED HAVE_CHROOT && HAVE_SYS_MOUNT_H && defined(MS_BIND) && defined(MS_PRIVATE)
@ -2075,6 +2078,12 @@ void DerivationGoal::runChild()

 #if CHROOT_ENABLED
        if (useChroot) {
+# if HAVE_SYS_PRCTL_H
+	    /* Drop ambient capabilities such as CAP_CHOWN that might have
+	       been granted when starting guix-daemon.  */
+	    prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0);
+# endif
+
 	    if (!fixedOutput) {
 		/* Initialise the loopback interface. */
 		AutoCloseFD fd(socket(PF_INET, SOCK_DGRAM, IPPROTO_IP));