NixOS / nix

Nix, the purely functional package manager
https://nixos.org/
GNU Lesser General Public License v2.1

sandbox allows capturing kernel cmdline from /proc #4327

Open xaverdh opened 3 years ago

xaverdh commented 3 years ago

Describe the bug

The sandbox should probably hide some parts of /proc?

Steps To Reproduce

Build the following derivation:

with import <nixpkgs> {}; stdenv.mkDerivation {
  name = "proc-cmdline-capture";
  buildCommand = ''cat /proc/cmdline > $out '';
}

Expected behavior

Access to some parts of /proc should probably be denied by the sandbox.

nix-env --version output

nix-env (Nix) 2.4pre20201201_5a6ddb3

Additional context

Also see https://github.com/NixOS/nixpkgs/issues/60416, where this came up.

zimbatm commented 3 years ago

This could help make builds more reproducible as well. It would require mounting a fake procfs, or at least bind-mounting over some of the paths with fake values.

stale[bot] commented 3 years ago

I marked this as stale due to inactivity.

NickCao commented 1 year ago

Still relevant as in https://github.com/NixOS/nixpkgs/issues/205125

amarshall commented 11 months ago

Still relevant. Relatedly, /proc/modules is available, causing unexpected issues in https://github.com/nix-community/home-manager/pull/4644
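A check that a build script could run to see which of the /proc entries named in this thread (cmdline, modules) it can still observe, and whether a bind-mount with fake values as suggested above has taken effect. This is an added example, not code from Nix or from any participant here; the function name, argument order and status words are assumptions.

```shell
# proc_audit PROC_ROOT FAKE_DIR [ENTRY...]
#   PROC_ROOT  directory to inspect (normally /proc)
#   FAKE_DIR   directory holding the expected fake content per entry,
#              or "" when no fake values are expected
#   ENTRY      entries to check; defaults to the two named in this thread
# Prints "<entry> absent|masked|faked|exposed" per entry.
# Returns 1 if any entry is exposed, 0 otherwise.
proc_audit() {
    proc_root=$1
    fake_dir=$2
    shift 2
    [ "$#" -gt 0 ] || set -- cmdline modules
    exposed=0
    for entry in "$@"; do
        path=$proc_root/$entry
        if [ ! -e "$path" ]; then
            echo "$entry absent"
            continue
        fi
        # procfs files report a size of 0, so read the content instead of
        # testing the size. A failed read (permission denied) counts as masked.
        seen=$(cat "$path" 2>/dev/null) || seen=
        if [ -z "$seen" ]; then
            echo "$entry masked"
        elif [ -n "$fake_dir" ] && [ -r "$fake_dir/$entry" ] &&
             [ "$seen" = "$(cat "$fake_dir/$entry")" ]; then
            echo "$entry faked"
        else
            echo "$entry exposed"
            exposed=1
        fi
    done
    return "$exposed"
}
```

Called as `proc_audit /proc ""` from a derivation's buildCommand, a non-zero return means the builder can still read host state through those entries.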

Bot-wxt1221 commented 2 months ago

I ran into the same problem here: https://github.com/NixOS/nixpkgs/issues/335612