fort-nix / nix-bitcoin

A collection of Nix packages and NixOS modules for easily installing full-featured Bitcoin nodes with an emphasis on security.
https://nixbitcoin.org
MIT License

Is it secure to have /nix/store bind-mount'ed to containers #639

Open milabs opened 1 year ago

milabs commented 1 year ago

Ok, nix-bitcoin is a great project which heavily uses containers. With the help of extra-container it's possible to deploy and run a non-declarative bitcoin node container using tor in a few minutes, which is amazing.

My question is the following. We know that containers are meant to be isolated from the host system, and this is meant to give us one more level of security. On the other side, exposing the whole /nix/store to the container definitely has an information leakage impact, as it contains a lot of host-specific data which in theory could give an attacker some hints about the environment.

erikarvstedt commented 1 year ago

Agreed, the global nix store can leak sensitive data of the host system like hostname or home dir user names, or even more private info when home-manager is used. NixOS VMs are affected in the same way.

A fix would be to instead bind mount a FUSE filesystem that forwards to the nix store, restricted to the store path closure of the container system. I'll look into this, with low-medium prio.
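One way to measure the exposure discussed in this thread, as an added example that is not part of nix-bitcoin or of either commenter's proposal: a POSIX shell audit that diffs the store paths a container can see against the closure of its own system, which is exactly the set a closure-restricted mount would expose. It assumes the container profile lives at /nix/var/nix/profiles/per-container/<name>/system and that nix-store is on PATH; the flagged name patterns are a heuristic, not an exhaustive list.

```shell
#!/bin/sh
# Added example, not part of nix-bitcoin or this issue: how much of the host's
# /nix/store can a container read beyond what its own system closure needs?
# Assumptions: container profile at /nix/var/nix/profiles/per-container/<name>/system
# (NixOS container layout, assumed here) and nix-store(1) on PATH. The pure helpers
# take files as input so they can also run against constructed path lists.

# Every entry directly under a store root, one per line, sorted for comm(1).
visible_store_paths() {   # $1 = store root, e.g. /nix/store
    find "$1" -mindepth 1 -maxdepth 1 -print | sort -u
}

# Runtime closure of a store path: everything the container system needs.
closure_of() {            # $1 = store path of the container's system
    nix-store -qR "$1" | sort -u
}

# Paths visible to the container but outside its closure: the leak surface.
excess_paths() {          # $1 = file of visible paths, $2 = file of closure paths
    comm -23 "$1" "$2"
}

# Heuristic: excess path names that tend to encode host-specific details.
# nixos-system-<hostname>-<version> carries the host name; home-manager
# generations point at per-user configuration. Extend the pattern as needed.
flag_host_identifiers() { # reads path names on stdin
    grep -E -- '-nixos-system-|-home-manager-|-etc$' || true
}

audit_container() {       # $1 = container name
    sys=$(readlink -f "/nix/var/nix/profiles/per-container/$1/system")
    all=$(mktemp); need=$(mktemp)
    visible_store_paths /nix/store > "$all"
    closure_of "$sys" > "$need"
    echo "visible: $(wc -l < "$all" | tr -d ' ')  needed: $(wc -l < "$need" | tr -d ' ')"
    echo "excess paths with host-identifying names:"
    excess_paths "$all" "$need" | flag_host_identifiers
    rm -f "$all" "$need"
}

if [ -n "${1:-}" ]; then
    audit_container "$1"
fi
```

Run as `sh audit.sh <container>` on the host; a large excess count relative to the closure is the size of the bind-mount leak, and the flagged lines are the paths whose names alone reveal host details.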

prusnak commented 1 year ago

A fix would be to instead bind mount a FUSE filesystem that forwards to the nix store, restricted to the store path closure of the container system.

I am wondering whether using AppArmor for this is more or less convenient.