diff options
| author | Reepca Russelstein <reepca@russelstein.xyz> | 2025-07-25 00:13:39 -0500 |
|---|---|---|
| committer | Ludovic Courtès <ludo@gnu.org> | 2025-09-01 16:13:29 +0200 |
| commit | 9202921e812708b23788b2209cdb576d456f56db (patch) | |
| tree | 138953f3d1c5324bf675fd31dc6c8f80abab09a3 /doc/htmlxref.cnf | |
| parent | f607aaaaaafe19257ef09ca519d325df6ae97e05 (diff) | |
perform-download: Use (ice-9 sandbox) for mirrors.
"guix perform-download" is used to implement the daemon's "download" and
"git-download" builtin builders. Because these are builtins, it runs without
any additional isolation beyond merely running as a build user. In such a
context, allowing arbitrary user-supplied code to be evaluated will easily
lead to the build user being taken over, which can then be used to corrupt
future builds, enable exploitation of certain vulnerabilities, and in the case
of the rootless daemon completely take over guix-daemon.
Use (ice-9 sandbox) to ensure that only safe bindings are available during the
evaluation of the content-addressed-mirrors file.
* guix/perform-download.scm (%safe-bindings, %sandbox-module): new variables.
(syntax-noop): new syntax.
(eval-content-addressed-mirrors, assert-store-file,
call-with-input-file/no-symlinks): new procedures.
(perform-download): use assert-store-file to ensure files are in the store
before being read. Use call-with-input-file/no-symlinks for opening
untrusted files. Use eval-content-addressed-mirrors to evaluate the
content-addressed-mirrors file.
Change-Id: I8ed27a95d84dbcc7d72d0d75f172d113f8be6c79
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Diffstat (limited to 'doc/htmlxref.cnf')
0 files changed, 0 insertions, 0 deletions