
sandbox allows capturing kernel cmdline from /proc

Open xaverdh opened this issue 5 years ago • 5 comments

Describe the bug

The sandbox should probably hide some parts of /proc ?

Steps To Reproduce

Build the following derivation:

with import <nixpkgs> {}; stdenv.mkDerivation {
  name = "proc-cmdline-capture";
  buildCommand = ''cat /proc/cmdline > $out '';
}

Expected behavior

Access to some parts of /proc should probably be denied by the sandbox.

nix-env --version output

nix-env (Nix) 2.4pre20201201_5a6ddb3

Additional context

Also see https://github.com/NixOS/nixpkgs/issues/60416, where this came up.

xaverdh, Dec 08 '20 10:12

This could help make builds more reproducible as well. It would require mounting a fake procfs or at least bind-mounting some of the paths over with fake values.

zimbatm, Dec 09 '20 11:12

I marked this as stale due to inactivity.

stale[bot], Jun 07 '21 13:06

Still relevant as in https://github.com/NixOS/nixpkgs/issues/205125

NickCao, Dec 18 '22 09:12

Still relevant. Relatedly, /proc/modules is available, causing unexpected issues in https://github.com/nix-community/home-manager/pull/4644

amarshall, Nov 20 '23 17:11

I meet the same problem here. https://github.com/NixOS/nixpkgs/issues/335612

Bot-wxt1221, Aug 19 '24 00:08
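
An audit derivation that generalises the reproduction in this issue, as an added example that is not part of the thread or of Nix itself: it records which host-revealing /proc entries the sandbox leaves readable, without copying their contents into the store. The derivation name and every path other than /proc/cmdline and /proc/modules are assumptions chosen for illustration.

```nix
# Added example (not from the issue thread): sandbox /proc exposure audit.
# Build with `nix-build proc-audit.nix` and read the report with `cat result`.
with import <nixpkgs> {};
stdenv.mkDerivation {
  # Hypothetical name, chosen for this example.
  name = "proc-exposure-audit";
  buildCommand = ''
    # /proc/cmdline and /proc/modules are the paths named in this thread;
    # the remaining entries are assumptions added for illustration.
    paths="/proc/cmdline /proc/modules /proc/version /proc/cpuinfo /proc/meminfo /proc/sys/kernel/hostname"

    : > $out
    for p in $paths; do
      # Test an actual read, not just the permission bits: a masked entry
      # can still appear in a directory listing while reads fail.
      # Only the status is written, never the file contents, so the
      # report itself does not carry host data into the store.
      if [ -r "$p" ] && head -c 1 "$p" >/dev/null 2>&1; then
        echo "readable $p" >> $out
      else
        echo "hidden   $p" >> $out
      fi
    done
  '';
}
```

Any `readable` line in the report marks a path through which host state can reach a build; rerunning the derivation after a sandbox change shows whether the bind-mount or fake-procfs approach discussed above took effect.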