Merge pull request #306716 from ShamrockLee/apptainer-default-path-substitution

apptainer, singularity: refactor defaultPath substitution
2024-09-29 07:32:58 +00:00 · 2024-06-02 22:33:55 +00:00 · 2024-06-02 22:33:55 +00:00 · 9f48aac218
commit 9f48aac218
parent 7c3faeee22 d09aedb1a0
3 changed files with 53 additions and 5 deletions
--- a/pkgs/applications/virtualization/singularity/generic.nix
+++ b/pkgs/applications/virtualization/singularity/generic.nix
@ -44,6 +44,7 @@ in
  gpgme,
  libseccomp,
  libuuid,
+  mount,
  # This is for nvidia-container-cli
  nvidia-docker,
  openssl,
@ -79,6 +80,20 @@ in
  externalLocalStateDir ? null,
  # Remove the symlinks to `singularity*` when projectName != "singularity"
  removeCompat ? false,
+  # The defaultPath values to substitute in each source files.
+  #
+  # `defaultPath` are PATH variables hard-coded inside Apptainer/Singularity
+  # binaries to search for third-party utilities, as a hardening for
+  # `$out/bin/starter-suid`.
+  #
+  # The upstream provided values are suitable for FHS-conformant environment.
+  # We substitute them and insert Nixpkgs-specific values.
+  #
+  # Example:
+  # {
+  #   "path/to/source/file1" = [ "<originalDefaultPath11>" "<originalDefaultPath12>" ... ];
+  # }
+  sourceFilesWithDefaultPaths ? { },
  # Workaround #86349
  # should be removed when the issue is resolved
  vendorHash ? _defaultGoVendorArgs.vendorHash,
@ -87,7 +102,6 @@ in
 }:

 let
-  defaultPathOriginal = "/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin";
  privileged-un-utils =
    if ((newuidmapPath == null) && (newgidmapPath == null)) then
      null
@ -97,6 +111,12 @@ let
        ln -s ${lib.escapeShellArg newuidmapPath} "$out/bin/newuidmap"
        ln -s ${lib.escapeShellArg newgidmapPath} "$out/bin/newgidmap"
      '');
+
+  concatMapStringAttrsSep =
+    sep: f: attrs:
+    lib.concatMapStringsSep sep (name: f name attrs.${name}) (lib.attrNames attrs);
+
+  addShellDoubleQuotes = s: lib.escapeShellArg ''"'' + s + lib.escapeShellArg ''"'';
 in
 (buildGoModule {
  inherit pname version src;
@ -185,6 +205,7 @@ in
    fakeroot
    fuse2fs # Mount ext3 filesystems
    go
+    mount # mount
    privileged-un-utils
    squashfsTools # mksquashfs unsquashfs # Make / unpack squashfs image
    squashfuse # squashfuse_ll squashfuse # Mount (without unpacking) a squashfs image without privileges
@ -199,8 +220,19 @@ in
    patchShebangs --build "$configureScript" makeit e2e scripts mlocal/scripts

    # Patching the hard-coded defaultPath by prefixing the packages in defaultPathInputs
-    substituteInPlace cmd/internal/cli/actions.go \
-      --replace "defaultPath = \"${defaultPathOriginal}\"" "defaultPath = \"''${defaultPathInputs// /\/bin:}''${defaultPathInputs:+/bin:}${defaultPathOriginal}\""
+    ${concatMapStringAttrsSep "\n" (fileName: originalDefaultPaths: ''
+      substituteInPlace ${lib.escapeShellArg fileName} \
+        ${
+          lib.concatMapStringsSep " \\\n  " (
+            originalDefaultPath:
+            lib.concatStringsSep " " [
+              "--replace-fail"
+              (addShellDoubleQuotes (lib.escapeShellArg originalDefaultPath))
+              (addShellDoubleQuotes ''$inputsDefaultPath''${inputsDefaultPath:+:}${lib.escapeShellArg originalDefaultPath}'')
+            ]
+          ) originalDefaultPaths
+        }
+    '') sourceFilesWithDefaultPaths}

    substituteInPlace internal/pkg/util/gpu/nvidia.go \
      --replace \
@ -236,7 +268,7 @@ in
    substituteInPlace "$out/bin/run-singularity" \
      --replace "/usr/bin/env ${projectName}" "$out/bin/${projectName}"
    wrapProgram "$out/bin/${projectName}" \
-      --prefix PATH : "''${defaultPathInputs// /\/bin:}''${defaultPathInputs:+/bin:}"
+      --prefix PATH : "$inputsDefaultPath"
    # Make changes in the config file
    ${lib.optionalString forceNvcCli ''
      substituteInPlace "$out/etc/${projectName}/${projectName}.conf" \
@ -294,7 +326,9 @@ in
 }).overrideAttrs
  (
    finalAttrs: prevAttrs: {
+      inputsDefaultPath = lib.makeBinPath finalAttrs.defaultPathInputs;
      passthru = prevAttrs.passthru or { } // {
+        inherit sourceFilesWithDefaultPaths;
        tests = {
          image-hello-cowsay = singularity-tools.buildImage {
            name = "hello-cowsay";
--- a/pkgs/applications/virtualization/singularity/packages.nix
+++ b/pkgs/applications/virtualization/singularity/packages.nix
@ -35,6 +35,12 @@ let
        # when building on a system with disabled unprivileged namespace.
        # See https://github.com/NixOS/nixpkgs/pull/215690#issuecomment-1426954601
        defaultToSuid = null;
+
+        sourceFilesWithDefaultPaths = {
+          "cmd/internal/cli/actions.go" = [ "/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin" ];
+          "e2e/env/env.go" = [ "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" ];
+          "internal/pkg/util/env/env.go" = [ "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" ];
+        };
      };

  singularity =
@ -71,6 +77,14 @@ let
        # on UNIX-like platforms,
        # and only have --without-suid but not --with-suid.
        defaultToSuid = true;
+
+        sourceFilesWithDefaultPaths = {
+          "cmd/internal/cli/actions.go" = [ "/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin" ];
+          "e2e/env/env.go" = [ "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" ];
+          "internal/pkg/util/env/clean.go" = [
+            "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+          ];
+        };
      };

  genOverridenNixos =
--- a/pkgs/build-support/singularity-tools/default.nix
+++ b/pkgs/build-support/singularity-tools/default.nix
@ -45,7 +45,7 @@ rec {
    , diskSize ? 1024
    , runScript ? "#!${stdenv.shell}\nexec /bin/sh"
    , runAsRoot ? null
-    , memSize ? 512
+    , memSize ? 1024
    , singularity ? defaultSingularity
    }:
    let