nixos/security/wrappers: use musl rather than glibc, and unset GLIBC_…

…TUNABLES This mitigates CVE-2023-4911, crucially without a mass-rebuild. Change-Id: I591a817e6d4575243937d9ccab51c23a96bed6f9
NixOS · Oct 4, 2023 · 3e1010e · 3e1010e
1 parent ad1ca74
commit 3e1010e
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix
@@ -5,7 +5,11 @@ let
 
   parentWrapperDir = dirOf wrapperDir;
 
-  securityWrapper = sourceProg : pkgs.callPackage ./wrapper.nix {
+  # This is security-sensitive code, and glibc vulns happen from time to time.
+  # musl is security-focused and generally more minimal, so it's a better choice here.
+  # The dynamic linker is still a fairly complex piece of code, and the wrappers are
+  # quite small, so linking it statically is more appropriate.
+  securityWrapper = sourceProg : pkgs.pkgsStatic.callPackage ./wrapper.nix {
     inherit sourceProg;
   };
 

diff --git a/nixos/modules/security/wrappers/wrapper.c b/nixos/modules/security/wrappers/wrapper.c
@@ -154,6 +154,9 @@ static int make_caps_ambient(const char *self_path) {
 int main(int argc, char **argv) {
     ASSERT(argc >= 1);
 
+    // mitigate CVE-2023-4911
+    unsetenv("GLIBC_TUNABLES");
+
     // Read the capabilities set on the wrapper and raise them in to
     // the ambient set so the program we're wrapping receives the
     // capabilities too!