
Whitelist/Blacklist paths that can use nix-ld #68

Closed
alexandru0-dev opened this issue Dec 4, 2023 · 11 comments
Labels
wontfix This will not be worked on

Comments

@alexandru0-dev

I really like nix-ld, tho it can come with some security issues, so I was thinking:
is it possible to restrict the binaries that can be run by nix-ld, or is it impossible by design?

@Mic92
Member

Mic92 commented Dec 4, 2023

The only security issue I am aware of is #38.
However, this requires someone to create a setuid binary with an unpatched binary (something that we don't usually do in NixOS).
Is there anything else?

@alexandru0-dev
Author

If an untrusted binary is statically linked, rip.
But if it's dynamically linked, due to NixOS not being FHS it's not going to work out of the box, tho with nix-ld, if the libraries it needs are in the library list, it executes as expected.
Am I missing something?

I found nix-ld very useful as I use it for Mason plugin (for Neovim)

@Mic92
Member

Mic92 commented Dec 4, 2023

So your issue is that untrusted dynamic binaries can now run on NixOS, whereas before they were not able to?

@Mic92
Member

Mic92 commented Dec 4, 2023

I think one could potentially mitigate it with AppArmor by restricting who is allowed to read from /lib64. I would not like to add some complex policy framework to nix-ld itself. NIX_LD_LIBRARY is already sort of sanitized by glibc in the context of setuid libraries; the same needs to be done for NIX_LD...

@alexandru0-dev
Author

Usually no. The only way that this could be done, I think, is by using /nix/store paths when linking, but unless the hash is the same idk how this would be doable.

@Mic92
Member

Mic92 commented Dec 4, 2023

If it was a file instead of a symlink it might become easier to apply effective permissions?

@alexandru0-dev
Author

I think one could potentially mitigate it with AppArmor by restricting who is allowed to read from /lib64. I would not like to add some complex policy framework to nix-ld itself. NIX_LD_LIBRARY is already sort of sanitized by glibc in the context of setuid libraries; the same needs to be done for NIX_LD...

I guess it's doable, tho it would add complexity.
Haven't read your src code, so idk exactly the design of your project, tho isn't there a way for nix-ld to know for which binary it is trying to load libraries?

@Mic92
Member

Mic92 commented Dec 4, 2023

No, there is not, and it would also be hard to implement because we don't have a proper libc inside nix-ld. What you can do is only set NIX_LD_LIBRARY_PATH/NIX_LD for binaries where you want plugins, i.e. for vim.

@alexandru0-dev
Author

What you can do is only set NIX_LD_LIBRARY_PATH/NIX_LD for binaries where you want plugins, i.e. for vim.

Probably I can just try to wrap neovim with the environment variables and see how it plays out, or try to find another way to display installed LSP servers using Mason and install them thru NixOS/nix as usual.

Thx for everything.
Btw, I could contribute to the Rust version.
(Also, could the Rust version in the future support reading the paths of the binary?)

(I can also code in C, tho if the project grows it could be way harder to maintain.)

@Mic92
Member

Mic92 commented Dec 4, 2023

I am personally already using the Rust version on my own machines. If you have a design in mind, please let us know in a WIP PR or an issue in nix-ld-rs, so we can discuss it early on before time is wasted on implementation.

@Mic92 Mic92 added the wontfix This will not be worked on label Dec 4, 2023
@Mic92 Mic92 closed this as completed Dec 4, 2023
@alexandru0-dev
Author

What you can do is only set NIX_LD_LIBRARY_PATH/NIX_LD for binaries where you want plugins, i.e. for vim.

It works as expected; the only thing is that I need to make a patch to unset the global environment variables or make an option and submit the PR.
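The per-binary scoping that Mic92 suggests above (set NIX_LD / NIX_LD_LIBRARY_PATH only for the program that hosts the foreign plugins, here Neovim with Mason) written out as a NixOS module. This is an added example, not code from the thread or from the nix-ld project. It assumes the NixOS option `programs.nix-ld.enable`, the `pkgs.makeWrapper` / `wrapProgram` helper, and the loader path in `${pkgs.stdenv.cc}/nix-support/dynamic-linker`; the library list is a constructed placeholder for whatever the Mason-installed servers actually need.

```nix
{ pkgs, lib, ... }:
let
  # Constructed placeholder: the libraries the Mason-installed LSP servers need.
  # Keep this list as small as possible; it is the only set of libraries
  # a foreign binary launched from nvim will be able to resolve through nix-ld.
  pluginLibs = with pkgs; [ stdenv.cc.cc zlib openssl ];

  # Real dynamic linker of the system toolchain (what the /lib64 shim forwards to).
  dynamicLinker = lib.fileContents "${pkgs.stdenv.cc}/nix-support/dynamic-linker";

  # Wrap nvim so that NIX_LD and NIX_LD_LIBRARY_PATH are exported only for this
  # process tree, not for every shell on the machine.
  neovimWithNixLd = pkgs.symlinkJoin {
    name = "neovim-nix-ld";
    paths = [ pkgs.neovim ];
    nativeBuildInputs = [ pkgs.makeWrapper ];
    postBuild = ''
      wrapProgram $out/bin/nvim \
        --set NIX_LD "${dynamicLinker}" \
        --set NIX_LD_LIBRARY_PATH "${lib.makeLibraryPath pluginLibs}"
    '';
  };
in
{
  # Installs the /lib64 loader shim. Note: as the last comment in the thread says,
  # the module at this point still exports the NIX_LD* variables system-wide, so
  # this wrapper only gives nvim an explicit, narrow library set; dropping the
  # global variables is the separate patch mentioned above.
  programs.nix-ld.enable = true;

  # Do not populate programs.nix-ld.libraries: an empty global list means a
  # foreign binary run from an ordinary shell finds no libraries beyond the ones
  # the wrapper provides to nvim.
  environment.systemPackages = [ neovimWithNixLd ];
}
```

To check the scoping after a rebuild, run `env | grep NIX_LD` from a normal shell and `:!env | grep NIX_LD` from inside nvim: only the latter should show the wrapper's library path.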
