configure: Add a flag to disable seccomp.
This is needed for new arches where libseccomp support doesn't exist yet. Fixes #1878.
parent
3a5a241b32
commit
690ac7c90b
4 changed files with 19 additions and 4 deletions
|
@ -7,6 +7,7 @@ ENABLE_S3 = @ENABLE_S3@
|
||||||
HAVE_SODIUM = @HAVE_SODIUM@
|
HAVE_SODIUM = @HAVE_SODIUM@
|
||||||
HAVE_READLINE = @HAVE_READLINE@
|
HAVE_READLINE = @HAVE_READLINE@
|
||||||
HAVE_BROTLI = @HAVE_BROTLI@
|
HAVE_BROTLI = @HAVE_BROTLI@
|
||||||
|
HAVE_SECCOMP = @HAVE_SECCOMP@
|
||||||
LIBCURL_LIBS = @LIBCURL_LIBS@
|
LIBCURL_LIBS = @LIBCURL_LIBS@
|
||||||
OPENSSL_LIBS = @OPENSSL_LIBS@
|
OPENSSL_LIBS = @OPENSSL_LIBS@
|
||||||
PACKAGE_NAME = @PACKAGE_NAME@
|
PACKAGE_NAME = @PACKAGE_NAME@
|
||||||
|
|
16
configure.ac
16
configure.ac
|
@ -186,9 +186,21 @@ AC_SUBST(HAVE_BROTLI, [$have_brotli])
|
||||||
|
|
||||||
# Look for libseccomp, required for Linux sandboxing.
|
# Look for libseccomp, required for Linux sandboxing.
|
||||||
if test "$sys_name" = linux; then
|
if test "$sys_name" = linux; then
|
||||||
PKG_CHECK_MODULES([LIBSECCOMP], [libseccomp],
|
AC_ARG_ENABLE([seccomp-sandboxing],
|
||||||
[CXXFLAGS="$LIBSECCOMP_CFLAGS $CXXFLAGS"])
|
AC_HELP_STRING([--disable-seccomp-sandboxing],
|
||||||
|
[Don't build support for seccomp sandboxing (only recommended if your arch doesn't support libseccomp yet!)]
|
||||||
|
))
|
||||||
|
if test "x$enable_seccomp_sandboxing" != "xno"; then
|
||||||
|
PKG_CHECK_MODULES([LIBSECCOMP], [libseccomp],
|
||||||
|
[CXXFLAGS="$LIBSECCOMP_CFLAGS $CXXFLAGS"])
|
||||||
|
have_seccomp=1
|
||||||
|
else
|
||||||
|
have_seccomp=
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
have_seccomp=
|
||||||
fi
|
fi
|
||||||
|
AC_SUBST(HAVE_SECCOMP, [$have_seccomp])
|
||||||
|
|
||||||
|
|
||||||
# Look for aws-cpp-sdk-s3.
|
# Look for aws-cpp-sdk-s3.
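Review bot: `AC_SUBST(HAVE_SECCOMP, [$have_seccomp])` only produces a make/output variable, so the `#if HAVE_SECCOMP` guards this commit adds in the C++ source will see an undefined macro, which the preprocessor evaluates as 0, unless something outside this section passes it to the compiler. If nothing does, the seccomp filter is compiled out of every Linux build, not only those configured with `--disable-seccomp-sandboxing`. I would add `AC_DEFINE([HAVE_SECCOMP], [1], [Whether seccomp is available and should be used for sandboxing.])` next to `have_seccomp=1`. As a style point, `AC_HELP_STRING` is the obsolete spelling of `AS_HELP_STRING`.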
|
||||||
|
|
|
@ -49,7 +49,9 @@
|
||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
#include <sys/mount.h>
|
#include <sys/mount.h>
|
||||||
#include <sys/syscall.h>
|
#include <sys/syscall.h>
|
||||||
|
#if HAVE_SECCOMP
|
||||||
#include <seccomp.h>
|
#include <seccomp.h>
|
||||||
|
#endif
|
||||||
#define pivot_root(new_root, put_old) (syscall(SYS_pivot_root, new_root, put_old))
|
#define pivot_root(new_root, put_old) (syscall(SYS_pivot_root, new_root, put_old))
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
@ -2469,7 +2471,7 @@ void DerivationGoal::chownToBuilder(const Path & path)
|
||||||
|
|
||||||
void setupSeccomp()
|
void setupSeccomp()
|
||||||
{
|
{
|
||||||
#if __linux__
|
#if __linux__ && HAVE_SECCOMP
|
||||||
if (!settings.filterSyscalls) return;
|
if (!settings.filterSyscalls) return;
|
||||||
|
|
||||||
scmp_filter_ctx ctx;
|
scmp_filter_ctx ctx;
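Review bot: With `#if __linux__ && HAVE_SECCOMP`, a build configured without seccomp turns `setupSeccomp()` into a silent no-op even when `settings.filterSyscalls` is set, so an operator gets no indication that the syscall filter is not being applied to builds. An `#else` branch that fails closed would make the gap visible, for example `if (settings.filterSyscalls) throw Error("seccomp is not supported in this build; set 'filter-syscalls' to false to proceed without it");`. The body of `setupSeccomp()` continues past the end of this section, so an existing `#else` there cannot be ruled out from the visible lines.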
|
||||||
|
|
|
@ -25,7 +25,7 @@ ifeq ($(OS), SunOS)
|
||||||
libstore_LDFLAGS += -lsocket
|
libstore_LDFLAGS += -lsocket
|
||||||
endif
|
endif
|
||||||
|
|
||||||
ifeq ($(OS), Linux)
|
ifeq ($(HAVE_SECCOMP), 1)
|
||||||
libstore_LDFLAGS += -lseccomp
|
libstore_LDFLAGS += -lseccomp
|
||||||
endif
|
endif
|
||||||
|
|
||||||
|
|