lachrimae/lix
0
0
Fork 0
forked from lix-project/lix
Code Pull requests Activity

Add option to disable the seccomp filter

Browse source 
I needed this to test ACL/xattr removal in
canonicalisePathMetaData(). Might also be useful if you need to build
old Nixpkgs that doesn't have the required patches to remove
setuid/setgid creation.
This commit is contained in:
Eelco Dolstra 2017-10-12 18:21:55 +02:00
parent 97307811ee
commit 1dd29d7aeb
No known key found for this signature in database
GPG key ID: 8170B4726D7198DE
2 changed files with 8 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
src/libstore/build.cc
View file

@ -2351,6 +2351,8 @@ void DerivationGoal::doExportReferencesGraph()
void setupSeccomp() void setupSeccomp()
{ {
#if __linux__ #if __linux__
if (!settings.filterSyscalls) return;
scmp_filter_ctx ctx; scmp_filter_ctx ctx;
if (!(ctx = seccomp_init(SCMP_ACT_ALLOW))) if (!(ctx = seccomp_init(SCMP_ACT_ALLOW)))

6
src/libstore/globals.hh
View file

@ -336,6 +336,12 @@ public:
"String appended to the user agent in HTTP requests."}; "String appended to the user agent in HTTP requests."};
#if __linux__ #if __linux__
Setting<bool> filterSyscalls{this, true, "filter-syscalls",
"Whether to prevent certain dangerous system calls, such as "
"creation of setuid/setgid files or adding ACLs or extended "
"attributes. Only disable this if you're aware of the "
"security implications."};
Setting<bool> allowNewPrivileges{this, false, "allow-new-privileges", Setting<bool> allowNewPrivileges{this, false, "allow-new-privileges",
"Whether builders can acquire new privileges by calling programs with " "Whether builders can acquire new privileges by calling programs with "
"setuid/setgid bits or with file capabilities."}; "setuid/setgid bits or with file capabilities."};