lix/tests/nixos/no-new-privileges/sandbox.nix

let
  inherit (import ../util.nix) mkNixBuildTest;
in
mkNixBuildTest {
  name = "no-new-privileges-in-sandbox";
  extraMachineConfig =
    { pkgs, ... }:
    {
      security.wrappers.ohno = {
        owner = "root";
        group = "root";
        capabilities = "cap_sys_nice=eip";
        source = "${pkgs.libcap}/bin/getpcaps";
      };
      nix.settings.extra-sandbox-paths = [ "/run/wrappers/bin/ohno" ];
    };
  expressionFile = ./package.nix;
}
libstore/build: always enable seccomp filtering and no-new-privileges Seccomp filtering and the no-new-privileges functionality improve the security of the sandbox, and have been enabled by default for a long time. In https://git.lix.systems/lix-project/lix/issues/265 it was decided that they should be enabled unconditionally. Accordingly, remove the allow-new-privileges (which had weird behavior anyway) and filter-syscall settings, and force the security features on. Syscall filtering can still be enabled at build time to support building on architectures libseccomp doesn't support. Change-Id: Iedbfa18d720ae557dee07a24f69b2520f30119cb 2024-05-08 17:15:00 +00:00			`let`
			`inherit (import ../util.nix) mkNixBuildTest;`
			`in`
			`mkNixBuildTest {`
			`name = "no-new-privileges-in-sandbox";`
			`extraMachineConfig =`
			`{ pkgs, ... }:`
			`{`
			`security.wrappers.ohno = {`
			`owner = "root";`
			`group = "root";`
			`capabilities = "cap_sys_nice=eip";`
			`source = "${pkgs.libcap}/bin/getpcaps";`
			`};`
			`nix.settings.extra-sandbox-paths = [ "/run/wrappers/bin/ohno" ];`
			`};`
			`expressionFile = ./package.nix;`
			`}`