lix/tests/nixos/no-new-privileges/package.nix

{ runCommand, libcap }:
runCommand "cant-get-capabilities" { nativeBuildInputs = [ libcap.out ]; } ''
  if [ "$(/run/wrappers/bin/ohno 2>&1)" != "failed to inherit capabilities: Operation not permitted" ]; then
    echo "Oh no! We gained capabilities!"
    exit 1
  fi
  touch $out
''
libstore/build: always enable seccomp filtering and no-new-privileges Seccomp filtering and the no-new-privileges functionality improve the security of the sandbox, and have been enabled by default for a long time. In https://git.lix.systems/lix-project/lix/issues/265 it was decided that they should be enabled unconditionally. Accordingly, remove the allow-new-privileges (which had weird behavior anyway) and filter-syscall settings, and force the security features on. Syscall filtering can still be enabled at build time to support building on architectures libseccomp doesn't support. Change-Id: Iedbfa18d720ae557dee07a24f69b2520f30119cb 2024-05-08 17:15:00 +00:00			`{ runCommand, libcap }:`
			`runCommand "cant-get-capabilities" { nativeBuildInputs = [ libcap.out ]; } ''`
			`if [ "$(/run/wrappers/bin/ohno 2>&1)" != "failed to inherit capabilities: Operation not permitted" ]; then`
			`echo "Oh no! We gained capabilities!"`
			`exit 1`
			`fi`
			`touch $out`
			`''`