lix-project/lix
20
55
Fork 31
Code Issues 345 Code Review (Gerrit) Projects 3 Releases Wiki Activity

Add a seccomp rule to disallow setxattr()

Browse source
This commit is contained in:
Eelco Dolstra 2017-05-30 13:55:17 +02:00
parent d798349ede
commit 2ac99a32da
No known key found for this signature in database
GPG key ID: 8170B4726D7198DE
1 changed files with 9 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
src/libstore/build.cc
View file

@ -2315,8 +2315,8 @@ void setupSeccomp()
seccomp_arch_add(ctx, SCMP_ARCH_X86) != 0) seccomp_arch_add(ctx, SCMP_ARCH_X86) != 0)
throw SysError("unable to add 32-bit seccomp architecture"); throw SysError("unable to add 32-bit seccomp architecture");
/* Prevent builders from creating setuid/setgid binaries. */
for (int perm : { S_ISUID, S_ISGID }) { for (int perm : { S_ISUID, S_ISGID }) {
// TODO: test chmod and fchmod.
if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(chmod), 1, if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(chmod), 1,
SCMP_A1(SCMP_CMP_MASKED_EQ, perm, perm)) != 0) SCMP_A1(SCMP_CMP_MASKED_EQ, perm, perm)) != 0)
throw SysError("unable to add seccomp rule"); throw SysError("unable to add seccomp rule");
@ -2330,6 +2330,14 @@ void setupSeccomp()
throw SysError("unable to add seccomp rule"); throw SysError("unable to add seccomp rule");
} }
/* Prevent builders from creating EAs or ACLs. Not all filesystems
support these, and they're not allowed in the Nix store because
they're not representable in the NAR serialisation. */
if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOTSUP), SCMP_SYS(setxattr), 0) != 0 ||
seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOTSUP), SCMP_SYS(lsetxattr), 0) != 0 ||
seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOTSUP), SCMP_SYS(fsetxattr), 0) != 0)
throw SysError("unable to add seccomp rule");
if (seccomp_load(ctx) != 0) if (seccomp_load(ctx) != 0)
throw SysError("unable to load seccomp BPF program"); throw SysError("unable to load seccomp BPF program");
#endif #endif