From ed64976cec43f9f067a40fc6921b5513a19fd757 Mon Sep 17 00:00:00 2001 From: aszlig Date: Wed, 16 Nov 2016 17:25:00 +0100 Subject: [PATCH] seccomp: Forge return codes for POSIX ACL syscalls Commands such as "cp -p" also use fsetxattr() in addition to fchown(), so we need to make sure these syscalls always return successful as well in order to avoid nasty "Invalid value" errors. Signed-off-by: aszlig --- src/libstore/build.cc | 4 ++++ tests/sandbox.nix | 3 ++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/src/libstore/build.cc b/src/libstore/build.cc index 6c6d0dee3..6fc6220e0 100644 --- a/src/libstore/build.cc +++ b/src/libstore/build.cc @@ -1659,6 +1659,10 @@ void setupSeccomp(void) { FORCE_SUCCESS(fchownat); FORCE_SUCCESS(lchown); + FORCE_SUCCESS(setxattr); + FORCE_SUCCESS(lsetxattr); + FORCE_SUCCESS(fsetxattr); + if (seccomp_load(ctx) != 0) { seccomp_release(ctx); throw SysError("unable to load seccomp BPF program"); diff --git a/tests/sandbox.nix b/tests/sandbox.nix index 7e2055038..dc72a5985 100644 --- a/tests/sandbox.nix +++ b/tests/sandbox.nix @@ -16,7 +16,7 @@ let sandboxTestScript = pkgs.writeText "sandbox-testscript.sh" '' [ $(id -u) -eq 0 ] - touch foo + cp -p "$testfile" foo chown 1024:1024 foo touch "$out" ''; @@ -31,6 +31,7 @@ let builder = "''${utils}/bin/bash"; args = ["-e" ${sandboxTestScript}]; PATH = "''${utils}/bin"; + testfile = builtins.toFile "test" "i am a test file"; } '';