From 8438114399ce025b6977215dbaedc05697a6d958 Mon Sep 17 00:00:00 2001 From: Magic_RB Date: Mon, 3 May 2021 09:54:31 +0200 Subject: [PATCH] Add ignored_acls setting Signed-off-by: Magic_RB --- src/libstore/globals.hh | 9 +++++++++ src/libstore/local-store.cc | 4 +--- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh index 8784d5faf..7e01b4960 100644 --- a/src/libstore/globals.hh +++ b/src/libstore/globals.hh @@ -805,6 +805,15 @@ public: may be useful in certain scenarios (e.g. to spin up containers or set up userspace network interfaces in tests). )"}; + + Setting ignoredAcls{ + this, {"security.selinux"}, "ignored-acls", + R"( + A list of ACLs that should be ignored, normally Nix attempts to + remove all ACLs from files and directories in the Nix store, but + some ACLs like `security.selinux` or `system.nfs4_acl` can't be + removed even by root. Therefore it's best to just ignore them. + )"}; #endif Setting hashedMirrors{ diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc index 747eb205e..c6f774bc2 100644 --- a/src/libstore/local-store.cc +++ b/src/libstore/local-store.cc @@ -583,9 +583,7 @@ static void canonicalisePathMetaData_(const Path & path, uid_t fromUid, InodesSe throw SysError("querying extended attributes of '%s'", path); for (auto & eaName: tokenizeString(std::string(eaBuf.data(), eaSize), std::string("\000", 1))) { - /* Ignore SELinux security labels since these cannot be - removed even by root. */ - if (eaName == "security.selinux") continue; + if (settings.ignoredAcls.get().count(eaName)) continue; if (lremovexattr(path.c_str(), eaName.c_str()) == -1) throw SysError("removing extended attribute '%s' from '%s'", eaName, path); }