From 0cd560c95dd981bde84c93379f6af677d31a2d0b Mon Sep 17 00:00:00 2001 From: Jonpez2 Date: Mon, 6 Jun 2022 16:56:42 +0100 Subject: [PATCH 1/4] Add security.csm to ignored-acls The security.csm ACL is, as far as I know, never reasonable to remove, so let's add it to the ignore-list in the vanilla nix image. This makes this image usable on GKE. --- docker.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/docker.nix b/docker.nix index 0cd64856f..a236d61d3 100644 --- a/docker.nix +++ b/docker.nix @@ -125,6 +125,7 @@ let sandbox = "false"; build-users-group = "nixbld"; trusted-public-keys = "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="; + ignored-acls = security.csm; }; nixConfContents = (lib.concatStringsSep "\n" (lib.mapAttrsFlatten (n: v: "${n} = ${v}") nixConf)) + "\n"; From a7d25d339d94993fc8731de658f18a06e0e2a07e Mon Sep 17 00:00:00 2001 From: Jonpez2 Date: Wed, 8 Jun 2022 09:32:14 +0100 Subject: [PATCH 2/4] Add security.csm to the default ignore list --- src/libstore/globals.hh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh index feb6899cd..0ee27ecb6 100644 --- a/src/libstore/globals.hh +++ b/src/libstore/globals.hh @@ -802,7 +802,7 @@ public: )"}; Setting ignoredAcls{ - this, {"security.selinux", "system.nfs4_acl"}, "ignored-acls", + this, {"security.selinux", "system.nfs4_acl", "security.csm"}, "ignored-acls", R"( A list of ACLs that should be ignored, normally Nix attempts to remove all ACLs from files and directories in the Nix store, but From 7b968af93005348477ee19c1eb2c35937b39f249 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 8 Jun 2022 17:41:31 +0200 Subject: [PATCH 3/4] Update docker.nix Co-authored-by: Cole Helbling --- docker.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker.nix b/docker.nix index a236d61d3..cbda39073 100644 --- a/docker.nix +++ b/docker.nix 
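Review bot: In patch 2/4 the new default for `ignoredAcls` in src/libstore/globals.hh exempts `security.csm` from ACL stripping on every platform, while the only rationale (GKE) sits in the commit message of patch 1/4. A comment above the default list would record why the entry exists, for example `// security.csm: ignoring it is what makes Nix usable on GKE; see the commit that added it`. The `ignored-acls` doc string could also say whether an explicit `ignored-acls = ...` in nix.conf replaces this default or extends it. If it replaces it, as I assume, a line like the `ignored-acls = "security.csm"` that patches 1 and 3 put in docker.nix would silently drop `security.selinux` and `system.nfs4_acl`. The doc string continues outside the hunk, so the wording there needs checking against the full text.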
@@ -125,7 +125,7 @@ let sandbox = "false"; build-users-group = "nixbld"; trusted-public-keys = "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="; - ignored-acls = security.csm; + ignored-acls = "security.csm"; }; nixConfContents = (lib.concatStringsSep "\n" (lib.mapAttrsFlatten (n: v: "${n} = ${v}") nixConf)) + "\n"; From 3f5f84258d0d8e348f2452ca97be066b0b1b741d Mon Sep 17 00:00:00 2001 From: Jonpez2 Date: Fri, 10 Jun 2022 09:17:28 +0100 Subject: [PATCH 4/4] Update docker.nix Co-authored-by: Eelco Dolstra --- docker.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/docker.nix b/docker.nix index cbda39073..0cd64856f 100644 --- a/docker.nix +++ b/docker.nix @@ -125,7 +125,6 @@ let sandbox = "false"; build-users-group = "nixbld"; trusted-public-keys = "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="; - ignored-acls = "security.csm"; }; nixConfContents = (lib.concatStringsSep "\n" (lib.mapAttrsFlatten (n: v: "${n} = ${v}") nixConf)) + "\n";