Add build dependency for libseccomp

We're going to use libseccomp instead of creating the raw BPF program, because we have different syscall numbers on different architectures. Although our initial seccomp rules will be quite small it really doesn't make sense to generate the raw BPF program because we need to duplicate it and/or make branches on every single architecture we want to suuport. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-11-16 12:30:11 +01:00 · 2016-11-16 12:30:11 +01:00 · 1c52e344c4
parent e8838713df
commit 1c52e344c4
4 changed files with 16 additions and 1 deletions
--- a/Makefile.config.in
+++ b/Makefile.config.in
@ -10,6 +10,7 @@ OPENSSL_LIBS = @OPENSSL_LIBS@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 SODIUM_LIBS = @SODIUM_LIBS@
+LIBSECCOMP_LIBS = @LIBSECCOMP_LIBS@
 LIBLZMA_LIBS = @LIBLZMA_LIBS@
 SQLITE3_LIBS = @SQLITE3_LIBS@
 bash = @bash@
--- a/configure.ac
+++ b/configure.ac
@ -194,6 +194,15 @@ AC_SUBST(HAVE_SODIUM, [$have_sodium])
 PKG_CHECK_MODULES([LIBLZMA], [liblzma], [CXXFLAGS="$LIBLZMA_CFLAGS $CXXFLAGS"])


+# Look for libseccomp, required for Linux sandboxing.
+if test "$sys_name" = linux; then
+  PKG_CHECK_MODULES([LIBSECCOMP], [libseccomp],
+                    [CXXFLAGS="$LIBSECCOMP_CFLAGS $CXXFLAGS"])
+#  AC_CHECK_LIB([seccomp], [seccomp_init], [true],
+#    [AC_MSG_ERROR([Nix requires libseccomp for sandboxing.  See https://github.com/seccomp/libseccomp.])])
+fi
+
+
 # Look for aws-cpp-sdk-s3.
 AC_LANG_PUSH(C++)
 AC_CHECK_HEADERS([aws/s3/S3Client.h],
--- a/release.nix
+++ b/release.nix
@ -25,7 +25,7 @@ let

        buildInputs =
          [ curl bison flex perl libxml2 libxslt bzip2 xz
-            pkgconfig sqlite libsodium boehmgc
+            pkgconfig sqlite libsodium libseccomp boehmgc
            docbook5 docbook5_xsl
            autoconf-archive
          ] ++ lib.optional (!lib.inNixShell) git;
@ -75,6 +75,7 @@ let
        buildInputs =
          [ curl perl bzip2 xz openssl pkgconfig sqlite boehmgc ]
          ++ lib.optional stdenv.isLinux libsodium
+          ++ lib.optional stdenv.isLinux libseccomp
          ++ lib.optional stdenv.isLinux
            (aws-sdk-cpp.override {
              apis = ["s3"];
--- a/src/libstore/local.mk
+++ b/src/libstore/local.mk
@ -18,6 +18,10 @@ ifeq ($(OS), SunOS)
 	libstore_LDFLAGS += -lsocket
 endif

+ifeq ($(OS), Linux)
+	libstore_LDFLAGS += -lseccomp
+endif
+
 libstore_CXXFLAGS = \
 -DNIX_PREFIX=\"$(prefix)\" \
 -DNIX_STORE_DIR=\"$(storedir)\" \