Add option to disable the seccomp filter

I needed this to test ACL/xattr removal in
canonicalisePathMetaData(). Might also be useful if you need to build
old Nixpkgs that doesn't have the required patches to remove
setuid/setgid creation.
This commit is contained in:
Eelco Dolstra 2017-10-12 18:21:55 +02:00
parent 97307811ee
commit 1dd29d7aeb
No known key found for this signature in database
GPG key ID: 8170B4726D7198DE
2 changed files with 8 additions and 0 deletions

View file

@ -2351,6 +2351,8 @@ void DerivationGoal::doExportReferencesGraph()
void setupSeccomp()
{
#if __linux__
if (!settings.filterSyscalls) return;
scmp_filter_ctx ctx;
if (!(ctx = seccomp_init(SCMP_ACT_ALLOW)))

View file

@ -336,6 +336,12 @@ public:
"String appended to the user agent in HTTP requests."};
#if __linux__
Setting<bool> filterSyscalls{this, true, "filter-syscalls",
"Whether to prevent certain dangerous system calls, such as "
"creation of setuid/setgid files or adding ACLs or extended "
"attributes. Only disable this if you're aware of the "
"security implications."};
Setting<bool> allowNewPrivileges{this, false, "allow-new-privileges",
"Whether builders can acquire new privileges by calling programs with "
"setuid/setgid bits or with file capabilities."};