From 1dd29d7aebae706f3e90a18bbfae727f2ed03c70 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Thu, 12 Oct 2017 18:21:55 +0200 Subject: [PATCH] Add option to disable the seccomp filter I needed this to test ACL/xattr removal in canonicalisePathMetaData(). Might also be useful if you need to build old Nixpkgs that doesn't have the required patches to remove setuid/setgid creation. --- src/libstore/build.cc | 2 ++ src/libstore/globals.hh | 6 ++++++ 2 files changed, 8 insertions(+) diff --git a/src/libstore/build.cc b/src/libstore/build.cc index 3b3cebfb..64cbc19b 100644 --- a/src/libstore/build.cc +++ b/src/libstore/build.cc @@ -2351,6 +2351,8 @@ void DerivationGoal::doExportReferencesGraph() void setupSeccomp() { #if __linux__ + if (!settings.filterSyscalls) return; + scmp_filter_ctx ctx; if (!(ctx = seccomp_init(SCMP_ACT_ALLOW))) diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh index 41d33231..264e82a1 100644 --- a/src/libstore/globals.hh +++ b/src/libstore/globals.hh @@ -336,6 +336,12 @@ public: "String appended to the user agent in HTTP requests."}; #if __linux__ + Setting filterSyscalls{this, true, "filter-syscalls", + "Whether to prevent certain dangerous system calls, such as " + "creation of setuid/setgid files or adding ACLs or extended " + "attributes. Only disable this if you're aware of the " + "security implications."}; + Setting allowNewPrivileges{this, false, "allow-new-privileges", "Whether builders can acquire new privileges by calling programs with " "setuid/setgid bits or with file capabilities."};