picnoir/nix-gh
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Add X32 to the seccomp filter

Browse source 
Fixes #1432.
This commit is contained in:
Eelco Dolstra 2017-07-04 19:00:51 +02:00
parent 42c5774e78
commit a3dc1e65ab
No known key found for this signature in database
GPG key ID: 8170B4726D7198DE
1 changed files with 4 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
src/libstore/build.cc
View file

@ -2317,6 +2317,10 @@ void setupSeccomp()
seccomp_arch_add(ctx, SCMP_ARCH_X86) != 0)
throw SysError("unable to add 32-bit seccomp architecture");
if (settings.thisSystem == "x86_64-linux" &&
seccomp_arch_add(ctx, SCMP_ARCH_X32) != 0)
throw SysError("unable to add X32 seccomp architecture");
/* Prevent builders from creating setuid/setgid binaries. */
for (int perm : { S_ISUID, S_ISGID }) {
if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(chmod), 1,