picnoir
/
nix-gh
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add X32 to the seccomp filter 

Fixes #1432.

(cherry picked from commit a3dc1e65ab)
This commit is contained in:
Eelco Dolstra 2017-07-04 19:00:51 +02:00
parent b59788fc48
commit 9943f98c35
No known key found for this signature in database
GPG Key ID: 8170B4726D7198DE
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/libstore/build.cc
View File

@ -2275,6 +2275,10 @@ void setupSeccomp()
seccomp_arch_add(ctx, SCMP_ARCH_X86) != 0)
throw SysError("unable to add 32-bit seccomp architecture");
if (settings.thisSystem == "x86_64-linux" &&
seccomp_arch_add(ctx, SCMP_ARCH_X32) != 0)
throw SysError("unable to add X32 seccomp architecture");
/* Prevent builders from creating setuid/setgid binaries. */
for (int perm : { S_ISUID, S_ISGID }) {
if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(chmod), 1,