picnoir/nix-gh
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

seccomp: Forge return codes for POSIX ACL syscalls

Browse source 
Commands such as "cp -p" also use fsetxattr() in addition to fchown(),
so we need to make sure these syscalls always return successful as well
in order to avoid nasty "Invalid value" errors.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This commit is contained in:
aszlig 2016-11-16 17:25:00 +01:00
parent 651a18dd24
commit ed64976cec
No known key found for this signature in database
GPG key ID: 1DE8E48E57DB5436
2 changed files with 6 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
src/libstore/build.cc
View file

@ -1659,6 +1659,10 @@ void setupSeccomp(void) {
FORCE_SUCCESS(fchownat);
FORCE_SUCCESS(lchown);
FORCE_SUCCESS(setxattr);
FORCE_SUCCESS(lsetxattr);
FORCE_SUCCESS(fsetxattr);
if (seccomp_load(ctx) != 0) {
seccomp_release(ctx);
throw SysError("unable to load seccomp BPF program");

3
tests/sandbox.nix
View file

@ -16,7 +16,7 @@ let
sandboxTestScript = pkgs.writeText "sandbox-testscript.sh" ''
[ $(id -u) -eq 0 ]
touch foo
cp -p "$testfile" foo
chown 1024:1024 foo
touch "$out"
'';
@ -31,6 +31,7 @@ let
builder = "''${utils}/bin/bash";
args = ["-e" ${sandboxTestScript}];
PATH = "''${utils}/bin";
testfile = builtins.toFile "test" "i am a test file";
}
'';