author | aszlig <aszlig@redmoonstudios.org> | 2016-11-16 17:25:00 +0100 |
---|---|---|
committer | aszlig <aszlig@redmoonstudios.org> | 2016-11-16 17:29:14 +0100 |
commit | ed64976cec43f9f067a40fc6921b5513a19fd757 (patch) | |
tree | 3655ae9476e89b896ce38309ea37eaab16fa26ea | |
parent | 651a18dd2466662e7027e4dc04147e4f38c7bbf8 (diff) |
seccomp: Forge return codes for POSIX ACL syscalls
Commands such as "cp -p" also use fsetxattr() in addition to fchown(),
so we need to make sure these syscalls always return success as well
in order to avoid nasty "Invalid value" errors.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
-rw-r--r-- | src/libstore/build.cc | 4 | ||||
-rw-r--r-- | tests/sandbox.nix | 3 |
2 files changed, 6 insertions, 1 deletions
diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index 6c6d0dee3..6fc6220e0 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -1659,6 +1659,10 @@ void setupSeccomp(void) {
 FORCE_SUCCESS(fchownat);
 FORCE_SUCCESS(lchown);
+ FORCE_SUCCESS(setxattr);
+ FORCE_SUCCESS(lsetxattr);
+ FORCE_SUCCESS(fsetxattr);
+
 if (seccomp_load(ctx) != 0) {
 seccomp_release(ctx);
 throw SysError("unable to load seccomp BPF program");
diff --git a/tests/sandbox.nix b/tests/sandbox.nix
index 7e2055038..dc72a5985 100644
--- a/tests/sandbox.nix
+++ b/tests/sandbox.nix
@@ -16,7 +16,7 @@ let
 sandboxTestScript = pkgs.writeText "sandbox-testscript.sh" ''
 [ $(id -u) -eq 0 ]
- touch foo
+ cp -p "$testfile" foo
 chown 1024:1024 foo
 touch "$out"
 '';
@@ -31,6 +31,7 @@ let
 builder = "''${utils}/bin/bash";
 args = ["-e" ${sandboxTestScript}];
 PATH = "''${utils}/bin";
+ testfile = builtins.toFile "test" "i am a test file";
 }
 ''; |
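Review bot: The three added `FORCE_SUCCESS(...)` lines forge success for every extended-attribute write, not only the POSIX ACL attributes the commit title names, and nothing in the hunk records that. If `FORCE_SUCCESS` makes the call return 0 without executing it (its definition is outside this hunk), a builder that sets `security.capability` or a `user.*` attribute is told the write worked while nothing is stored, so a later read-back or capability-dependent step fails far from the cause. A seccomp filter cannot dereference the name pointer, so restricting the rule to ACL attribute names is not possible at this layer; the trade-off should be written down instead, e.g. `// Forged for *all* xattr names: seccomp cannot inspect the name string, so setcap/setfattr in a build silently become no-ops.` above the new lines. `setupSeccomp` starts and ends outside the hunk.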
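Review bot: The replaced line `cp -p "$testfile" foo` exercises the new seccomp rules only indirectly: the script passes whenever `cp -p` exits 0, whether or not it actually issued `fsetxattr()`. That depends on how the coreutils in `utils` was built and on the attributes of the store file, neither of which is visible here, so the test could keep passing even if the xattr rules were removed. A shell comment above the line such as `# cp -p calls fchown() and fsetxattr(); both must be forged by the sandbox filter` would record the intent, and an explicit xattr write (if a tool for it is available in `utils`) would pin the behaviour. The script body sits inside a Nix string that begins before the changed line.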