libstore/build: always enable seccomp filtering and no-new-privileges

Seccomp filtering and the no-new-privileges functionality improve the security
of the sandbox, and have been enabled by default for a long time. In
https://git.lix.systems/lix-project/lix/issues/265 it was decided that they
should be enabled unconditionally. Accordingly, remove the allow-new-privileges
(which had weird behavior anyway) and filter-syscall settings, and force the
security features on. Syscall filtering can still be enabled at build time to
support building on architectures libseccomp doesn't support.

Change-Id: Iedbfa18d720ae557dee07a24f69b2520f30119cb

1 files changed, 12 insertions, 0 deletions

diff --git a/doc/manual/rl-next/linux-sandbox-consistency.md b/doc/manual/rl-next/linux-sandbox-consistency.md
new file mode 100644
index 000000000..6538362b3
--- /dev/null
+++ b/doc/manual/rl-next/linux-sandbox-consistency.md
@@ -0,0 +1,12 @@
+---
+synopsis: Enforce syscall filtering and no-new-privileges on Linux
+cls: 1063
+category: Breaking Changes
+credits: alois31
+---
+
+In order to improve consistency of the build environment, system call filtering and no-new-privileges are now unconditionally enabled on Linux.
+The `filter-syscalls` and `allow-new-privileges` options which could be used to disable these features under some circumstances have been removed.
+
+In order to support building on architectures without libseccomp support, the option to disable syscall filtering at build time remains.
+However, other uses of this option are heavily discouraged, since it would reduce the security of the sandbox substantially.