author | alois31 <alois1@gmx-topmail.de> | 2024-07-26 07:08:35 +0000 |
committer | Gerrit Code Review <gerrit@localhost> | 2024-07-26 07:08:35 +0000 |
commit | d945e89e19bb508133bc563fb960b1cf1e785410 (patch) | |
tree | 6a29d77bb1f08e437651163ef58c0063ee0ac2a1 /maintainers | |
parent | 60a48311e84c228e664a44c8d049ea3080879a40 (diff) | |
parent | e7188e211a5a2ac0ba34635a846569560bb5f000 (diff) |
Merge changes I45d3895f,I541be3ea,Ibe51416d into main
* changes:
libstore/build: block io_uring
libstore/build: use an allowlist approach to syscall filtering
libstore/build: always treat seccomp setup failures as fatal
Diffstat (limited to 'maintainers')
-rw-r--r-- | maintainers/check-syscalls.nix | 16 | ||||
-rwxr-xr-x | maintainers/check-syscalls.sh | 7 |
2 files changed, 23 insertions, 0 deletions
diff --git a/maintainers/check-syscalls.nix b/maintainers/check-syscalls.nix
new file mode 100644
index 000000000..1a3de5c6d
--- /dev/null
+++ b/maintainers/check-syscalls.nix
@@ -0,0 +1,16 @@
+{
+ runCommandNoCC,
+ lib,
+ libseccomp,
+ writeShellScriptBin,
+}:
+let
+ syscalls-csv = runCommandNoCC "syscalls.csv" { } ''
+ echo ${lib.escapeShellArg libseccomp.src}
+ tar -xf ${lib.escapeShellArg libseccomp.src} --strip-components=2 ${libseccomp.name}/src/syscalls.csv
+ mv syscalls.csv "$out"
+ '';
+in
+writeShellScriptBin "check-syscalls" ''
+ ${./check-syscalls.sh} ${syscalls-csv}
+''
diff --git a/maintainers/check-syscalls.sh b/maintainers/check-syscalls.sh
new file mode 100755
index 000000000..cd72ac23b
--- /dev/null
+++ b/maintainers/check-syscalls.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+set -e
+
+diff -u <(awk < src/libstore/build/local-derivation-goal.cc '/BEGIN extract-syscalls/ { extracting = 1; next }
match($0, /allowSyscall\(ctx, SCMP_SYS\(([^)]*)\)\);|\/\/ skip ([^ ]*)/, result) { print result[1] result[2] }
/END extract-syscalls/ { extracting = 0; next }') <(tail -n+2 "$1" | cut -d, -f 1) |
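Review bot: The `echo ${lib.escapeShellArg libseccomp.src}` line in the syscalls-csv builder only prints the tarball path into the build log and looks like leftover debugging; it can be dropped. The `tar` call also assumes the archive's top-level directory is named `${libseccomp.name}`, which presumably holds for the pinned libseccomp source but would break silently on a differently named tarball, so a short comment stating that assumption would help. The file has no header explaining what the tool is for; I would add `# Builds `check-syscalls`, which diffs the seccomp allowlist markers in src/libstore/build/local-derivation-goal.cc against libseccomp's syscalls.csv so newly added syscalls are noticed.` Since the wrapper does not change directory and check-syscalls.sh reads a relative source path, the comment should also say the tool must be run from the repository root.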
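Review bot: The awk program sets `extracting` on the BEGIN marker and clears it on the END marker but never tests it, so the `match()` rule fires on every line of local-derivation-goal.cc rather than only inside the marked region; any `allowSyscall(...)` call or `// skip` comment elsewhere in the file would leak into the comparison. Guarding the rule makes the markers meaningful: `extracting && match($0, /allowSyscall\(ctx, SCMP_SYS\(([^)]*)\)\);|\/\/ skip ([^ ]*)/, result) { print result[1] result[2] }`. Note also that the three-argument form of `match()` is a gawk extension, and the wrapper in check-syscalls.nix does not appear to put gawk on PATH, so the check depends on whichever awk the caller has. The relative `src/libstore/build/local-derivation-goal.cc` path likewise requires running from the repository root; a one-line comment after `set -e` stating both requirements would save the next maintainer a confusing failure.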