author | Maximilian Bosch <maximilian@mbosch.me> | 2024-05-04 07:26:15 +0000 |
---|---|---|
committer | Gerrit Code Review <gerrit@lix> | 2024-05-04 07:26:15 +0000 |
commit | 79d0ae667066b758fd4202cd18294a0f40ddc8f0 (patch) | |
tree | 675df833182fbf4909a8a99a5d18c12ebad317da /src/libstore/build/local-derivation-goal.cc | |
parent | f8617f9dc65096ee1e83fe3d100cc252e9f94bf6 (diff) | |
parent | 045ee374387cb8fd9b1d83b14574c6d92694063d (diff) |
Merge "libstore/local-derivation-goal: prohibit creating setuid/setgid binaries" into main
Diffstat (limited to 'src/libstore/build/local-derivation-goal.cc')
-rw-r--r-- | src/libstore/build/local-derivation-goal.cc | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index 03e33a46d..4278fab85 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -35,6 +35,7 @@
 /* Includes required for chroot support. */
 #if __linux__
 #include <sys/ioctl.h>
+#include "linux/fchmodat2-compat.hh"
 #include <net/if.h>
 #include <netinet/ip.h>
 #include <sys/mman.h>
@@ -1664,6 +1665,10 @@ void setupSeccomp()
 if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(fchmodat), 1,
 SCMP_A2(SCMP_CMP_MASKED_EQ, (scmp_datum_t) perm, (scmp_datum_t) perm)) != 0)
 throw SysError("unable to add seccomp rule");
+
+ if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), NIX_SYSCALL_FCHMODAT2, 1,
+ SCMP_A2(SCMP_CMP_MASKED_EQ, (scmp_datum_t) perm, (scmp_datum_t) perm)) != 0)
+ throw SysError("unable to add seccomp rule");
 }
 
 /* Prevent builders from creating EAs or ACLs. Not all filesystems |
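Review bot: The added rule in `setupSeccomp()` passes `NIX_SYSCALL_FCHMODAT2` where the rule just above it uses `SCMP_SYS(fchmodat)`, and nothing at the call site says why the two differ or that `SCMP_A2` is still the mode argument for the new syscall. A short comment above the new `seccomp_rule_add` would help whoever extends this list next, for example `/* fchmodat2 (Linux 6.6+): mode is arg 2, as for fchmodat; the number comes from fchmodat2-compat.hh, presumably because older libseccomp has no name for it. */`. Both visible rules also throw the identical `"unable to add seccomp rule"`, so a failure on this one cannot be told apart from the others; naming the syscall, e.g. `throw SysError("unable to add seccomp rule for fchmodat2");`, would make it diagnosable. `perm` and the rest of the function are defined outside the hunk, so it cannot be confirmed from here whether the filter defaults to allow, which would mean every future chmod-family syscall stays unfiltered until it is listed here.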