aboutsummaryrefslogtreecommitdiff
path: root/src/libstore/build/local-derivation-goal.cc
diff options
context:
space:
mode:
authorMaximilian Bosch <maximilian@mbosch.me>2024-05-04 07:26:15 +0000
committerGerrit Code Review <gerrit@lix>2024-05-04 07:26:15 +0000
commit79d0ae667066b758fd4202cd18294a0f40ddc8f0 (patch)
tree675df833182fbf4909a8a99a5d18c12ebad317da /src/libstore/build/local-derivation-goal.cc
parentf8617f9dc65096ee1e83fe3d100cc252e9f94bf6 (diff)
parent045ee374387cb8fd9b1d83b14574c6d92694063d (diff)
Merge "libstore/local-derivation-goal: prohibit creating setuid/setgid binaries" into main
Diffstat (limited to 'src/libstore/build/local-derivation-goal.cc')
-rw-r--r--src/libstore/build/local-derivation-goal.cc5
1 files changed, 5 insertions, 0 deletions
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index 03e33a46d..4278fab85 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -35,6 +35,7 @@
/* Includes required for chroot support. */
#if __linux__
#include <sys/ioctl.h>
+#include "linux/fchmodat2-compat.hh"
#include <net/if.h>
#include <netinet/ip.h>
#include <sys/mman.h>
@@ -1664,6 +1665,10 @@ void setupSeccomp()
if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(fchmodat), 1,
SCMP_A2(SCMP_CMP_MASKED_EQ, (scmp_datum_t) perm, (scmp_datum_t) perm)) != 0)
throw SysError("unable to add seccomp rule");
+
+ if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), NIX_SYSCALL_FCHMODAT2, 1,
+ SCMP_A2(SCMP_CMP_MASKED_EQ, (scmp_datum_t) perm, (scmp_datum_t) perm)) != 0)
+ throw SysError("unable to add seccomp rule");
}
/* Prevent builders from creating EAs or ACLs. Not all filesystems