libstore: add LocalDerivationGoal setupSyscallFilter hook

The seccomp setup code was a huge chunk of conditionally compiled platform-specific code. For this reason, it is appropriate to move it to the platform-specific implementation file. Ideally its setup could be moved a bit to make it happen at the same place as the Darwin restrictions, but that change is going to be less mechanical. Change-Id: I496aa3c4fabf34656aba1e32b0089044ab5b99f8
author: Alois Wohlschlager <alois1@gmx-topmail.de> 2024-08-06 16:38:32 +0200
committer: Alois Wohlschlager <alois1@gmx-topmail.de> 2024-08-06 18:27:09 +0200
commit: 741d3b441c479a07596aadf9a6ac8f90b115d363 (patch)
tree: 69d57ee91c738c7aae1f614e73cdd78b4b875cc0 /src/libstore/build/local-derivation-goal.hh
parent: f84997cbefb2f2dd99e48f0ad39f747ed83d69e9 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/src/libstore/build/local-derivation-goal.hh b/src/libstore/build/local-derivation-goal.hh
index 237417b42..e87f2c696 100644
--- a/src/libstore/build/local-derivation-goal.hh
+++ b/src/libstore/build/local-derivation-goal.hh
@@ -340,6 +340,12 @@ protected:
     virtual Pid startChild(std::function<void()> openSlave);
 
     /**
+     * Set up the system call filtering required for the sandbox.
+     * This currently only has an effect on Linux.
+     */
+    virtual void setupSyscallFilter() {}
+
+    /**
      * Execute the builder, replacing the current process.
      * Generally this means an `execve` call.
      */
author	Alois Wohlschlager <alois1@gmx-topmail.de>	2024-08-06 16:38:32 +0200
committer	Alois Wohlschlager <alois1@gmx-topmail.de>	2024-08-06 18:27:09 +0200
commit	741d3b441c479a07596aadf9a6ac8f90b115d363 (patch)
tree	69d57ee91c738c7aae1f614e73cdd78b4b875cc0 /src/libstore/build/local-derivation-goal.hh
parent	f84997cbefb2f2dd99e48f0ad39f747ed83d69e9 (diff)