authorK900 <me@0upti.me>2024-04-14 16:41:06 +0300
committerK900 <me@0upti.me>2024-04-15 10:25:29 +0300
commiteffc28f6f5621cf0c32716f2137f9aee7567aa48 (patch)
treefe889bc617882fe55bfcb159c5241cbada149e80 /src/libstore/build
parent8d15e6af4b7446b8f542edfee8da035c97bdbbca (diff)
libstore/build: set NO_NEW_PRIVS for the sandbox
Change-Id: I711f64e2b68495ed9c85c1a4bd5025405805e43a
Diffstat (limited to 'src/libstore/build')
-rw-r--r--src/libstore/build/local-derivation-goal.cc5
1 files changed, 5 insertions, 0 deletions
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index 193fc598e..35e7ce907 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -41,6 +41,7 @@
#include <sched.h>
#include <sys/param.h>
#include <sys/mount.h>
+#include <sys/prctl.h>
#include <sys/syscall.h>
#if HAVE_SECCOMP
#include <seccomp.h>
@@ -1949,6 +1950,10 @@ void LocalDerivationGoal::runChild()
throw SysError("setuid failed");
setUser = false;
+
+ // Make sure we can't possibly gain new privileges in the sandbox
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
+ throw SysError("PR_SET_NO_NEW_PRIVS failed");
}
#endif
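Review bot: The prctl(PR_SET_NO_NEW_PRIVS) call on the `+` lines is placed inside the block closed by the `}` and `#endif` at the end of the hunk, which from the surrounding `setuid`/`setUser = false` context appears to be the sandbox uid-switch path only; if that reading is right, build children that do not take this path never get the flag, which matches the commit title but should be stated so a reader does not assume every build child is covered. Suggest extending the comment to `// Make sure we can't possibly gain new privileges in the sandbox. Applies only to this (sandboxed) path; the flag is inherited across fork/execve and cannot be cleared by the child.` with the scope claim confirmed against the enclosing block. The `<sys/prctl.h>` include in the first hunk is Linux-specific; if the neighbouring `<sys/mount.h>`/`<sys/syscall.h>` includes are already under a Linux-only guard this is fine, otherwise it needs the same guard as the call site. runChild() begins and ends outside this hunk.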