authorMaximilian Bosch <maximilian@mbosch.me>2024-05-04 07:26:15 +0000
committerGerrit Code Review <gerrit@lix>2024-05-04 07:26:15 +0000
commit79d0ae667066b758fd4202cd18294a0f40ddc8f0 (patch)
tree675df833182fbf4909a8a99a5d18c12ebad317da /src/libstore/build
parentf8617f9dc65096ee1e83fe3d100cc252e9f94bf6 (diff)
parent045ee374387cb8fd9b1d83b14574c6d92694063d (diff)
Merge "libstore/local-derivation-goal: prohibit creating setuid/setgid binaries" into main
Diffstat (limited to 'src/libstore/build')
-rw-r--r--src/libstore/build/local-derivation-goal.cc5
1 files changed, 5 insertions, 0 deletions
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index 03e33a46d..4278fab85 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -35,6 +35,7 @@
/* Includes required for chroot support. */
#if __linux__
#include <sys/ioctl.h>
+#include "linux/fchmodat2-compat.hh"
#include <net/if.h>
#include <netinet/ip.h>
#include <sys/mman.h>
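Review bot: The project header `"linux/fchmodat2-compat.hh"` is placed between the `<sys/ioctl.h>` and `<net/if.h>` system includes inside the `#if __linux__` block; grouping it after the system headers (or with the file's other `"..."` includes) would match the usual ordering and make it easier to find. A one-line comment next to it would also help, e.g. `// supplies NIX_SYSCALL_FCHMODAT2 for libseccomp builds that predate fchmodat2` — presumably that is what the header does, but it is not visible here, so confirm the wording against the header.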
@@ -1664,6 +1665,10 @@ void setupSeccomp()
if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(fchmodat), 1,
SCMP_A2(SCMP_CMP_MASKED_EQ, (scmp_datum_t) perm, (scmp_datum_t) perm)) != 0)
throw SysError("unable to add seccomp rule");
+
+ if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), NIX_SYSCALL_FCHMODAT2, 1,
+ SCMP_A2(SCMP_CMP_MASKED_EQ, (scmp_datum_t) perm, (scmp_datum_t) perm)) != 0)
+ throw SysError("unable to add seccomp rule");
}
/* Prevent builders from creating EAs or ACLs. Not all filesystems
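Review bot: The new fchmodat2 rule at the end of the hunk reuses the exact message `throw SysError("unable to add seccomp rule");` that the fchmodat rule above it throws, so a failure cannot be attributed to the newer syscall, which is the one most likely to be unknown to an older libseccomp; suggest `throw SysError("unable to add seccomp rule for fchmodat2");`. A short comment before the call would document the rationale, e.g. `// fchmodat2 is a separate syscall from fchmodat, so it needs its own rule or the setuid/setgid restriction could be bypassed through it`. If `NIX_SYSCALL_FCHMODAT2` resolves to a raw syscall number on libseccomp versions that do not know fchmodat2 (the compat header is not visible here), confirm the rule is applied for every architecture this filter registers, since a raw number may not be translated per architecture the way a `SCMP_SYS()` name is. The block that defines `perm` (closed by the `}` near the end of the hunk) and the enclosing `setupSeccomp()` both begin outside the hunk.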