diff options
| author | Alois Wohlschlager <alois1@gmx-topmail.de> | 2024-05-08 19:15:00 +0200 |
|---|---|---|
| committer | alois31 <alois1@gmx-topmail.de> | 2024-05-24 21:19:29 +0000 |
| commit | f047e4357b4f7ad66c2e476506bf35cab82e441e (patch) | |
| tree | fcfc0bd4776ca73e19f5125aa9d7f778fc8b3fc7 /src/libstore/globals.hh | |
| parent | 19ea351642d48a49a2b41248cbbc4569aa16c0a9 (diff) | |
libstore/build: always enable seccomp filtering and no-new-privileges
Seccomp filtering and the no-new-privileges functionality improve the security
of the sandbox, and have been enabled by default for a long time. In
https://git.lix.systems/lix-project/lix/issues/265 it was decided that they
should be enabled unconditionally. Accordingly, remove the allow-new-privileges
(which had weird behavior anyway) and filter-syscall settings, and force the
security features on. Syscall filtering can still be enabled at build time to
support building on architectures libseccomp doesn't support.
Change-Id: Iedbfa18d720ae557dee07a24f69b2520f30119cb
Diffstat (limited to 'src/libstore/globals.hh')
| -rw-r--r-- | src/libstore/globals.hh | 23 |
1 files changed, 0 insertions, 23 deletions
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh index 8856d8fae..85789f6b5 100644 --- a/src/libstore/globals.hh +++ b/src/libstore/globals.hh @@ -912,29 +912,6 @@ public: )"}; #if __linux__ - Setting<bool> filterSyscalls{ - this, true, "filter-syscalls", - R"( - Whether to prevent certain dangerous system calls, such as - creation of setuid/setgid files or adding ACLs or extended - attributes. Only disable this if you're aware of the - security implications. - )"}; - - Setting<bool> allowNewPrivileges{ - this, false, "allow-new-privileges", - R"( - (Linux-specific.) By default, builders on Linux cannot acquire new - privileges by calling setuid/setgid programs or programs that have - file capabilities. For example, programs such as `sudo` or `ping` - will fail. (Note that in sandbox builds, no such programs are - available unless you bind-mount them into the sandbox via the - `sandbox-paths` option.) You can allow the use of such programs by - enabling this option. This is impure and usually undesirable, but - may be useful in certain scenarios (e.g. to spin up containers or - set up userspace network interfaces in tests). - )"}; - Setting<StringSet> ignoredAcls{ this, {"security.selinux", "system.nfs4_acl", "security.csm"}, "ignored-acls", R"( |