aboutsummaryrefslogtreecommitdiff
path: root/src/libstore
diff options
context:
space:
mode:
authorEelco Dolstra <edolstra@gmail.com>2017-10-12 18:21:55 +0200
committerEelco Dolstra <edolstra@gmail.com>2017-10-12 18:21:55 +0200
commit1dd29d7aebae706f3e90a18bbfae727f2ed03c70 (patch)
tree9b8dc1516d14b4637dfc65a70989c53aa7de36dc /src/libstore
parent97307811ee478c30472539a477981d24ec0971de (diff)
Add option to disable the seccomp filter
I needed this to test ACL/xattr removal in canonicalisePathMetaData(). Might also be useful if you need to build old Nixpkgs that doesn't have the required patches to remove setuid/setgid creation.
Diffstat (limited to 'src/libstore')
-rw-r--r--src/libstore/build.cc2
-rw-r--r--src/libstore/globals.hh6
2 files changed, 8 insertions, 0 deletions
diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index 3b3cebfb1..64cbc19bd 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -2351,6 +2351,8 @@ void DerivationGoal::doExportReferencesGraph()
void setupSeccomp()
{
#if __linux__
+ if (!settings.filterSyscalls) return;
+
scmp_filter_ctx ctx;
if (!(ctx = seccomp_init(SCMP_ACT_ALLOW)))
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index 41d332311..264e82a16 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -336,6 +336,12 @@ public:
"String appended to the user agent in HTTP requests."};
#if __linux__
+ Setting<bool> filterSyscalls{this, true, "filter-syscalls",
+ "Whether to prevent certain dangerous system calls, such as "
+ "creation of setuid/setgid files or adding ACLs or extended "
+ "attributes. Only disable this if you're aware of the "
+ "security implications."};
+
Setting<bool> allowNewPrivileges{this, false, "allow-new-privileges",
"Whether builders can acquire new privileges by calling programs with "
"setuid/setgid bits or with file capabilities."};