author | Ilya K <me@0upti.me> | 2024-04-16 05:33:41 +0000 |
---|---|---|
committer | Gerrit Code Review <gerrit@lix> | 2024-04-16 05:33:41 +0000 |
commit | 6d79aa3d70a65b9eba2982325a8b6d149cbef453 (patch) | |
tree | 093f2cbdcc8afd6b90dcccace34ca73e150ee784 /src | |
parent | a41abb4594d951339d3b4346251ddbc5364c0a04 (diff) | |
parent | effc28f6f5621cf0c32716f2137f9aee7567aa48 (diff) |
Merge "libstore/build: set NO_NEW_PRIVS for the sandbox" into main
Diffstat (limited to 'src')
-rw-r--r-- | src/libstore/build/local-derivation-goal.cc | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index 193fc598e..35e7ce907 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -41,6 +41,7 @@
 #include <sched.h>
 #include <sys/param.h>
 #include <sys/mount.h>
+#include <sys/prctl.h>
 #include <sys/syscall.h>
 #if HAVE_SECCOMP
 #include <seccomp.h>
@@ -1949,6 +1950,10 @@ void LocalDerivationGoal::runChild()
 throw SysError("setuid failed");
 setUser = false;
+
+ // Make sure we can't possibly gain new privileges in the sandbox
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
+ throw SysError("PR_SET_NO_NEW_PRIVS failed");
 }
 #endif |
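Review bot: The PR_SET_NO_NEW_PRIVS call is placed inside the block that closes with `}` just before `#endif` (the one that does `setuid` and clears `setUser`), so only child processes that take that branch get the no-new-privs guarantee; the block's opening condition is outside the hunk, but if runChild has another path that switches uid without entering it, that path is left uncovered. Consider moving the prctl out of the conditional so it runs unconditionally right before the exec, e.g. `// Last step before exec: no setuid/setgid or fscaps binary may raise privileges` followed by the same `if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) throw SysError("PR_SET_NO_NEW_PRIVS failed");`. The hard failure on -1 fails closed, which is the right choice for a sandbox, but the comment should say so since kernels that predate PR_SET_NO_NEW_PRIVS will now refuse to build rather than silently run without it, e.g. `// Requires Linux >= 3.5; a kernel without it is treated as a hard error on purpose`. Presumably the seccomp filter loaded under HAVE_SECCOMP (first hunk) already set this flag on most builds, so a short comment noting that the explicit call is there to cover non-seccomp builds would help the next reader. The enclosing function runChild starts and ends outside the hunk.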