diff options
author | Eelco Dolstra <edolstra@gmail.com> | 2021-12-10 14:49:25 +0100 |
---|---|---|
committer | Eelco Dolstra <edolstra@gmail.com> | 2021-12-10 14:49:25 +0100 |
commit | f9437b4f18d0a8e172b1002dd1a472129b95a5f5 (patch) | |
tree | 1620baa7ba9c6747da689c008453c42535e6409e /src | |
parent | c7b66caaca0833f0b88f3a93cbeaad73b4da1089 (diff) | |
parent | 8438114399ce025b6977215dbaedc05697a6d958 (diff) |
Merge branch 'master' of https://github.com/MagicRB/nix
Diffstat (limited to 'src')
-rw-r--r-- | src/libstore/globals.hh | 9 | ||||
-rw-r--r-- | src/libstore/local-store.cc | 4 |
2 files changed, 10 insertions, 3 deletions
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh index a50eb6803..2f9e8c6e8 100644 --- a/src/libstore/globals.hh +++ b/src/libstore/globals.hh @@ -797,6 +797,15 @@ public: may be useful in certain scenarios (e.g. to spin up containers or set up userspace network interfaces in tests). )"}; + + Setting<StringSet> ignoredAcls{ + this, {"security.selinux"}, "ignored-acls", + R"( + A list of ACLs that should be ignored, normally Nix attempts to + remove all ACLs from files and directories in the Nix store, but + some ACLs like `security.selinux` or `system.nfs4_acl` can't be + removed even by root. Therefore it's best to just ignore them. + )"}; #endif Setting<Strings> hashedMirrors{ diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc index 3a1688272..79011b522 100644 --- a/src/libstore/local-store.cc +++ b/src/libstore/local-store.cc @@ -590,9 +590,7 @@ static void canonicalisePathMetaData_(const Path & path, uid_t fromUid, InodesSe throw SysError("querying extended attributes of '%s'", path); for (auto & eaName: tokenizeString<Strings>(std::string(eaBuf.data(), eaSize), std::string("\000", 1))) { - /* Ignore SELinux security labels since these cannot be - removed even by root. */ - if (eaName == "security.selinux") continue; + if (settings.ignoredAcls.get().count(eaName)) continue; if (lremovexattr(path.c_str(), eaName.c_str()) == -1) throw SysError("removing extended attribute '%s' from '%s'", eaName, path); } |