diff options
Diffstat (limited to 'src/libstore')
-rw-r--r-- | src/libstore/globals.hh | 9 | ||||
-rw-r--r-- | src/libstore/local-store.cc | 4 |
2 files changed, 10 insertions, 3 deletions
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh index a50eb6803..2f9e8c6e8 100644 --- a/src/libstore/globals.hh +++ b/src/libstore/globals.hh @@ -797,6 +797,15 @@ public: may be useful in certain scenarios (e.g. to spin up containers or set up userspace network interfaces in tests). )"}; + + Setting<StringSet> ignoredAcls{ + this, {"security.selinux"}, "ignored-acls", + R"( + A list of ACLs that should be ignored, normally Nix attempts to + remove all ACLs from files and directories in the Nix store, but + some ACLs like `security.selinux` or `system.nfs4_acl` can't be + removed even by root. Therefore it's best to just ignore them. + )"}; #endif Setting<Strings> hashedMirrors{ diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc index 3a1688272..79011b522 100644 --- a/src/libstore/local-store.cc +++ b/src/libstore/local-store.cc @@ -590,9 +590,7 @@ static void canonicalisePathMetaData_(const Path & path, uid_t fromUid, InodesSe throw SysError("querying extended attributes of '%s'", path); for (auto & eaName: tokenizeString<Strings>(std::string(eaBuf.data(), eaSize), std::string("\000", 1))) { - /* Ignore SELinux security labels since these cannot be - removed even by root. */ - if (eaName == "security.selinux") continue; + if (settings.ignoredAcls.get().count(eaName)) continue; if (lremovexattr(path.c_str(), eaName.c_str()) == -1) throw SysError("removing extended attribute '%s' from '%s'", eaName, path); } |