Diffstat (limited to 'src/libstore')
-rw-r--r--src/libstore/globals.hh9
-rw-r--r--src/libstore/local-store.cc4
2 files changed, 10 insertions, 3 deletions
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index a50eb6803..2f9e8c6e8 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -797,6 +797,15 @@ public:
may be useful in certain scenarios (e.g. to spin up containers or
set up userspace network interfaces in tests).
)"};
+
+ Setting<StringSet> ignoredAcls{
+ this, {"security.selinux"}, "ignored-acls",
+ R"(
+ A list of ACLs that should be ignored, normally Nix attempts to
+ remove all ACLs from files and directories in the Nix store, but
+ some ACLs like `security.selinux` or `system.nfs4_acl` can't be
+ removed even by root. Therefore it's best to just ignore them.
+ )"};
#endif
Setting<Strings> hashedMirrors{
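Review bot: The docstring for `ignoredAcls` should state what listing an entry does in practice: the name is compared exactly against each extended-attribute name during canonicalisation (local-store.cc, `settings.ignoredAcls.get().count(eaName)`), and a matching attribute is left on the store path instead of being stripped, so a permission-bearing attribute such as `system.posix_acl_access` placed in this list would let ACL grants survive on paths whose mode bits are otherwise normalised. The text also calls the entries "ACLs", but `security.selinux` and `system.nfs4_acl` are extended-attribute names, which is what the comparison operates on. I would append to the description: `Entries are matched exactly against extended-attribute names. Anything listed here stays on the store path, so only list attributes that cannot be removed, never ones that confer permissions (e.g. system.posix_acl_access).` The `#endif` on the following context line suggests the setting is inside a platform-conditional block; if so, the description should name the platform it applies to.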
diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc
index 3a1688272..79011b522 100644
--- a/src/libstore/local-store.cc
+++ b/src/libstore/local-store.cc
@@ -590,9 +590,7 @@ static void canonicalisePathMetaData_(const Path & path, uid_t fromUid, InodesSe
throw SysError("querying extended attributes of '%s'", path);
for (auto & eaName: tokenizeString<Strings>(std::string(eaBuf.data(), eaSize), std::string("\000", 1))) {
- /* Ignore SELinux security labels since these cannot be
- removed even by root. */
- if (eaName == "security.selinux") continue;
+ if (settings.ignoredAcls.get().count(eaName)) continue;
if (lremovexattr(path.c_str(), eaName.c_str()) == -1)
throw SysError("removing extended attribute '%s' from '%s'", eaName, path);
}