From f047e4357b4f7ad66c2e476506bf35cab82e441e Mon Sep 17 00:00:00 2001
From: Alois Wohlschlager
Date: Wed, 8 May 2024 19:15:00 +0200
Subject: libstore/build: always enable seccomp filtering and no-new-privileges

Seccomp filtering and the no-new-privileges functionality improve the security of the sandbox, and have been enabled by default for a long time. In https://git.lix.systems/lix-project/lix/issues/265 it was decided that they should be enabled unconditionally. Accordingly, remove the allow-new-privileges (which had weird behavior anyway) and filter-syscall settings, and force the security features on. Syscall filtering can still be enabled at build time to support building on architectures libseccomp doesn't support.

Change-Id: Iedbfa18d720ae557dee07a24f69b2520f30119cb
---
 meson.build | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'meson.build')

diff --git a/meson.build b/meson.build
index 0d59ff751..16cf80cf4 100644
--- a/meson.build
+++ b/meson.build
@@ -182,6 +182,9 @@ deps += cpuid
 # seccomp only makes sense on Linux
 seccomp_required = is_linux ? get_option('seccomp-sandboxing') : false
 seccomp = dependency('libseccomp', 'seccomp', required : seccomp_required, version : '>=2.5.5')
+if is_linux and not seccomp.found()
+ warning('Sandbox security is reduced because libseccomp has not been found! Please provide libseccomp if it supports your CPU architecture.')
+endif
 configdata += {
 'HAVE_SECCOMP': seccomp.found().to_int(),
 }
--
cgit v1.2.3
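Review bot: The new `warning()` states the consequence but not the build option that governs it, so a packager reading configure output cannot tell whether the reduced sandbox was a deliberate choice or how to make libseccomp mandatory; since the preceding context line already gates the hard requirement on `get_option('seccomp-sandboxing')`, the message should name that option, e.g. `warning('Sandbox security is reduced because libseccomp has not been found! Please provide libseccomp if it supports your CPU architecture, or enable the seccomp-sandboxing option to make it mandatory.')`. The diagnostic is also emitted only at configure time, and from this hunk alone it is not visible whether a build that ends up with `HAVE_SECCOMP` set to 0 reports that again at runtime; a comment above the `if`, such as `# Configure-time notice only; keep in sync with whatever the daemon reports when built without seccomp`, would remind the next maintainer to check both places. The description's phrase that syscall filtering "can still be enabled at build time" reads as a slip given that this option controls whether libseccomp is required, i.e. whether filtering can be disabled; worth rewording before merge.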