From effc28f6f5621cf0c32716f2137f9aee7567aa48 Mon Sep 17 00:00:00 2001
From: K900
Date: Sun, 14 Apr 2024 16:41:06 +0300
Subject: libstore/build: set NO_NEW_PRIVS for the sandbox

Change-Id: I711f64e2b68495ed9c85c1a4bd5025405805e43a
---
 src/libstore/build/local-derivation-goal.cc | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'src/libstore/build/local-derivation-goal.cc')

diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index 193fc598e..35e7ce907 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -41,6 +41,7 @@
 #include
 #include
 #include
+#include
 #include
 #if HAVE_SECCOMP
 #include
@@ -1949,6 +1950,10 @@ void LocalDerivationGoal::runChild()
 throw SysError("setuid failed");
 setUser = false;
+
+ // Make sure we can't possibly gain new privileges in the sandbox
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
+ throw SysError("PR_SET_NO_NEW_PRIVS failed");
 }
 #endif
-- 
cgit v1.2.3
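Review bot: The new comment in the second hunk understates what the prctl does; it should say that the flag is irreversible and inherited across fork and execve, so it binds the builder and every process it spawns, and that setuid/setgid and file-capability binaries executed in the sandbox then run without elevated privileges. I would expand it to `// PR_SET_NO_NEW_PRIVS is inherited by all descendants and can never be cleared: setuid/fscaps binaries run inside the sandbox without privilege elevation.` The call sits inside a block whose opening is outside the hunk, directly before a closing brace and `#endif`, so it appears to apply only to the code path that performs the setuid just above it; if the non-sandboxed path is meant to stay without the flag, a one-line note saying so would stop a later reader from "fixing" that. runChild() itself starts and ends outside the hunk, so this is inferred from the visible context only.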