From f047e4357b4f7ad66c2e476506bf35cab82e441e Mon Sep 17 00:00:00 2001
From: Alois Wohlschlager
Date: Wed, 8 May 2024 19:15:00 +0200
Subject: libstore/build: always enable seccomp filtering and no-new-privileges

Seccomp filtering and the no-new-privileges functionality improve the security of the sandbox, and have been enabled by default for a long time. In https://git.lix.systems/lix-project/lix/issues/265 it was decided that they should be enabled unconditionally. Accordingly, remove the allow-new-privileges (which had weird behavior anyway) and filter-syscall settings, and force the security features on. Syscall filtering can still be enabled at build time to support building on architectures libseccomp doesn't support.

Change-Id: Iedbfa18d720ae557dee07a24f69b2520f30119cb
---
src/libstore/linux/fchmodat2-compat.hh | 28 +++++++++++++---------------
1 file changed, 13 insertions(+), 15 deletions(-)
(limited to 'src/libstore/linux/fchmodat2-compat.hh')
diff --git a/src/libstore/linux/fchmodat2-compat.hh b/src/libstore/linux/fchmodat2-compat.hh
index b05da6786..6ad8a5578 100644
--- a/src/libstore/linux/fchmodat2-compat.hh
+++ b/src/libstore/linux/fchmodat2-compat.hh
@@ -20,18 +20,16 @@
 #pragma once
 ///@file
-#if HAVE_SECCOMP
-# if defined(__alpha__)
-# define NIX_SYSCALL_FCHMODAT2 562
-# elif defined(__x86_64__) && SIZE_MAX == 0xFFFFFFFF // x32
-# define NIX_SYSCALL_FCHMODAT2 1073742276
-# elif defined(__mips__) && defined(__mips64) && defined(_ABIN64) // mips64/n64
-# define NIX_SYSCALL_FCHMODAT2 5452
-# elif defined(__mips__) && defined(__mips64) && defined(_ABIN32) // mips64/n32
-# define NIX_SYSCALL_FCHMODAT2 6452
-# elif defined(__mips__) && defined(_ABIO32) // mips32
-# define NIX_SYSCALL_FCHMODAT2 4452
-# else
-# define NIX_SYSCALL_FCHMODAT2 452
-# endif
-#endif // HAVE_SECCOMP
+#if defined(__alpha__)
+# define NIX_SYSCALL_FCHMODAT2 562
+#elif defined(__x86_64__) && SIZE_MAX == 0xFFFFFFFF // x32
+# define NIX_SYSCALL_FCHMODAT2 1073742276
+#elif defined(__mips__) && defined(__mips64) && defined(_ABIN64) // mips64/n64
+# define NIX_SYSCALL_FCHMODAT2 5452
+#elif defined(__mips__) && defined(__mips64) && defined(_ABIN32) // mips64/n32
+# define NIX_SYSCALL_FCHMODAT2 6452
+#elif defined(__mips__) && defined(_ABIO32) // mips32
+# define NIX_SYSCALL_FCHMODAT2 4452
+#else
+# define NIX_SYSCALL_FCHMODAT2 452
+#endif
-- 
cgit v1.2.3
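Review bot: The x32 branch, `#elif defined(__x86_64__) && SIZE_MAX == 0xFFFFFFFF`, only works if `SIZE_MAX` is already a macro when this header is included, and no include is visible between `#pragma once` and the conditional. If it is undefined, the preprocessor evaluates it as 0 and skips the branch without a diagnostic, so an x32 build falls through to 452 and any seccomp rule built from `NIX_SYSCALL_FCHMODAT2` would name the wrong syscall. With the `HAVE_SECCOMP` guard gone and filtering forced on, consider adding `#include <cstdint>` directly above the conditional, or testing the compiler's own macro with `#elif defined(__x86_64__) && defined(__ILP32__) // x32`. Lines above 20 are outside the hunk, so an include there would already cover this.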