authoraszlig <aszlig@redmoonstudios.org>2016-11-16T11·30+0100
committeraszlig <aszlig@redmoonstudios.org>2016-11-16T15·48+0100
commit1c52e344c48e9cb8cf2b332201d5c96c06e4cf3e (patch)
tree2ad9578b76f342111e27d8cf6fb923fcdeeef62e
parente8838713df29d94529ea4d7865180e936393340b (diff)
Add build dependency for libseccomp
We're going to use libseccomp instead of creating the raw BPF program,
because we have different syscall numbers on different architectures.

Although our initial seccomp rules will be quite small it really doesn't
make sense to generate the raw BPF program because we need to duplicate
it and/or make branches on every single architecture we want to support.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
-rw-r--r--Makefile.config.in1
-rw-r--r--configure.ac9
-rw-r--r--release.nix3
-rw-r--r--src/libstore/local.mk4
4 files changed, 16 insertions, 1 deletions
diff --git a/Makefile.config.in b/Makefile.config.in
index 2db7172b15..57f1f3e778 100644
--- a/Makefile.config.in
+++ b/Makefile.config.in
@@ -10,6 +10,7 @@ OPENSSL_LIBS = @OPENSSL_LIBS@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 SODIUM_LIBS = @SODIUM_LIBS@
+LIBSECCOMP_LIBS = @LIBSECCOMP_LIBS@
 LIBLZMA_LIBS = @LIBLZMA_LIBS@
 SQLITE3_LIBS = @SQLITE3_LIBS@
 bash = @bash@
diff --git a/configure.ac b/configure.ac
index 91ed9947ab..1a5ad660ab 100644
--- a/configure.ac
+++ b/configure.ac
@@ -194,6 +194,15 @@ AC_SUBST(HAVE_SODIUM, [$have_sodium])
 PKG_CHECK_MODULES([LIBLZMA], [liblzma], [CXXFLAGS="$LIBLZMA_CFLAGS $CXXFLAGS"])
 
 
+# Look for libseccomp, required for Linux sandboxing.
+if test "$sys_name" = linux; then
+  PKG_CHECK_MODULES([LIBSECCOMP], [libseccomp],
+                    [CXXFLAGS="$LIBSECCOMP_CFLAGS $CXXFLAGS"])
+#  AC_CHECK_LIB([seccomp], [seccomp_init], [true],
+#    [AC_MSG_ERROR([Nix requires libseccomp for sandboxing.  See https://github.com/seccomp/libseccomp.])])
+fi
+
+
 # Look for aws-cpp-sdk-s3.
 AC_LANG_PUSH(C++)
 AC_CHECK_HEADERS([aws/s3/S3Client.h],
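Review bot: The two commented-out `AC_CHECK_LIB` lines at the end of the new Linux branch are dead code, and they hold the only message that explains why libseccomp is needed. `PKG_CHECK_MODULES` with no not-found action already aborts configure when the module is missing, which is the right fail-closed behaviour for a sandboxing dependency, but the user sees only the generic pkg-config error. I would delete the two comment lines and pass the message as the fourth argument instead: `[AC_MSG_ERROR([Nix requires libseccomp for sandboxing.  See https://github.com/seccomp/libseccomp.])]`. This branch is gated on `"$sys_name" = linux` while the link flag in src/libstore/local.mk is gated on `$(OS)`; a one-line comment confirming that the two always agree (cross builds included) would help.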
diff --git a/release.nix b/release.nix
index 6b16bc718a..fbed401df0 100644
--- a/release.nix
+++ b/release.nix
@@ -25,7 +25,7 @@ let
 
         buildInputs =
           [ curl bison flex perl libxml2 libxslt bzip2 xz
-            pkgconfig sqlite libsodium boehmgc
+            pkgconfig sqlite libsodium libseccomp boehmgc
             docbook5 docbook5_xsl
             autoconf-archive
           ] ++ lib.optional (!lib.inNixShell) git;
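Review bot: `libseccomp` is added unconditionally to the `buildInputs` list in this hunk, while the hunk at `@@ -75,6 +75,7 @@` guards it with `lib.optional stdenv.isLinux`. If this derivation can be evaluated for a non-Linux system, the Linux-only package would presumably break evaluation; if it is Linux-only by construction, a short comment such as `# tarball job runs on Linux only` would make that explicit. In the second hunk the two adjacent guards could be merged into `++ lib.optionals stdenv.isLinux [ libsodium libseccomp ]`. Both attribute sets start and end outside the hunks.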
@@ -75,6 +75,7 @@ let
         buildInputs =
           [ curl perl bzip2 xz openssl pkgconfig sqlite boehmgc ]
           ++ lib.optional stdenv.isLinux libsodium
+          ++ lib.optional stdenv.isLinux libseccomp
           ++ lib.optional stdenv.isLinux
             (aws-sdk-cpp.override {
               apis = ["s3"];
diff --git a/src/libstore/local.mk b/src/libstore/local.mk
index 9d5c04dca0..a8222025cf 100644
--- a/src/libstore/local.mk
+++ b/src/libstore/local.mk
@@ -18,6 +18,10 @@ ifeq ($(OS), SunOS)
 	libstore_LDFLAGS += -lsocket
 endif
 
+ifeq ($(OS), Linux)
+	libstore_LDFLAGS += -lseccomp
+endif
+
 libstore_CXXFLAGS = \
  -DNIX_PREFIX=\"$(prefix)\" \
  -DNIX_STORE_DIR=\"$(storedir)\" \
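Review bot: The added `libstore_LDFLAGS += -lseccomp` hard-codes the library name even though this commit also exports the pkg-config result as `LIBSECCOMP_LIBS` in Makefile.config.in, which nothing visible here uses. Linking with `libstore_LDFLAGS += $(LIBSECCOMP_LIBS)` would pick up a libseccomp installed under a non-default prefix and keep the link flags in step with the `LIBSECCOMP_CFLAGS` that configure.ac puts into `CXXFLAGS`. Since the variable should be empty wherever configure skipped the check, the `ifeq ($(OS), Linux)` guard could probably be dropped as well, which removes the risk of the Makefile and configure disagreeing about the platform.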