Add option to disable the seccomp filter

I needed this to test ACL/xattr removal in
canonicalisePathMetaData(). Might also be useful if you need to build
old Nixpkgs that doesn't have the required patches to remove
setuid/setgid creation.

2 files changed, 8 insertions, 0 deletions

diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index 3b3cebfb18f1..64cbc19bd96f 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -2351,6 +2351,8 @@ void DerivationGoal::doExportReferencesGraph()
 void setupSeccomp()
 {
 #if __linux__
+    if (!settings.filterSyscalls) return;
+
     scmp_filter_ctx ctx;
 
     if (!(ctx = seccomp_init(SCMP_ACT_ALLOW)))
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index 41d3323117b4..264e82a16e20 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -336,6 +336,12 @@ public:
         "String appended to the user agent in HTTP requests."};
 
 #if __linux__
+    Setting<bool> filterSyscalls{this, true, "filter-syscalls",
+            "Whether to prevent certain dangerous system calls, such as "
+            "creation of setuid/setgid files or adding ACLs or extended "
+            "attributes. Only disable this if you're aware of the "
+            "security implications."};
+
     Setting<bool> allowNewPrivileges{this, false, "allow-new-privileges",
         "Whether builders can acquire new privileges by calling programs with "
         "setuid/setgid bits or with file capabilities."};