authorEelco Dolstra <eelco.dolstra@logicblox.com>2018-02-19T16·39+0100
committerGitHub <noreply@github.com>2018-02-19T16·39+0100
commit623fcb071e1440a995d8ebcd769d67a45a439711 (patch)
tree78799c142db526e942a0e99268675e8d76c1fc85
parente1eb63a5860dd7efaf66c3ec83006c58f87bf3cb (diff)
parente59a8a63e10992834a48e2b43c854c2e4f990dbe (diff)
Merge pull request #1882 from shlevy/no-seccomp-no-filterSyscalls
Don't silently succeed seccomp setup when !HAVE_SECCOMP.
-rw-r--r--src/libstore/build.cc9
1 files changed, 7 insertions, 2 deletions
diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index 9b7abaa3d1ee..30f22833fa70 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -2471,9 +2471,9 @@ void DerivationGoal::chownToBuilder(const Path & path)
 
 void setupSeccomp()
 {
-#if __linux__ && HAVE_SECCOMP
+#if __linux__
     if (!settings.filterSyscalls) return;
-
+#if HAVE_SECCOMP
     scmp_filter_ctx ctx;
 
     if (!(ctx = seccomp_init(SCMP_ACT_ALLOW)))
@@ -2519,6 +2519,11 @@ void setupSeccomp()
 
     if (seccomp_load(ctx) != 0)
         throw SysError("unable to load seccomp BPF program");
+#else
+    throw Error("%s\n%s",
+        "seccomp is not supported on this platform"
+        "you can avoid this by setting the filter-syscalls option to false, but note that untrusted builds can then create setuid binaries!");
+#endif
 #endif
 }
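Review bot: The two string literals in the added `throw Error("%s\n%s", ...)` have no comma between them, so the compiler joins them into a single argument. The text then reads "...on this platformyou can avoid..." and the second `%s` has nothing to bind to. Depending on how Error's formatter handles a missing argument (not visible in this hunk), this may raise a formatting exception instead of the intended message, which would hide the setuid warning from the operator. Add the separator: `"seccomp is not supported on this platform",`. Since this branch is reached on Linux whenever HAVE_SECCOMP is unset, wording such as "this build of Nix was compiled without seccomp support" would describe the cause more accurately.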