about summary refs log tree commit diff
path: root/src/libstore/globals.hh
diff options
context:
space:
mode:
authorEelco Dolstra <edolstra@gmail.com>2017-10-12T16·21+0200
committerEelco Dolstra <edolstra@gmail.com>2017-10-12T16·21+0200
commit1dd29d7aebae706f3e90a18bbfae727f2ed03c70 (patch)
tree9b8dc1516d14b4637dfc65a70989c53aa7de36dc /src/libstore/globals.hh
parent97307811ee478c30472539a477981d24ec0971de (diff)
Add option to disable the seccomp filter
I needed this to test ACL/xattr removal in
canonicalisePathMetaData(). Might also be useful if you need to build
old Nixpkgs that doesn't have the required patches to remove
setuid/setgid creation.
Diffstat (limited to 'src/libstore/globals.hh')
-rw-r--r--src/libstore/globals.hh6
1 files changed, 6 insertions, 0 deletions
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index 41d3323117b4..264e82a16e20 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -336,6 +336,12 @@ public:
         "String appended to the user agent in HTTP requests."};
 
 #if __linux__
+    Setting<bool> filterSyscalls{this, true, "filter-syscalls",
+            "Whether to prevent certain dangerous system calls, such as "
+            "creation of setuid/setgid files or adding ACLs or extended "
+            "attributes. Only disable this if you're aware of the "
+            "security implications."};
+
     Setting<bool> allowNewPrivileges{this, false, "allow-new-privileges",
         "Whether builders can acquire new privileges by calling programs with "
         "setuid/setgid bits or with file capabilities."};