diff options
author | Eelco Dolstra <edolstra@gmail.com> | 2017-10-12T16·21+0200 |
---|---|---|
committer | Eelco Dolstra <edolstra@gmail.com> | 2017-10-12T16·21+0200 |
commit | 1dd29d7aebae706f3e90a18bbfae727f2ed03c70 (patch) | |
tree | 9b8dc1516d14b4637dfc65a70989c53aa7de36dc /src | |
parent | 97307811ee478c30472539a477981d24ec0971de (diff) |
Add option to disable the seccomp filter
I needed this to test ACL/xattr removal in canonicalisePathMetaData(). Might also be useful if you need to build old Nixpkgs that doesn't have the required patches to remove setuid/setgid creation.
Diffstat (limited to 'src')
-rw-r--r-- | src/libstore/build.cc | 2 | ||||
-rw-r--r-- | src/libstore/globals.hh | 6 |
2 files changed, 8 insertions, 0 deletions
diff --git a/src/libstore/build.cc b/src/libstore/build.cc index 3b3cebfb18f1..64cbc19bd96f 100644 --- a/src/libstore/build.cc +++ b/src/libstore/build.cc @@ -2351,6 +2351,8 @@ void DerivationGoal::doExportReferencesGraph() void setupSeccomp() { #if __linux__ + if (!settings.filterSyscalls) return; + scmp_filter_ctx ctx; if (!(ctx = seccomp_init(SCMP_ACT_ALLOW))) diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh index 41d3323117b4..264e82a16e20 100644 --- a/src/libstore/globals.hh +++ b/src/libstore/globals.hh @@ -336,6 +336,12 @@ public: "String appended to the user agent in HTTP requests."}; #if __linux__ + Setting<bool> filterSyscalls{this, true, "filter-syscalls", + "Whether to prevent certain dangerous system calls, such as " + "creation of setuid/setgid files or adding ACLs or extended " + "attributes. Only disable this if you're aware of the " + "security implications."}; + Setting<bool> allowNewPrivileges{this, false, "allow-new-privileges", "Whether builders can acquire new privileges by calling programs with " "setuid/setgid bits or with file capabilities."}; |