diff options
| -rw-r--r-- | doc/manual/command-ref/conf-file.xml | 17 | ||||
| -rw-r--r-- | src/libstore/build.cc | 3 | ||||
| -rw-r--r-- | src/libstore/globals.hh | 6 |
3 files changed, 26 insertions, 0 deletions
diff --git a/doc/manual/command-ref/conf-file.xml b/doc/manual/command-ref/conf-file.xml index 616983bc7f0e..cde32b35f5b4 100644 --- a/doc/manual/command-ref/conf-file.xml +++ b/doc/manual/command-ref/conf-file.xml @@ -643,6 +643,23 @@ password <replaceable>my-password</replaceable> </varlistentry> + <varlistentry xml:id="conf-allow-new-privileges"><term><literal>allow-new-privileges</literal></term> + + <listitem><para>(Linux-specific.) By default, builders on Linux + cannot acquire new privileges by calling setuid/setgid programs or + programs that have file capabilities. For example, programs such + as <command>sudo</command> or <command>ping</command> will + fail. (Note that in sandbox builds, no such programs are available + unless you bind-mount them into the sandbox via the + <option>build-sandbox-paths</option> option.) You can allow the + use of such programs by enabling this option. This is impure and + usually undesirable, but may be useful in certain scenarios + (e.g. to spin up containers or set up userspace network interfaces + in tests).</para></listitem> + + </varlistentry> + + </variablelist> </para> diff --git a/src/libstore/build.cc b/src/libstore/build.cc index f40a8c5498ee..355fb3b7dfe5 100644 --- a/src/libstore/build.cc +++ b/src/libstore/build.cc @@ -2340,6 +2340,9 @@ void setupSeccomp() seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOTSUP), SCMP_SYS(fsetxattr), 0) != 0) throw SysError("unable to add seccomp rule"); + if (seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, settings.allowNewPrivileges ? 0 : 1) != 0) + throw SysError("unable to set 'no new privileges' seccomp attribute"); + if (seccomp_load(ctx) != 0) throw SysError("unable to load seccomp BPF program"); #endif diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh index af37ec61d7a1..c8d67b07110b 100644 --- a/src/libstore/globals.hh +++ b/src/libstore/globals.hh @@ -321,6 +321,12 @@ public: Setting<std::string> userAgentSuffix{this, "", "user-agent-suffix", "String appended to the user agent in HTTP requests."}; + +#if __linux__ + Setting<bool> allowNewPrivileges{this, false, "allow-new-privileges", + "Whether builders can acquire new privileges by calling programs with " + "setuid/setgid bits or with file capabilities."}; +#endif }; |