Add option to disable the seccomp filter
I needed this to test ACL/xattr removal in canonicalisePathMetaData(). Might also be useful if you need to build old Nixpkgs that doesn't have the required patches to remove setuid/setgid creation.
This commit is contained in:
Eelco Dolstra
parent
97307811ee
commit
1dd29d7aeb
2 changed files with 8 additions and 0 deletions
|
|
@ -2351,6 +2351,8 @@ void DerivationGoal::doExportReferencesGraph()
|
|||
void setupSeccomp()
|
||||
{
|
||||
#if __linux__
|
||||
if (!settings.filterSyscalls) return;
|
||||
|
||||
scmp_filter_ctx ctx;
|
||||
|
||||
if (!(ctx = seccomp_init(SCMP_ACT_ALLOW)))
|
||||
|
|
|
|||
|
|
@ -336,6 +336,12 @@ public:
|
|||
"String appended to the user agent in HTTP requests."};
|
||||
|
||||
#if __linux__
|
||||
Setting<bool> filterSyscalls{this, true, "filter-syscalls",
|
||||
"Whether to prevent certain dangerous system calls, such as "
|
||||
"creation of setuid/setgid files or adding ACLs or extended "
|
||||
"attributes. Only disable this if you're aware of the "
|
||||
"security implications."};
|
||||
|
||||
Setting<bool> allowNewPrivileges{this, false, "allow-new-privileges",
|
||||
"Whether builders can acquire new privileges by calling programs with "
|
||||
"setuid/setgid bits or with file capabilities."};
|
||||
|
|
|
|||
Loading…
Reference in a new issue