Fix "Bad system call" running i686-linux binaries on x86_64-linux
To determine which seccomp filters to install, we were incorrectly using settings.thisSystem, which doesn't denote the actual system when --system is used. Fixes #2791.
parent
989cb37777
commit
f9a2ea4486
3 changed files with 11 additions and 4 deletions
@ -2510,17 +2510,17 @@ void setupSeccomp()
seccomp_release(ctx);
seccomp_release(ctx);
});
});
if (settings.thisSystem == "x86_64-linux" &&
if (nativeSystem == "x86_64-linux" &&
seccomp_arch_add(ctx, SCMP_ARCH_X86) != 0)
seccomp_arch_add(ctx, SCMP_ARCH_X86) != 0)
throw SysError("unable to add 32-bit seccomp architecture");
throw SysError("unable to add 32-bit seccomp architecture");
if (settings.thisSystem == "x86_64-linux" &&
if (nativeSystem == "x86_64-linux" &&
seccomp_arch_add(ctx, SCMP_ARCH_X32) != 0)
seccomp_arch_add(ctx, SCMP_ARCH_X32) != 0)
throw SysError("unable to add X32 seccomp architecture");
throw SysError("unable to add X32 seccomp architecture");
if (settings.thisSystem == "aarch64-linux" &&
if (nativeSystem == "aarch64-linux" &&
seccomp_arch_add(ctx, SCMP_ARCH_ARM) != 0)
seccomp_arch_add(ctx, SCMP_ARCH_ARM) != 0)
printError("unsable to add ARM seccomp architecture; this may result in spurious build failures if running 32-bit ARM processes.");
printError("unable to add ARM seccomp architecture; this may result in spurious build failures if running 32-bit ARM processes");
/* Prevent builders from creating setuid/setgid binaries. */
/* Prevent builders from creating setuid/setgid binaries. */
for (int perm : { S_ISUID, S_ISGID }) {
for (int perm : { S_ISUID, S_ISGID }) {
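Review bot: On the new side the aarch64-linux branch only logs when seccomp_arch_add fails (printError), while both x86_64-linux branches throw; a filter installed without the ARM architecture would reproduce for 32-bit ARM builders the same "Bad system call" symptom this commit fixes for i686 on x86_64. If the non-fatal handling is deliberate, say so next to the printError, e.g. `/* Deliberately non-fatal — TODO(review): state why (kernels built without 32-bit ARM support?). */`. It would also help to record why nativeSystem rather than settings.thisSystem is consulted here, since the two look interchangeable at the call site: `/* Use the compile-time system, not settings.thisSystem (which --system can override): the seccomp architectures to add depend on the host we actually run on. */`. setupSeccomp begins before this hunk.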
@ -38,6 +38,9 @@ extern char * * environ;
namespace nix {
namespace nix {
const std::string nativeSystem = SYSTEM;
BaseError & BaseError::addPrefix(const FormatOrString & fs)
BaseError & BaseError::addPrefix(const FormatOrString & fs)
{
{
prefix_ = fs.s + prefix_;
prefix_ = fs.s + prefix_;
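Review bot: `const std::string nativeSystem = SYSTEM;` is a namespace-scope std::string with dynamic initialization, so a static initializer in another translation unit that reads it could observe it before construction (static initialization order is unspecified across translation units); setupSeccomp runs at run time, so the caller in this commit is fine, but the definition carries no note of that constraint. Consider `const std::string nativeSystem = SYSTEM; // from the SYSTEM build macro; not safe to read from other static initializers`. The enclosing namespace nix continues outside the hunk.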
@ -30,6 +30,10 @@ struct Sink;
struct Source;
struct Source;
/* The system for which Nix is compiled. */
extern const std::string nativeSystem;
/* Return an environment variable. */
/* Return an environment variable. */
string getEnv(const string & key, const string & def = "");
string getEnv(const string & key, const string & def = "");
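Review bot: The new comment on `nativeSystem` does not say how it differs from `settings.thisSystem`, and that distinction is the whole reason the commit introduces it; a reader choosing between the two will otherwise pick by name. Suggested replacement for the comment: `/* The system for which Nix is compiled (the SYSTEM build macro). Unlike settings.thisSystem it cannot be overridden at run time (e.g. via --system), so use it for decisions about the actual host, such as which seccomp architectures to add. */`.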