Created
April 29, 2020 20:29
-
-
Save lovesegfault/684b3876bcfdcad3c4eb67ac62a37b9e to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| diff --git a/src/libstore/build.cc b/src/libstore/build.cc | |
| index 147093fa..4a165f9b 100644 | |
| --- a/src/libstore/build.cc | |
| +++ b/src/libstore/build.cc | |
| @@ -3002,30 +3002,30 @@ void setupSeccomp() | |
| printError("unable to add ARM seccomp architecture; this may result in spurious build failures if running 32-bit ARM processes"); | |
| /* Prevent builders from creating setuid/setgid binaries. */ | |
| - for (int perm : { S_ISUID, S_ISGID }) { | |
| - if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(chmod), 1, | |
| - SCMP_A1(SCMP_CMP_MASKED_EQ, (scmp_datum_t) perm, (scmp_datum_t) perm)) != 0) | |
| - throw SysError("unable to add seccomp rule"); | |
| - | |
| - if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(fchmod), 1, | |
| - SCMP_A1(SCMP_CMP_MASKED_EQ, (scmp_datum_t) perm, (scmp_datum_t) perm)) != 0) | |
| - throw SysError("unable to add seccomp rule"); | |
| - | |
| - if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(fchmodat), 1, | |
| - SCMP_A2(SCMP_CMP_MASKED_EQ, (scmp_datum_t) perm, (scmp_datum_t) perm)) != 0) | |
| - throw SysError("unable to add seccomp rule"); | |
| - } | |
| + // for (int perm : { S_ISUID, S_ISGID }) { | |
| + // if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(chmod), 1, | |
| + // SCMP_A1(SCMP_CMP_MASKED_EQ, (scmp_datum_t) perm, (scmp_datum_t) perm)) != 0) | |
| + // throw SysError("unable to add seccomp rule"); | |
| + | |
| + // if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(fchmod), 1, | |
| + // SCMP_A1(SCMP_CMP_MASKED_EQ, (scmp_datum_t) perm, (scmp_datum_t) perm)) != 0) | |
| + // throw SysError("unable to add seccomp rule"); | |
| + | |
| + // if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(fchmodat), 1, | |
| + // SCMP_A2(SCMP_CMP_MASKED_EQ, (scmp_datum_t) perm, (scmp_datum_t) perm)) != 0) | |
| + // throw SysError("unable to add seccomp rule"); | |
| + // } | |
| /* Prevent builders from creating EAs or ACLs. Not all filesystems | |
| support these, and they're not allowed in the Nix store because | |
| they're not representable in the NAR serialisation. */ | |
| - if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOTSUP), SCMP_SYS(setxattr), 0) != 0 || | |
| - seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOTSUP), SCMP_SYS(lsetxattr), 0) != 0 || | |
| - seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOTSUP), SCMP_SYS(fsetxattr), 0) != 0) | |
| - throw SysError("unable to add seccomp rule"); | |
| + // if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOTSUP), SCMP_SYS(setxattr), 0) != 0 || | |
| + // seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOTSUP), SCMP_SYS(lsetxattr), 0) != 0 || | |
| + // seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOTSUP), SCMP_SYS(fsetxattr), 0) != 0) | |
| + // throw SysError("unable to add seccomp rule"); | |
| - if (seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, settings.allowNewPrivileges ? 0 : 1) != 0) | |
| - throw SysError("unable to set 'no new privileges' seccomp attribute"); | |
| + // if (seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, settings.allowNewPrivileges ? 0 : 1) != 0) | |
| + // throw SysError("unable to set 'no new privileges' seccomp attribute"); | |
| if (seccomp_load(ctx) != 0) | |
| throw SysError("unable to load seccomp BPF program"); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment