Add option to disable the seccomp filter

I needed this to test ACL/xattr removal in canonicalisePathMetaData(). Might also be useful if you need to build old Nixpkgs that doesn't have the required patches to remove setuid/setgid creation.
NixOS · Oct 12, 2017 · 1dd29d7 · 1dd29d7 · dtzWill · Jan 11, 2018
1 parent 9730781
commit 1dd29d7
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/src/libstore/build.cc b/src/libstore/build.cc
@@ -2351,6 +2351,8 @@ void DerivationGoal::doExportReferencesGraph()
 void setupSeccomp()
 {
 #if __linux__
+    if (!settings.filterSyscalls) return;
+
     scmp_filter_ctx ctx;
 
     if (!(ctx = seccomp_init(SCMP_ACT_ALLOW)))

diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
@@ -336,6 +336,12 @@ public:
         "String appended to the user agent in HTTP requests."};
 
 #if __linux__
+    Setting<bool> filterSyscalls{this, true, "filter-syscalls",
+            "Whether to prevent certain dangerous system calls, such as "
+            "creation of setuid/setgid files or adding ACLs or extended "
+            "attributes. Only disable this if you're aware of the "
+            "security implications."};
+
     Setting<bool> allowNewPrivileges{this, false, "allow-new-privileges",
         "Whether builders can acquire new privileges by calling programs with "
         "setuid/setgid bits or with file capabilities."};