amaharaneko/guix-mirrors
1
1
Fork 0
mirror of https://codeberg.org/guix/guix.git synced 2025-10-02 02:15:12 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

daemon: Drop Linux ambient capabilities before executing builder.

Browse source 
* config-daemon.ac: Check for <sys/prctl.h>.
* nix/libstore/build.cc (DerivationGoal::runChild): When ‘useChroot’ is
true, call ‘prctl’ to drop all ambient capabilities.

Change-Id: If34637fc508e5fb6d278167f5df7802fc595284f
This commit is contained in:
Ludovic Courtès 2025-01-23 22:43:54 +01:00
parent a3d6f5ae70
commit 0163c732a1
No known key found for this signature in database
GPG key ID: 090B11993D9AEBB5
2 changed files with 10 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

9
nix/libstore/build.cc
View file

@ -50,6 +50,9 @@
#if HAVE_SCHED_H
#include <sched.h>
#endif
#if HAVE_SYS_PRCTL_H
#include <sys/prctl.h>
#endif
#define CHROOT_ENABLED HAVE_CHROOT && HAVE_SYS_MOUNT_H && defined(MS_BIND) && defined(MS_PRIVATE)
@ -2075,6 +2078,12 @@ void DerivationGoal::runChild()
#if CHROOT_ENABLED
if (useChroot) {
# if HAVE_SYS_PRCTL_H
/* Drop ambient capabilities such as CAP_CHOWN that might have
been granted when starting guix-daemon. */
prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0);
# endif
if (!fixedOutput) {
/* Initialise the loopback interface. */
AutoCloseFD fd(socket(PF_INET, SOCK_DGRAM, IPPROTO_IP));