Merge pull request #11206 from tie/getxattr-enotsup
libstore: return ENOTSUP for getxattr functions
edolstra authored Jul 29, 2024
2 parents 3faa77b + 1b47748 commit 9e2bed7
Showing 1 changed file with 5 additions and 2 deletions.
7 changes: 5 additions & 2 deletions src/libstore/unix/build/local-derivation-goal.cc
Expand Up @@ -1702,10 +1702,13 @@ void setupSeccomp()
throw SysError("unable to add seccomp rule");
}

/* Prevent builders from creating EAs or ACLs. Not all filesystems
/* Prevent builders from using EAs or ACLs. Not all filesystems
support these, and they're not allowed in the Nix store because
they're not representable in the NAR serialisation. */
if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOTSUP), SCMP_SYS(setxattr), 0) != 0 ||
if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOTSUP), SCMP_SYS(getxattr), 0) != 0 ||
seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOTSUP), SCMP_SYS(lgetxattr), 0) != 0 ||
seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOTSUP), SCMP_SYS(fgetxattr), 0) != 0 ||
seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOTSUP), SCMP_SYS(setxattr), 0) != 0 ||
seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOTSUP), SCMP_SYS(lsetxattr), 0) != 0 ||
seccomp_rule_add(ctx, SCMP_ACT_ERRNO(ENOTSUP), SCMP_SYS(fsetxattr), 0) != 0)
throw SysError("unable to add seccomp rule");
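
Review bot: The updated comment says builders are prevented from "using" EAs or ACLs, but the condition in this hunk covers only the get and set families (getxattr, lgetxattr, fgetxattr, setxattr, lsetxattr, fsetxattr). listxattr, llistxattr, flistxattr and the removexattr variants are not among the rules visible here, so a builder could still enumerate attribute names and then receive ENOTSUP when reading them, which tools that list before they read may handle poorly. Consider adding those syscalls with the same SCMP_ACT_ERRNO(ENOTSUP) action, or narrowing the comment to name the operations that are actually blocked. As a style point, the six near-identical seccomp_rule_add calls could become a loop over a list of syscalls, so that a future addition is a one-line change and the error could name the syscall that failed.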