Add a seccomp filter to prevent creating setuid/setgid binaries

This prevents builders from setting the S_ISUID or S_ISGID bits, preventing users from using a nixbld* user to create a setuid/setgid binary to interfere with subsequent builds under the same nixbld* uid. This is based on aszlig's seccomp code (47f587700d). Reported by Linus Heckemann. (cherry picked from commit 6cc6c15a2d)
2025-11-15 23:12:44 +01:00 · 2017-05-29 11:34:24 +02:00 · 2017-05-29 11:34:24 +02:00 · e296b8884e
commit e296b8884e
parent a8d13e66ee
5 changed files with 67 additions and 0 deletions
--- a/release.nix
+++ b/release.nix
@ -27,6 +27,7 @@ let
          [ curl bison flex perl libxml2 libxslt bzip2 xz
            dblatex (dblatex.tex or tetex) nukeReferences pkgconfig sqlite libsodium
            docbook5 docbook5_xsl
+            libseccomp
          ] ++ lib.optional (!lib.inNixShell) git;

        configureFlags = ''
@ -85,6 +86,7 @@ let

        buildInputs =
          [ curl perl bzip2 xz openssl pkgconfig sqlite boehmgc ]
+          ++ lib.optional stdenv.isLinux libseccomp
          ++ lib.optional stdenv.isLinux libsodium;

        configureFlags = ''