nix-super/src/libstore
aszlig b90a435332
libstore/build: Forge chown() to return success
What we basically want is a seccomp mode 2 BPF program like this but for
every architecture:

  BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)),
  BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_chown, 4, 0),
  BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_fchown, 3, 0),
  BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_fchownat, 2, 0),
  BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_lchown, 1, 0),
  BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
  BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO)

However, on 32 bit architectures we do have chown32, lchown32 and
fchown32, so we'd need to add all the architecture blurb which
libseccomp handles for us.

So we only need to make sure that we add the 32bit seccomp arch while
we're on x86_64 and otherwise we just stay at the native architecture
which was set during seccomp_init(), which more or less replicates
setting 32bit personality during runChild().

The FORCE_SUCCESS() macro here could be a bit less ugly but I think
repeating the seccomp_rule_add() all over the place is way uglier.

Another way would have been to create a vector of syscalls to iterate
over, but that would make error messages uglier because we can either
only print the (libseccomp-internal) syscall number or use
seccomp_syscall_resolve_num_arch() to get the name or even make the
vector a pair number/name, essentially duplicating everything again.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-11-16 16:48:30 +01:00
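Added example (not part of the commit or of the Nix code base): the filter sketched in the commit message, evaluated in user space against constructed seccomp_data records. The hard-coded x86_64/i386 syscall numbers and the run_filter()/verdict() helpers are assumptions of this example. It shows that a filter matching on nr alone lets i386 chown32 through unforged and treats i386 fchmod (94) as lchown, which is the per-architecture handling the commit leaves to libseccomp.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <linux/audit.h>    /* AUDIT_ARCH_* */
#include <linux/filter.h>   /* struct sock_filter, BPF_STMT, BPF_JUMP */
#include <linux/seccomp.h>  /* struct seccomp_data, SECCOMP_RET_* */

/* Assumed values: x86_64 and i386 syscall numbers, hard-coded for portability. */
enum { X64_CHOWN = 92, X64_FCHOWN = 93, X64_LCHOWN = 94, X64_FCHOWNAT = 260,
       X64_OPEN = 2, I386_FCHMOD = 94, I386_CHOWN32 = 212 };

/* The filter from the commit message with x86_64 numbers filled in.
 * SECCOMP_RET_ERRNO with errno 0 skips the syscall and returns 0. */
static const struct sock_filter native_only[] = {
    BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, X64_CHOWN, 4, 0),
    BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, X64_FCHOWN, 3, 0),
    BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, X64_FCHOWNAT, 2, 0),
    BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, X64_LCHOWN, 1, 0),
    BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO),
};

/* Hypothetical user-space evaluator for the three opcodes used above;
 * anything else, or running off the end, fails closed. */
static uint32_t run_filter(const struct sock_filter *f, size_t n, const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        switch (f[pc].code) {
        case BPF_LD + BPF_W + BPF_ABS:   /* load 32-bit word at offset k */
            if (f[pc].k > sizeof *d - sizeof acc) return SECCOMP_RET_KILL;
            memcpy(&acc, (const char *)d + f[pc].k, sizeof acc);
            break;
        case BPF_JMP + BPF_JEQ + BPF_K:  /* relative jump: pc + 1 + jt/jf */
            pc += (acc == f[pc].k) ? f[pc].jt : f[pc].jf; break;
        case BPF_RET + BPF_K: return f[pc].k;
        default: return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL;
}

/* Verdict for syscall number nr issued under audit architecture arch. */
uint32_t verdict(uint32_t arch, int nr)
{
    struct seccomp_data d = { .nr = nr, .arch = arch };
    return run_filter(native_only, sizeof native_only / sizeof *native_only, &d);
}
```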
binary-cache-store.cc Merge branch 'ssh-store' of https://github.com/shlevy/nix 2016-11-09 18:57:22 +01:00
binary-cache-store.hh Remove addPathToAccessor 2016-10-21 18:09:30 +02:00
build.cc libstore/build: Forge chown() to return success 2016-11-16 16:48:30 +01:00
builtins.cc Enable HTTP/2 support 2016-09-14 16:36:02 +02:00
builtins.hh Make <nix/fetchurl.nix> a builtin builder 2015-07-20 04:38:46 +02:00
crypto.cc Use secret-key-files for verifying 2016-04-07 15:16:57 +02:00
crypto.hh Add "nix verify-paths" command 2016-03-29 16:37:16 +02:00
derivations.cc armv5tel can be built by armv6l and armv7l (#1063) 2016-09-16 22:03:34 +02:00
derivations.hh Add a mechanism for derivation attributes to reference the derivation's outputs 2016-08-17 17:19:32 +02:00
download.cc BinaryCacheStore: Optionally write a NAR listing 2016-10-21 16:50:28 +02:00
download.hh Make computeFSClosure() single-threaded again 2016-09-16 18:54:14 +02:00
export-import.cc Remove addPathToAccessor 2016-10-21 18:09:30 +02:00
fs-accessor.hh Add NAR / Store accessor abstraction 2016-02-25 17:43:19 +01:00
gc.cc printMsg(lvlError, ...) -> printError(...) etc. 2016-09-21 16:54:53 +02:00
globals.cc Add nix.conf options for -k and -K 2016-10-27 12:49:34 -04:00
globals.hh Remove $NIX_DB_DIR 2016-08-10 18:05:35 +02:00
http-binary-cache-store.cc Shut up clang warning 2016-10-19 15:02:48 +02:00
local-binary-cache-store.cc Make computeFSClosure() single-threaded again 2016-09-16 18:54:14 +02:00
local-fs-store.cc FSAccessor: Throw InvalidPath 2016-08-10 18:05:35 +02:00
local-store.cc Merge branch 'ssh-store' of https://github.com/shlevy/nix 2016-11-09 18:57:22 +01:00
local-store.hh Remove addPathToAccessor 2016-10-21 18:09:30 +02:00
local.mk Add build dependency for libseccomp 2016-11-16 16:48:26 +01:00
misc.cc Store::computeFSClosure(): Support a set of paths 2016-11-10 17:45:04 +01:00
nar-accessor.cc NarAccessor: Fix handling of non-executable files 2016-08-10 18:05:35 +02:00
nar-accessor.hh Add NAR / Store accessor abstraction 2016-02-25 17:43:19 +01:00
nar-info-disk-cache.cc SQLite:: Add some convenience 2016-08-10 18:05:35 +02:00
nar-info-disk-cache.hh HttpBinaryCacheStore: Fix caching of WantMassQuery 2016-06-01 16:24:17 +02:00
nar-info.cc Mark content-addressed paths in the Nix database and in .narinfo 2016-08-10 18:05:35 +02:00
nar-info.hh Make the store directory a member variable of Store 2016-06-01 16:24:17 +02:00
nix-store.pc.in Install some pkgconfig files 2014-09-18 12:00:40 +02:00
optimise-store.cc Don't rely on %m 2016-11-14 13:37:16 +01:00
pathlocks.cc printMsg(lvlError, ...) -> printError(...) etc. 2016-09-21 16:54:53 +02:00
pathlocks.hh Support sandbox builds by non-root users 2016-06-03 15:59:28 +02:00
profiles.cc printMsg(lvlError, ...) -> printError(...) etc. 2016-09-21 16:54:53 +02:00
profiles.hh Allow setting the state directory as a store parameter 2016-06-02 16:02:48 +02:00
references.cc OCD: foreach -> C++11 ranged for 2015-07-17 20:13:56 +02:00
references.hh Use "#pragma once" to prevent repeated header file inclusion 2012-07-18 14:59:03 -04:00
remote-fs-accessor.cc Factor a general remote FS accessor out of BinaryCacheStore 2016-09-02 14:24:34 -04:00
remote-fs-accessor.hh Factor a general remote FS accessor out of BinaryCacheStore 2016-09-02 14:24:34 -04:00
remote-store.cc Merge branch 'ssh-store' of https://github.com/shlevy/nix 2016-11-09 18:57:22 +01:00
remote-store.hh Merge branch 'ssh-store' of https://github.com/shlevy/nix 2016-11-09 18:57:22 +01:00
s3-binary-cache-store.cc Fix getS3Stats() 2016-10-06 17:00:52 +02:00
s3-binary-cache-store.hh Fix getS3Stats() 2016-10-06 17:00:52 +02:00
sandbox-defaults.sb.in Revert "remove sandbox-defaults.sb" 2015-11-21 16:40:24 -05:00
schema.sql Mark content-addressed paths in the Nix database and in .narinfo 2016-08-10 18:05:35 +02:00
sqlite.cc printMsg(lvlError, ...) -> printError(...) etc. 2016-09-21 16:54:53 +02:00
sqlite.hh SQLite:: Add some convenience 2016-08-10 18:05:35 +02:00
ssh-store.cc ssh-store: Start master on-demand 2016-09-12 08:07:50 -04:00
store-api.cc copyClosure() / copyStorePath(): Expose dontCheckSigs 2016-11-09 19:08:20 +01:00
store-api.hh Store::computeFSClosure(): Support a set of paths 2016-11-10 17:45:04 +01:00
worker-protocol.hh Merge branch 'ssh-store' of https://github.com/shlevy/nix 2016-11-09 18:57:22 +01:00