From 690ac7c90b5bf3c599e210c53365c7d229c8b0ff Mon Sep 17 00:00:00 2001 From: Shea Levy Date: Sun, 18 Feb 2018 02:35:01 -0500 Subject: [PATCH] configure: Add a flag to disable seccomp. This is needed for new arches where libseccomp support doesn't exist yet. Fixes #1878. --- Makefile.config.in | 1 + configure.ac | 16 ++++++++++++++-- src/libstore/build.cc | 4 +++- src/libstore/local.mk | 2 +- 4 files changed, 19 insertions(+), 4 deletions(-) diff --git a/Makefile.config.in b/Makefile.config.in index fab821946..a9785dc73 100644 --- a/Makefile.config.in +++ b/Makefile.config.in @@ -7,6 +7,7 @@ ENABLE_S3 = @ENABLE_S3@ HAVE_SODIUM = @HAVE_SODIUM@ HAVE_READLINE = @HAVE_READLINE@ HAVE_BROTLI = @HAVE_BROTLI@ +HAVE_SECCOMP = @HAVE_SECCOMP@ LIBCURL_LIBS = @LIBCURL_LIBS@ OPENSSL_LIBS = @OPENSSL_LIBS@ PACKAGE_NAME = @PACKAGE_NAME@ diff --git a/configure.ac b/configure.ac index 83b2346d0..14f742cf3 100644 --- a/configure.ac +++ b/configure.ac @@ -186,9 +186,21 @@ AC_SUBST(HAVE_BROTLI, [$have_brotli]) # Look for libseccomp, required for Linux sandboxing. if test "$sys_name" = linux; then - PKG_CHECK_MODULES([LIBSECCOMP], [libseccomp], - [CXXFLAGS="$LIBSECCOMP_CFLAGS $CXXFLAGS"]) + AC_ARG_ENABLE([seccomp-sandboxing], + AC_HELP_STRING([--disable-seccomp-sandboxing], + [Don't build support for seccomp sandboxing (only recommended if your arch doesn't support libseccomp yet!)] + )) + if test "x$enable_seccomp_sandboxing" != "xno"; then + PKG_CHECK_MODULES([LIBSECCOMP], [libseccomp], + [CXXFLAGS="$LIBSECCOMP_CFLAGS $CXXFLAGS"]) + have_seccomp=1 + else + have_seccomp= + fi +else + have_seccomp= fi +AC_SUBST(HAVE_SECCOMP, [$have_seccomp]) # Look for aws-cpp-sdk-s3. diff --git a/src/libstore/build.cc b/src/libstore/build.cc index cc69ff1c7..9b7abaa3d 100644 --- a/src/libstore/build.cc +++ b/src/libstore/build.cc @@ -49,7 +49,9 @@ #include #include #include +#if HAVE_SECCOMP #include +#endif #define pivot_root(new_root, put_old) (syscall(SYS_pivot_root, new_root, put_old)) #endif @@ -2469,7 +2471,7 @@ void DerivationGoal::chownToBuilder(const Path & path) void setupSeccomp() { -#if __linux__ +#if __linux__ && HAVE_SECCOMP if (!settings.filterSyscalls) return; scmp_filter_ctx ctx; diff --git a/src/libstore/local.mk b/src/libstore/local.mk index c7ac534e2..e11efa5c2 100644 --- a/src/libstore/local.mk +++ b/src/libstore/local.mk @@ -25,7 +25,7 @@ ifeq ($(OS), SunOS) libstore_LDFLAGS += -lsocket endif -ifeq ($(OS), Linux) +ifeq ($(HAVE_SECCOMP), 1) libstore_LDFLAGS += -lseccomp endif