A modern, delicious implementation of the Nix package manager, focused on correctness, usability, and growth — and committed to doing right by its community
b90a435332
What we basically want is a seccomp mode 2 BPF program like this but for every architecture: BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)), BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_chown, 4, 0), BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_fchown, 3, 0), BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_fchownat, 2, 0), BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_lchown, 1, 0), BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO) However, on 32 bit architectures we do have chown32, lchown32 and fchown32, so we'd need to add all the architecture blurb which libseccomp handles for us. So we only need to make sure that we add the 32bit seccomp arch while we're on x86_64 and otherwise we just stay at the native architecture which was set during seccomp_init(), which more or less replicates setting 32bit personality during runChild(). The FORCE_SUCCESS() macro here could be a bit less ugly but I think repeating the seccomp_rule_add() all over the place is way uglier. Another way would have been to create a vector of syscalls to iterate over, but that would make error messages uglier because we can either only print the (libseccomp-internal) syscall number or use seccomp_syscall_resolve_num_arch() to get the name or even make the vector a pair number/name, essentially duplicating everything again. Signed-off-by: aszlig <aszlig@redmoonstudios.org> |
||
---|---|---|
config | ||
corepkgs | ||
doc/manual | ||
maintainers | ||
misc | ||
mk | ||
perl | ||
scripts | ||
src | ||
tests | ||
.dir-locals.el | ||
.gitignore | ||
bootstrap.sh | ||
configure.ac | ||
COPYING | ||
dev-shell | ||
local.mk | ||
Makefile | ||
Makefile.config.in | ||
nix.spec.in | ||
README.md | ||
release.nix | ||
version |
Nix, the purely functional package manager
Nix is a new take on package management that is fairly unique. Because of it's purity aspects, a lot of issues found in traditional package managers don't appear with Nix.
To find out more about the tool, usage and installation instructions, please read the manual, which is available on the Nix website at http://nixos.org/nix/manual.
Contributing
Take a look at the Hacking Section of the manual. It helps you to get started with building Nix from source.
License
Nix is released under the LGPL v2.1
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.OpenSSL.org/).