-rw-r--r-- | nix/libstore/build.cc | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
index eee3a33a58..e77869fc3e 100644
--- a/nix/libstore/build.cc
+++ b/nix/libstore/build.cc
@@ -2219,8 +2219,24 @@ static pid_t spawnSlirp4netns(int tapfd, int notifyReadyFD,
         slirpCtx.supplementaryGroups = {};
         slirpCtx.setSupplementaryGroups = true;
     }
-    slirpCtx.seccompFilter = slirpSeccompFilter();
-    slirpCtx.addSeccompFilter = true;
+    /* Unless built with '--enable-kernel=4.3.0' or similar, glibc on i686 uses 'socketcall' instead of dedicated system calls like 'socket' and 'bind'. Since the seccomp filter cannot inspect 'socketcall' arguments in a meaningful way, it can only prohibit all 'socketcall' calls; the other option is to disable the seccomp filter entirely, meaning that slirp4netns would have access to abstract unix sockets in the root network namespace. */
+#ifdef __NR_socketcall
+#ifndef NO_SOCKETCALL_LIBC
+    if(getenv("GUIX_FORCE_SECCOMP") == NULL)
+      printMsg(lvlInfo, "warning: seccomp filter for slirp4netns presumed unusable with this libc, disabling it");
+    else
+#endif
+#endif
+    {
+      slirpCtx.seccompFilter = slirpSeccompFilter();
+      slirpCtx.addSeccompFilter = true;
+    }
     /* Silence slirp4netns output unless requested */
     if(verbosity <= lvlInfo)
     {
|
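Review bot: The warning that the seccomp filter is being dropped is emitted at lvlInfo, the same level the next lines use to decide that slirp4netns output should be silenced, so under an ordinary daemon verbosity the sandbox weakening the new comment itself describes (slirp4netns reaching abstract unix sockets in the root network namespace) would presumably go unlogged; a security downgrade should be hard to miss, so `printMsg(lvlError, "warning: seccomp filter for slirp4netns presumed unusable with this libc, disabling it");` looks more appropriate. The decision also keys off `__NR_socketcall` being defined, which reflects the architecture's kernel ABI rather than what the installed glibc actually emits, so on any architecture whose headers define that constant the filter is skipped unless the build defines NO_SOCKETCALL_LIBC or the daemon's environment carries GUIX_FORCE_SECCOMP — that build-time knob deserves a sentence in the comment, e.g. `/* Define NO_SOCKETCALL_LIBC at build time when the libc is known to use the dedicated socket system calls. */`. Stylistically, the `else` left dangling across two `#endif` lines so that it binds to the following block is fragile to edit; a flag variable keeps the preprocessor out of the control flow, as sketched below. spawnSlirp4netns begins and ends outside the hunk.

```c
    bool useSeccomp = true;
#if defined(__NR_socketcall) && !defined(NO_SOCKETCALL_LIBC)
    /* … unchanged: socketcall rationale comment … */
    if (getenv("GUIX_FORCE_SECCOMP") == NULL) {
        printMsg(lvlError, "warning: seccomp filter for slirp4netns presumed unusable with this libc, disabling it");
        useSeccomp = false;
    }
#endif
    if (useSeccomp) {
        slirpCtx.seccompFilter = slirpSeccompFilter();
        slirpCtx.addSeccompFilter = true;
    }
    /* … unchanged: silencing of slirp4netns output … */
```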