mirror of
https://git.savannah.gnu.org/git/guix.git
synced 2026-06-12 10:24:08 +02:00
f519ddf733
Docker's default seccomp filter prevents use of the ADDR_NO_RANDOMIZE flag with the personality system call. It causes personality to return EPERM. In general, we assume that any result other than the only documented one, EINVAL, is caused by seccomp.

If we detect that ADDR_NO_RANDOMIZE is blocked, and the --allow-aslr option was passed, we simply don't use it. This allows guix-daemon to continue to work even in these containers, without any implicit weakening of reproducibility.

Since it is presumably desirable to be able to build guix itself in such an environment, also pass --allow-aslr to guix-daemon in test-env.

* nix/libstore/globals.hh (Settings::allowASLR): new field.
* nix/nix-daemon/guix-daemon.cc (options): add --allow-aslr option.
(parse_opt): use it to set Settings::allowASLR.
* nix/libstore/build.cc (DerivationGoal::startBuilder): detect when ADDR_NO_RANDOMIZE is blocked and --allow-aslr is passed and don't use it in that case.
* doc/guix.texi: document --allow-aslr in "Invoking guix-daemon".
* build-aux/test-env.in: always pass --allow-aslr.

Fixes: guix/guix#3917
Change-Id: I51c5899a9559e161f9e107c2e6a36df395ab3134
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Modified-by: Ludovic Courtès <ludo@gnu.org>
Merges: #4616
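
The decision the commit message describes, written out in C as an added example; it is not the code from nix/libstore/build.cc. The names `classify_personality_result` and `try_disable_aslr` are hypothetical, and treating EINVAL as a hard error is an assumption of this example, since the message does not say how that case is handled.

```c
/* Added example: classify the result of personality(ADDR_NO_RANDOMIZE). */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/personality.h>

enum aslr_outcome {
    ASLR_DISABLED,      /* ADDR_NO_RANDOMIZE is now set for this process */
    ASLR_LEFT_ENABLED,  /* call blocked, caller opted in to continue */
    ASLR_ERROR          /* refuse to go on */
};

/* Pure decision step: rc and err are the return value and errno of the
   personality() call; allow_aslr mirrors the --allow-aslr option. */
enum aslr_outcome classify_personality_result(int rc, int err, int allow_aslr)
{
    if (rc != -1)
        return ASLR_DISABLED;
    if (err == EINVAL)      /* the only documented failure: not seccomp */
        return ASLR_ERROR;  /* assumption: treated as a hard error here */
    /* Any other errno (EPERM under Docker's default profile) is
       presumed to come from a seccomp filter. */
    return allow_aslr ? ASLR_LEFT_ENABLED : ASLR_ERROR;
}

enum aslr_outcome try_disable_aslr(int allow_aslr)
{
    int cur = personality(0xffffffff);  /* query only, changes nothing */
    if (cur == -1)
        return classify_personality_result(-1, errno, allow_aslr);
    errno = 0;
    int rc = personality((unsigned long) cur | ADDR_NO_RANDOMIZE);
    return classify_personality_result(rc, errno, allow_aslr);
}

int main(int argc, char **argv)
{
    int allow_aslr = argc > 1 && strcmp(argv[1], "--allow-aslr") == 0;
    switch (try_disable_aslr(allow_aslr)) {
    case ASLR_DISABLED:
        puts("ASLR disabled for this process"); return 0;
    case ASLR_LEFT_ENABLED:
        puts("ADDR_NO_RANDOMIZE blocked; continuing with ASLR"); return 0;
    default:
        fputs("cannot disable ASLR (pass --allow-aslr to continue)\n", stderr);
        return 1;
    }
}
```

Run inside a container with Docker's default seccomp profile, the program fails without an argument and continues when given `--allow-aslr`, so ASLR is only left on when the operator has asked for that.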