mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-12-25 03:17:13 +00:00
ef45195126
If useSELinux is not set, enable seccomp mode by default and avoid building the SUID helper sandbox at all. This involves a small patch which causes the commandline arguments to be swapped: --disable-seccomp-sandbox to disable it, while the option is active by default.
21 lines
794 B
Diff
21 lines
794 B
Diff
diff --git a/content/common/seccomp_sandbox.h b/content/common/seccomp_sandbox.h
|
|
index a07d6f3..a622a35 100644
|
|
--- a/content/common/seccomp_sandbox.h
|
|
+++ b/content/common/seccomp_sandbox.h
|
|
@@ -29,15 +29,9 @@ static bool SeccompSandboxEnabled() {
|
|
// TODO(evan): turn on for release too once we've flushed out all the bugs,
|
|
// allowing us to delete this file entirely and just rely on the "disabled"
|
|
// switch.
|
|
-#ifdef NDEBUG
|
|
- // Off by default; allow turning on with a switch.
|
|
- return CommandLine::ForCurrentProcess()->HasSwitch(
|
|
- switches::kEnableSeccompSandbox);
|
|
-#else
|
|
// On by default; allow turning off with a switch.
|
|
return !CommandLine::ForCurrentProcess()->HasSwitch(
|
|
switches::kDisableSeccompSandbox);
|
|
-#endif // NDEBUG
|
|
}
|
|
#endif // SECCOMP_SANDBOX
|
|
|