Nix daemon should use seccomp filtering about nix HOT 6 CLOSED

Hm, I guess seccomp isn't what you're looking for, because IMHO it is too restrictive in our case (as it only allows read, write, sigreturn and exit syscalls). If you really want to use seccomp for that to avoid chrooting, we might need to create a preload wrapper which passes every open, fork, exec, whatnot to some special master daemon which executes that action and hands down the FD over unix sockets. And this in turn leads to way more complexity around a feature which is not meant to be used like that.

A better way would be to make use of an LSM to properly avoid running as root. Unfortunately the availability of the LSM varies depending on the distribution/kernel configuration.

from nix.

You're talking about the old seccomp. The new seccomp filtering feature in Linux 3.5 should allow (almost) arbitrary syscall filtering using BPF. See http://kernelnewbies.org/Linux_3.5/#head-c48d6a7a26b6aae95139358285eee012d6212b9e.

from nix.

Hm, my impression was that it does not allow syscalls beyond the scope of the currently active capabilities (like chroot)?
Going to have a look at that this weekend if noone else did in the meantime...

from nix.

It doesn't, but it should allow restricting a root process, e.g. disallowing file system access outside of /nix or setuid to non-nixbld users.

from nix.

Okay, as I'm already implementing seccomp BPF for steam (see aszlig/nixpkgs@49d6a8b, I'm assigning this issue to me, as I'm on my way in making this generic.

Correction: I would have assigned this to me :-)

from nix.

Closing this, we're already using seccomp.

from nix.