landlock-sandboxer: build against headers which match the sandboxer source

This commit is contained in:
2024-02-01 13:53:39 +00:00
parent 17f35a3619
commit 4f352c5725

View File

@@ -3,12 +3,24 @@
# but it will complain (stderr) about an update being available if kernel max ABI != sandbox max ABI. # but it will complain (stderr) about an update being available if kernel max ABI != sandbox max ABI.
{ stdenv { stdenv
, linux , linux
, makeLinuxHeaders
}: }:
let
linuxHeaders = makeLinuxHeaders {
inherit (linux) src version;
};
in
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "landlock-sandboxer"; pname = "landlock-sandboxer";
version = linux.version; version = linux.version;
src = linux.src; src = linux.src;
NIX_DEBUG = 6;
buildInputs = [
linuxHeaders # to get the right linux headers!
];
# sourceRoot = "linux-${version}/samples/landlock"; # sourceRoot = "linux-${version}/samples/landlock";
preBuild = '' preBuild = ''
cd samples/landlock cd samples/landlock
@@ -20,6 +32,10 @@ stdenv.mkDerivation rec {
install -m755 sandboxer $out/bin install -m755 sandboxer $out/bin
''; '';
passthru = {
inherit linuxHeaders;
};
meta = { meta = {
description = '' description = ''
The goal of Landlock is to enable to restrict ambient rights (e.g. global filesystem access) for a set of processes. The goal of Landlock is to enable to restrict ambient rights (e.g. global filesystem access) for a set of processes.