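# N.B.: Landlock is a relatively new thing as of 2024/01 and is still undergoing ABI revisions.
# The ABI is versioned, and the sandboxer works when run against either a newer or an older
# kernel than the one it was built from, but it complains (on stderr) that an update is
# available whenever the kernel's max ABI != the sandboxer's max ABI.
# NOTE(review): that stderr warning is worth surfacing rather than muting — on an older kernel
# the sandboxer presumably cannot enforce every access type it was compiled for; confirm against
# the sample's source for the kernel version in use.
#
# Builds the `sandboxer` sample program from the kernel tree (samples/landlock) against headers
# generated from the very same kernel source, so the two ABI versions agree by construction.
{ stdenv
, linux
, makeLinuxHeaders
}:

let
  # Headers produced from the exact kernel source the sample is built from: the Landlock
  # UAPI seen by sandboxer.c must be the one that source was written against, not
  # whatever headers stdenv's libc happens to carry.
  linuxHeaders = makeLinuxHeaders {
    inherit (linux) src version;
  };
in
stdenv.mkDerivation {
  pname = "landlock-sandboxer";
  # The sandboxer is versioned and sourced together with the kernel it is taken from.
  inherit (linux) version src;

  buildInputs = [
    linuxHeaders # the right linux headers for this kernel version, not the default ones
  ];

  # The sample lives in a subdirectory of the kernel tree; build from there.
  # (Equivalent alternative: sourceRoot = "linux-${linux.version}/samples/landlock";)
  preBuild = ''
    cd samples/landlock
  '';

  makeFlags = [ "sandboxer" ];

  # Custom phases must call the pre/post hooks themselves, otherwise any installation
  # hooks contributed by setup hooks are silently skipped.
  installPhase = ''
    runHook preInstall
    mkdir -p $out/bin
    install -m755 sandboxer $out/bin
    runHook postInstall
  '';

  # Expose the matching headers so dependents can build against the same Landlock UAPI.
  passthru = {
    inherit linuxHeaders;
  };

  meta = {
    description = "Landlock sample sandboxer: restricts ambient rights (e.g. global filesystem access) for a set of processes";
    homepage = "https://landlock.io";
    mainProgram = "sandboxer";
  };
}

# Alternatively, build more in line with the kernel's own build system. This takes longer,
# but may inherit the kernel build's hardening settings and the like:
#
# linux.overrideAttrs (_: {
#   buildFlags = [ "-C" "../samples/landlock" "sandboxer" ];
#   installPhase = ''
#     runHook preInstall
#     mkdir -p $out/bin
#     install -m755 ../samples/landlock/sandboxer $out/bin
#     runHook postInstall
#   '';
# })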