audit: build with libcap_ng
See auditd-plugins(5) for motivation:

> When the audit daemon starts your plugin, you will be running as root.
> If you do not need root privileges, you should change uid/gid to lower
> chances of being a target for exploit. If you need to retain capabilities,
> using libcap-ng is the simplest way.

`libcap_ng` is already in the closure via util-linux and thus does not unnecessarily bloat the system. It is also a very sane idea to allow plugins to drop privileges if they already conveniently support it.
parent 916454f796
commit 4db1e1cf13
@ -10,6 +10,7 @@
|
|||||||
python3,
|
python3,
|
||||||
swig,
|
swig,
|
||||||
pkgsCross,
|
pkgsCross,
|
||||||
|
libcap_ng,
|
||||||
|
|
||||||
# Enabling python support while cross compiling would be possible, but the
|
# Enabling python support while cross compiling would be possible, but the
|
||||||
# configure script tries executing python to gather info instead of relying on
|
# configure script tries executing python to gather info instead of relying on
|
||||||
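Review bot: the new `libcap_ng,` argument is appended after `pkgsCross,`, which is a handle to the cross package sets rather than a library. Moving it next to the other build dependencies in the argument list would keep the inputs grouped by purpose and make it obvious at a glance that it is a link-time dependency.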
@ -78,6 +79,7 @@ stdenv.mkDerivation (finalAttrs: {
|
|||||||
|
|
||||||
buildInputs = [
|
buildInputs = [
|
||||||
bash
|
bash
|
||||||
|
libcap_ng
|
||||||
];
|
];
|
||||||
|
|
||||||
configureFlags = [
|
configureFlags = [
|
||||||
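Review bot: `libcap_ng` lands in `buildInputs` with no comment at this spot, and the only explanation sits beside the configure flag further down. A short note here pointing at `--with-libcap-ng=yes` would tell the next person editing this list that the entry cannot be removed on its own.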
@ -86,6 +88,9 @@ stdenv.mkDerivation (finalAttrs: {
|
|||||||
"--disable-zos-remote"
|
"--disable-zos-remote"
|
||||||
"--with-arm"
|
"--with-arm"
|
||||||
"--with-aarch64"
|
"--with-aarch64"
|
||||||
|
# capability dropping, currently mostly for plugins as those get spawned as root
|
||||||
|
# see auditd-plugins(5)
|
||||||
|
"--with-libcap-ng=yes"
|
||||||
(if enablePython then "--with-python" else "--without-python")
|
(if enablePython then "--with-python" else "--without-python")
|
||||||
];
|
];
|
||||||
|
|
||||||
|
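Review bot: `"--with-libcap-ng=yes"` is hardcoded while the Python flag directly below it is selected by `enablePython`, and it depends on the separate `libcap_ng` entry in `buildInputs`, so an override that touches one and not the other leaves the two out of sync. Consider driving both from a single option (a hypothetical `enableLibcapNg` argument, for instance), or at least saying in the comment that the flag requires the build input. The comment's "currently mostly for plugins" would also read more precisely if it stated that the flag only makes capability dropping available and that each plugin still has to drop its own privileges, as auditd-plugins(5) describes.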