daemon: Drop Linux ambient capabilities before executing builder.

* config-daemon.ac: Check for <sys/prctl.h>. * nix/libstore/build.cc (DerivationGoal::runChild): When ‘useChroot’ is true, call ‘prctl’ to drop all ambient capabilities. Change-Id: If34637fc508e5fb6d278167f5df7802fc595284f
author: Ludovic Courtès <ludo@gnu.org> 2025-01-23 22:43:54 +0100
committer: Ludovic Courtès <ludo@gnu.org> 2025-03-26 17:57:44 +0100
commit: 0163c732a17f6358a6b0d8004b27d27650a7d5be (patch)
tree: 17eaf2dacba84b8e0f832db901dd21e1c4d3cf2c /config-daemon.ac
parent: a3d6f5ae70298b9b2ff357435ff5925cc6563b1a (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/config-daemon.ac b/config-daemon.ac
index 4e949bc88a3..35d9c8cd56b 100644
--- a/config-daemon.ac
+++ b/config-daemon.ac
@@ -79,7 +79,7 @@ if test "x$guix_build_daemon" = "xyes"; then
   dnl Chroot support.
   AC_CHECK_FUNCS([chroot unshare])
   AC_CHECK_HEADERS([sched.h sys/param.h sys/mount.h sys/syscall.h \
-    linux/close_range.h])
+    linux/close_range.h sys/prctl.h])
 
   if test "x$ac_cv_func_chroot" != "xyes"; then
     AC_MSG_ERROR(['chroot' function missing, bailing out])
author	Ludovic Courtès <ludo@gnu.org>	2025-01-23 22:43:54 +0100
committer	Ludovic Courtès <ludo@gnu.org>	2025-03-26 17:57:44 +0100
commit	0163c732a17f6358a6b0d8004b27d27650a7d5be (patch)
tree	17eaf2dacba84b8e0f832db901dd21e1c4d3cf2c /config-daemon.ac
parent	a3d6f5ae70298b9b2ff357435ff5925cc6563b1a (diff)