authorobadz <dav-github@odav.org>2016-01-05 15:00:02 +0000
committerobadz <dav-github@odav.org>2016-01-05 15:37:17 +0000
commitf5b087b94e5577e174f2d2af7cb69f1ced1e30e7 (patch)
tree647c1b24c1c2d8f2d3455cc04ea4b2876835cc01
parent93d8671e2c6d1d25f126ed30e5e6f16764330119 (diff)
syscall_limiter: init at b02c031
-rw-r--r--pkgs/os-specific/linux/syscall_limiter/default.nix43
-rw-r--r--pkgs/top-level/all-packages.nix2
2 files changed, 45 insertions, 0 deletions
diff --git a/pkgs/os-specific/linux/syscall_limiter/default.nix b/pkgs/os-specific/linux/syscall_limiter/default.nix
new file mode 100644
index 00000000000..658137a569e
--- /dev/null
+++ b/pkgs/os-specific/linux/syscall_limiter/default.nix
@@ -0,0 +1,43 @@
+{ stdenv
+, fetchFromGitHub
+, libseccomp
+, perl
+, which
+}:
+
+stdenv.mkDerivation rec {
+  name = "syscall_limiter-${version}";
+  version = "${date}-${stdenv.lib.strings.substring 0 7 rev}";
+  date = "20160105";
+  rev = "b02c0316a2aaff496f712f1467e20337006655cc";
+
+  src = fetchFromGitHub {
+    owner = "vi";
+    repo = "syscall_limiter";
+    inherit rev;
+    sha256 = "14q5k5c8hk7gnxhgwaamwbibasb3pwj6jnqsxa1bdp16n6jdajxd";
+  };
+
+  configurePhase = "";
+
+  buildPhase = ''
+    make CC="gcc -I${libseccomp}/include -L${libseccomp}/lib"
+  '';
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp -v limit_syscalls $out/bin
+    cp -v monitor.sh $out/bin/limit_syscalls_monitor.sh
+    substituteInPlace $out/bin/limit_syscalls_monitor.sh \
+      --replace perl ${perl}/bin/perl \
+      --replace which ${which}/bin/which
+  '';
+
+  meta = with stdenv.lib; {
+    description = "Start Linux programs with only selected syscalls enabled";
+    homepage = https://github.com/vi/syscall_limiter;
+    license = licenses.mit;
+    maintainers = with maintainers; [ obadz ];
+    platforms = platforms.linux;
+  };
+}
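Review bot: The `--replace perl ${perl}/bin/perl` and `--replace which ${which}/bin/which` substitutions in installPhase rewrite every occurrence of those substrings in monitor.sh, not only command invocations, so an existing absolute path such as `/usr/bin/perl`, a comment, or any word containing "which" would be turned into a broken store path. monitor.sh is not visible in this commit, so whether that actually happens is unconfirmed, but because the script fronts a seccomp-based syscall filter a silently mangled wrapper is worth ruling out before merging. Anchoring each pattern to the exact invocation text used in the script, or leaving the script untouched and wrapping it with `wrapProgram` so that `perl` and `which` are found on a fixed `PATH`, would avoid the over-matching. Separately, listing the library as `buildInputs = [ libseccomp ];` instead of hand-writing `-I`/`-L` into `CC="gcc ..."` in buildPhase would let the stdenv compiler wrapper supply the include and link flags.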
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 986004c5642..0d18d984eb7 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -885,6 +885,8 @@ let
     pynotify = pythonPackages.notify;
   };
 
+  syscall_limiter = callPackage ../os-specific/linux/syscall_limiter {};
+
   syslogng = callPackage ../tools/system/syslog-ng { };
 
   syslogng_incubator = callPackage ../tools/system/syslog-ng-incubator { };