authorShea Levy <shea@shealevy.com>2018-03-25 17:52:20 -0400
committerShea Levy <shea@shealevy.com>2018-03-27 08:16:24 -0400
commit26e8d58cb545004acb7cbd00db81a402923a2445 (patch)
treeaee8756eb01ad3b51a90b6027abc1736ae0eaa3b
parentcdf9a78a3ebb535fa6ba88fce88c655776d2474f (diff)
libseccomp: Disable only on RISC-V if Linux.
The isSeccomputable flag treated Linux without seccomp as just a
normal variant, when it really should be treated as a special case
incurring complexity debt to support.
-rw-r--r--lib/systems/inspect.nix2
-rw-r--r--pkgs/development/libraries/libseccomp/default.nix1
-rw-r--r--pkgs/os-specific/linux/systemd/default.nix6
-rw-r--r--pkgs/tools/package-management/nix/default.nix4
-rw-r--r--pkgs/top-level/all-packages.nix4
5 files changed, 8 insertions, 9 deletions
diff --git a/lib/systems/inspect.nix b/lib/systems/inspect.nix
index 2f0c402f3981..d7fabf684b72 100644
--- a/lib/systems/inspect.nix
+++ b/lib/systems/inspect.nix
@@ -41,8 +41,6 @@ rec {
 
     isEfi          = map (family: { cpu.family = family; })
                        [ "x86" "arm" "aarch64" ];
-    isSeccomputable = map (family: { kernel = kernels.linux; cpu.family = family; })
-                        [ "x86" "arm" "aarch64" "mips" ];
   };
 
   matchAnyAttrs = patterns:
diff --git a/pkgs/development/libraries/libseccomp/default.nix b/pkgs/development/libraries/libseccomp/default.nix
index d953fd12e68b..e0c77a0cf357 100644
--- a/pkgs/development/libraries/libseccomp/default.nix
+++ b/pkgs/development/libraries/libseccomp/default.nix
@@ -25,6 +25,7 @@ stdenv.mkDerivation rec {
     homepage    = "https://github.com/seccomp/libseccomp";
     license     = licenses.lgpl21;
     platforms   = platforms.linux;
+    badPlatforms = platforms.riscv;
     maintainers = with maintainers; [ thoughtpolice wkennington ];
   };
 }
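Review bot: `badPlatforms = platforms.riscv;` has no comment saying why RISC-V is excluded or when the line can be removed; the only rationale in this commit is the upstream link in nix/default.nix. I would put `# No RISC-V support yet: https://github.com/seccomp/libseccomp/pull/50` directly above it. Because the all-packages.nix hunk no longer returns null, this attribute is now what keeps libseccomp out of RISC-V builds. Any consumer not touched here that lists `libseccomp` directly or tests `libseccomp != null` would presumably need `lib.meta.enableIfAvailable libseccomp` as well.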
diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix
index 763c28464ab3..7b3590e5c195 100644
--- a/pkgs/os-specific/linux/systemd/default.nix
+++ b/pkgs/os-specific/linux/systemd/default.nix
@@ -41,8 +41,10 @@ in stdenv.mkDerivation rec {
   buildInputs =
     [ linuxHeaders libcap kmod xz pam acl
       /* cryptsetup */ libuuid glib libgcrypt libgpgerror libidn2
-      libmicrohttpd ] ++ stdenv.lib.meta.enableIfAvailable kexectools ++
-    [ libseccomp libffi audit lz4 bzip2 libapparmor
+      libmicrohttpd ] ++
+      stdenv.lib.meta.enableIfAvailable kexectools ++
+      stdenv.lib.meta.enableIfAvailable libseccomp ++
+    [ libffi audit lz4 bzip2 libapparmor
       iptables gnu-efi
       # This is actually native, but we already pull it from buildPackages
       pythonLxmlEnv
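Review bot: Dropping the library from `buildInputs` through `stdenv.lib.meta.enableIfAvailable libseccomp` leaves systemd's configure step to notice the absence on its own, and nothing in this hunk states what was intended. If the seccomp option is left on auto-detection, a platform without libseccomp yields a systemd with no syscall filtering and no build-time signal, so unit hardening that relies on it would presumably not be enforced. I would set that option explicitly from `libseccomp.meta.available`, as the nix expression does with `--disable-seccomp-sandboxing`. I would also add a comment such as `# seccomp-based unit hardening is unavailable where libseccomp is not`. The derivation's configure flags are outside the hunk, so this is to be checked against them.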
diff --git a/pkgs/tools/package-management/nix/default.nix b/pkgs/tools/package-management/nix/default.nix
index 5140ddd0283d..677c3896fc12 100644
--- a/pkgs/tools/package-management/nix/default.nix
+++ b/pkgs/tools/package-management/nix/default.nix
@@ -30,7 +30,7 @@ let
     buildInputs = [ curl openssl sqlite xz bzip2 ]
       ++ lib.optional (stdenv.isLinux || stdenv.isDarwin) libsodium
       ++ lib.optionals is20 [ brotli ] # Since 1.12
-      ++ lib.optional (hostPlatform.isSeccomputable) libseccomp
+      ++ lib.meta.enableIfAvailable libseccomp
       ++ lib.optional ((stdenv.isLinux || stdenv.isDarwin) && is20)
           (aws-sdk-cpp.override {
             apis = ["s3"];
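Review bot: The seccomp decision is now written two ways, `lib.meta.enableIfAvailable libseccomp` here and `!libseccomp.meta.available` on the configure flag in the next hunk, and both key on package availability rather than on the platform. `meta.available` is computed outside this page; if it can be false for reasons other than an unsupported platform, Nix would be built with `--disable-seccomp-sandboxing` and lose the build sandbox's syscall filter without notice. I would add `# builds run without a seccomp filter when libseccomp is unavailable` above the flag line. I would also derive both lines from one binding so they cannot drift apart. The enclosing `let` starts and ends outside both hunks.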
@@ -60,7 +60,7 @@ let
           hostPlatform != buildPlatform && hostPlatform ? nix && hostPlatform.nix ? system
       ) ''--with-system=${hostPlatform.nix.system}''
          # RISC-V support in progress https://github.com/seccomp/libseccomp/pull/50
-      ++ lib.optional (!hostPlatform.isSeccomputable) "--disable-seccomp-sandboxing";
+      ++ lib.optional (!libseccomp.meta.available) "--disable-seccomp-sandboxing";
 
     makeFlags = "profiledir=$(out)/etc/profile.d";
 
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 8d2a17a79daa..7c61381281d0 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -9792,9 +9792,7 @@ with pkgs;
 
   libgroove = callPackage ../development/libraries/libgroove { };
 
-  libseccomp =  if hostPlatform.isSeccomputable
-                  then callPackage ../development/libraries/libseccomp { }
-                else null;
+  libseccomp = callPackage ../development/libraries/libseccomp { };
 
   libsecret = callPackage ../development/libraries/libsecret { };