author: Caleb Ristvedt <caleb.ristvedt@cune.org>, 2024-04-21 10:42:20 +0100
committer: Guix Patches Tester <>, 2024-04-21 11:53:08 +0200
commit: 8b75201113a36e7850b1e9e7900fd7127bf8f27c
tree: b1e22fa9fa698d24ed5d35d74993b78d8256a03e
parent: b144a5a795ea785afb5c4c672d58390d3cb0d353
gnu: linux-container: Make it more suitable for derivation-building.
* gnu/build/linux-container.scm (mount-file-systems): First remount all
filesystems in the current mount namespace as private (by mounting / with
MS_PRIVATE and MS_REC), so that the set of mounts cannot increase except from
within the container. Also, the tmpfs mounted over the chroot directory now
inherits the chroot directory's permissions (p11-kit, for example, has a test
that assumes that the root directory is not writable for the current user, and
tmpfs is by default 1777 when created).
* guix/build/syscalls.scm (MS_PRIVATE, MS_REC): new variables.
Signed-off-by: Christopher Baines <mail@cbaines.net>
Change-Id: Ie26e3ac4a12bbf9087180c56ab775a0f75c40100
 gnu/build/linux-container.scm | 9
 guix/build/syscalls.scm       | 3
 2 files changed, 11 insertions, 1 deletion
diff --git a/gnu/build/linux-container.scm b/gnu/build/linux-container.scm index dee6885400..2e4e0d3bf3 100644 --- a/gnu/build/linux-container.scm +++ b/gnu/build/linux-container.scm @@ -99,7 +99,14 @@ for the process." ;; The container's file system is completely ephemeral, sans directories ;; bind-mounted from the host. - (mount "none" root "tmpfs") + ;; Make this private in the container namespace so everything mounted under + ;; it is local to this namespace. + (mount "none" "/" "none" (logior MS_REC MS_PRIVATE)) + (let ((current-perms (stat:perms (stat root)))) + (mount "none" root "tmpfs" 0 (string-append "mode=" + (number->string current-perms + 8)))) + ;; A proc mount requires a new pid namespace. (when mount-/proc? diff --git a/guix/build/syscalls.scm b/guix/build/syscalls.scm index 39bcffd516..92f2bb21fc 100644 --- a/guix/build/syscalls.scm +++ b/guix/build/syscalls.scm @@ -54,6 +54,8 @@ MS_REC MS_SHARED MS_LAZYTIME + MS_PRIVATE + MS_REC MNT_FORCE MNT_DETACH MNT_EXPIRE @@ -551,6 +553,7 @@ the last argument of `mknod'." (define MS_REC 16384) (define MS_SHARED 1048576) (define MS_RELATIME 2097152) +(define MS_PRIVATE 262144) (define MS_STRICTATIME 16777216) (define MS_LAZYTIME 33554432) |
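Review bot: in the linux-container.scm hunk, the tmpfs `mode=` option copies only the permission bits of `root`, not its ownership, so the new tmpfs root is owned by the uid/gid of the process performing the mount; the property the commit message wants (the chroot root not writable for the build user, per the p11-kit example) therefore holds only when the mount is done by a different uid than the one the build later runs as. If ownership should follow the original directory as well, `(stat:uid (stat root))` and `(stat:gid (stat root))` can be passed as `uid=`/`gid=` options next to `mode=`. Separately, `(mount "none" "/" "none" (logior MS_REC MS_PRIVATE))` has the intended effect only if the caller is already inside a freshly created mount namespace; executed in the host's namespace it would switch every host mount to private propagation, so that precondition deserves to be spelled out in the comment above the call. The `(number->string current-perms 8)` conversion is correct, since tmpfs parses `mode=` as octal.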
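Review bot: in the syscalls.scm export-list hunk, the added `+ MS_REC` duplicates the `MS_REC` already present two lines above in the same hunk, and `(define MS_REC 16384)` appears as unchanged context in the following hunk, so only `MS_PRIVATE` is actually new here; drop the second `MS_REC` export line, and the changelog entry "(MS_PRIVATE, MS_REC): new variables" should then read "(MS_PRIVATE): new variable".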
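Review bot: in the final syscalls.scm hunk, the surrounding definitions are in ascending value order (`MS_REC 16384`, `MS_SHARED 1048576`, `MS_RELATIME 2097152`, `MS_STRICTATIME 16777216`), but `(define MS_PRIVATE 262144)` is inserted after `MS_RELATIME`; the value itself is right (262144 is 1<<18, matching the kernel's MS_PRIVATE), so just move the line between `MS_REC` and `MS_SHARED` to keep the ordering.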