diff options
author | Adam Joseph <adam@westernsemico.com> | 2022-07-16 19:37:27 -0700 |
---|---|---|
committer | Adam Joseph <adam@westernsemico.com> | 2022-07-16 19:37:27 -0700 |
commit | 8d35f387dcfa61c59f898de88ef45f3f97817267 (patch) | |
tree | a9434a37fd0133bbdf93c4fe3b169a6678aba09d | |
parent | 90830b1074cd09b58adde859fb1741a33390412f (diff) |
local-derivation-goal.cc: warn if failing and /proc/self/ns/user missing
This commit causes nix to `warn()` if sandbox setup has failed and
`/proc/self/ns/user` does not exist. This is usually a sign that the
kernel was compiled without `CONFIG_USER_NS=y`, which is required for
sandboxing.
-rw-r--r-- | src/libstore/build/local-derivation-goal.cc | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc index 674b2eaa3..3aa85e264 100644 --- a/src/libstore/build/local-derivation-goal.cc +++ b/src/libstore/build/local-derivation-goal.cc @@ -861,6 +861,9 @@ void LocalDerivationGoal::startBuilder() _exit(1); if (!userNamespacesEnabled && errno==EPERM) warn("user namespaces appear to be disabled; they are required for sandboxing; check /proc/sys/user/max_user_namespaces"); + Path procSelfNsUser = "/proc/self/ns/user"; + if (!pathExists(procSelfNsUser)) + warn("/proc/self/ns/user does not exist; your kernel was likely built without CONFIG_USER_NS=y, which is required for sandboxing"); /* Mention sandbox-fallback in the error message so the user knows that having it disabled contributed to the unrecoverability of this failure */ |