authorYorick van Pelt <yorick@yorickvanpelt.nl>2023-02-14 13:29:30 +0100
committerYorick van Pelt <yorick@yorickvanpelt.nl>2023-02-14 13:55:41 +0100
commit49fd72a903b7bc2fdc4735111ca5569122cf55ee (patch)
tree756cb0de9292c3a54ff58bcfabb256a9227216b0
parentad1f61c39b716f4876d5f4c1dd9e37681631edb3 (diff)
Make /etc writability conditional on uid-range feature
-rw-r--r--src/libstore/build/local-derivation-goal.cc5
-rw-r--r--tests/nixos/containers/systemd-nspawn.nix1
2 files changed, 4 insertions, 2 deletions
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index de023f336..7b125f5d2 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -670,6 +670,8 @@ void LocalDerivationGoal::startBuilder()
nobody account. The latter is kind of a hack to support
Samba-in-QEMU. */
createDirs(chrootRootDir + "/etc");
+ if (parsedDrv->useUidRange())
+ chownToBuilder(chrootRootDir + "/etc");
if (parsedDrv->useUidRange() && (!buildUser || buildUser->getUIDCount() < 65536))
throw Error("feature 'uid-range' requires the setting '%s' to be enabled", settings.autoAllocateUids.name);
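Review bot: The added chownToBuilder call on chrootRootDir + "/etc" runs before the next line validates the uid-range prerequisites (a buildUser with at least 65536 UIDs), so on a host without auto-allocate-uids the chown is attempted — or, if chownToBuilder dereferences buildUser, fails with a less helpful error — before the intended "feature 'uid-range' requires ..." error is raised. Moving the two added lines to just after the throw keeps validation first: `if (parsedDrv->useUidRange() && (!buildUser || buildUser->getUIDCount() < 65536)) throw Error(...);` followed by `if (parsedDrv->useUidRange()) chownToBuilder(chrootRootDir + "/etc");`. The reason a uid-range build needs to own /etc inside the sandbox is also not recorded anywhere in the hunk; a comment such as `/* uid-range builds (e.g. systemd-nspawn containers) expect to write to /etc, so hand it to the builder instead of sealing it below. */` would tie this to the chmod change later in startBuilder. startBuilder's body continues outside the hunk.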
@@ -970,7 +972,8 @@ void LocalDerivationGoal::startBuilder()
sandboxUid(), sandboxGid(), settings.sandboxBuildDir));
/* Make /etc unwritable */
- chmod_(chrootRootDir + "/etc", 0555);
+ if (!parsedDrv->useUidRange())
+ chmod_(chrootRootDir + "/etc", 0555);
/* Save the mount- and user namespace of the child. We have to do this
*before* the child does a chroot. */
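Review bot: The condition guarding the chmod_ of /etc now mirrors a parsedDrv->useUidRange() check on the chownToBuilder call earlier in startBuilder, but nothing documents that the two sites must stay in sync — a future edit to one without the other would either leave /etc writable but not builder-owned, or builder-owned but sealed to 0555 (which the owning UID could simply chmod back, so it would not actually be unwritable). The comment on the chmod should say why the exception exists and point at the paired site, e.g. `/* Make /etc unwritable. Not done for uid-range builds: /etc was chowned to the builder above (see chownToBuilder in this function) so that the build can modify it, and an owner-controlled 0555 would be no protection anyway. */`. startBuilder's body continues outside the hunk.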
diff --git a/tests/nixos/containers/systemd-nspawn.nix b/tests/nixos/containers/systemd-nspawn.nix
index 457af6064..f54f32f2a 100644
--- a/tests/nixos/containers/systemd-nspawn.nix
+++ b/tests/nixos/containers/systemd-nspawn.nix
@@ -56,7 +56,6 @@ runCommand "test"
# Make /run a tmpfs to shut up a systemd warning.
mkdir /run
mount -t tmpfs none /run
- chmod 0700 /run
mount -t cgroup2 none /sys/fs/cgroup