authorEelco Dolstra <edolstra@gmail.com>2020-05-20 11:57:33 +0200
committerEelco Dolstra <edolstra@gmail.com>2020-07-06 13:50:33 +0200
commit7349f257da8278af9aae35544b15c9a204e2a57b (patch)
tree6aeacbe953a3201ab489396f0bab9403e181aa21
parent8c4cce553c16438f0ccbbaea6d77f2bd64306dfe (diff)
Only mount /sys in uid-range builds
Maybe this should be a separate system feature... /sys exposes a lot of impure info about the host system.
-rw-r--r--src/libstore/build.cc11
-rw-r--r--src/libstore/user-lock.cc2
2 files changed, 7 insertions, 6 deletions
diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index 6c3f94a76..e927a65f0 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -3173,11 +3173,12 @@ void DerivationGoal::runChild()
if (mount("none", (chrootRootDir + "/proc").c_str(), "proc", 0, 0) == -1)
throw SysError("mounting /proc");
- /* Mount sysfs on /sys. FIXME: only in user namespace
- builds. */
- createDirs(chrootRootDir + "/sys");
- if (mount("none", (chrootRootDir + "/sys").c_str(), "sysfs", 0, 0) == -1)
- throw SysError("mounting /sys");
+ /* Mount sysfs on /sys. */
+ if (useUidRange) {
+ createDirs(chrootRootDir + "/sys");
+ if (mount("none", (chrootRootDir + "/sys").c_str(), "sysfs", 0, 0) == -1)
+ throw SysError("mounting /sys");
+ }
/* Mount a new tmpfs on /dev/shm to ensure that whatever
the builder puts in /dev/shm is cleaned up automatically. */
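Review bot: The rewritten comment on the `/* Mount sysfs on /sys. */` line drops the rationale that the commit message gives, so the next reader will not know why the mount is gated on `useUidRange`; suggest `/* Mount sysfs on /sys only in uid-range builds: /sys exposes a lot of impure information about the host system. */`. The gated `mount("none", ..., "sysfs", 0, 0)` call also passes no mount flags, so when the mount does happen it is not marked read-only or nosuid/nodev/noexec; `MS_RDONLY | MS_NOSUID | MS_NODEV | MS_NOEXEC` as the flags argument would make the read-only intent explicit even if the kernel already gates most sysfs writes, unless the sandbox root is remounted read-only later in this function, which is not visible in the hunk. `useUidRange` and the rest of `DerivationGoal::runChild` lie outside the hunk.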
diff --git a/src/libstore/user-lock.cc b/src/libstore/user-lock.cc
index 2254386da..fb2a45f48 100644
--- a/src/libstore/user-lock.cc
+++ b/src/libstore/user-lock.cc
@@ -122,7 +122,7 @@ struct CgroupUserLock : UserLock
return uid;
}
- std::vector<gid_t> getSupplementaryGIDs() override { return {}; } // FIXME
+ std::vector<gid_t> getSupplementaryGIDs() override { return {}; }
static std::unique_ptr<UserLock> acquire()
{