author | Eelco Dolstra <edolstra@gmail.com> | 2023-02-10 20:41:13 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-02-10 20:41:13 +0100 |
commit | 67451d8ed797d1bd5fb69f6218ea686761ad13b0 (patch) | |
tree | b7d7fc553066c29ae6009445c089f620b36352ad /src/libstore | |
parent | 9ebbe35817a7f7becf77d9f0cd76c54d693f6f28 (diff) | |
parent | a21405a4e8a5ca4bfbe8df8de2f76d69c4608a9f (diff) |
Merge pull request #7802 from edolstra/fix-7783
Fix PID namespace support check
Diffstat (limited to 'src/libstore')
-rw-r--r-- | src/libstore/build/local-derivation-goal.cc | 24 |
1 files changed, 6 insertions, 18 deletions
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index e1cc504f8..7c4892c96 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -209,7 +209,7 @@ void LocalDerivationGoal::tryLocalBuild()
 #if __linux__
 if (useChroot) {
- if (!mountNamespacesSupported() || !pidNamespacesSupported()) {
+ if (!mountAndPidNamespacesSupported()) {
 if (!settings.sandboxFallback) throw Error("this system does not support the kernel namespaces that are required for sandboxing; use '--no-sandbox' to disable sandboxing"); debug("auto-disabling sandboxing because the prerequisite namespaces are not available");
@@ -385,12 +385,6 @@ void LocalDerivationGoal::cleanupPostOutputsRegisteredModeNonCheck()
 }
-int childEntry(void * arg)
-{
- ((LocalDerivationGoal *) arg)->runChild();
- return 1;
-}
-
 #if __linux__
 static void linkOrCopy(const Path & from, const Path & to) {
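Review bot: The fallback branch directly below the changed condition in `tryLocalBuild()` reports the loss of the sandbox only through `debug(...)`, so at default verbosity an operator cannot tell that builds on the host run unsandboxed. Because this commit changes how the namespace probe is evaluated, a host may start or stop taking that branch after an upgrade; consider `warn("auto-disabling sandboxing because the prerequisite namespaces are not available");` there instead. The definition of `mountAndPidNamespacesSupported()` is not in this diff (it is limited to src/libstore), so a one-line comment at the call saying that mount and PID namespaces are probed together would help readers of this file. The function body continues outside the hunk.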
@@ -916,21 +910,15 @@ void LocalDerivationGoal::startBuilder()
 if (getuid() == 0 && setgroups(0, 0) == -1) throw SysError("setgroups failed");
- size_t stackSize = 1 * 1024 * 1024;
- char * stack = (char *) mmap(0, stackSize,
- PROT_WRITE | PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK, -1, 0);
- if (stack == MAP_FAILED) throw SysError("allocating stack");
-
- int flags = CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWIPC | CLONE_NEWUTS | CLONE_PARENT | SIGCHLD;
+ ProcessOptions options;
+ options.cloneFlags = CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWIPC | CLONE_NEWUTS | CLONE_PARENT | SIGCHLD;
 if (privateNetwork)
- flags |= CLONE_NEWNET;
+ options.cloneFlags |= CLONE_NEWNET;
 if (usingUserNamespace)
- flags |= CLONE_NEWUSER;
+ options.cloneFlags |= CLONE_NEWUSER;
- pid_t child = clone(childEntry, stack + stackSize, flags, this);
+ pid_t child = startProcess([&]() { runChild(); }, options);
- if (child == -1)
- throw SysError("creating sandboxed builder process using clone()");
 writeFull(builderOut.writeSide.get(), fmt("%d %d\n", usingUserNamespace, child)); _exit(0); |
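Review bot: Dropping the `if (child == -1) throw SysError(...)` check in `startBuilder()` is only safe if `startProcess()` itself throws when the clone fails; its definition is outside this diff, and if it can return -1 the following `writeFull(...)` would report `-1` to the parent as the builder's pid. Please confirm that and record it at the call site, e.g. `// startProcess() throws on failure, so child is a valid pid here`. The remaining `ProcessOptions` fields keep their defaults, which now apply to the sandboxed builder where the removed `childEntry` wrapper only called `runChild()`; a comment naming the defaults this call relies on would make that reviewable. `SIGCHLD` is also OR-ed into `cloneFlags`, so the field carries the child's exit signal as well as the namespace flags, which deserves a short note. The enclosing function starts and ends outside the hunk.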