From: guix-commits
Subject: 03/07: gnu: linux-container: Make it more suitable for derivation-building.
Date: Fri, 24 Apr 2020 16:15:43 -0400 (EDT)
reepca pushed a commit to branch guile-daemon in repository guix.
commit 73da0e3a2396cabbeafa12b31f37ada05a95e762
Author: Caleb Ristvedt <address@hidden>
AuthorDate: Thu Dec 12 07:04:07 2019 -0600
gnu: linux-container: Make it more suitable for derivation-building.

* gnu/build/linux-container.scm (mount-file-systems): First remount all
filesystems in the current mount namespace as private (by mounting / with
MS_PRIVATE and MS_REC), so that the set of mounts cannot increase except
from within the container. Also, the tmpfs mounted over the chroot directory
now inherits the chroot directory's permissions (p11-kit, for example, has a
test that assumes that the root directory is not writable for the current
user, and tmpfs is by default 1777 when created).
* guix/build/syscalls.scm (MS_PRIVATE, MS_REC): new variables.
---
gnu/build/linux-container.scm | 9 ++++++++-
guix/build/syscalls.scm | 4 ++++
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/gnu/build/linux-container.scm b/gnu/build/linux-container.scm
index 87695c9..adfcc32 100644
--- a/gnu/build/linux-container.scm
+++ b/gnu/build/linux-container.scm
@@ -99,7 +99,14 @@ for the process."
;; The container's file system is completely ephemeral, sans directories
;; bind-mounted from the host.
- (mount "none" root "tmpfs")
+ ;; Make this private in the container namespace so everything mounted under
+ ;; it is local to this namespace.
+ (mount "none" "/" "none" (logior MS_REC MS_PRIVATE))
+ (let ((current-perms (stat:perms (stat root))))
+ (mount "none" root "tmpfs" 0 (string-append "mode="
+ (number->string current-perms
+ 8))))
+
;; A proc mount requires a new pid namespace.
(when mount-/proc?
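Review bot: the `(mount "none" "/" "none" (logior MS_REC MS_PRIVATE))` call changes propagation for whichever mount namespace the calling process is in, and nothing in this hunk checks that a fresh one has already been entered; the comment "Make this private in the container namespace" should state that precondition explicitly (mount-file-systems must run only after the CLONE_NEWNS unshare), because executed in the host namespace it would detach every host mount from its peer group. On the tmpfs line, `mode=` expects an octal string, so `(number->string current-perms 8)` is correct, but `stat:perms` also carries the setuid/setgid/sticky bits of the chroot directory and tmpfs will honour them; a one-line comment noting that the full permission bits, not just rwx, are copied would help readers.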
diff --git a/guix/build/syscalls.scm b/guix/build/syscalls.scm
index 0938ec0..b9d1938 100644
--- a/guix/build/syscalls.scm
+++ b/guix/build/syscalls.scm
@@ -45,6 +45,8 @@
MS_MOVE
MS_STRICTATIME
MS_LAZYTIME
+ MS_PRIVATE
+ MS_REC
MNT_FORCE
MNT_DETACH
MNT_EXPIRE
@@ -452,6 +454,8 @@ the returned procedure is called."
(define MS_NOATIME 1024)
(define MS_BIND 4096)
(define MS_MOVE 8192)
+(define MS_REC 16384)
+(define MS_PRIVATE 262144)
(define MS_STRICTATIME 16777216)
(define MS_LAZYTIME 33554432)
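Review bot: the two values match the kernel's definitions (MS_REC = 0x4000, MS_PRIVATE = 0x40000), but MS_PRIVATE belongs to the propagation-type family (with MS_SHARED, MS_SLAVE and MS_UNBINDABLE) that mount(2) treats as a separate operation: only MS_REC may be combined with it, and the source, fstype and data arguments are ignored. A short comment next to these defines saying so would keep a later caller from combining MS_PRIVATE with MS_BIND or a filesystem type and expecting both to take effect.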