Ignore errors unsharing/restoring the mount namespace

This prevents Nix from barfing when run in a container where it
doesn't have the appropriate privileges.
This commit is contained in:
Eelco Dolstra 2021-11-16 14:23:05 +01:00
parent 51ffc19f02
commit 8c93a481af
2 changed files with 15 additions and 7 deletions

View file

@ -1631,6 +1631,7 @@ void setStackSize(size_t stackSize)
}
#endif
}
static AutoCloseFD fdSavedMountNamespace;
void saveMountNamespace()
@ -1638,9 +1639,10 @@ void saveMountNamespace()
#if __linux__
static std::once_flag done;
std::call_once(done, []() {
fdSavedMountNamespace = open("/proc/self/ns/mnt", O_RDONLY);
if (!fdSavedMountNamespace)
AutoCloseFD fd = open("/proc/self/ns/mnt", O_RDONLY);
if (!fd)
throw SysError("saving parent mount namespace");
fdSavedMountNamespace = std::move(fd);
});
#endif
}
@ -1648,8 +1650,12 @@ void saveMountNamespace()
void restoreMountNamespace()
{
#if __linux__
try {
if (fdSavedMountNamespace && setns(fdSavedMountNamespace.get(), CLONE_NEWNS) == -1)
throw SysError("restoring parent mount namespace");
} catch (Error & e) {
debug(e.msg());
}
#endif
}

View file

@ -257,9 +257,11 @@ void mainWrapped(int argc, char * * argv)
#if __linux__
if (getuid() == 0) {
try {
saveMountNamespace();
if (unshare(CLONE_NEWNS) == -1)
throw SysError("setting up a private mount namespace");
} catch (Error & e) { }
}
#endif