forked from lix-project/lix
Merge remote-tracking branch 'upstream/master' into typed-goal-maps
commit
0fefc2a439
1 changed files with 8 additions and 6 deletions
|
@ -1420,12 +1420,6 @@ void DerivationGoal::startBuilder()
|
||||||
Samba-in-QEMU. */
|
Samba-in-QEMU. */
|
||||||
createDirs(chrootRootDir + "/etc");
|
createDirs(chrootRootDir + "/etc");
|
||||||
|
|
||||||
writeFile(chrootRootDir + "/etc/passwd", fmt(
|
|
||||||
"root:x:0:0:Nix build user:%3%:/noshell\n"
|
|
||||||
"nixbld:x:%1%:%2%:Nix build user:%3%:/noshell\n"
|
|
||||||
"nobody:x:65534:65534:Nobody:/:/noshell\n",
|
|
||||||
sandboxUid(), sandboxGid(), settings.sandboxBuildDir));
|
|
||||||
|
|
||||||
/* Declare the build user's group so that programs get a consistent
|
/* Declare the build user's group so that programs get a consistent
|
||||||
view of the system (e.g., "id -gn"). */
|
view of the system (e.g., "id -gn"). */
|
||||||
writeFile(chrootRootDir + "/etc/group",
|
writeFile(chrootRootDir + "/etc/group",
|
||||||
|
@ -1730,6 +1724,14 @@ void DerivationGoal::startBuilder()
|
||||||
throw Error("cannot perform a sandboxed build because user namespaces are not enabled; check /proc/sys/user/max_user_namespaces");
|
throw Error("cannot perform a sandboxed build because user namespaces are not enabled; check /proc/sys/user/max_user_namespaces");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Now that we now the sandbox uid, we can write
|
||||||
|
/etc/passwd. */
|
||||||
|
writeFile(chrootRootDir + "/etc/passwd", fmt(
|
||||||
|
"root:x:0:0:Nix build user:%3%:/noshell\n"
|
||||||
|
"nixbld:x:%1%:%2%:Nix build user:%3%:/noshell\n"
|
||||||
|
"nobody:x:65534:65534:Nobody:/:/noshell\n",
|
||||||
|
sandboxUid(), sandboxGid(), settings.sandboxBuildDir));
|
||||||
|
|
||||||
/* Save the mount namespace of the child. We have to do this
|
/* Save the mount namespace of the child. We have to do this
|
||||||
*before* the child does a chroot. */
|
*before* the child does a chroot. */
|
||||||
sandboxMountNamespace = open(fmt("/proc/%d/ns/mnt", (pid_t) pid).c_str(), O_RDONLY);
|
sandboxMountNamespace = open(fmt("/proc/%d/ns/mnt", (pid_t) pid).c_str(), O_RDONLY);
|
||||||
|
|
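Review bot: The relocated `writeFile(chrootRootDir + "/etc/passwd", ...)` in the second hunk now runs after the child process exists (the lines that follow open `/proc/<pid>/ns/mnt` for it), so the sandbox only sees the intended passwd entries if the child is still held back at this point. That ordering is not visible in the hunk and the new comment does not state it. The comment also has a typo ("we now" for "we know"). I would write it as `/* Now that we know the sandbox uid, we can write /etc/passwd. This must happen before the child is released to chroot and run the builder. */`. startBuilder's body starts and ends outside both hunks, so the hand-off to the child should be confirmed against the full function.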