On macOS with auto-uid-allocation and sandboxing, use the correct gid

macOS doesn't have user namespacing, so the gid of the builder needs
to be nixbld. The logic got "has sandboxing enabled" confused with
"has user namespaces".

Fixes #7529.
This commit is contained in:
Eelco Dolstra 2023-01-05 04:58:55 -08:00
parent d644b45615
commit 4e84b532ed
2 changed files with 9 additions and 5 deletions

View file

@ -123,8 +123,12 @@ struct AutoUserLock : UserLock
std::vector<gid_t> getSupplementaryGIDs() override { return {}; } std::vector<gid_t> getSupplementaryGIDs() override { return {}; }
static std::unique_ptr<UserLock> acquire(uid_t nrIds, bool useChroot) static std::unique_ptr<UserLock> acquire(uid_t nrIds, bool useUserNamespace)
{ {
#if !defined(__linux__)
useUserNamespace = false;
#endif
settings.requireExperimentalFeature(Xp::AutoAllocateUids); settings.requireExperimentalFeature(Xp::AutoAllocateUids);
assert(settings.startId > 0); assert(settings.startId > 0);
assert(settings.uidCount % maxIdsPerBuild == 0); assert(settings.uidCount % maxIdsPerBuild == 0);
@ -157,7 +161,7 @@ struct AutoUserLock : UserLock
auto lock = std::make_unique<AutoUserLock>(); auto lock = std::make_unique<AutoUserLock>();
lock->fdUserLock = std::move(fd); lock->fdUserLock = std::move(fd);
lock->firstUid = firstUid; lock->firstUid = firstUid;
if (useChroot) if (useUserNamespace)
lock->firstGid = firstUid; lock->firstGid = firstUid;
else { else {
struct group * gr = getgrnam(settings.buildUsersGroup.get().c_str()); struct group * gr = getgrnam(settings.buildUsersGroup.get().c_str());
@ -174,10 +178,10 @@ struct AutoUserLock : UserLock
} }
}; };
std::unique_ptr<UserLock> acquireUserLock(uid_t nrIds, bool useChroot) std::unique_ptr<UserLock> acquireUserLock(uid_t nrIds, bool useUserNamespace)
{ {
if (settings.autoAllocateUids) if (settings.autoAllocateUids)
return AutoUserLock::acquire(nrIds, useChroot); return AutoUserLock::acquire(nrIds, useUserNamespace);
else else
return SimpleUserLock::acquire(); return SimpleUserLock::acquire();
} }

View file

@ -31,7 +31,7 @@ struct UserLock
/* Acquire a user lock for a UID range of size `nrIds`. Note that this /* Acquire a user lock for a UID range of size `nrIds`. Note that this
may return nullptr if no user is available. */ may return nullptr if no user is available. */
std::unique_ptr<UserLock> acquireUserLock(uid_t nrIds, bool useChroot); std::unique_ptr<UserLock> acquireUserLock(uid_t nrIds, bool useUserNamespace);
bool useBuildUsers(); bool useBuildUsers();