From 3da41fdb829c2b2085cf9c9ae268f3bee5d5594f Mon Sep 17 00:00:00 2001 From: Winter Date: Fri, 19 Jul 2024 14:36:10 -0400 Subject: [PATCH] Fix namespace warning being emitted if sandbox is disabled If useChroot = false, and user namespaces aren't available for some reason (e.g. within a Docker container), this fixes a pointless warning being emitted, as we would never attempt to use them even if they were available. Change-Id: Ibcee91c088edd2cd19e70218d5a5802bff8f537b --- src/libstore/build/local-derivation-goal.cc | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc index 5ca8eac95..660512e49 100644 --- a/src/libstore/build/local-derivation-goal.cc +++ b/src/libstore/build/local-derivation-goal.cc @@ -221,12 +221,12 @@ void LocalDerivationGoal::tryLocalBuild() } #if __linux__ - // FIXME: should user namespaces being unsupported also require - // sandbox-fallback to be allowed? I don't think so, since they aren't a - // huge security win to have enabled. - usingUserNamespace = userNamespacesSupported(); - if (useChroot) { + // FIXME: should user namespaces being unsupported also require + // sandbox-fallback to be allowed? I don't think so, since they aren't a + // huge security win to have enabled. + usingUserNamespace = userNamespacesSupported(); + if (!mountAndPidNamespacesSupported()) { if (!settings.sandboxFallback) throw Error("this system does not support the kernel namespaces that are required for sandboxing; use '--no-sandbox' to disable sandboxing. Pass --debug for diagnostics on what is broken.");
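Review bot: With the assignment moved inside `if (useChroot)`, `usingUserNamespace` is no longer written at all when sandboxing is disabled, so it keeps whatever value the member was initialised with (its declaration is not in this hunk). Before this change the non-sandbox path always held the result of `userNamespacesSupported()`, so any reader outside the chroot path would now see a value unrelated to kernel support. It is worth confirming that no such reader influences how the builder's isolation or uid handling is set up. Making the state explicit keeps the warning fix and removes the ambiguity: `usingUserNamespace = useChroot && userNamespacesSupported();` placed before the `if`, where the short-circuit still skips the probe when `useChroot` is false. The body of `tryLocalBuild()` starts and ends outside the hunk.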