lix-project/lix
18
38
Fork 14
Code Issues 288 Code Review (Gerrit) Projects 1 Releases Wiki Activity

Merge "Actually try making a userns before assuming they don't work" into main

Browse source
This commit is contained in:
jade 2024-05-05 03:58:44 +00:00 committed by Gerrit Code Review
parent fb5d6f325b e3b702fa22
commit 47fb494676
1 changed files with 23 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

45
src/libutil/namespaces.cc
View file

@ -8,31 +8,31 @@
namespace nix { namespace nix {
static void diagnoseUserNamespaces()
{
if (!pathExists("/proc/self/ns/user")) {
warn("'/proc/self/ns/user' does not exist; your kernel was likely built without CONFIG_USER_NS=y");
}
Path maxUserNamespaces = "/proc/sys/user/max_user_namespaces";
if (!pathExists(maxUserNamespaces) ||
trim(readFile(maxUserNamespaces)) == "0")
{
warn("user namespaces appear to be disabled; check '/proc/sys/user/max_user_namespaces'");
}
Path procSysKernelUnprivilegedUsernsClone = "/proc/sys/kernel/unprivileged_userns_clone";
if (pathExists(procSysKernelUnprivilegedUsernsClone)
&& trim(readFile(procSysKernelUnprivilegedUsernsClone)) == "0")
{
warn("user namespaces appear to be disabled for unprivileged users; check '/proc/sys/kernel/unprivileged_userns_clone'");
}
}
bool userNamespacesSupported() bool userNamespacesSupported()
{ {
static auto res = [&]() -> bool static auto res = [&]() -> bool
{ {
if (!pathExists("/proc/self/ns/user")) {
debug("'/proc/self/ns/user' does not exist; your kernel was likely built without CONFIG_USER_NS=y");
return false;
}
Path maxUserNamespaces = "/proc/sys/user/max_user_namespaces";
if (!pathExists(maxUserNamespaces) ||
trim(readFile(maxUserNamespaces)) == "0")
{
debug("user namespaces appear to be disabled; check '/proc/sys/user/max_user_namespaces'");
return false;
}
Path procSysKernelUnprivilegedUsernsClone = "/proc/sys/kernel/unprivileged_userns_clone";
if (pathExists(procSysKernelUnprivilegedUsernsClone)
&& trim(readFile(procSysKernelUnprivilegedUsernsClone)) == "0")
{
debug("user namespaces appear to be disabled; check '/proc/sys/kernel/unprivileged_userns_clone'");
return false;
}
try { try {
Pid pid = startProcess([&]() Pid pid = startProcess([&]()
{ {
@ -44,7 +44,8 @@ bool userNamespacesSupported()
auto r = pid.wait(); auto r = pid.wait();
assert(!r); assert(!r);
} catch (SysError & e) { } catch (SysError & e) {
debug("user namespaces do not work on this system: %s", e.msg()); warn("user namespaces do not work on this system: %s", e.msg());
diagnoseUserNamespaces();
return false; return false;
} }