Always attempt setgroups but allow failure to be ignored.
This commit is contained in:
parent
25b20b4ad2
commit
07dabcc90e
3 changed files with 11 additions and 8 deletions
@ -909,9 +909,12 @@ void LocalDerivationGoal::startBuilder()
|
||||||
|
|
||||||
/* Drop additional groups here because we can't do it
|
/* Drop additional groups here because we can't do it
|
||||||
after we've created the new user namespace. */
|
after we've created the new user namespace. */
|
||||||
if (settings.dropSupplementaryGroups)
|
if (setgroups(0, 0) == -1) {
|
||||||
if (setgroups(0, 0) == -1)
|
if (errno != EPERM)
|
||||||
throw SysError("setgroups failed. Set the drop-supplementary-groups option to false to skip this step.");
|
throw SysError("setgroups failed");
|
||||||
|
if (settings.requireDropSupplementaryGroups)
|
||||||
|
throw Error("setgroups failed. Set the require-drop-supplementary-groups option to false to skip this step.");
|
||||||
|
}
|
||||||
|
|
||||||
ProcessOptions options;
|
ProcessOptions options;
|
||||||
options.cloneFlags = CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWIPC | CLONE_NEWUTS | CLONE_PARENT | SIGCHLD;
|
options.cloneFlags = CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWIPC | CLONE_NEWUTS | CLONE_PARENT | SIGCHLD;
|
||||||
|
|
|
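Review bot: When setgroups(0, 0) returns EPERM and require-drop-supplementary-groups is false, the new block falls through after the `if (settings.requireDropSupplementaryGroups)` check without any trace, so the build then runs with the caller's supplementary groups retained and nothing in the log records that the sandbox was weakened. Log a warning on that path before leaving the block, e.g. `warn("setgroups failed (EPERM); continuing with supplementary groups retained because require-drop-supplementary-groups is false");` — this assumes the file's usual non-fatal logging helper is spelled `warn`, so adjust to whatever this file already uses. The retained `if (errno != EPERM) throw SysError("setgroups failed");` is sound as written, since errno is read immediately after the setgroups() call with no intervening call that could clobber it. startBuilder() begins and ends outside this hunk.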
@ -524,7 +524,7 @@ public:
|
||||||
Setting<bool> sandboxFallback{this, true, "sandbox-fallback",
|
Setting<bool> sandboxFallback{this, true, "sandbox-fallback",
|
||||||
"Whether to disable sandboxing when the kernel doesn't allow it."};
|
"Whether to disable sandboxing when the kernel doesn't allow it."};
|
||||||
|
|
||||||
Setting<bool> dropSupplementaryGroups{this, getuid() == 0, "drop-supplementary-groups",
|
Setting<bool> requireDropSupplementaryGroups{this, true, "require-drop-supplementary-groups",
|
||||||
R"(
|
R"(
|
||||||
Whether to drop supplementary groups when building with sandboxing.
|
Whether to drop supplementary groups when building with sandboxing.
|
||||||
This is normally a good idea if we are root and have the capability to
|
This is normally a good idea if we are root and have the capability to
|
||||||
|
|
|
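Review bot: The default on the new `Setting<bool> requireDropSupplementaryGroups{this, true, "require-drop-supplementary-groups",` line is `true`, whereas the setting it replaces defaulted to `getuid() == 0`; because setgroups(0, 0) fails with EPERM for a process that lacks CAP_SETGID, an unprivileged (non-root) sandboxed build would now abort by default unless the user opts out — confirm that widening is intended rather than keeping `getuid() == 0` as the default. Either way the description, which continues past the hunk, should state the new semantics: the option only decides what happens when setgroups() fails with EPERM (any other setgroups() error is always fatal), and with it off the build proceeds with the build process's supplementary groups still in place. A one-line addition such as `If setgroups() fails with EPERM and this is false, the build continues with supplementary groups retained; any other setgroups() failure is always fatal.` would cover it.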
@ -20,14 +20,14 @@ unshare --mount --map-root-user bash <<EOF
|
||||||
setLocalStore store1
|
setLocalStore store1
|
||||||
expectStderr 1 "\${cmd[@]}" | grepQuiet "unable to start build process"
|
expectStderr 1 "\${cmd[@]}" | grepQuiet "unable to start build process"
|
||||||
|
|
||||||
# Fails with `drop-supplementary-groups`
|
# Fails with `require-drop-supplementary-groups`
|
||||||
# TODO better error
|
# TODO better error
|
||||||
setLocalStore store2
|
setLocalStore store2
|
||||||
NIX_CONFIG='drop-supplementary-groups = true' \
|
NIX_CONFIG='require-drop-supplementary-groups = true' \
|
||||||
expectStderr 1 "\${cmd[@]}" | grepQuiet "unable to start build process"
|
expectStderr 1 "\${cmd[@]}" | grepQuiet "unable to start build process"
|
||||||
|
|
||||||
# Works without `drop-supplementary-groups`
|
# Works without `require-drop-supplementary-groups`
|
||||||
setLocalStore store3
|
setLocalStore store3
|
||||||
NIX_CONFIG='drop-supplementary-groups = false' \
|
NIX_CONFIG='require-drop-supplementary-groups = false' \
|
||||||
"\${cmd[@]}"
|
"\${cmd[@]}"
|
||||||
EOF
|
EOF
|
||||||
|
|