local-derivation-goal.cc: warn if failing due to max_user_namespaces==0

This commit uses `warn()` to notify the user if sandbox setup fails with errno==EPERM and /proc/sys/user/max_user_namespaces is missing or zero, since that is at least part of the reason why sandbox setup failed. Note that `echo -n 0 > /proc/sys/user/max_user_namespaces` or equivalent at boot time has been the recommended mitigation for several Linux LPE vulnerabilities over the past few years. Many users have applied this mitigation and then forgotten that they have done so.
2022-07-16 19:28:13 -07:00 · 2022-07-16 19:28:13 -07:00 · 90830b1074
parent 8ea3a911aa
commit 90830b1074
1 changed files with 2 additions and 0 deletions
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@ -859,6 +859,8 @@ void LocalDerivationGoal::startBuilder()
                           to true (the default). */
                        if (settings.sandboxFallback)
                            _exit(1);
+                        if (!userNamespacesEnabled && errno==EPERM)
+                            warn("user namespaces appear to be disabled; they are required for sandboxing; check /proc/sys/user/max_user_namespaces");
                        /* Mention sandbox-fallback in the error message so the user
                           knows that having it disabled contributed to the
                           unrecoverability of this failure */