From 90830b1074cd09b58adde859fb1741a33390412f Mon Sep 17 00:00:00 2001
From: Adam Joseph <adam@westernsemico.com>
Date: Sat, 16 Jul 2022 19:28:13 -0700
Subject: [PATCH] local-derivation-goal.cc: warn if failing due to
 max_user_namespaces==0

This commit uses `warn()` to notify the user if sandbox setup fails
with errno==EPERM and /proc/sys/user/max_user_namespaces is missing or
zero, since that is at least part of the reason why sandbox setup
failed.

Note that `echo -n 0 > /proc/sys/user/max_user_namespaces` or
equivalent at boot time has been the recommended mitigation for
several Linux LPE vulnerabilities over the past few years.  Many users
have applied this mitigation and then forgotten that they have done
so.
---
 src/libstore/build/local-derivation-goal.cc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index 86a59e427..674b2eaa3 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -859,6 +859,8 @@ void LocalDerivationGoal::startBuilder()
                            to true (the default). */
                         if (settings.sandboxFallback)
                             _exit(1);
+                        if (!userNamespacesEnabled && errno==EPERM)
+                            warn("user namespaces appear to be disabled; they are required for sandboxing; check /proc/sys/user/max_user_namespaces");
                         /* Mention sandbox-fallback in the error message so the user
                            knows that having it disabled contributed to the
                            unrecoverability of this failure */