Only mount /sys in uid-range builds

Maybe this should be a separate system feature... /sys exposes a lot
of impure info about the host system.
This commit is contained in:
Eelco Dolstra 2020-05-20 11:57:33 +02:00
parent 8c4cce553c
commit 7349f257da
2 changed files with 7 additions and 6 deletions

View file

@ -3173,11 +3173,12 @@ void DerivationGoal::runChild()
if (mount("none", (chrootRootDir + "/proc").c_str(), "proc", 0, 0) == -1)
throw SysError("mounting /proc");
/* Mount sysfs on /sys. FIXME: only in user namespace
builds. */
createDirs(chrootRootDir + "/sys");
if (mount("none", (chrootRootDir + "/sys").c_str(), "sysfs", 0, 0) == -1)
throw SysError("mounting /sys");
/* Mount sysfs on /sys. */
if (useUidRange) {
createDirs(chrootRootDir + "/sys");
if (mount("none", (chrootRootDir + "/sys").c_str(), "sysfs", 0, 0) == -1)
throw SysError("mounting /sys");
}
/* Mount a new tmpfs on /dev/shm to ensure that whatever
the builder puts in /dev/shm is cleaned up automatically. */

View file

@ -122,7 +122,7 @@ struct CgroupUserLock : UserLock
return uid;
}
std::vector<gid_t> getSupplementaryGIDs() override { return {}; } // FIXME
std::vector<gid_t> getSupplementaryGIDs() override { return {}; }
static std::unique_ptr<UserLock> acquire()
{