nix-super/src/libutil/namespaces.cc

#if __linux__

#include "namespaces.hh"
#include "util.hh"
#include "finally.hh"

#include <sys/mount.h>

namespace nix {

bool userNamespacesSupported()
{
    static auto res = [&]() -> bool
    {
        if (!pathExists("/proc/self/ns/user")) {
            debug("'/proc/self/ns/user' does not exist; your kernel was likely built without CONFIG_USER_NS=y");
            return false;
        }

        Path maxUserNamespaces = "/proc/sys/user/max_user_namespaces";
        if (!pathExists(maxUserNamespaces) ||
            trim(readFile(maxUserNamespaces)) == "0")
        {
            debug("user namespaces appear to be disabled; check '/proc/sys/user/max_user_namespaces'");
            return false;
        }

        Path procSysKernelUnprivilegedUsernsClone = "/proc/sys/kernel/unprivileged_userns_clone";
        if (pathExists(procSysKernelUnprivilegedUsernsClone)
            && trim(readFile(procSysKernelUnprivilegedUsernsClone)) == "0")
        {
            debug("user namespaces appear to be disabled; check '/proc/sys/kernel/unprivileged_userns_clone'");
            return false;
        }

        try {
            Pid pid = startProcess([&]()
            {
                _exit(0);
            }, {
                .cloneFlags = CLONE_NEWUSER
            });

            auto r = pid.wait();
            assert(!r);
        } catch (SysError & e) {
            debug("user namespaces do not work on this system: %s", e.msg());
            return false;
        }

        return true;
    }();
    return res;
}

bool mountAndPidNamespacesSupported()
{
    static auto res = [&]() -> bool
    {
        try {

            Pid pid = startProcess([&]()
            {
                /* Make sure we don't remount the parent's /proc. */
                if (mount(0, "/", 0, MS_PRIVATE | MS_REC, 0) == -1)
                    _exit(1);

                /* Test whether we can remount /proc. The kernel disallows
                   this if /proc is not fully visible, i.e. if there are
                   filesystems mounted on top of files inside /proc.  See
                   https://lore.kernel.org/lkml/87tvsrjai0.fsf@xmission.com/T/. */
                if (mount("none", "/proc", "proc", 0, 0) == -1)
                    _exit(2);

                _exit(0);
            }, {
                .cloneFlags = CLONE_NEWNS | CLONE_NEWPID | (userNamespacesSupported() ? CLONE_NEWUSER : 0)
            });

            if (pid.wait()) {
                debug("PID namespaces do not work on this system: cannot remount /proc");
                return false;
            }

        } catch (SysError & e) {
            debug("mount namespaces do not work on this system: %s", e.msg());
            return false;
        }

        return true;
    }();
    return res;
}

}

#endif
Fix macOS build 2023-01-27 17:52:01 +02:00			`#if __linux__`

Fix auto-uid-allocation in Docker containers This didn't work because sandboxing doesn't work in Docker. However, the sandboxing check is done lazily - after clone(CLONE_NEWNS) fails, we retry with sandboxing disabled. But at that point, we've already done UID allocation under the assumption that user namespaces are enabled. So let's get rid of the "goto fallback" logic and just detect early whether user / mount namespaces are enabled. This commit also gets rid of a compatibility hack for some ancient Linux kernels (<2.13). 2023-01-25 18:31:27 +02:00			`#include "namespaces.hh"`
			`#include "util.hh"`
Check whether we can use PID namespaces In unprivileged podman containers, /proc is not fully visible (there are other filesystems mounted on subdirectories of /proc). Therefore we can't mount a new /proc in the sandbox that matches the PID namespace of the sandbox. So this commit automatically disables sandboxing if /proc is not fully visible. 2023-01-27 16:25:56 +02:00			`#include "finally.hh"`

Simplify the PID namespace check: just try to mount /proc Fixes #7783. 2023-02-10 15:38:14 +02:00			`#include <sys/mount.h>`
Fix auto-uid-allocation in Docker containers This didn't work because sandboxing doesn't work in Docker. However, the sandboxing check is done lazily - after clone(CLONE_NEWNS) fails, we retry with sandboxing disabled. But at that point, we've already done UID allocation under the assumption that user namespaces are enabled. So let's get rid of the "goto fallback" logic and just detect early whether user / mount namespaces are enabled. This commit also gets rid of a compatibility hack for some ancient Linux kernels (<2.13). 2023-01-25 18:31:27 +02:00
			`namespace nix {`

			`bool userNamespacesSupported()`
			`{`
Check whether we can use PID namespaces In unprivileged podman containers, /proc is not fully visible (there are other filesystems mounted on subdirectories of /proc). Therefore we can't mount a new /proc in the sandbox that matches the PID namespace of the sandbox. So this commit automatically disables sandboxing if /proc is not fully visible. 2023-01-27 16:25:56 +02:00			`static auto res = [&]() -> bool`
Fix auto-uid-allocation in Docker containers This didn't work because sandboxing doesn't work in Docker. However, the sandboxing check is done lazily - after clone(CLONE_NEWNS) fails, we retry with sandboxing disabled. But at that point, we've already done UID allocation under the assumption that user namespaces are enabled. So let's get rid of the "goto fallback" logic and just detect early whether user / mount namespaces are enabled. This commit also gets rid of a compatibility hack for some ancient Linux kernels (<2.13). 2023-01-25 18:31:27 +02:00			`{`
			`if (!pathExists("/proc/self/ns/user")) {`
Check whether we can use PID namespaces In unprivileged podman containers, /proc is not fully visible (there are other filesystems mounted on subdirectories of /proc). Therefore we can't mount a new /proc in the sandbox that matches the PID namespace of the sandbox. So this commit automatically disables sandboxing if /proc is not fully visible. 2023-01-27 16:25:56 +02:00			`debug("'/proc/self/ns/user' does not exist; your kernel was likely built without CONFIG_USER_NS=y");`
Fix auto-uid-allocation in Docker containers This didn't work because sandboxing doesn't work in Docker. However, the sandboxing check is done lazily - after clone(CLONE_NEWNS) fails, we retry with sandboxing disabled. But at that point, we've already done UID allocation under the assumption that user namespaces are enabled. So let's get rid of the "goto fallback" logic and just detect early whether user / mount namespaces are enabled. This commit also gets rid of a compatibility hack for some ancient Linux kernels (<2.13). 2023-01-25 18:31:27 +02:00			`return false;`
			`}`

			`Path maxUserNamespaces = "/proc/sys/user/max_user_namespaces";`
			`if (!pathExists(maxUserNamespaces) \|\|`
			`trim(readFile(maxUserNamespaces)) == "0")`
			`{`
Check whether we can use PID namespaces In unprivileged podman containers, /proc is not fully visible (there are other filesystems mounted on subdirectories of /proc). Therefore we can't mount a new /proc in the sandbox that matches the PID namespace of the sandbox. So this commit automatically disables sandboxing if /proc is not fully visible. 2023-01-27 16:25:56 +02:00			`debug("user namespaces appear to be disabled; check '/proc/sys/user/max_user_namespaces'");`
Fix auto-uid-allocation in Docker containers This didn't work because sandboxing doesn't work in Docker. However, the sandboxing check is done lazily - after clone(CLONE_NEWNS) fails, we retry with sandboxing disabled. But at that point, we've already done UID allocation under the assumption that user namespaces are enabled. So let's get rid of the "goto fallback" logic and just detect early whether user / mount namespaces are enabled. This commit also gets rid of a compatibility hack for some ancient Linux kernels (<2.13). 2023-01-25 18:31:27 +02:00			`return false;`
			`}`

			`Path procSysKernelUnprivilegedUsernsClone = "/proc/sys/kernel/unprivileged_userns_clone";`
			`if (pathExists(procSysKernelUnprivilegedUsernsClone)`
			`&& trim(readFile(procSysKernelUnprivilegedUsernsClone)) == "0")`
			`{`
Check whether we can use PID namespaces In unprivileged podman containers, /proc is not fully visible (there are other filesystems mounted on subdirectories of /proc). Therefore we can't mount a new /proc in the sandbox that matches the PID namespace of the sandbox. So this commit automatically disables sandboxing if /proc is not fully visible. 2023-01-27 16:25:56 +02:00			`debug("user namespaces appear to be disabled; check '/proc/sys/kernel/unprivileged_userns_clone'");`
Fix auto-uid-allocation in Docker containers This didn't work because sandboxing doesn't work in Docker. However, the sandboxing check is done lazily - after clone(CLONE_NEWNS) fails, we retry with sandboxing disabled. But at that point, we've already done UID allocation under the assumption that user namespaces are enabled. So let's get rid of the "goto fallback" logic and just detect early whether user / mount namespaces are enabled. This commit also gets rid of a compatibility hack for some ancient Linux kernels (<2.13). 2023-01-25 18:31:27 +02:00			`return false;`
			`}`

Simplify the PID namespace check: just try to mount /proc Fixes #7783. 2023-02-10 15:38:14 +02:00			`try {`
			`Pid pid = startProcess([&]()`
			`{`
			`_exit(0);`
			`}, {`
			`.cloneFlags = CLONE_NEWUSER`
			`});`

			`auto r = pid.wait();`
			`assert(!r);`
			`} catch (SysError & e) {`
			`debug("user namespaces do not work on this system: %s", e.msg());`
			`return false;`
			`}`
Print debug message if a namespace test fails 2023-02-08 00:01:39 +02:00
Simplify the PID namespace check: just try to mount /proc Fixes #7783. 2023-02-10 15:38:14 +02:00			`return true;`
Fix auto-uid-allocation in Docker containers This didn't work because sandboxing doesn't work in Docker. However, the sandboxing check is done lazily - after clone(CLONE_NEWNS) fails, we retry with sandboxing disabled. But at that point, we've already done UID allocation under the assumption that user namespaces are enabled. So let's get rid of the "goto fallback" logic and just detect early whether user / mount namespaces are enabled. This commit also gets rid of a compatibility hack for some ancient Linux kernels (<2.13). 2023-01-25 18:31:27 +02:00			`}();`
			`return res;`
			`}`

Simplify the PID namespace check: just try to mount /proc Fixes #7783. 2023-02-10 15:38:14 +02:00			`bool mountAndPidNamespacesSupported()`
Check whether we can use PID namespaces In unprivileged podman containers, /proc is not fully visible (there are other filesystems mounted on subdirectories of /proc). Therefore we can't mount a new /proc in the sandbox that matches the PID namespace of the sandbox. So this commit automatically disables sandboxing if /proc is not fully visible. 2023-01-27 16:25:56 +02:00			`{`
			`static auto res = [&]() -> bool`
			`{`
Simplify the PID namespace check: just try to mount /proc Fixes #7783. 2023-02-10 15:38:14 +02:00			`try {`

			`Pid pid = startProcess([&]()`
			`{`
			`/* Make sure we don't remount the parent's /proc. */`
			`if (mount(0, "/", 0, MS_PRIVATE \| MS_REC, 0) == -1)`
			`_exit(1);`

			`/* Test whether we can remount /proc. The kernel disallows`
			`this if /proc is not fully visible, i.e. if there are`
			`filesystems mounted on top of files inside /proc. See`
			`https://lore.kernel.org/lkml/87tvsrjai0.fsf@xmission.com/T/. */`
			`if (mount("none", "/proc", "proc", 0, 0) == -1)`
			`_exit(2);`

			`_exit(0);`
			`}, {`
			`.cloneFlags = CLONE_NEWNS \| CLONE_NEWPID \| (userNamespacesSupported() ? CLONE_NEWUSER : 0)`
			`});`

			`if (pid.wait()) {`
			`debug("PID namespaces do not work on this system: cannot remount /proc");`
Check whether we can use PID namespaces In unprivileged podman containers, /proc is not fully visible (there are other filesystems mounted on subdirectories of /proc). Therefore we can't mount a new /proc in the sandbox that matches the PID namespace of the sandbox. So this commit automatically disables sandboxing if /proc is not fully visible. 2023-01-27 16:25:56 +02:00			`return false;`
			`}`

Simplify the PID namespace check: just try to mount /proc Fixes #7783. 2023-02-10 15:38:14 +02:00			`} catch (SysError & e) {`
			`debug("mount namespaces do not work on this system: %s", e.msg());`
			`return false;`
			`}`

Check whether we can use PID namespaces In unprivileged podman containers, /proc is not fully visible (there are other filesystems mounted on subdirectories of /proc). Therefore we can't mount a new /proc in the sandbox that matches the PID namespace of the sandbox. So this commit automatically disables sandboxing if /proc is not fully visible. 2023-01-27 16:25:56 +02:00			`return true;`
			`}();`
			`return res;`
			`}`

Fix auto-uid-allocation in Docker containers This didn't work because sandboxing doesn't work in Docker. However, the sandboxing check is done lazily - after clone(CLONE_NEWNS) fails, we retry with sandboxing disabled. But at that point, we've already done UID allocation under the assumption that user namespaces are enabled. So let's get rid of the "goto fallback" logic and just detect early whether user / mount namespaces are enabled. This commit also gets rid of a compatibility hack for some ancient Linux kernels (<2.13). 2023-01-25 18:31:27 +02:00			`}`

			`#endif`