Make /etc writability conditional on uid-range feature

This commit is contained in:
Yorick van Pelt 2023-02-14 13:29:30 +01:00
parent ad1f61c39b
commit 49fd72a903
No known key found for this signature in database
GPG key ID: A36E70F9DC014A15
2 changed files with 4 additions and 2 deletions

View file

@ -670,6 +670,8 @@ void LocalDerivationGoal::startBuilder()
nobody account. The latter is kind of a hack to support nobody account. The latter is kind of a hack to support
Samba-in-QEMU. */ Samba-in-QEMU. */
createDirs(chrootRootDir + "/etc"); createDirs(chrootRootDir + "/etc");
if (parsedDrv->useUidRange())
chownToBuilder(chrootRootDir + "/etc");
if (parsedDrv->useUidRange() && (!buildUser || buildUser->getUIDCount() < 65536)) if (parsedDrv->useUidRange() && (!buildUser || buildUser->getUIDCount() < 65536))
throw Error("feature 'uid-range' requires the setting '%s' to be enabled", settings.autoAllocateUids.name); throw Error("feature 'uid-range' requires the setting '%s' to be enabled", settings.autoAllocateUids.name);
@ -970,6 +972,7 @@ void LocalDerivationGoal::startBuilder()
sandboxUid(), sandboxGid(), settings.sandboxBuildDir)); sandboxUid(), sandboxGid(), settings.sandboxBuildDir));
/* Make /etc unwritable */ /* Make /etc unwritable */
if (!parsedDrv->useUidRange())
chmod_(chrootRootDir + "/etc", 0555); chmod_(chrootRootDir + "/etc", 0555);
/* Save the mount- and user namespace of the child. We have to do this /* Save the mount- and user namespace of the child. We have to do this

View file

@ -56,7 +56,6 @@ runCommand "test"
# Make /run a tmpfs to shut up a systemd warning. # Make /run a tmpfs to shut up a systemd warning.
mkdir /run mkdir /run
mount -t tmpfs none /run mount -t tmpfs none /run
chmod 0700 /run
mount -t cgroup2 none /sys/fs/cgroup mount -t cgroup2 none /sys/fs/cgroup