mirror of
https://github.com/privatevoid-net/nix-super.git
synced 2024-11-29 17:16:15 +02:00
Make /etc writability conditional on uid-range feature
This commit is contained in:
parent
ad1f61c39b
commit
49fd72a903
2 changed files with 4 additions and 2 deletions
|
@ -670,6 +670,8 @@ void LocalDerivationGoal::startBuilder()
|
||||||
nobody account. The latter is kind of a hack to support
|
nobody account. The latter is kind of a hack to support
|
||||||
Samba-in-QEMU. */
|
Samba-in-QEMU. */
|
||||||
createDirs(chrootRootDir + "/etc");
|
createDirs(chrootRootDir + "/etc");
|
||||||
|
if (parsedDrv->useUidRange())
|
||||||
|
chownToBuilder(chrootRootDir + "/etc");
|
||||||
|
|
||||||
if (parsedDrv->useUidRange() && (!buildUser || buildUser->getUIDCount() < 65536))
|
if (parsedDrv->useUidRange() && (!buildUser || buildUser->getUIDCount() < 65536))
|
||||||
throw Error("feature 'uid-range' requires the setting '%s' to be enabled", settings.autoAllocateUids.name);
|
throw Error("feature 'uid-range' requires the setting '%s' to be enabled", settings.autoAllocateUids.name);
|
||||||
|
@ -970,6 +972,7 @@ void LocalDerivationGoal::startBuilder()
|
||||||
sandboxUid(), sandboxGid(), settings.sandboxBuildDir));
|
sandboxUid(), sandboxGid(), settings.sandboxBuildDir));
|
||||||
|
|
||||||
/* Make /etc unwritable */
|
/* Make /etc unwritable */
|
||||||
|
if (!parsedDrv->useUidRange())
|
||||||
chmod_(chrootRootDir + "/etc", 0555);
|
chmod_(chrootRootDir + "/etc", 0555);
|
||||||
|
|
||||||
/* Save the mount- and user namespace of the child. We have to do this
|
/* Save the mount- and user namespace of the child. We have to do this
|
||||||
|
|
|
@ -56,7 +56,6 @@ runCommand "test"
|
||||||
# Make /run a tmpfs to shut up a systemd warning.
|
# Make /run a tmpfs to shut up a systemd warning.
|
||||||
mkdir /run
|
mkdir /run
|
||||||
mount -t tmpfs none /run
|
mount -t tmpfs none /run
|
||||||
chmod 0700 /run
|
|
||||||
|
|
||||||
mount -t cgroup2 none /sys/fs/cgroup
|
mount -t cgroup2 none /sys/fs/cgroup
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue