mirror of
https://github.com/privatevoid-net/nix-super.git
synced 2024-11-28 00:26:15 +02:00
Only mount /sys in uid-range builds
Maybe this should be a separate system feature... /sys exposes a lot of impure info about the host system.
This commit is contained in:
parent
8c4cce553c
commit
7349f257da
2 changed files with 7 additions and 6 deletions
|
@ -3173,11 +3173,12 @@ void DerivationGoal::runChild()
|
||||||
if (mount("none", (chrootRootDir + "/proc").c_str(), "proc", 0, 0) == -1)
|
if (mount("none", (chrootRootDir + "/proc").c_str(), "proc", 0, 0) == -1)
|
||||||
throw SysError("mounting /proc");
|
throw SysError("mounting /proc");
|
||||||
|
|
||||||
/* Mount sysfs on /sys. FIXME: only in user namespace
|
/* Mount sysfs on /sys. */
|
||||||
builds. */
|
if (useUidRange) {
|
||||||
createDirs(chrootRootDir + "/sys");
|
createDirs(chrootRootDir + "/sys");
|
||||||
if (mount("none", (chrootRootDir + "/sys").c_str(), "sysfs", 0, 0) == -1)
|
if (mount("none", (chrootRootDir + "/sys").c_str(), "sysfs", 0, 0) == -1)
|
||||||
throw SysError("mounting /sys");
|
throw SysError("mounting /sys");
|
||||||
|
}
|
||||||
|
|
||||||
/* Mount a new tmpfs on /dev/shm to ensure that whatever
|
/* Mount a new tmpfs on /dev/shm to ensure that whatever
|
||||||
the builder puts in /dev/shm is cleaned up automatically. */
|
the builder puts in /dev/shm is cleaned up automatically. */
|
||||||
|
|
|
@ -122,7 +122,7 @@ struct CgroupUserLock : UserLock
|
||||||
return uid;
|
return uid;
|
||||||
}
|
}
|
||||||
|
|
||||||
std::vector<gid_t> getSupplementaryGIDs() override { return {}; } // FIXME
|
std::vector<gid_t> getSupplementaryGIDs() override { return {}; }
|
||||||
|
|
||||||
static std::unique_ptr<UserLock> acquire()
|
static std::unique_ptr<UserLock> acquire()
|
||||||
{
|
{
|
||||||
|
|
Loading…
Reference in a new issue