mirror of
https://github.com/privatevoid-net/nix-super.git
synced 2024-11-27 16:16:16 +02:00
Only mount /sys in uid-range builds
Maybe this should be a separate system feature... /sys exposes a lot of impure info about the host system.
This commit is contained in:
parent
8c4cce553c
commit
7349f257da
2 changed files with 7 additions and 6 deletions
|
@ -3173,11 +3173,12 @@ void DerivationGoal::runChild()
|
|||
if (mount("none", (chrootRootDir + "/proc").c_str(), "proc", 0, 0) == -1)
|
||||
throw SysError("mounting /proc");
|
||||
|
||||
/* Mount sysfs on /sys. FIXME: only in user namespace
|
||||
builds. */
|
||||
createDirs(chrootRootDir + "/sys");
|
||||
if (mount("none", (chrootRootDir + "/sys").c_str(), "sysfs", 0, 0) == -1)
|
||||
throw SysError("mounting /sys");
|
||||
/* Mount sysfs on /sys. */
|
||||
if (useUidRange) {
|
||||
createDirs(chrootRootDir + "/sys");
|
||||
if (mount("none", (chrootRootDir + "/sys").c_str(), "sysfs", 0, 0) == -1)
|
||||
throw SysError("mounting /sys");
|
||||
}
|
||||
|
||||
/* Mount a new tmpfs on /dev/shm to ensure that whatever
|
||||
the builder puts in /dev/shm is cleaned up automatically. */
|
||||
|
|
|
@ -122,7 +122,7 @@ struct CgroupUserLock : UserLock
|
|||
return uid;
|
||||
}
|
||||
|
||||
std::vector<gid_t> getSupplementaryGIDs() override { return {}; } // FIXME
|
||||
std::vector<gid_t> getSupplementaryGIDs() override { return {}; }
|
||||
|
||||
static std::unique_ptr<UserLock> acquire()
|
||||
{
|
||||
|
|
Loading…
Reference in a new issue