diff options
| author | Mark H Weaver <mhw@netris.org> | 2016-10-19 10:54:36 -0400 |
|---|---|---|
| committer | Mark H Weaver <mhw@netris.org> | 2016-10-19 10:54:36 -0400 |
| commit | d2478b4cdd6f1db44f4725b39489aca89d3d9180 (patch) | |
| tree | bc4714453fd9b7a2e64fcd5f58c24d371dbb91d8 /gnu/build | |
| parent | c9a71c6fdab6914dd648b76c349c3af9018cad35 (diff) | |
| parent | 152ffe7cb6ba02915d8645102e0f6dfeb639090d (diff) | |
| download | guix-d2478b4cdd6f1db44f4725b39489aca89d3d9180.tar.gz | |
Merge branch 'master' into core-updates
Diffstat (limited to 'gnu/build')
| -rw-r--r-- | gnu/build/linux-container.scm | 20 |
1 files changed, 11 insertions, 9 deletions
diff --git a/gnu/build/linux-container.scm b/gnu/build/linux-container.scm index 91996d06ca..3fccc9addb 100644 --- a/gnu/build/linux-container.scm +++ b/gnu/build/linux-container.scm @@ -291,15 +291,17 @@ return the exit status." (call-with-clean-exit (lambda () (for-each (lambda (ns) - (call-with-input-file (namespace-file (getpid) ns) - (lambda (current-ns-port) - (call-with-input-file (namespace-file pid ns) - (lambda (new-ns-port) - ;; Joining the namespace that the process - ;; already belongs to would throw an error. - (unless (= (port->fdes current-ns-port) - (port->fdes new-ns-port)) - (setns (port->fdes new-ns-port) 0))))))) + (let ((source (namespace-file (getpid) ns)) + (target (namespace-file pid ns))) + ;; Joining the namespace that the process already + ;; belongs to would throw an error so avoid that. + ;; XXX: This /proc interface leads to TOCTTOU. + (unless (string=? (readlink source) (readlink target)) + (call-with-input-file source + (lambda (current-ns-port) + (call-with-input-file target + (lambda (new-ns-port) + (setns (fileno new-ns-port) 0)))))))) ;; It's important that the user namespace is joined first, ;; so that the user will have the privileges to join the ;; other namespaces. Furthermore, it's important that the |