From 73da0e3a2396cabbeafa12b31f37ada05a95e762 Mon Sep 17 00:00:00 2001
From: Caleb Ristvedt
Date: Thu, 12 Dec 2019 07:04:07 -0600
Subject: gnu: linux-container: Make it more suitable for derivation-building.

* gnu/build/linux-container.scm (mount-file-systems): First remount all filesystems in the current mount namespace as private (by mounting / with MS_PRIVATE and MS_REC), so that the set of mounts cannot increase except from within the container. Also, the tmpfs mounted over the chroot directory now inherits the chroot directory's permissions (p11-kit, for example, has a test that assumes that the root directory is not writable for the current user, and tmpfs is by default 1777 when created).
* guix/build/syscalls.scm (MS_PRIVATE, MS_REC): new variables.

---
 gnu/build/linux-container.scm | 9 ++++++++-
 guix/build/syscalls.scm | 4 ++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/gnu/build/linux-container.scm b/gnu/build/linux-container.scm
index 87695c98fd..adfcc32d2c 100644
--- a/gnu/build/linux-container.scm
+++ b/gnu/build/linux-container.scm
@@ -99,7 +99,14 @@ for the process."
 ;; The container's file system is completely ephemeral, sans directories
 ;; bind-mounted from the host.
- (mount "none" root "tmpfs")
+ ;; Make this private in the container namespace so everything mounted under
+ ;; it is local to this namespace.
+ (mount "none" "/" "none" (logior MS_REC MS_PRIVATE))
+ (let ((current-perms (stat:perms (stat root))))
+ (mount "none" root "tmpfs" 0 (string-append "mode="
+ (number->string current-perms
+ 8))))
+
 ;; A proc mount requires a new pid namespace.
 (when mount-/proc?
diff --git a/guix/build/syscalls.scm b/guix/build/syscalls.scm
index 0938ec0ff1..b9d19380ca 100644
--- a/guix/build/syscalls.scm
+++ b/guix/build/syscalls.scm
@@ -45,6 +45,8 @@
 MS_MOVE
 MS_STRICTATIME
 MS_LAZYTIME
+ MS_PRIVATE
+ MS_REC
 MNT_FORCE
 MNT_DETACH
 MNT_EXPIRE
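Review bot: In gnu/build/linux-container.scm, the new `(mount "none" "/" "none" (logior MS_REC MS_PRIVATE))` rewrites propagation for every mount in the *current* namespace, and nothing in the hunk checks that the caller has already entered a fresh mount namespace; run in the host's namespace it would silently turn the host's shared mounts private, so that precondition should at least be stated next to the call. I would extend the comment above it to `;; Assumes we already run in our own mount namespace: this stops mount events from propagating to or from the parent namespace; it does not keep the container itself from mounting.` The radix in `(number->string current-perms 8)` is right because tmpfs parses `mode=` as octal, and a one-line comment saying so, `;; tmpfs reads mode= as octal, hence radix 8.`, would spare the next reader a trip to mount(8). The enclosing mount-file-systems starts outside the hunk.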
@@ -452,6 +454,8 @@ the returned procedure is called."
 (define MS_NOATIME 1024)
 (define MS_BIND 4096)
 (define MS_MOVE 8192)
+(define MS_REC 16384)
+(define MS_PRIVATE 262144)
 (define MS_STRICTATIME 16777216)
 (define MS_LAZYTIME 33554432)
-- 
cgit 1.4.1
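Review bot: `MS_REC` and `MS_PRIVATE` are mount-propagation controls rather than ordinary mount flags, and the two new `define`s give no hint of that: with `MS_PRIVATE` set, mount(2) changes the propagation type of an existing mount point, ignores the source and filesystem-type arguments, and accepts only `MS_REC` and `MS_SILENT` alongside it. Since the neighbouring definitions carry no comments, a single line above the pair would do, e.g. `;; Mount-propagation flags; MS_PRIVATE only combines with MS_REC/MS_SILENT (see mount(2)).` The decimal values correspond to the kernel's `1 << 14` and `1 << 18`, so `(ash 1 14)` and `(ash 1 18)` would make the bit positions visible, although plain decimal is consistent with the surrounding lines.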