Merge pull request #7802 from edolstra/fix-7783

Fix PID namespace support check
2025-11-16 23:42:43 +01:00 · 2023-02-10 20:41:13 +01:00 · 2023-02-10 20:41:13 +01:00 · 67451d8ed7
commit 67451d8ed7
parent 9ebbe35817 a21405a4e8
6 changed files with 83 additions and 65 deletions
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@ -209,7 +209,7 @@ void LocalDerivationGoal::tryLocalBuild()

    #if __linux__
    if (useChroot) {
-        if (!mountNamespacesSupported() || !pidNamespacesSupported()) {
+        if (!mountAndPidNamespacesSupported()) {
            if (!settings.sandboxFallback)
                throw Error("this system does not support the kernel namespaces that are required for sandboxing; use '--no-sandbox' to disable sandboxing");
            debug("auto-disabling sandboxing because the prerequisite namespaces are not available");
@ -385,12 +385,6 @@ void LocalDerivationGoal::cleanupPostOutputsRegisteredModeNonCheck()
 }


-int childEntry(void * arg)
-{
-    ((LocalDerivationGoal *) arg)->runChild();
-    return 1;
-}
-
 #if __linux__
 static void linkOrCopy(const Path & from, const Path & to)
 {
@ -916,21 +910,15 @@ void LocalDerivationGoal::startBuilder()
            if (getuid() == 0 && setgroups(0, 0) == -1)
                throw SysError("setgroups failed");

-            size_t stackSize = 1 * 1024 * 1024;
-            char * stack = (char *) mmap(0, stackSize,
-                PROT_WRITE | PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK, -1, 0);
-            if (stack == MAP_FAILED) throw SysError("allocating stack");
-
-            int flags = CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWIPC | CLONE_NEWUTS | CLONE_PARENT | SIGCHLD;
+            ProcessOptions options;
+            options.cloneFlags = CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWIPC | CLONE_NEWUTS | CLONE_PARENT | SIGCHLD;
            if (privateNetwork)
-                flags |= CLONE_NEWNET;
+                options.cloneFlags |= CLONE_NEWNET;
            if (usingUserNamespace)
-                flags |= CLONE_NEWUSER;
+                options.cloneFlags |= CLONE_NEWUSER;

-            pid_t child = clone(childEntry, stack + stackSize, flags, this);
+            pid_t child = startProcess([&]() { runChild(); }, options);

-            if (child == -1)
-                throw SysError("creating sandboxed builder process using clone()");
            writeFull(builderOut.writeSide.get(),
                fmt("%d %d\n", usingUserNamespace, child));
            _exit(0);