mirror of https://github.com/NixOS/nix.git synced 2025-11-16 23:42:43 +01:00

Check whether we can use PID namespaces

In unprivileged podman containers, /proc is not fully visible (there
are other filesystems mounted on subdirectories of /proc). Therefore
we can't mount a new /proc in the sandbox that matches the PID
namespace of the sandbox. So this commit automatically disables
sandboxing if /proc is not fully visible.
Eelco Dolstra 2023-01-27 15:25:56 +01:00
parent fb2f7f5dcc
commit bc1d9fd8b5
3 changed files with 37 additions and 8 deletions


@ -209,10 +209,10 @@ void LocalDerivationGoal::tryLocalBuild()
#if __linux__
if (useChroot) {
if (!mountNamespacesSupported()) {
if (!mountNamespacesSupported() || !pidNamespacesSupported()) {
if (!settings.sandboxFallback)
throw Error("this system does not support mount namespaces, which are required for sandboxing");
debug("auto-disabling sandboxing because mount namespaces are not available");
throw Error("this system does not support the kernel namespaces that are required for sandboxing");
debug("auto-disabling sandboxing because the prerequisite namespaces are not available");
useChroot = false;
}
}
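Review bot: The fallback branch sets `useChroot = false` with only a `debug` message, so a build that silently loses its sandbox leaves no trace at the default log level. The widened condition makes this path reachable in more environments, such as the unprivileged podman case in the description. Because the two checks are merged, neither the new `Error` text nor the log line says whether `mountNamespacesSupported()` or `pidNamespacesSupported()` failed, which makes the downgrade harder to diagnose. I would log it at warning level and name the failing check, for example `warn("auto-disabling sandboxing because PID namespaces are not available");` with a matching line for the mount case. The body of `tryLocalBuild()` continues outside this hunk, so whether the unsandboxed state is reported later cannot be seen from here.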