[bug#70494,02/23] gnu: linux-container: Make it more suitable for derivation-building.

Message ID 01702a23fe5bb7ae3b5d800b69e8d6bc59c488f2.1713692561.git.mail@cbaines.net
State New
Series: Groundwork for the Guile guix-daemon

Commit Message

Christopher Baines April 21, 2024, 9:42 a.m. UTC
From: Caleb Ristvedt <caleb.ristvedt@cune.org>

* gnu/build/linux-container.scm (mount-file-systems): First remount all
filesystems in the current mount namespace as private (by mounting / with
MS_PRIVATE and MS_REC), so that the set of mounts cannot increase except from
within the container.  Also, the tmpfs mounted over the chroot directory now
inherits the chroot directory's permissions (p11-kit, for example, has a test
that assumes that the root directory is not writable for the current user, and
tmpfs is by default 1777 when created).
* guix/build/syscalls.scm (MS_PRIVATE, MS_REC): New variables.

Signed-off-by: Christopher Baines <mail@cbaines.net>
Change-Id: Ie26e3ac4a12bbf9087180c56ab775a0f75c40100
---
 gnu/build/linux-container.scm | 9 ++++++++-
 guix/build/syscalls.scm       | 3 +++
 2 files changed, 11 insertions(+), 1 deletion(-)
Patch

diff --git a/gnu/build/linux-container.scm b/gnu/build/linux-container.scm
index dee6885400..2e4e0d3bf3 100644
--- a/gnu/build/linux-container.scm
+++ b/gnu/build/linux-container.scm
@@ -99,7 +99,14 @@  (define* (mount-file-systems root mounts #:key mount-/sys? mount-/proc?)
 
   ;; The container's file system is completely ephemeral, sans directories
   ;; bind-mounted from the host.
-  (mount "none" root "tmpfs")
+  ;; Make this private in the container namespace so everything mounted under
+  ;; it is local to this namespace.
+  (mount "none" "/" "none" (logior MS_REC MS_PRIVATE))
+  (let ((current-perms (stat:perms (stat root))))
+    (mount "none" root "tmpfs" 0 (string-append "mode="
+                                                (number->string current-perms
+                                                                8))))
+
 
   ;; A proc mount requires a new pid namespace.
   (when mount-/proc?
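Review bot: the new `(mount "none" "/" "none" (logior MS_REC MS_PRIVATE))` at the top of this hunk rewrites propagation for every mount in the calling mount namespace, so it is only correct if `mount-file-systems` is guaranteed to run after the caller has unshared a fresh mount namespace; reached from the host namespace it would silently make all host mounts private. The comment says "in the container namespace" but nothing here enforces it, so please either document that precondition above the procedure or guard it. Two smaller points: the `mode=` option built from `(number->string current-perms 8)` copies only the permission bits of `root`, so the tmpfs root is still owned by the mounting process's uid/gid unless `uid=`/`gid=` are also passed, which is fine if that is the intent but worth a comment; and the added trailing `+` blank line leaves two consecutive blank lines before `;; A proc mount requires a new pid namespace.`, one of which should go.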
diff --git a/guix/build/syscalls.scm b/guix/build/syscalls.scm
index 39bcffd516..92f2bb21fc 100644
--- a/guix/build/syscalls.scm
+++ b/guix/build/syscalls.scm
@@ -54,6 +54,8 @@  (define-module (guix build syscalls)
             MS_REC
             MS_SHARED
             MS_LAZYTIME
+            MS_PRIVATE
+            MS_REC
             MNT_FORCE
             MNT_DETACH
             MNT_EXPIRE
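Review bot: `MS_REC` is already exported (the unchanged `MS_REC` context line at the top of this hunk), so the added `+            MS_REC` is a duplicate export and should be dropped; only `MS_PRIVATE` is new here. The ChangeLog line `(MS_PRIVATE, MS_REC): New variables.` in the commit message should be adjusted to list `MS_PRIVATE` alone.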
@@ -551,6 +553,7 @@  (define MS_MOVE            8192)
 (define MS_REC            16384)
 (define MS_SHARED       1048576)
 (define MS_RELATIME     2097152)
+(define MS_PRIVATE       262144)
 (define MS_STRICTATIME 16777216)
 (define MS_LAZYTIME    33554432)
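Review bot: the definitions in this block are ordered by value, and `MS_PRIVATE` (262144, i.e. 1 << 18) belongs between `MS_REC` (16384) and `MS_SHARED` (1048576) rather than after `MS_RELATIME` (2097152); moving it keeps the list sorted. The value itself matches the Linux `MS_PRIVATE` flag, and the unchanged `(define MS_REC 16384)` context line confirms `MS_REC` already existed before this patch.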