diff mbox series

[bug#77288,1/6] syscalls: Add ‘unshare’.

Message ID	cebcab1f748134ca795992b946fff23cbe66cecc.1743007256.git.ludo@gnu.org
State	New
Headers	Subject: [bug#77288] [PATCH 1/6] syscalls: Add =?utf-8?b?4oCYdW5zaGFyZQ==?= =?utf-8?b?4oCZLg==?= Resent-From: Ludovic =?utf-8?q?Court=C3=A8s?= <ludo@gnu.org> Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org> Resent-CC: guix-patches@gnu.org Resent-Date: Wed, 26 Mar 2025 16:52:01 +0000 Resent-Message-ID: <handler.77288.B77288.17430078942181@debbugs.gnu.org> Resent-Sender: help-debbugs@gnu.org To: 77288@debbugs.gnu.org Cc: Ludovic =?utf-8?q?Court=C3=A8s?= <ludo@gnu.org> From: Ludovic =?utf-8?q?Court=C3=A8s?= <ludo@gnu.org> Date: Wed, 26 Mar 2025 17:51:02 +0100 Message-ID: <cebcab1f748134ca795992b946fff23cbe66cecc.1743007256.git.ludo@gnu.org> In-Reply-To: <cover.1743007256.git.ludo@gnu.org> References: <cover.1743007256.git.ludo@gnu.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: list Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches
Series	Rootless guix-daemon on Guix System \| [bug#77288,0/6] Rootless guix-daemon on Guix System [bug#77288,1/6] syscalls: Add ‘unshare’. [bug#77288,2/6] services: account: Create /var/guix/profiles/per-user/$USER. [bug#77288,3/6] tests: guix-daemon: Send system log output to /dev/console. [bug#77288,4/6] tests: guix-daemon: Wait for the ‘guix-daemon’ service to be up. [bug#77288,5/6] services: guix: Allow ‘guix-daemon’ to run without root privileges. [bug#77288,6/6] DRAFT news: Add entry about unprivileged guix-daemon on Guix System.

Commit Message

Ludovic Courtès March 26, 2025, 4:51 p.m. UTC

  * guix/build/syscalls.scm (unshare): New procedure.

Change-Id: I344273b8bdeaa9366334e6e20ee7efc37eb6c8f7
---
 guix/build/syscalls.scm | 18 ++++++++++++++++++
 tests/syscalls.scm      |  9 +++++++++
 2 files changed, 27 insertions(+)

diff mbox series

Patch

diff --git a/guix/build/syscalls.scm b/guix/build/syscalls.scm
index 42232fc7f1..cf09cae3a4 100644
--- a/guix/build/syscalls.scm
+++ b/guix/build/syscalls.scm
@@ -145,6 +145,7 @@  (define-module (guix build syscalls)
             CLONE_NEWPID
             CLONE_NEWNET
             clone
+            unshare
             setns
 
             kexec-load-file
@@ -1213,6 +1214,23 @@  (define clone
                    (list err))
             ret)))))
 
+(define unshare
+  (let ((proc (syscall->procedure int "unshare" (list int))))
+    (lambda (flags)
+      "Disassociate the current process from parts of its execution context
+according to FLAGS, which must be a logical or of CLONE_NEW* constants.
+
+Note that CLONE_NEWUSER requires that the calling process be single-threaded,
+which is possible if and only if libgc is running a single marker thread; this
+can be achieved by setting the GC_MARKERS environment variable to 1.  If the
+calling process is multi-threaded, this throws to 'system-error' with EINVAL."
+      (let-values (((ret err)
+                    (without-automatic-finalization (proc flags))))
+        (unless (zero? ret)
+          (throw 'system-error "unshare" "~a: ~A"
+                 (list flags (strerror err))
+                 (list err)))))))
+
 (define setns
   ;; Some systems may be using an old (pre-2.14) version of glibc where there
   ;; is no 'setns' function available.
diff --git a/tests/syscalls.scm b/tests/syscalls.scm
index d2848879d7..879c3e4f25 100644
--- a/tests/syscalls.scm
+++ b/tests/syscalls.scm
@@ -149,6 +149,15 @@  (define perform-container-tests?
             ((_ . status)
              (= 42 (status:exit-val status))))))))
 
+(test-equal "unshare"
+  EPERM
+  ;; Unless running as root, (unshare CLONE_NEWNS) returns EPERM.
+  (catch 'system-error
+    (lambda ()
+      (unshare CLONE_NEWNS))
+    (lambda args
+      (system-error-errno args))))
+
 (unless perform-container-tests?
   (test-skip 1))
 (test-assert "setns"