Merge pull request #11779 from abbradar/fhs-root

chroot-user: don't create new user namespace if we are root

+31 -15
+6 -1
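--- a/pkgs/build-support/build-fhs-chrootenv/env.nix
+++ b/pkgs/build-support/build-fhs-chrootenv/env.nix
@@ -56,6 +56,6 @@
 export PS1='${name}-chrootenv:\u@\h:\w\$ '
 export LOCALE_ARCHIVE='/usr/lib/locale/locale-archive'
 export LD_LIBRARY_PATH='/run/opengl-driver/lib:/run/opengl-driver-32/lib:/usr/lib:/usr/lib32'
-export PATH='/usr/bin:/usr/sbin'
+export PATH='/var/setuid-wrappers:/usr/bin:/usr/sbin'
 ${profile}
 '';
@@ -80,6 +80,11 @@
 ln -s /host-etc/hosts hosts
 ln -s /host-etc/resolv.conf resolv.conf
 ln -s /host-etc/nsswitch.conf nsswitch.conf
+
+# symlink sudo and su stuff
+ln -s /host-etc/login.defs login.defs
+ln -s /host-etc/sudoers sudoers
+ln -s /host-etc/sudoers.d sudoers.d
 
 # symlink other core stuff
 ln -s /host-etc/localtime localtime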
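Review bot: The new `ln -s /host-etc/sudoers sudoers` and `sudoers.d` links, together with `/var/setuid-wrappers` now being first in `PATH`, make sudo and su inside the chroot run under the host's complete sudo policy rather than one scoped to the environment, and the comment `# symlink sudo and su stuff` does not say so. I would make that explicit, e.g. `# sudo/su inside the chroot use the host's setuid wrappers and the host's sudoers policy unchanged`, and note that sudo only accepts a sudoers file that is root-owned and not world-writable (mode 0440 by default), so the links work only while the host files satisfy that. Whether these wrappers actually elevate inside the chroot presumably depends on how the environment is entered (the companion chroot-user.rb change), which is worth a sentence in the same comment once confirmed.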
+25 -14
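--- a/pkgs/build-support/build-fhs-userenv/chroot-user.rb
+++ b/pkgs/build-support/build-fhs-userenv/chroot-user.rb
@@ -53,7 +53,8 @@
 
 MS_BIND = 0x1000
 MS_REC = 0x4000
+MS_SLAVE = 0x80000
 $mount = make_fcall 'mount', [Fiddle::TYPE_VOIDP,
                               Fiddle::TYPE_VOIDP,
                               Fiddle::TYPE_VOIDP,
@@ -92,23 +93,31 @@
 # we don't use threads at all.
 $cpid = $fork.call
 if $cpid == 0
-  # Save user UID and GID
-  uid = Process.uid
-  gid = Process.gid
+  # If we are root, no need to create new user namespace.
+  if Process.uid == 0
+    $unshare.call CLONE_NEWNS
+    # Mark all mounted filesystems as slave so changes
+    # don't propagate to the parent mount namespace.
+    $mount.call nil, '/', nil, MS_REC | MS_SLAVE, nil
+  else
+    # Save user UID and GID
+    uid = Process.uid
+    gid = Process.gid
 
-  # Create new mount and user namespaces
-  # CLONE_NEWUSER requires a program to be non-threaded, hence
-  # native fork above.
-  $unshare.call CLONE_NEWNS | CLONE_NEWUSER
+    # Create new mount and user namespaces
+    # CLONE_NEWUSER requires a program to be non-threaded, hence
+    # native fork above.
+    $unshare.call CLONE_NEWNS | CLONE_NEWUSER
 
-  # Map users and groups to the parent namespace
-  begin
-    # setgroups is only available since Linux 3.19
-    write_file '/proc/self/setgroups', 'deny'
-  rescue
+    # Map users and groups to the parent namespace
+    begin
+      # setgroups is only available since Linux 3.19
+      write_file '/proc/self/setgroups', 'deny'
+    rescue
+    end
+    write_file '/proc/self/uid_map', "#{uid} #{uid} 1"
+    write_file '/proc/self/gid_map', "#{gid} #{gid} 1"
   end
-  write_file '/proc/self/uid_map', "#{uid} #{uid} 1"
-  write_file '/proc/self/gid_map', "#{gid} #{gid} 1"
 
   # Do rbind mounts.
   mounts.each do |from, rto|
@@ -117,6 +126,8 @@
     $mount.call from, to, nil, MS_BIND | MS_REC, nil
   end
 
+  # Don't make root private so privilege drops inside chroot are possible
+  File.chmod(0755, root)
   # Chroot!
   Dir.chroot root
   Dir.chdir '/'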
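Review bot: The new root branch checks neither `$unshare.call CLONE_NEWNS` nor the `$mount.call nil, '/', nil, MS_REC | MS_SLAVE, nil` on the following line for a non-zero return; because this path runs as real root, a failed unshare or slave-mount leaves the rbind mounts and the `Dir.chroot root` below acting on, or propagating into, the host's mount namespace. Unless `make_fcall` (defined outside the hunk) already raises on failure, I would guard both calls, e.g. `raise "unshare: errno #{Fiddle.last_error}" unless $unshare.call(CLONE_NEWNS) == 0` and the same for the mount call. The comment above `File.chmod(0755, root)` is hard to parse; if the intent is what I read, `# Keep the chroot root world-traversable (0755) so a process that drops privileges inside it can still access it` says it more directly. The branch on `Process.uid` tests the real uid, so a setuid-root invocation with a non-root real uid would still take the user-namespace path — worth a comment if that is deliberate. The enclosing `if $cpid == 0` block continues beyond the hunk.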