Merge pull request #11779 from abbradar/fhs-root

chroot-user: don't create new user namespace if we are root
Nikolay Amiantov 2016-01-12 14:40:45 +03:00
commit 9124e9584b
2 changed files with 31 additions and 15 deletions


@ -56,7 +56,7 @@ let
export PS1='${name}-chrootenv:\u@\h:\w\$ ' export PS1='${name}-chrootenv:\u@\h:\w\$ '
export LOCALE_ARCHIVE='/usr/lib/locale/locale-archive' export LOCALE_ARCHIVE='/usr/lib/locale/locale-archive'
export LD_LIBRARY_PATH='/run/opengl-driver/lib:/run/opengl-driver-32/lib:/usr/lib:/usr/lib32' export LD_LIBRARY_PATH='/run/opengl-driver/lib:/run/opengl-driver-32/lib:/usr/lib:/usr/lib32'
export PATH='/usr/bin:/usr/sbin' export PATH='/var/setuid-wrappers:/usr/bin:/usr/sbin'
${profile} ${profile}
''; '';
@ -81,6 +81,11 @@ let
ln -s /host-etc/resolv.conf resolv.conf ln -s /host-etc/resolv.conf resolv.conf
ln -s /host-etc/nsswitch.conf nsswitch.conf ln -s /host-etc/nsswitch.conf nsswitch.conf
# symlink sudo and su stuff
ln -s /host-etc/login.defs login.defs
ln -s /host-etc/sudoers sudoers
ln -s /host-etc/sudoers.d sudoers.d
# symlink other core stuff # symlink other core stuff
ln -s /host-etc/localtime localtime ln -s /host-etc/localtime localtime
ln -s /host-etc/machine-id machine-id ln -s /host-etc/machine-id machine-id
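Review bot: The new `# symlink sudo and su stuff` lines expose the host's sudoers, sudoers.d and login.defs inside the chroot, and the PATH change in the first hunk adds /var/setuid-wrappers, but neither the commit message nor the comment records why this belongs to a change titled "don't create new user namespace if we are root"; a comment such as `# Expose host sudo/su configuration and setuid wrappers so privilege changes work inside the chroot` would preserve the intent. Since setuid binaries owned by a uid that is not mapped in the single-uid user namespace used for non-root invocations are presumably ineffective there, the same comment should state that this path is only expected to work when chrootenv is entered as root. The enclosing shell heredoc starts before and ends after this hunk.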


@ -53,6 +53,7 @@ $unshare = make_fcall 'unshare', [Fiddle::TYPE_INT], Fiddle::TYPE_INT
MS_BIND = 0x1000 MS_BIND = 0x1000
MS_REC = 0x4000 MS_REC = 0x4000
MS_SLAVE = 0x80000
$mount = make_fcall 'mount', [Fiddle::TYPE_VOIDP, $mount = make_fcall 'mount', [Fiddle::TYPE_VOIDP,
Fiddle::TYPE_VOIDP, Fiddle::TYPE_VOIDP,
Fiddle::TYPE_VOIDP, Fiddle::TYPE_VOIDP,
@ -92,6 +93,13 @@ root = Dir.mktmpdir 'chrootenv'
# we don't use threads at all. # we don't use threads at all.
$cpid = $fork.call $cpid = $fork.call
if $cpid == 0 if $cpid == 0
# If we are root, no need to create new user namespace.
if Process.uid == 0
$unshare.call CLONE_NEWNS
# Mark all mounted filesystems as slave so changes
# don't propagate to the parent mount namespace.
$mount.call nil, '/', nil, MS_REC | MS_SLAVE, nil
else
# Save user UID and GID # Save user UID and GID
uid = Process.uid uid = Process.uid
gid = Process.gid gid = Process.gid
@ -109,6 +117,7 @@ if $cpid == 0
end end
write_file '/proc/self/uid_map', "#{uid} #{uid} 1" write_file '/proc/self/uid_map', "#{uid} #{uid} 1"
write_file '/proc/self/gid_map', "#{gid} #{gid} 1" write_file '/proc/self/gid_map', "#{gid} #{gid} 1"
end
# Do rbind mounts. # Do rbind mounts.
mounts.each do |from, rto| mounts.each do |from, rto|
@ -117,6 +126,8 @@ if $cpid == 0
$mount.call from, to, nil, MS_BIND | MS_REC, nil $mount.call from, to, nil, MS_BIND | MS_REC, nil
end end
# Don't make root private so privilege drops inside chroot are possible
File.chmod(0755, root)
# Chroot! # Chroot!
Dir.chroot root Dir.chroot root
Dir.chdir '/' Dir.chdir '/'
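Review bot: The new root branch under `if Process.uid == 0` discards the results of `$unshare.call CLONE_NEWNS` and `$mount.call nil, '/', nil, MS_REC | MS_SLAVE, nil`; unless make_fcall (defined before this hunk) raises on a negative return, a failed unshare leaves the child in the host mount namespace and a failed MS_SLAVE remount lets the rbind mounts that follow propagate back to the host, while the script carries on as root. If make_fcall already raises, a comment above the branch would make that safety property visible: `# $unshare/$mount raise on failure (see make_fcall), so reaching the mounts below implies a private, slave-propagating namespace`. The branch also keys on the real uid, so a process that is root only by effective uid still takes the user-namespace path; if that is intended, the comment on the `if` should say so. The enclosing `if $cpid == 0` block starts before this hunk and its `end` lies outside SOURCE.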