From da0cee27550ee5c23401d3be0824fe7a0975480f Mon Sep 17 00:00:00 2001
From: Robert Hensing
Date: Tue, 12 Mar 2019 11:49:20 +0100
Subject: [PATCH] sandbox: Optionally disable pivot_root

This is required for running the sandbox in a privileged container.
---
 doc/manual/command-ref/conf-file.xml | 14 ++++++++++++++
 src/libstore/build.cc | 20 ++++++++++++--------
 src/libstore/globals.hh | 3 +++
 3 files changed, 29 insertions(+), 8 deletions(-)
diff --git a/doc/manual/command-ref/conf-file.xml b/doc/manual/command-ref/conf-file.xml
index f0da1f612fe..2028f2a0c33 100644
--- a/doc/manual/command-ref/conf-file.xml
+++ b/doc/manual/command-ref/conf-file.xml
@@ -700,6 +700,20 @@ password my-password
+ + sandbox-use-pivot_root + + Whether to use the pivot_root + system call, which is safer than plain chroot when + establishing the sandbox. + This option has the safe default true, + but needs to be set to false when running the + sandbox inside a container. + + + + + secret-key-files A whitespace-separated list of files containing
diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index 47ee8b48f4b..0319c1e64b9 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -2720,20 +2720,24 @@ void DerivationGoal::runChild()
 if (chdir(chrootRootDir.c_str()) == -1)
 throw SysError(format("cannot change directory to '%1%'") % chrootRootDir);
- if (mkdir("real-root", 0) == -1)
- throw SysError("cannot create real-root directory");
+ if (settings.sandboxUsePivotRoot) {
+ if (mkdir("real-root", 0) == -1)
+ throw SysError("cannot create real-root directory");
- if (pivot_root(".", "real-root") == -1)
- throw SysError(format("cannot pivot old root directory onto '%1%'") % (chrootRootDir + "/real-root"));
+ if (pivot_root(".", "real-root") == -1)
+ throw SysError(format("cannot pivot old root directory onto '%1%'") % (chrootRootDir + "/real-root"));
+ }
 if (chroot(".") == -1)
 throw SysError(format("cannot change root directory to '%1%'") % chrootRootDir);
- if (umount2("real-root", MNT_DETACH) == -1)
- throw SysError("cannot unmount real root filesystem");
+ if (settings.sandboxUsePivotRoot) {
+ if (umount2("real-root", MNT_DETACH) == -1)
+ throw SysError("cannot unmount real root filesystem");
- if (rmdir("real-root") == -1)
- throw SysError("cannot remove real-root directory");
+ if (rmdir("real-root") == -1)
+ throw SysError("cannot remove real-root directory");
+ }
 /* Switch to the sandbox uid/gid in the user namespace, which corresponds to the build user or calling user in
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index 53efc6a90fb..8787222d376 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
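Review bot: With `sandbox-use-pivot_root` set to false the new code drops straight to `chroot(".")`, and because the `umount2("real-root", MNT_DETACH)` is skipped as well, the host root filesystem stays mounted in the build's mount namespace; a build process that still holds (or regains) CAP_SYS_CHROOT in its namespace can walk out of a plain chroot, so this mode weakens isolation rather than merely trading one syscall for another. Since the commit introduces it as a container workaround, I would not let it engage silently on a host daemon: give the first check an `else` branch that logs the degraded mode with whatever logging helper runChild already uses, e.g. `else printError("warning: sandbox-use-pivot_root is disabled; falling back to chroot, the host root remains mounted in the sandbox namespace");`. A comment above the first `if`, `/* Without pivot_root the old root is never detached; chroot alone is a weaker boundary. */`, would stop the next reader from assuming the two branches are equivalent. runChild begins and ends outside this hunk, so I cannot see whether capabilities are dropped after the uid switch that follows; if they are, the escape risk is reduced, but the fallback then rests on that step alone instead of on the mount namespace.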
@@ -205,6 +205,9 @@ public:
 "Whether to enable sandboxed builds. Can be \"true\", \"false\" or \"relaxed\".", {"build-use-chroot", "build-use-sandbox"}};
+ Setting sandboxUsePivotRoot{this, true, "sandbox-use-pivot_root",
+ "Whether to use pivot_root when sandboxing is enabled. This is safer than plain chroot, but not supported when running the sandbox in a container."}; + Setting sandboxPaths{this, {}, "sandbox-paths", "The paths to make available inside the build sandbox.", {"build-chroot-dirs", "build-sandbox-paths"}};
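Review bot: The description of the new `sandboxUsePivotRoot` setting says plain chroot is less safe but not what an operator gives up by turning it off, which is the one fact they need before flipping it; I would spell out the consequence, e.g. `"Whether to use pivot_root when sandboxing is enabled. This is safer than plain chroot because the host root filesystem is detached from the sandbox; disable it only where pivot_root is not permitted (e.g. inside a container), accepting weaker isolation."`. The name `sandbox-use-pivot_root` also mixes `-` and `_`, unlike every other option visible in this header (`sandbox-paths`, `build-use-sandbox`, `build-chroot-dirs`); `sandbox-use-pivot-root` would be consistent and is cheap to change before the name ships in a release. The template argument on `Setting` appears to have been lost in this rendering (presumably `Setting<bool>` given the `true` initializer), so I am reading the declaration from its initializer rather than its type.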