From bca7075edcc2afa2186795e4ba9a84e70bec796d Mon Sep 17 00:00:00 2001
From: Yorick van Pelt
Date: Tue, 14 Feb 2023 13:29:30 +0100
Subject: [PATCH] Make /etc writability conditional on uid-range feature

(cherry picked from commit 49fd72a903b7bc2fdc4735111ca5569122cf55ee)
---
 src/libstore/build/local-derivation-goal.cc | 5 ++++-
 tests/systemd-nspawn.nix | 1 -
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index 7ae00b20a..ad67be1e4 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -663,6 +663,8 @@ void LocalDerivationGoal::startBuilder()
 nobody account. The latter is kind of a hack to support Samba-in-QEMU. */
 createDirs(chrootRootDir + "/etc");
+ if (parsedDrv->useUidRange())
+ chownToBuilder(chrootRootDir + "/etc");
 if (parsedDrv->useUidRange() && (!buildUser || buildUser->getUIDCount() < 65536))
 throw Error("feature 'uid-range' requires the setting '%s' to be enabled", settings.autoAllocateUids.name);
@@ -1023,7 +1025,8 @@ void LocalDerivationGoal::startBuilder()
 sandboxUid(), sandboxGid(), settings.sandboxBuildDir));
 /* Make /etc unwritable */
- chmod_(chrootRootDir + "/etc", 0555);
+ if (!parsedDrv->useUidRange())
+ chmod_(chrootRootDir + "/etc", 0555);
 /* Save the mount- and user namespace of the child. We have to do this *before* the child does a chroot. */
diff --git a/tests/systemd-nspawn.nix b/tests/systemd-nspawn.nix
index 457af6064..f54f32f2a 100644
--- a/tests/systemd-nspawn.nix
+++ b/tests/systemd-nspawn.nix
@@ -56,7 +56,6 @@ runCommand "test"
 # Make /run a tmpfs to shut up a systemd warning.
 mkdir /run
 mount -t tmpfs none /run
- chmod 0700 /run
 mount -t cgroup2 none /sys/fs/cgroup
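Review bot: The new `chownToBuilder(chrootRootDir + "/etc")` runs before the very next statement rejects uid-range derivations that have no `buildUser` or fewer than 65536 UIDs, so the directory is handed over before the precondition for doing so has been checked; I would move it below the throw, `if (parsedDrv->useUidRange() && (!buildUser || buildUser->getUIDCount() < 65536)) throw Error(...); if (parsedDrv->useUidRange()) chownToBuilder(chrootRootDir + "/etc");`. Whether chownToBuilder tolerates a null buildUser is not visible from the hunk, so this may be only an ordering nit, but validating before granting ownership reads correctly either way. The code also gives no reason for the exemption, which the commit title only names; a comment such as `/* uid-range builds need to populate /etc themselves (the touched systemd-nspawn test suggests why), so give it to the builder instead of locking it down later in this function. */` would keep the next reader from "fixing" it back. startBuilder begins and ends outside this hunk.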
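Review bot: The comment `/* Make /etc unwritable */` is now untrue for uid-range builds, where the chmod is skipped and, per the earlier hunk, the directory is owned by the builder; I would change it to `/* Make /etc unwritable, except for uid-range builds, where the builder owns it and must be able to populate it. */`. That comment is also the place to state the trade-off the exemption makes: anything the daemon placed in the sandbox's /etc before this point can then be replaced by the build, and the mode /etc keeps when the chmod is skipped is whatever createDirs gave it, which this hunk does not show. startBuilder continues outside this hunk.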