Only mount /sys in uid-range builds

Maybe this should be a separate system feature... /sys exposes a lot of impure info about the host system.
NixOS · Jul 6, 2020 · 7349f25 · 7349f25
1 parent 8c4cce5
commit 7349f25
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 6 deletions.
diff --git a/src/libstore/build.cc b/src/libstore/build.cc
@@ -3173,11 +3173,12 @@ void DerivationGoal::runChild()
             if (mount("none", (chrootRootDir + "/proc").c_str(), "proc", 0, 0) == -1)
                 throw SysError("mounting /proc");
 
-            /* Mount sysfs on /sys. FIXME: only in user namespace
-               builds. */
-            createDirs(chrootRootDir + "/sys");
-            if (mount("none", (chrootRootDir + "/sys").c_str(), "sysfs", 0, 0) == -1)
-                throw SysError("mounting /sys");
+            /* Mount sysfs on /sys. */
+            if (useUidRange) {
+                createDirs(chrootRootDir + "/sys");
+                if (mount("none", (chrootRootDir + "/sys").c_str(), "sysfs", 0, 0) == -1)
+                    throw SysError("mounting /sys");
+            }
 
             /* Mount a new tmpfs on /dev/shm to ensure that whatever
                the builder puts in /dev/shm is cleaned up automatically. */

diff --git a/src/libstore/user-lock.cc b/src/libstore/user-lock.cc
@@ -122,7 +122,7 @@ struct CgroupUserLock : UserLock
         return uid;
     }
 
-    std::vector<gid_t> getSupplementaryGIDs() override { return {}; } // FIXME
+    std::vector<gid_t> getSupplementaryGIDs() override { return {}; }
 
     static std::unique_ptr<UserLock> acquire()
     {