Only unshare FS state if we've saved the mount namespace

Attempted fix for NixOS#5777.

doc/manual/src/installation/installing-docker.md

@@ -16,7 +16,7 @@ nix (Nix) 2.3.12
 35ca4ada6e96:/# exit
 ```
 
-# What is included in Nix' Docker image?
+# What is included in Nix's Docker image?
 
 The official Docker image is created using `pkgs.dockerTools.buildLayeredImage`
 (and not with `Dockerfile` as it is usual with Docker images). You can still
@@ -54,6 +54,6 @@ You can also build a Docker image from source yourself:
 
 ```console
 $ nix build ./\#hydraJobs.dockerImage.x86_64-linux
-$ docker load -i ./result
+$ docker load -i ./result/image.tar.gz
 $ docker run -ti nix:2.5pre20211105
 ```

src/libstore/filetransfer.cc

@@ -544,13 +544,7 @@ struct curlFileTransfer : public FileTransfer
             stopWorkerThread();
         });
 
-#ifdef __linux__
-        /* Cause this thread to not share any FS attributes with the main thread,
-           because this causes setns() in restoreMountNamespace() to fail.
-           Ideally, this would happen in the std::thread() constructor. */
-        if (unshare(CLONE_FS) != 0)
-            throw SysError("unsharing filesystem state in download thread");
-#endif
+        unshareFilesystem();
 
         std::map<CURL *, std::shared_ptr<TransferItem>> items;
 

src/libutil/util.cc

@@ -1660,6 +1660,14 @@ void restoreMountNamespace()
 #endif
 }
 
+void unshareFilesystem()
+{
+#ifdef __linux__
+    if (fdSavedMountNamespace && unshare(CLONE_FS) != 0)
+        throw SysError("unsharing filesystem state in download thread");
+#endif
+}
+
 void restoreProcessContext(bool restoreMounts)
 {
     restoreSignals();

src/libutil/util.hh

@@ -311,6 +311,11 @@ void saveMountNamespace();
    if saveMountNamespace() was never called. */
 void restoreMountNamespace();
 
+/* Cause this thread to not share any FS attributes with the main
+   thread, because this causes setns() in restoreMountNamespace() to
+   fail. */
+void unshareFilesystem();
+
 
 class ExecError : public Error
 {