From 3fd01b171a74d28dc8e48b9ee5f2d0e9a3915fb8 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Thu, 27 Feb 2014 23:17:53 +0100 Subject: Set up a minimal /dev in chroots Not bind-mounting the /dev from the host also solves the problem with /dev/shm being a symlink to something not in the chroot. --- src/libstore/build.cc | 25 ++++++++++++++++++++++--- src/libstore/gc.cc | 12 +++++------- src/libstore/globals.cc | 1 - src/libstore/local-store.cc | 3 +-- src/libutil/archive.cc | 3 +-- src/libutil/util.cc | 7 +++++++ src/libutil/util.hh | 3 +++ src/nix-env/profiles.cc | 3 +-- 8 files changed, 40 insertions(+), 17 deletions(-) diff --git a/src/libstore/build.cc b/src/libstore/build.cc index cec03fee42a4..7a78d55570b2 100644 --- a/src/libstore/build.cc +++ b/src/libstore/build.cc @@ -2013,6 +2013,26 @@ void DerivationGoal::initChild() throw SysError(format("unable to make filesystem `%1%' private") % fs); } + /* Set up a nearly empty /dev, unless the user asked to + bind-mount the host /dev. */ + if (dirsInChroot.find("/dev") == dirsInChroot.end()) { + createDirs(chrootRootDir + "/dev/shm"); + Strings ss; + ss.push_back("/dev/full"); + ss.push_back("/dev/kvm"); + ss.push_back("/dev/null"); + ss.push_back("/dev/ptmx"); + ss.push_back("/dev/random"); + ss.push_back("/dev/tty"); + ss.push_back("/dev/urandom"); + ss.push_back("/dev/zero"); + foreach (Strings::iterator, i, ss) dirsInChroot[*i] = *i; + createSymlink("/proc/self/fd", chrootRootDir + "/dev/fd"); + createSymlink("/proc/self/fd/0", chrootRootDir + "/dev/stdin"); + createSymlink("/proc/self/fd/1", chrootRootDir + "/dev/stdout"); + createSymlink("/proc/self/fd/2", chrootRootDir + "/dev/stderr"); + } + /* Bind-mount all the directories from the "host" filesystem that we want in the chroot environment. */ @@ -2042,9 +2062,8 @@ void DerivationGoal::initChild() /* Mount a new tmpfs on /dev/shm to ensure that whatever the builder puts in /dev/shm is cleaned up automatically. */ - if (pathExists("/dev/shm")) - if (mount("none", (chrootRootDir + "/dev/shm").c_str(), "tmpfs", 0, 0) == -1) - throw SysError("mounting /dev/shm"); + if (pathExists("/dev/shm") && mount("none", (chrootRootDir + "/dev/shm").c_str(), "tmpfs", 0, 0) == -1) + throw SysError("mounting /dev/shm"); /* Do the chroot(). Below we do a chdir() to the temporary build directory to make sure the current diff --git a/src/libstore/gc.cc b/src/libstore/gc.cc index 79bd7d56b3fe..e855e8685442 100644 --- a/src/libstore/gc.cc +++ b/src/libstore/gc.cc @@ -53,7 +53,7 @@ int LocalStore::openGCLock(LockType lockType) } -void createSymlink(const Path & link, const Path & target) +static void makeSymlink(const Path & link, const Path & target) { /* Create directories up to `gcRoot'. */ createDirs(dirOf(link)); @@ -61,9 +61,7 @@ void createSymlink(const Path & link, const Path & target) /* Create the new symlink. */ Path tempLink = (format("%1%.tmp-%2%-%3%") % link % getpid() % rand()).str(); - if (symlink(target.c_str(), tempLink.c_str()) == -1) - throw SysError(format("symlinking `%1%' to `%2%'") - % tempLink % target); + createSymlink(target, tempLink); /* Atomically replace the old one. */ if (rename(tempLink.c_str(), link.c_str()) == -1) @@ -83,7 +81,7 @@ void LocalStore::addIndirectRoot(const Path & path) string hash = printHash32(hashString(htSHA1, path)); Path realRoot = canonPath((format("%1%/%2%/auto/%3%") % settings.nixStateDir % gcRootsDir % hash).str()); - createSymlink(realRoot, path); + makeSymlink(realRoot, path); } @@ -104,7 +102,7 @@ Path addPermRoot(StoreAPI & store, const Path & _storePath, point to the Nix store. */ if (pathExists(gcRoot) && (!isLink(gcRoot) || !isInStore(readLink(gcRoot)))) throw Error(format("cannot create symlink `%1%'; already exists") % gcRoot); - createSymlink(gcRoot, storePath); + makeSymlink(gcRoot, storePath); store.addIndirectRoot(gcRoot); } @@ -119,7 +117,7 @@ Path addPermRoot(StoreAPI & store, const Path & _storePath, % gcRoot % rootsDir); } - createSymlink(gcRoot, storePath); + makeSymlink(gcRoot, storePath); } /* Check that the root can be found by the garbage collector. diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc index ccf8d4cc5e65..af2fdfd57ace 100644 --- a/src/libstore/globals.cc +++ b/src/libstore/globals.cc @@ -42,7 +42,6 @@ Settings::Settings() useSubstitutes = true; useChroot = false; useSshSubstituter = false; - dirsInChroot.insert("/dev"); dirsInChroot.insert("/dev/pts"); impersonateLinux26 = false; keepLog = true; diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc index aca98412ae16..1293a6e8f260 100644 --- a/src/libstore/local-store.cc +++ b/src/libstore/local-store.cc @@ -243,8 +243,7 @@ LocalStore::LocalStore(bool reserveSpace) Path gcRootsDir = settings.nixStateDir + "/gcroots"; if (!pathExists(gcRootsDir)) { createDirs(gcRootsDir); - if (symlink(profilesDir.c_str(), (gcRootsDir + "/profiles").c_str()) == -1) - throw SysError(format("creating symlink to `%1%'") % profilesDir); + createSymlink(profilesDir, gcRootsDir + "/profiles"); } checkStoreNotSymlink(); diff --git a/src/libutil/archive.cc b/src/libutil/archive.cc index b19ff4bf99a1..ab4cd47351b3 100644 --- a/src/libutil/archive.cc +++ b/src/libutil/archive.cc @@ -319,8 +319,7 @@ struct RestoreSink : ParseSink void createSymlink(const Path & path, const string & target) { Path p = dstPath + path; - if (symlink(target.c_str(), p.c_str()) == -1) - throw SysError(format("creating symlink `%1%'") % p); + nix::createSymlink(target, p); } }; diff --git a/src/libutil/util.cc b/src/libutil/util.cc index 740d767a4ea6..b264fc5f3d13 100644 --- a/src/libutil/util.cc +++ b/src/libutil/util.cc @@ -386,6 +386,13 @@ Paths createDirs(const Path & path) } +void createSymlink(const Path & target, const Path & link) +{ + if (symlink(target.c_str(), link.c_str())) + throw SysError(format("creating symlink from `%1%' to `%2%'") % link % target); +} + + LogType logType = ltPretty; Verbosity verbosity = lvlInfo; diff --git a/src/libutil/util.hh b/src/libutil/util.hh index 0351220c2a24..5d0408f9b528 100644 --- a/src/libutil/util.hh +++ b/src/libutil/util.hh @@ -93,6 +93,9 @@ Path createTempDir(const Path & tmpRoot = "", const Path & prefix = "nix", list of created directories, in order of creation. */ Paths createDirs(const Path & path); +/* Create a symlink. */ +void createSymlink(const Path & target, const Path & link); + template T singleton(const A & a) diff --git a/src/nix-env/profiles.cc b/src/nix-env/profiles.cc index c327993594e8..f7b306890d4c 100644 --- a/src/nix-env/profiles.cc +++ b/src/nix-env/profiles.cc @@ -118,8 +118,7 @@ void switchLink(Path link, Path target) if (dirOf(target) == dirOf(link)) target = baseNameOf(target); Path tmp = canonPath(dirOf(link) + "/.new_" + baseNameOf(link)); - if (symlink(target.c_str(), tmp.c_str()) != 0) - throw SysError(format("creating symlink `%1%'") % tmp); + createSymlink(target, tmp); /* The rename() system call is supposed to be essentially atomic on Unix. That is, if we have links `current -> X' and `new_current -> Y', and we rename new_current to current, a -- cgit 1.4.1