author | Linus Heckemann <git@sphalerite.org> | 2023-03-18 13:15:44 +0100 |
committer | GitHub <noreply@github.com> | 2023-03-18 13:15:44 +0100 |
commit | 1ba1b35d7f2e9362d1a524d0f354835e99b48e1e (patch) | |
tree | c4b699ec7d3a751ebcdca042d90a1a4492229b2a /pkgs/build-support | |
parent | a5f8184fb816a4fd5ae87136838c9981e0d22c67 (diff) | |
parent | 42ef5ded06774d4b269a7c95e29e12ab64fc553a (diff) |
Merge pull request #183874 from zhaofengli/bwrap-fhs-preserve-etc-symlink
build-fhs-userenv-bubblewrap: Preserve symlinks in /etc
Diffstat (limited to 'pkgs/build-support')
-rw-r--r-- | pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix | 29 |
1 files changed, 20 insertions, 9 deletions
diff --git a/pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix b/pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix
index 048233d728c47..76e68573faa82 100644
--- a/pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix
+++ b/pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix
@@ -26,7 +26,7 @@ let
 "unshareUser" "unshareCgroup" "unshareUts" "unshareNet" "unsharePid" "unshareIpc"
 ]);
- etcBindFlags = let
+ etcBindEntries = let
 files = [
 # NixOS Compatibility
 "static"
@@ -69,8 +69,7 @@ let
 "ca-certificates"
 "pki"
 ];
- in concatStringsSep "\n "
- (map (file: "--ro-bind-try $(${coreutils}/bin/readlink -m /etc/${file}) /etc/${file}") files);
+ in map (path: "/etc/${path}") files;
 # Create this on the fly instead of linking from /nix
 # The container might have to modify it and re-run ldconfig if there are
@@ -99,19 +98,20 @@ let
 '';
 bwrapCmd = { initArgs ? "" }: ''
- blacklist=(/nix /dev /proc /etc)
+ ignored=(/nix /dev /proc /etc)
 ro_mounts=()
 symlinks=()
+ etc_ignored=()
 for i in ${env}/*; do
 path="/''${i##*/}"
 if [[ $path == '/etc' ]]; then
 :
 elif [[ -L $i ]]; then
 symlinks+=(--symlink "$(${coreutils}/bin/readlink "$i")" "$path")
- blacklist+=("$path")
+ ignored+=("$path")
 else
 ro_mounts+=(--ro-bind "$i" "$path")
- blacklist+=("$path")
+ ignored+=("$path")
 fi
 done
@@ -124,14 +124,26 @@ let
 continue
 fi
 ro_mounts+=(--ro-bind "$i" "/etc$path")
+ etc_ignored+=("/etc$path")
 done
 fi
+ for i in ${lib.escapeShellArgs etcBindEntries}; do
+ if [[ "''${etc_ignored[@]}" =~ "$i" ]]; then
+ continue
+ fi
+ if [[ -L $i ]]; then
+ symlinks+=(--symlink "$(${coreutils}/bin/readlink "$i")" "$i")
+ else
+ ro_mounts+=(--ro-bind-try "$i" "$i")
+ fi
+ done
+
 declare -a auto_mounts
 # loop through all directories in the root
 for dir in /*; do
- # if it is a directory and it is not in the blacklist
- if [[ -d "$dir" ]] && [[ ! "''${blacklist[@]}" =~ "$dir" ]]; then
+ # if it is a directory and it is not ignored
+ if [[ -d "$dir" ]] && [[ ! "''${ignored[@]}" =~ "$dir" ]]; then
 # add it to the mount list
 auto_mounts+=(--bind "$dir" "$dir")
 fi
@@ -179,7 +191,6 @@ let
 --symlink /etc/ld.so.cache ${pkgsi686Linux.glibc}/etc/ld.so.cache \
 --ro-bind ${pkgsi686Linux.glibc}/etc/rpc ${pkgsi686Linux.glibc}/etc/rpc \
 --remount-ro ${pkgsi686Linux.glibc}/etc \
- ${etcBindFlags}
 "''${ro_mounts[@]}"
 "''${symlinks[@]}"
 "''${auto_mounts[@]}" |
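Review bot: The membership test in the new `for i in ${lib.escapeShellArgs etcBindEntries}` loop, `[[ "''${etc_ignored[@]}" =~ "$i" ]]`, checks whether `$i` occurs as a substring of the space-joined array rather than whether it is an element, so an entry that is a prefix of a path already recorded from `${env}/etc` (constructed example: entry `/etc/foo` when `/etc/foo.d` was recorded) is silently skipped and never bound into the sandbox. The `files` list is mostly outside the hunk, so I cannot point to a definite collision today, but the check is fragile as that list grows, and it copies the shape of the pre-existing `ignored`/`$dir` test further down. An exact-match lookup avoids this: `declare -A etc_ignored=()`, `etc_ignored["/etc$path"]=1`, and `if [[ -n "''${etc_ignored[$i]:-}" ]]; then`, which requires bash 4 or later (the `[[ … =~ ]]` and array use already presuppose bash). The enclosing `bwrapCmd` string starts in the previous hunk and continues past this one.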