sandbox: Only mount new procfs instance for PID ns

If we don't have a PID namespace, we're not allowed to mount a new procfs instance and subsequently get an error (EPERM). To cope with this, we're now bind-mounting /proc just like the other pseudo file systems IFF we're not using the CLONE_NEWPID flag. Signed-off-by: aszlig <aszlig@nix.build>
author: aszlig <aszlig@nix.build> 2020-09-11 20:06:43 +0200
committer: aszlig <aszlig@nix.build> 2020-09-11 20:09:17 +0200
commit: 214968cbe4ec9b2705c0d3e402dca043c0847cc8 (patch)
tree: e59f711136e7ef8d76905019e7785db09b95bc65 /pkgs/build-support
parent: 877fb29635370f3ebbdfd0211460bc66347269ea (diff)
1 files changed, 11 insertions, 6 deletions
diff --git a/pkgs/build-support/build-sandbox/src/setup.c b/pkgs/build-support/build-sandbox/src/setup.c
index dc8bbf14..63b72773 100644
--- a/pkgs/build-support/build-sandbox/src/setup.c
+++ b/pkgs/build-support/build-sandbox/src/setup.c
@@ -769,13 +769,18 @@ static bool setup_chroot(void)
     if (!bind_mount("/dev", false, false, false))
         return false;
 
-    if (!makedirs(FS_ROOT_DIR "/proc", false))
-        return false;
+#if (EXTRA_NS_FLAGS) & CLONE_NEWPID
+        if (!makedirs(FS_ROOT_DIR "/proc", false))
+            return false;
 
-    if (mount("none", FS_ROOT_DIR "/proc", "proc", 0, NULL) == -1) {
-        perror("mount /proc");
-        return false;
-    }
+        if (mount("none", FS_ROOT_DIR "/proc", "proc", 0, NULL) == -1) {
+            perror("mount /proc");
+            return false;
+        }
+#else
+        if (!bind_mount("/proc", false, false, false))
+            return false;
+#endif
 
     if (!bind_mount("/sys", false, false, false))
         return false;
author	aszlig <aszlig@nix.build>	2020-09-11 20:06:43 +0200
committer	aszlig <aszlig@nix.build>	2020-09-11 20:09:17 +0200
commit	214968cbe4ec9b2705c0d3e402dca043c0847cc8 (patch)
tree	e59f711136e7ef8d76905019e7785db09b95bc65 /pkgs/build-support
parent	877fb29635370f3ebbdfd0211460bc66347269ea (diff)