| author | aszlig <aszlig@nix.build> | 2020-09-11 20:06:43 +0200 |
|---|---|---|
| committer | aszlig <aszlig@nix.build> | 2020-09-11 20:09:17 +0200 |
| commit | 214968cbe4ec9b2705c0d3e402dca043c0847cc8 (patch) | |
| tree | e59f711136e7ef8d76905019e7785db09b95bc65 /tests/sandbox.nix | |
| parent | 877fb29635370f3ebbdfd0211460bc66347269ea (diff) | |
sandbox: Only mount new procfs instance for PID ns
If we don't have a PID namespace, we're not allowed to mount a new procfs instance and subsequently get an error (EPERM). To cope with this, we're now bind-mounting /proc just like the other pseudo file systems IFF we're not using the CLONE_NEWPID flag.

Signed-off-by: aszlig <aszlig@nix.build>
Diffstat (limited to 'tests/sandbox.nix')

| -rw-r--r-- | tests/sandbox.nix | 7 |
|---|---|---|

1 files changed, 7 insertions, 0 deletions
diff --git a/tests/sandbox.nix b/tests/sandbox.nix index b9f087a0..b3ad80d1 100644 --- a/tests/sandbox.nix +++ b/tests/sandbox.nix @@ -135,6 +135,11 @@ echo hello network | ${pkgs.netcat-openbsd}/bin/nc -N 127.0.0.1 3000 \ || echo netcat has failed '') { namespaces.net = true; }) + + (pkgs.vuizvui.buildSandbox (pkgs.writeScriptBin "test-sandbox4" '' + #!${pkgs.stdenv.shell} + test $$ -gt 5 && echo no pid namespace + '') { namespaces.pid = false; }) ]; users.users.foo.isNormalUser = true; }; @@ -162,5 +167,7 @@ machine.succeed('test "$(su -c test-sandbox3 foo)" = "netcat has failed"') machine.fail('grep -F "hello network" /tmp/netns.log') machine.succeed('grep -F "root netns" /tmp/netns.log') + + machine.succeed('test "$(su -c test-sandbox4 foo)" = "no pid namespace"') ''; } |
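Review bot: in the first hunk, `test $$ -gt 5 && echo no pid namespace` only checks that the shell did not receive a low PID, which is a proxy for "no PID namespace" and does not exercise the behaviour this commit introduces, namely bind-mounting /proc when CLONE_NEWPID is not used. If the sandbox starts but the bind mount is missing or empty, this test still passes. Consider also checking that /proc is usable from inside, e.g. `test -d /proc/$$ && test $$ -gt 5 && echo no pid namespace`, and adding a short comment on why 5 is the threshold (a fresh PID namespace would give the shell PID 1 or 2), since the number is otherwise arbitrary to a later reader.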
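Review bot: in the second hunk, `machine.succeed('test "$(su -c test-sandbox4 foo)" = "no pid namespace"')` reports a regression only as a mismatched string, because the command substitution swallows the exit status of `su -c test-sandbox4 foo`. If the sandbox fails to start (the EPERM case described in the commit message), the assertion sees an empty string and the underlying error is not part of the failing assertion. A preceding `machine.succeed('su -c test-sandbox4 foo')` would surface a startup failure as a command failure with its own message, and the string comparison would then only cover the script's output.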