Diffstat (limited to 'pkgs/build-support')
-rw-r--r--pkgs/build-support/build-sandbox/default.nix4
-rw-r--r--pkgs/build-support/build-sandbox/src/setup.c23
2 files changed, 23 insertions, 4 deletions
diff --git a/pkgs/build-support/build-sandbox/default.nix b/pkgs/build-support/build-sandbox/default.nix
index a52be5c9..4265d30d 100644
--- a/pkgs/build-support/build-sandbox/default.nix
+++ b/pkgs/build-support/build-sandbox/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, lib, pkgconfig, nix }:
+{ stdenv, lib, pkgconfig, nix, boost }:
 
 drv: { paths ? {}, ... }@attrs:
 
@@ -78,7 +78,7 @@ in stdenv.mkDerivation ({
   '';
 
   nativeBuildInputs = [ pkgconfig ];
-  buildInputs = [ nix ];
+  buildInputs = [ nix boost ];
   makeFlags = [ "BINDIR=${drv}/bin" ];
 
 } // removeAttrs attrs [ "paths" ])
diff --git a/pkgs/build-support/build-sandbox/src/setup.c b/pkgs/build-support/build-sandbox/src/setup.c
index d95927dc..cf73d3e8 100644
--- a/pkgs/build-support/build-sandbox/src/setup.c
+++ b/pkgs/build-support/build-sandbox/src/setup.c
@@ -747,9 +747,14 @@ static bool setup_chroot(void)
     if (!bind_mount("/dev", false, false, false))
         return false;
 
-    if (!bind_mount("/proc", false, false, false))
+    if (!makedirs(FS_ROOT_DIR "/proc", false))
         return false;
 
+    if (mount("none", FS_ROOT_DIR "/proc", "proc", 0, NULL) == -1) {
+        perror("mount /proc");
+        return false;
+    }
+
     if (!bind_mount("/sys", false, false, false))
         return false;
 
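Review bot: The new procfs mount passes `0` as its mount flags, so the sandbox's /proc is mounted without the usual hardening options. Consider `mount("none", FS_ROOT_DIR "/proc", "proc", MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL)`, which is how procfs is conventionally mounted and costs nothing here. The context lines also show /sys still being bind-mounted from the host, so the host's sysfs stays visible inside the sandbox; if that is intended, a short comment saying so would help. setup_chroot's body starts and ends outside this hunk, so any later remount of these paths is not visible here.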
@@ -815,7 +820,8 @@ bool setup_sandbox(void)
             close(sync_pipe[0]);
             _exit(write_maps(parent_pid) ? 0 : 1);
         default:
-            if (unshare(CLONE_NEWNS | CLONE_NEWUSER) == -1) {
+            if (unshare(CLONE_NEWNS | CLONE_NEWUSER | CLONE_NEWPID |
+                        CLONE_NEWUTS | CLONE_NEWIPC) == -1) {
                 perror("unshare");
                 if (write(sync_pipe[1], "X", 1) == -1)
                     perror("signal child exit");
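Review bot: The widened unshare() flag set adds PID, UTS and IPC namespaces but not `CLONE_NEWNET`, so the sandboxed process still shares the host's network namespace, including abstract Unix sockets. If network access is deliberately kept, say so next to the call, for example `/* Network namespace intentionally shared: sandboxed programs need network access. */`. It would also help to note here that `CLONE_NEWPID` only applies to children created afterwards, since that is why a fork() follows later in setup_sandbox. The enclosing switch starts and ends outside this hunk.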
@@ -830,6 +836,19 @@ bool setup_sandbox(void)
             return false;
     }
 
+    if ((pid = fork()) == -1) {
+        perror("fork PID namespace");
+        return false;
+    }
+
+    /* Just wait in the parent until the child exits. We need to fork because
+     * otherwise we can't mount /proc in the right PID namespace.
+     */
+    if (pid > 0) {
+        waitpid(pid, NULL, 0);
+        _exit(1);
+    }
+
     cached_paths = new_path_cache();
 
     if (!setup_chroot()) {
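Review bot: The waiting parent added here always ends with `_exit(1)` and discards the child's status (`waitpid(pid, NULL, 0)`), so the caller sees a failure even when the child succeeds. Presumably the child goes on to run the sandboxed program, which means its real exit code or terminating signal is lost. The waitpid() return value is also unchecked, so an `EINTR` makes the parent exit while the child is still running. The parent should collect the status, retry on `EINTR` and propagate the result, as sketched below; this needs `errno.h` if the file does not already include it. setup_sandbox continues past the end of this hunk.

```c
    if (pid > 0) {
        int status;

        while (waitpid(pid, &status, 0) == -1) {
            if (errno != EINTR) {
                perror("waitpid PID namespace child");
                _exit(1);
            }
        }
        if (WIFEXITED(status))
            _exit(WEXITSTATUS(status));
        /* Killed by a signal: report it using the 128+signal convention. */
        _exit(WIFSIGNALED(status) ? 128 + WTERMSIG(status) : 1);
    }
    /* … unchanged: new_path_cache() and setup_chroot() in the child … */
```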