From 214968cbe4ec9b2705c0d3e402dca043c0847cc8 Mon Sep 17 00:00:00 2001
From: aszlig <aszlig@nix.build>
Date: Fri, 11 Sep 2020 20:06:43 +0200
Subject: sandbox: Only mount new procfs instance for PID ns

If we don't have a PID namespace, we're not allowed to mount a new
procfs instance and subsequently get an error (EPERM).

To cope with this, we're now bind-mounting /proc just like the other
pseudo file systems IFF we're not using the CLONE_NEWPID flag.

Signed-off-by: aszlig <aszlig@nix.build>
---
 pkgs/build-support/build-sandbox/src/setup.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

(limited to 'pkgs/build-support')

diff --git a/pkgs/build-support/build-sandbox/src/setup.c b/pkgs/build-support/build-sandbox/src/setup.c
index dc8bbf14..63b72773 100644
--- a/pkgs/build-support/build-sandbox/src/setup.c
+++ b/pkgs/build-support/build-sandbox/src/setup.c
@@ -769,13 +769,18 @@ static bool setup_chroot(void)
     if (!bind_mount("/dev", false, false, false))
         return false;
 
-    if (!makedirs(FS_ROOT_DIR "/proc", false))
-        return false;
+#if (EXTRA_NS_FLAGS) & CLONE_NEWPID
+        if (!makedirs(FS_ROOT_DIR "/proc", false))
+            return false;
 
-    if (mount("none", FS_ROOT_DIR "/proc", "proc", 0, NULL) == -1) {
-        perror("mount /proc");
-        return false;
-    }
+        if (mount("none", FS_ROOT_DIR "/proc", "proc", 0, NULL) == -1) {
+            perror("mount /proc");
+            return false;
+        }
+#else
+        if (!bind_mount("/proc", false, false, false))
+            return false;
+#endif
 
     if (!bind_mount("/sys", false, false, false))
         return false;
-- 
cgit 1.4.1