From 214968cbe4ec9b2705c0d3e402dca043c0847cc8 Mon Sep 17 00:00:00 2001
From: aszlig <aszlig@nix.build>
Date: Fri, 11 Sep 2020 20:06:43 +0200
Subject: sandbox: Only mount new procfs instance for PID ns

If we don't have a PID namespace, we're not allowed to mount a new
procfs instance and subsequently get an error (EPERM).

To cope with this, we're now bind-mounting /proc just like the other
pseudo file systems IFF we're not using the CLONE_NEWPID flag.

Signed-off-by: aszlig <aszlig@nix.build>
---
 tests/sandbox.nix | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'tests')

diff --git a/tests/sandbox.nix b/tests/sandbox.nix
index b9f087a0..b3ad80d1 100644
--- a/tests/sandbox.nix
+++ b/tests/sandbox.nix
@@ -135,6 +135,11 @@
         echo hello network | ${pkgs.netcat-openbsd}/bin/nc -N 127.0.0.1 3000 \
           || echo netcat has failed
       '') { namespaces.net = true; })
+
+      (pkgs.vuizvui.buildSandbox (pkgs.writeScriptBin "test-sandbox4" ''
+        #!${pkgs.stdenv.shell}
+        test $$ -gt 5 && echo no pid namespace
+      '') { namespaces.pid = false; })
     ];
     users.users.foo.isNormalUser = true;
   };
@@ -162,5 +167,7 @@
     machine.succeed('test "$(su -c test-sandbox3 foo)" = "netcat has failed"')
     machine.fail('grep -F "hello network" /tmp/netns.log')
     machine.succeed('grep -F "root netns" /tmp/netns.log')
+
+    machine.succeed('test "$(su -c test-sandbox4 foo)" = "no pid namespace"')
   '';
 }
-- 
cgit 1.4.1