authorYegor Timoshenko <yegortimoshenko@gmail.com>2017-12-20 03:02:17 +0000
committerYegor Timoshenko <yegortimoshenko@gmail.com>2017-12-22 18:56:13 +0300
commitef1accae91e490fc7c371f0d0ef50c57f385b232 (patch)
tree9e2ac77ef75d4dca0d8511cb23465998a72ca3a3 /pkgs
parentc082544a52084326db6eeb36e2f1cddfbf89a7d3 (diff)
chrootenv: print sysctl command for Debian users, fixes #32876
Diffstat (limited to 'pkgs')
-rw-r--r--pkgs/build-support/build-fhs-userenv/chrootenv.c18
1 files changed, 13 insertions, 5 deletions
diff --git a/pkgs/build-support/build-fhs-userenv/chrootenv.c b/pkgs/build-support/build-fhs-userenv/chrootenv.c
index 8d6c98959cc9..97e69b7d0b22 100644
--- a/pkgs/build-support/build-fhs-userenv/chrootenv.c
+++ b/pkgs/build-support/build-fhs-userenv/chrootenv.c
@@ -98,10 +98,12 @@ int nftw_rm(const char *path, const struct stat *sb, int type,
 
 #define LEN(x) sizeof(x) / sizeof(*x)
 
+#define REQUIREMENTS "Linux version >= 3.19 built with CONFIG_USER_NS option"
+
 int main(int argc, char *argv[]) {
   if (argc < 2) {
     fprintf(stderr, "Usage: %s command [arguments...]\n"
-                    "Requires Linux kernel >= 3.19 with CONFIG_USER_NS.\n",
+                    "Requires " REQUIREMENTS ".\n",
             argv[0]);
     exit(EX_USAGE);
   }
@@ -128,7 +130,7 @@ int main(int argc, char *argv[]) {
     // If we are root, no need to create new user namespace.
     if (uid == 0) {
       if (unshare(CLONE_NEWNS) < 0)
-        errorf(EX_OSERR, "unshare() failed: You may have an old kernel or have CLONE_NEWUSER disabled by your distribution security settings.");
+        errorf(EX_OSERR, "unshare: requires " REQUIREMENTS);
       // Mark all mounted filesystems as slave so changes
       // don't propagate to the parent mount namespace.
       if (mount(NULL, "/", NULL, MS_REC | MS_SLAVE, NULL) < 0)
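Review bot: The new message `errorf(EX_OSERR, "unshare: requires " REQUIREMENTS);` in the root branch attributes a failed `unshare(CLONE_NEWNS)` to the CONFIG_USER_NS requirement, but this call only requests a mount namespace, so a missing user-namespace option cannot be what failed here. A message naming the actual call, e.g. `errorf(EX_OSERR, "unshare(CLONE_NEWNS)");`, would stop sending root users toward the wrong fix. The text it replaces had the same mismatch, so this is carried over rather than introduced, but the rewrite is the moment to correct it. The enclosing `main` starts and ends outside the hunk.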
@@ -136,8 +138,13 @@ int main(int argc, char *argv[]) {
     } else {
       // Create new mount and user namespaces. CLONE_NEWUSER
       // requires a program to be non-threaded.
-      if (unshare(CLONE_NEWNS | CLONE_NEWUSER) < 0)
-        errorf(EX_OSERR, "unshare");
+      if (unshare(CLONE_NEWNS | CLONE_NEWUSER) < 0) {
+        if (access("/tmp/proc/sys/kernel/unprivileged_userns_clone", F_OK) < 0)
+          errorf(EX_OSERR, "unshare: requires " REQUIREMENTS);
+        else
+          errorf(EX_OSERR, "unshare: run `sudo sysctl -w "
+                           "kernel.unprivileged_userns_clone=1`");
+      }
 
       // Map users and groups to the parent namespace.
       // setgroups is only available since Linux 3.19:
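Review bot: The probe `access("/tmp/proc/sys/kernel/unprivileged_userns_clone", F_OK)` looks under `/tmp/proc`, which at this point — before any bind mount or chroot that the hunk shows — is unlikely to be procfs, so the sysctl hint would never be shown and every failure falls back to the generic requirements message; unless the `/tmp` prefix is deliberate, the path should be `/proc/sys/kernel/unprivileged_userns_clone`. Independently, `access()` may overwrite `errno` between the failed `unshare()` and `errorf()`, so if `errorf` reports `errno` (its definition is outside the hunk) the cause printed is that of the probe, not of `unshare()`; save it with `int saved = errno;` before the probe and restore with `errno = saved;` before each `errorf`. The branch also does not distinguish `EPERM` from other failures, so the sysctl hint is printed for any `unshare()` error as long as the file exists; gating the hint on `saved == EPERM` keeps it accurate. The enclosing `main` starts and ends outside the hunk.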
@@ -170,7 +177,8 @@ int main(int argc, char *argv[]) {
   if (waitpid(cpid, &status, 0) < 0)
     errorf(EX_OSERR, "waitpid");
 
-  if (nftw(root, nftw_rm, getdtablesize(), FTW_DEPTH | FTW_MOUNT | FTW_PHYS) < 0)
+  if (nftw(root, nftw_rm, getdtablesize(), FTW_DEPTH | FTW_MOUNT | FTW_PHYS) <
+      0)
     errorf(EX_IOERR, "nftw");
 
   if (WIFEXITED(status))