mirror of https://codeberg.org/guix/guix.git, synced 2026-01-25 03:55:08 -06:00
Fixes <https://issues.guix.gnu.org/77862>.

Previously, the ‘guix-daemon’ account (for unprivileged execution) would typically have “kvm” as a supplementary group, but that group would not be mapped in the build user namespace. Consequently, attempts to ‘chown’ a file to that supplementary group would fail with EINVAL. The test suites of Coreutils, Python, and Go (among others) exercise this chown-to-supplementary-group behavior, so they would all fail when started by the unprivileged ‘guix-daemon’ even though they succeed when started by ‘guix-daemon’ running as root.

Thanks to keinflue <keinflue@posteo.net> and Reepca Russelstein <reepca@russelstein.xyz> for helping out.

* nix/libstore/build.cc (initializeUserNamespace): Add ‘extraGIDs’ and ‘haveCapSetGID’ parameters. Invoke ‘newgidmap’ when ‘extraGIDs’ is non-empty and ‘haveCapSetGID’ is false. Honor ‘extraGIDs’ when ‘haveCapSetGID’ is true.
(maxGroups, guestKVMGID): New variables.
(kvmGIDMapping): New function.
(DerivationGoal::startBuilder): Set ‘ctx.lockMountsMapAll’ in the CLONE_NEWUSER case. Pass ‘extraGIDs’ to ‘initializeUserNamespace’.
* tests/store.scm ("kvm GID is mapped"): New test.

Change-Id: I10ba710fc1b9ca1e3cd3122be1ec8ede5df18b40
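The EINVAL described in the commit message is a kernel rule, not a Guix quirk: chown(2) rejects any uid or gid that has no entry in the calling process's user namespace maps, before any permission check runs. The following program is an added example written for this page, not code from the Guix tree or from the patch above. It forks a child, has the child unshare a user namespace and map only its own uid and gid (all an unprivileged process may do without the setuid ‘newuidmap’/‘newgidmap’ helpers), then chowns a scratch file from inside the namespace. The function names `chown_in_userns` and `make_scratch_file`, the `/tmp/userns-chown-XXXXXX` path template, and the `NS_UNSUPPORTED` sentinel are this example's own choices; gid 65534 is used only as an arbitrary gid that is not in the map.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returned by chown_in_userns() when this host refuses to create a user
 * namespace (unprivileged_userns_clone=0, a seccomp filter, no /proc, ...). */
#define NS_UNSUPPORTED (-1)

/* Exit status the child uses to report "namespace setup failed"; it is above
 * every errno value, so it cannot collide with a chown() failure code. */
#define CHILD_SETUP_FAILED 200

/* Overwrite /proc/self/<name> with one line. Returns 0 on success. */
static int write_proc_self(const char *name, const char *line)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/self/%s", name);
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t len = (ssize_t)strlen(line);
    int ok = write(fd, line, len) == len;
    close(fd);
    return ok ? 0 : -1;
}

/* Fork, enter a fresh user namespace that maps only the caller's own uid and
 * gid (the most an unprivileged process can map on its own), and chown
 * `path` to `gid_in_ns` from inside it.
 * Returns 0 if chown succeeded, the errno it failed with, or NS_UNSUPPORTED. */
int chown_in_userns(const char *path, gid_t gid_in_ns)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    pid_t pid = fork();
    if (pid < 0)
        return NS_UNSUPPORTED;
    if (pid == 0) {
        char map[64];
        if (unshare(CLONE_NEWUSER) != 0)
            _exit(CHILD_SETUP_FAILED);
        /* An unprivileged gid_map write is refused unless setgroups is denied. */
        if (write_proc_self("setgroups", "deny") != 0)
            _exit(CHILD_SETUP_FAILED);
        snprintf(map, sizeof map, "0 %u 1\n", (unsigned)uid);
        if (write_proc_self("uid_map", map) != 0)
            _exit(CHILD_SETUP_FAILED);
        snprintf(map, sizeof map, "0 %u 1\n", (unsigned)gid);
        if (write_proc_self("gid_map", map) != 0)
            _exit(CHILD_SETUP_FAILED);
        /* Inside the namespace gid 0 is our real primary group; every other
         * gid is unmapped, so the kernel answers chown() with EINVAL. */
        if (chown(path, (uid_t)-1, gid_in_ns) == 0)
            _exit(0);
        _exit(errno);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return NS_UNSUPPORTED;
    int code = WEXITSTATUS(status);
    return code == CHILD_SETUP_FAILED ? NS_UNSUPPORTED : code;
}

/* Create a scratch file owned by the caller; its path is written to `buf`.
 * Returns the (already closed) descriptor number, or -1 on failure. */
int make_scratch_file(char *buf, size_t n)
{
    snprintf(buf, n, "%s", "/tmp/userns-chown-XXXXXX"); /* template is an example choice */
    int fd = mkstemp(buf);
    if (fd >= 0)
        close(fd);
    return fd;
}

int main(void)
{
    char path[64];
    if (make_scratch_file(path, sizeof path) < 0) {
        perror("mkstemp");
        return 1;
    }
    int mapped   = chown_in_userns(path, 0);     /* gid 0 in ns = our real gid */
    int unmapped = chown_in_userns(path, 65534); /* not present in gid_map    */
    unlink(path);
    if (mapped == NS_UNSUPPORTED) {
        puts("user namespaces unavailable here; nothing to show");
        return 0;
    }
    printf("chown to mapped gid   -> %s\n", mapped ? strerror(mapped) : "ok");
    printf("chown to unmapped gid -> %s\n", unmapped ? strerror(unmapped) : "ok");
    return 0;
}
```

The program only reproduces the failing side. To make a supplementary group such as “kvm” usable inside the namespace without CAP_SETGID, the map has to be written from outside by a setuid helper, which is what the commit's ‘newgidmap’ path does; the invocation shape is ‘newgidmap <pid> 0 <gid> 1 1 <kvm-gid> 1’ (numbers illustrative), and it succeeds only if /etc/subgid grants the daemon user that range. A process holding CAP_SETGID over the parent namespace can instead write the multi-line gid_map itself, which corresponds to the ‘haveCapSetGID’ branch the message describes.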
| File |
|---|
| .gitignore |
| build.cc |
| builtins.cc |
| builtins.hh |
| derivations.cc |
| derivations.hh |
| gc.cc |
| globals.cc |
| globals.hh |
| local-store.cc |
| local-store.hh |
| misc.cc |
| misc.hh |
| optimise-store.cc |
| pathlocks.cc |
| pathlocks.hh |
| references.cc |
| references.hh |
| sqlite.cc |
| sqlite.hh |
| store-api.cc |
| store-api.hh |
| worker-protocol.hh |