aboutsummaryrefslogtreecommitdiff
path: root/gnu
diff options
context:
space:
mode:
authorLudovic Courtès <ludo@gnu.org>2016-10-18 23:22:03 +0200
committerLudovic Courtès <ludo@gnu.org>2016-10-19 15:54:10 +0200
commit7fee5b53973fb4fe049aa0bc5db58093727bdf30 (patch)
treeb392d7b204098a4dfa3113c7d7fa7f801de11546 /gnu
parent99df12cd1921dd497bb4fcdd96ee40e358d71e6d (diff)
downloadguix-7fee5b53973fb4fe049aa0bc5db58093727bdf30.tar
guix-7fee5b53973fb4fe049aa0bc5db58093727bdf30.tar.gz
container: Allow 'container-excursion' to the same namespaces.
Before that, 'container-excursion' would call 'setns' even when the target namespace is the one the caller is already in, which would fail. * gnu/build/linux-container.scm (container-excursion): Introduce 'source' and 'target'. Compare the result of 'readlink' on these instead of comparing file descriptors to decide whether to call 'setns'. * tests/containers.scm ("container-excursion, same namespace"): New test.
Diffstat (limited to 'gnu')
-rw-r--r--gnu/build/linux-container.scm20
1 files changed, 11 insertions, 9 deletions
diff --git a/gnu/build/linux-container.scm b/gnu/build/linux-container.scm
index 91996d06ca..3fccc9addb 100644
--- a/gnu/build/linux-container.scm
+++ b/gnu/build/linux-container.scm
@@ -291,15 +291,17 @@ return the exit status."
(call-with-clean-exit
(lambda ()
(for-each (lambda (ns)
- (call-with-input-file (namespace-file (getpid) ns)
- (lambda (current-ns-port)
- (call-with-input-file (namespace-file pid ns)
- (lambda (new-ns-port)
- ;; Joining the namespace that the process
- ;; already belongs to would throw an error.
- (unless (= (port->fdes current-ns-port)
- (port->fdes new-ns-port))
- (setns (port->fdes new-ns-port) 0)))))))
+ (let ((source (namespace-file (getpid) ns))
+ (target (namespace-file pid ns)))
+ ;; Joining the namespace that the process already
+ ;; belongs to would throw an error so avoid that.
+ ;; XXX: This /proc interface leads to TOCTTOU.
+ (unless (string=? (readlink source) (readlink target))
+ (call-with-input-file source
+ (lambda (current-ns-port)
+ (call-with-input-file target
+ (lambda (new-ns-port)
+ (setns (fileno new-ns-port) 0))))))))
;; It's important that the user namespace is joined first,
;; so that the user will have the privileges to join the
;; other namespaces. Furthermore, it's important that the