authorLudovic Courtès <ludovic.courtes@inria.fr>2019-03-14 17:02:53 +0100
committerLudovic Courtès <ludo@gnu.org>2019-03-15 23:27:59 +0100
commit99aec37a78e7be6a591d0e5b7439896d669a75d1 (patch)
tree0187d4cf990037f7f2782f6b5dca650a8bb7eaaa /gnu
parentc9b3a72b6792c8195b0cdd8e5d7809db29419c7d (diff)
pack: "-RR" produces PRoot-enabled relocatable binaries.
* gnu/packages/aux-files/run-in-namespace.c (exec_with_proot): New function. (main): When 'clone' fails, call 'rm_rf'. [PROOT_PROGRAM]: When 'clone' fails, call 'exec_with_proot'. * guix/scripts/pack.scm (wrapped-package): Add #:proot?. [proot]: New procedure. [build]: Compile with -DPROOT_PROGRAM when PROOT? is true. * guix/scripts/pack.scm (%options): Set the 'relocatable?' value to 'proot when "-R" is passed several times. (guix-pack): Pass #:proot? to 'wrapped-package'. * tests/guix-pack-relocatable.sh: Use "-RR" on Intel systems that lack user namespace support. * doc/guix.texi (Invoking guix pack): Document -RR.
Diffstat (limited to 'gnu')
-rw-r--r--gnu/packages/aux-files/run-in-namespace.c47
1 files changed, 46 insertions, 1 deletions
diff --git a/gnu/packages/aux-files/run-in-namespace.c b/gnu/packages/aux-files/run-in-namespace.c
index f0cff88552..551f4db88a 100644
--- a/gnu/packages/aux-files/run-in-namespace.c
+++ b/gnu/packages/aux-files/run-in-namespace.c
@@ -1,5 +1,5 @@
/* GNU Guix --- Functional package management for GNU
- Copyright (C) 2018 Ludovic Courtès <ludo@gnu.org>
+ Copyright (C) 2018, 2019 Ludovic Courtès <ludo@gnu.org>
This file is part of GNU Guix.
@@ -212,6 +212,46 @@ disallow_setgroups (pid_t pid)
}
+#ifdef PROOT_PROGRAM
+
+/* Execute the wrapped program with PRoot, passing it ARGC and ARGV, and
+ "bind-mounting" STORE in the right place. */
+static void
+exec_with_proot (const char *store, int argc, char *argv[])
+{
+ int proot_specific_argc = 4;
+ int proot_argc = argc + proot_specific_argc;
+ char *proot_argv[proot_argc], *proot;
+ char bind_spec[strlen (store) + 1 + sizeof "@STORE_DIRECTORY@"];
+
+ strcpy (bind_spec, store);
+ strcat (bind_spec, ":");
+ strcat (bind_spec, "@STORE_DIRECTORY@");
+
+ proot = concat (store, PROOT_PROGRAM);
+
+ proot_argv[0] = proot;
+ proot_argv[1] = "-b";
+ proot_argv[2] = bind_spec;
+ proot_argv[3] = "@WRAPPED_PROGRAM@";
+
+ for (int i = 0; i < argc; i++)
+ proot_argv[i + proot_specific_argc] = argv[i + 1];
+
+ proot_argv[proot_argc] = NULL;
+
+ /* Seccomp support seems to invariably lead to segfaults; disable it by
+ default. */
+ setenv ("PROOT_NO_SECCOMP", "1", 0);
+
+ int err = execv (proot, proot_argv);
+ if (err < 0)
+ assert_perror (errno);
+}
+
+#endif
+
+
int
main (int argc, char *argv[])
{
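Review bot: `proot_argv[proot_argc] = NULL;` writes one element past the end of `proot_argv`, which is declared with exactly `proot_argc` entries (indices 0 through argc+3); the preceding loop already stores `argv[argc]`, i.e. the terminating NULL, at index argc+3, so the extra store is both redundant and an out-of-bounds write into the stack frame. Either drop that line or size the array so the explicit terminator fits: `char *proot_argv[proot_argc + 1], *proot;`. Separately, an `execv` failure is reported only through `assert_perror`, which compiles to nothing when NDEBUG is defined, so in that configuration the function returns silently to its caller; an unconditional `fprintf (stderr, "%s: error: failed to execute '%s': %m\n", argv[0], proot);` before returning would keep the diagnostic in release builds. The return value of `setenv` is also ignored, which is harmless here but worth a comment if intentional.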
@@ -274,6 +314,10 @@ main (int argc, char *argv[])
break;
case -1:
+ rm_rf (new_root);
+#ifdef PROOT_PROGRAM
+ exec_with_proot (store, argc, argv);
+#else
fprintf (stderr, "%s: error: 'clone' failed: %m\n", argv[0]);
fprintf (stderr, "\
This may be because \"user namespaces\" are not supported on this system.\n\
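Review bot: With PROOT_PROGRAM defined, the `'clone' failed` message and the user-namespace explanation are compiled out entirely, so if the PRoot fallback itself fails to exec, `exec_with_proot` returns and main continues to its failure return (visible in the following hunk) with nothing on stderr in an NDEBUG build. Consider keeping a diagnostic on this path, for example between `exec_with_proot (store, argc, argv);` and `#else` add `fprintf (stderr, "%s: error: 'clone' failed and the PRoot fallback could not be executed\n", argv[0]);`. Note that by this point the errno from `clone` has already been overwritten by `rm_rf` and `execv`, so `%m` would no longer describe the original failure. main starts and ends outside this hunk.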
@@ -281,6 +325,7 @@ Consequently, we cannot run '@WRAPPED_PROGRAM@',\n\
unless you move it to the '@STORE_DIRECTORY@' directory.\n\
\n\
Please refer to the 'guix pack' documentation for more information.\n");
+#endif
return EXIT_FAILURE;
default: