author: Ludovic Courtès <ludo@gnu.org> 2025-10-14 15:13:25 +0200
committer: Ludovic Courtès <ludo@gnu.org> 2025-10-16 15:14:37 +0200
commit: a92d98a7fa7d6a7f3c11643d2f725b618d05643f (patch)
tree: d9595e46454ce7c6dcc391df373f85c1a032bc76 /tests/store.scm
parent: d1910384d3581dcbc564353a098089d1a52c08d6 (diff)
daemon: Attempt to map the “kvm” group inside the build user namespace.
Fixes <https://issues.guix.gnu.org/77862>.

Previously, the ‘guix-daemon’ account (for unprivileged execution) would typically have “kvm” as a supplementary group, but that group would not be mapped in the build user namespace. Consequently, attempts to ‘chown’ a file to that supplementary group would fail with EINVAL. The test suites of Coreutils, Python, and Go (among others) exercise this chown-to-supplementary-group behavior, so they would all fail when started by the unprivileged ‘guix-daemon’ even though they succeed when started by ‘guix-daemon’ running as root.

Thanks to keinflue <keinflue@posteo.net> and Reepca Russelstein <reepca@russelstein.xyz> for helping out.

* nix/libstore/build.cc (initializeUserNamespace): Add ‘extraGIDs’ and ‘haveCapSetGID’ parameters. Invoke ‘newgidmap’ when ‘extraGIDs’ is non-empty and ‘haveCapSetGID’ is false. Honor ‘extraGIDs’ when ‘haveCapSetGID’ is true.
(maxGroups, guestKVMGID): New variables.
(kvmGIDMapping): New function.
(DerivationGoal::startBuilder): Set ‘ctx.lockMountsMapAll’ in the CLONE_NEWUSER case. Pass ‘extraGIDs’ to ‘initializeUserNamespace’.
* tests/store.scm ("kvm GID is mapped"): New test.

Change-Id: I10ba710fc1b9ca1e3cd3122be1ec8ede5df18b40
Diffstat (limited to 'tests/store.scm')
-rw-r--r-- tests/store.scm 23
1 files changed, 23 insertions, 0 deletions
diff --git a/tests/store.scm b/tests/store.scm
index 16dcbf2396d..82fb7a96cea 100644
--- a/tests/store.scm
+++ b/tests/store.scm
@@ -476,6 +476,29 @@
(build-derivations %store (list d))
(call-with-input-file (derivation->output-path d) read)))
+(unless (and (unprivileged-user-namespace-supported?)
+ (false-if-exception
+ (= (stat:gid (stat "/dev/kvm"))
+ (group:gid (getgrnam "kvm"))))
+ (= 1 (status:exit-val (system* "newgidmap"))))
+ (test-skip 1))
+(test-assert "kvm GID is mapped"
+ ;; Ensure that the "kvm" GID is mapped into the build user namespace such
+ ;; that chown'ing a file to that GID works as expected. See
+ ;; <https://issues.guix.gnu.org/77862>.
+ (let ((d (build-expression->derivation
+ %store "chown-to-supplementary-group"
+ `(let ((st (stat "/dev/kvm")))
+ ',(gettimeofday)
+ (pk 'supplementary-groups (getgroups))
+ (pk 'kvm-group (stat:gid st))
+ (unless (member (stat:gid st) (vector->list (getgroups)))
+ (error "supplementary groups lack 'kvm' GID"))
+ (mkdir "test")
+ (chown "test" (getuid) (stat:gid st))
+ (mkdir %output)))))
+ (build-derivations %store (list d))))
+
(unless (unprivileged-user-namespace-supported?)
(test-skip 1))
(test-equal "inputs are read-only"
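Review bot: the skip guard at the top of the hunk probes for `newgidmap` by running it with no arguments and expecting exit status 1, `(= 1 (status:exit-val (system* "newgidmap")))`; that ties the skip decision to an undocumented usage exit code (a missing binary normally yields 127, and another shadow-utils version may exit differently), so the test is silently skipped instead of failing when the setuid helper is absent, and the bare invocation also writes a usage message into the test log. A comment stating that the call is only a presence check, or a PATH lookup in its place, would make the intent clear. Inside the builder expression, the `',(gettimeofday)` form that makes each run produce a fresh derivation instead of hitting a cached build deserves a one-line comment as well, and the two `pk` calls read as leftover debugging output unless they are intended to stay for diagnosing failures of the GID mapping.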