From cafbc5f39084cff62879206d69a3890fce54dc27 Mon Sep 17 00:00:00 2001 From: Mathieu Othacehe Date: Wed, 9 Sep 2020 09:24:49 +0200 Subject: installer: final: Introduce call-with-mnt-container. * gnu/installer/final.scm (call-with-mnt-container): New procedure, (install-system): use it instead of call-with-container, to make sure that the container is not jailed. --- gnu/installer/final.scm | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) (limited to 'gnu') diff --git a/gnu/installer/final.scm b/gnu/installer/final.scm index 11143b2adbe..fc0b7803fa7 100644 --- a/gnu/installer/final.scm +++ b/gnu/installer/final.scm @@ -135,6 +135,20 @@ USERS." (_ #f)))))) pids))) +(define (call-with-mnt-container thunk) + "This is a variant of call-with-container. Run THUNK in a new container +process, within a separate MNT namespace. The container is not jailed so that +it can interact with the rest of the system." + (let ((pid (run-container "/" '() '(mnt) 1 thunk))) + ;; Catch SIGINT and kill the container process. + (sigaction SIGINT + (lambda (signum) + (false-if-exception + (kill pid SIGKILL)))) + + (match (waitpid pid) + ((_ . status) status)))) + (define* (install-system locale #:key (users '())) "Create /etc/shadow and /etc/passwd on the installation target for USERS. Start COW-STORE service on target directory and launch guix install command in @@ -181,7 +195,7 @@ or #f. Return #t on success and #f on failure." ;; To avoid this situation, mount the store overlay inside a container, ;; and run the installation from within that container. (zero? - (call-with-container '() + (call-with-mnt-container (lambda () (dynamic-wind (lambda () @@ -218,5 +232,4 @@ or #f. Return #t on success and #f on failure." ;; Finally umount the cow-store and exit the container. (unmount-cow-store (%installer-target-dir) backing-directory) - (assert-exit ret)))) - #:namespaces '(mnt))))) + (assert-exit ret)))))))) -- cgit v1.2.3