GNU bug report logs - #75560
[PATCH] linux-container: Ignore EPERM when attempting to mount /sys.


Package: guix-patches;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Tue, 14 Jan 2025 17:05:03 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.


From: Ludovic Courtès <ludo <at> gnu.org>
To: 75560 <at> debbugs.gnu.org
Cc: Ludovic Courtès <ludo <at> gnu.org>
Subject: [bug#75560] [PATCH] linux-container: Ignore EPERM when attempting to mount /sys.
Date: Tue, 14 Jan 2025 18:03:47 +0100
Fixes <https://issues.guix.gnu.org/61690>.

Until now, this would work:

  guix shell --no-cwd -CWP  -- guix shell -C coreutils -- ls -R /home

… but this would not:

  $ guix shell --no-cwd -CWPN  -- guix shell -C coreutils -- ls -R /home
  guix shell: error: mount: mount "none" on "/tmp/guix-directory.Wnc2OI/sys": Operation not permitted

This is annoying and hardly understandable.  Since we already disable
/sys mounts when sharing the global network namespace is requested (as in
‘guix shell -CN’), for the very same reason, we can just as well disable
/sys mounts any time it fails with EPERM.

* gnu/build/linux-container.scm (mount-file-systems): Silently ignore
EPERM when attempting to mount /sys.

Change-Id: If85b1d703ab58a98ea9873f4f8fed71a06b7aa63
---
 gnu/build/linux-container.scm | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/gnu/build/linux-container.scm b/gnu/build/linux-container.scm
index dee6885400..5c303da8c8 100644
--- a/gnu/build/linux-container.scm
+++ b/gnu/build/linux-container.scm
@@ -109,8 +109,14 @@ (define* (mount-file-systems root mounts #:key mount-/sys? mount-/proc?)
   ;; A sysfs mount requires the user to have the CAP_SYS_ADMIN capability in
   ;; the current network namespace.
   (when mount-/sys?
-    (mount* "none" (scope "/sys") "sysfs"
-            (logior MS_NOEXEC MS_NOSUID MS_NODEV MS_RDONLY)))
+    (catch 'system-error
+      (lambda ()
+        (mount* "none" (scope "/sys") "sysfs"
+                (logior MS_NOEXEC MS_NOSUID MS_NODEV MS_RDONLY)))
+      (lambda args
+        ;; EPERM means that CAP_SYS_ADMIN is missing.  Ignore.
+        (unless (= EPERM (system-error-errno args))
+          (apply throw args)))))
 
   (mount* "none" (scope "/dev") "tmpfs"
           (logior MS_NOEXEC MS_STRICTATIME)
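Review bot: the EPERM branch at the end of this hunk skips the /sys mount with no trace, but the comment at the top of the hunk ("A sysfs mount requires the user to have the CAP_SYS_ADMIN capability in the current network namespace") and the function's `mount-/sys?` keyword still read as if passing `#t` guarantees a sysfs mount; update that comment and the docstring of `mount-file-systems` to say that /sys is left unmounted when the mount is not permitted, and consider emitting a warning on `(current-error-port)` in the EPERM branch so a user who later finds /sys missing inside the container can tell why. The new comment `;; EPERM means that CAP_SYS_ADMIN is missing.  Ignore.` also states the only cause the code handles as if it were the only possible one; any other EPERM from this `mount*` call is masked just the same, so word it as "treat EPERM as a missing CAP_SYS_ADMIN" rather than as a fact. Re-raising with `(apply throw args)` for every other errno is the right choice and keeps genuine failures (ENOENT, EINVAL) visible.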

base-commit: d804997897d2a531e0e3186e64df798a7e2e0d1a
-- 
2.47.1
