GNU bug report logs - #77638
[PATCH 0/8] Harden 'call-with-container'

Previous Next

Package: guix-patches;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Tue, 8 Apr 2025 12:23:02 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.

Full log

Message #14 received at 77638 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: 77638 <at> debbugs.gnu.org
Cc: Ludovic Courtès <ludo <at> gnu.org>
Subject: [PATCH 2/8] guix home: ‘container’ explicitly mounts $HOME and /run/user/1000.
Date: Tue,  8 Apr 2025 14:24:42 +0200

* guix/scripts/home.scm (spawn-home-container): Pass #:mounts to
‘eval/container’.

Change-Id: I1986c1411711cebaf623f97897d91436d8167037
---
 guix/scripts/home.scm | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/guix/scripts/home.scm b/guix/scripts/home.scm
index b4c82d275f..56a4b7c7d4 100644
--- a/guix/scripts/home.scm
+++ b/guix/scripts/home.scm
@@ -3,7 +3,7 @@
 ;;; Copyright © 2021 Xinglu Chen <public <at> yoctocell.xyz>
 ;;; Copyright © 2021 Pierre Langlois <pierre.langlois <at> gmx.com>
 ;;; Copyright © 2021 Oleg Pykhalov <go.wigust <at> gmail.com>
-;;; Copyright © 2022-2023 Ludovic Courtès <ludo <at> gnu.org>
+;;; Copyright © 2022-2023, 2025 Ludovic Courtès <ludo <at> gnu.org>
 ;;; Copyright © 2022 Arun Isaac <arunisaac <at> systemreboot.net>
 ;;; Copyright © 2022 Antero Mejr <antero <at> mailbox.org>
 ;;;
@@ -36,7 +36,8 @@ (define-module (guix scripts home)
   #:autoload   (guix modules) (source-module-closure)
   #:autoload   (gnu build linux-container) (call-with-container %namespaces)
   #:autoload   (gnu system linux-container) (eval/container)
-  #:autoload   (gnu system file-systems) (file-system-mapping
+  #:autoload   (gnu system file-systems) (file-system
+                                          file-system-mapping
                                           file-system-mapping-source
                                           file-system-mapping->bind-mount
                                           specification->file-system-mapping
@@ -361,6 +362,18 @@ (define* (spawn-home-container home
    #:namespaces (if network?
                     (delq 'net %namespaces)       ; share host network
                     %namespaces)
+   #:mounts (list (file-system
+                    (device "none")
+                    (mount-point
+                     (in-vicinity "/run/user"     ;for shepherd & co.
+                                  (number->string uid)))
+                    (type "tmpfs")
+                    (check? #f))
+                  (file-system                    ;writable home
+                    (device "none")
+                    (mount-point home-directory)
+                    (type "tmpfs")
+                    (check? #f)))
    #:mappings (append network-mappings mappings)
    #:guest-uid uid
    #:guest-gid gid))
-- 
2.49.0
This bug report was last modified 64 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.