GNU bug report logs - #77638
[PATCH 0/8] Harden 'call-with-container'


Package: guix-patches;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Tue, 8 Apr 2025 12:23:02 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.




From: Ludovic Courtès <ludo <at> gnu.org>
To: 77638 <at> debbugs.gnu.org
Cc: Ludovic Courtès <ludo <at> gnu.org>
Subject: [bug#77638] [PATCH 1/8] linux-container: Add #:mounts to ‘eval/container’.
Date: Tue,  8 Apr 2025 14:24:41 +0200
* gnu/system/linux-container.scm (eval/container): Add #:mounts
parameter and honor it.

Change-Id: I1d5970f53a3d67db93e937e392f9bf36e75d1573
---
 gnu/system/linux-container.scm | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/gnu/system/linux-container.scm b/gnu/system/linux-container.scm
index c1705f491c..3622328500 100644
--- a/gnu/system/linux-container.scm
+++ b/gnu/system/linux-container.scm
@@ -1,6 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2015 David Thompson <davet <at> gnu.org>
-;;; Copyright © 2016-2017, 2019-2023 Ludovic Courtès <ludo <at> gnu.org>
+;;; Copyright © 2016-2017, 2019-2023, 2025 Ludovic Courtès <ludo <at> gnu.org>
 ;;; Copyright © 2019 Arun Isaac <arunisaac <at> systemreboot.net>
 ;;; Copyright © 2020 Efraim Flashner <efraim <at> flashner.co.il>
 ;;; Copyright © 2020 Google LLC
@@ -319,13 +319,14 @@ (define* (container-script os #:key (mappings '()) shared-network?)
 (define* (eval/container exp
                          #:key
                          (mappings '())
+                         (mounts '())
                          (namespaces %namespaces)
                          (guest-uid 0) (guest-gid 0))
   "Evaluate EXP, a gexp, in a new process executing in separate namespaces as
-listed in NAMESPACES.  Add MAPPINGS, a list of <file-system-mapping>, to the
-set of directories visible in the process's mount namespace.  Inside the
-namespaces, run code as GUEST-UID and GUEST-GID.  Return the process' exit
-status as a monadic value.
+listed in NAMESPACES.  Add MOUNTS, a list of <file-system>, and MAPPINGS, a
+list of <file-system-mapping>, to the set of directories visible in the
+process's mount namespace.  Inside the namespaces, run code as GUEST-UID and
+GUEST-GID.  Return the process' exit status as a monadic value.
 
 This is useful to implement processes that, unlike derivations, are not
 entirely pure and need to access the outside world or to perform side
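Review bot: the new docstring sentence "Add MOUNTS, a list of <file-system>, and MAPPINGS, a list of <file-system-mapping>, to the set of directories visible" presents the two parameters as interchangeable, but they are not: MAPPINGS are converted through `file-system-mapping->bind-mount`, whereas MOUNTS are handed to `call-with-container` exactly as the caller built them, so any file system type, options and flags in each <file-system> are honored verbatim and nothing in this function restricts them to bind mounts. Spell that out in the docstring (for example, "MOUNTS are mounted as given, before the store closure and MAPPINGS"), since a caller passing an untrusted list here is extending a much larger trust than with MAPPINGS.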
@@ -342,13 +343,14 @@ (define* (eval/container exp
     (mbegin %store-monad
       (built-derivations inputs)
       (mlet %store-monad ((closure ((store-lift requisites) items)))
-        (return (call-with-container (map file-system-mapping->bind-mount
-                                          (append (map (lambda (item)
-                                                         (file-system-mapping
-                                                          (source item)
-                                                          (target source)))
-                                                       closure)
-                                                  mappings))
+        (return (call-with-container (append mounts
+                                             (map file-system-mapping->bind-mount
+                                                  (append (map (lambda (item)
+                                                                 (file-system-mapping
+                                                                  (source item)
+                                                                  (target source)))
+                                                               closure)
+                                                          mappings)))
                   (lambda ()
                     (apply execl
                            (string-append (derivation-input-output-path
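Review bot: `(append mounts (map file-system-mapping->bind-mount ...))` puts the caller's MOUNTS ahead of the bind mounts generated for the store closure and for MAPPINGS, and nothing states which ordering wins when mount points overlap. If `call-with-container` mounts in list order, a <file-system> in MOUNTS whose mount point lies inside the store prefix is mounted first and then covered by the closure's bind mount, so it silently disappears; with the opposite ordering it would shadow store items instead. Either document the precedence in the docstring, or, if MOUNTS are never meant to overlap store paths, reject such entries up front with a clear error rather than letting the mount vanish. No caller in this patch passes a non-empty MOUNTS, so a test for `eval/container` with at least one entry would also help. As a style point, the re-indented `file-system-mapping` construction now sits about 66 columns deep; binding the closure mappings with a `let` before the `call-with-container` call would keep these lines readable.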
-- 
2.49.0





This bug report was last modified 64 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.