GNU bug report logs - #77900
Unprivileged guix-daemon fails to build in Docker/relocatable pack


Package: guix;

Reported by: Ludovic Courtès <ludovic.courtes <at> inria.fr>

Date: Fri, 18 Apr 2025 14:25:11 UTC

Severity: normal


From: David Elsing <david.elsing <at> posteo.net>
To: Ludovic Courtès <ludovic.courtes <at> inria.fr>
Cc: 77900 <at> debbugs.gnu.org, Reepca Russelstein <reepca <at> russelstein.xyz>
Subject: bug#77900: Unprivileged guix-daemon fails to build in Docker/relocatable pack
Date: Fri, 11 Jul 2025 14:12:39 +0000
Hi,

Ludovic Courtès <ludovic.courtes <at> inria.fr> writes:

> But it’s unsatisfactory: I would hope the unprivileged daemon would
> allow us to address that shortcoming.

Yes, it does, as long as the needed syscalls are not restricted. I'm not
sure when this will change with Docker [1].

>> I don't think the isolated build environment is possible when
>> `unshare' is not allowed and the UID is not 0 (except by using
>> something like PRoot), right?
>
> What I meant is that there’s only one ‘unshare’ call, which is necessary
> from a security viewpoint but not from a functional viewpoint.  Offering
> an option to skip it in contexts where the tradeoff is acceptable could
> help maybe?

Ah sorry, I was conflating `unshare` and `clone`. The default Docker
seccomp profile [2] of course also blocks (among other flags)
CLONE_NEWUSER (0x10000000) for the `clone` syscall without
CAP_SYS_ADMIN, using SCMP_CMP_MASKED_EQ. This also leads to EPERM being
returned.

Best,
David

[1] https://github.com/moby/moby/issues/42441
[2] https://github.com/moby/moby/blob/master/profiles/seccomp/default.json
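The failure mode discussed in this thread (the daemon's namespace setup getting EPERM because a seccomp profile filters the namespace flags of `clone`/`unshare`) is easy to misdiagnose as a permissions problem. The following is an added diagnostic example, not code from the bug report, from Guix or from Docker: it probes in a child process whether `unshare(CLONE_NEWUSER)` is permitted in the current environment and classifies the errno, and it models how a `SCMP_CMP_MASKED_EQ` rule on the flags argument matches. Only CLONE_NEWUSER (0x10000000) is named in the report; the mask built from the other namespace flags, and the function names `masked_eq_allows`, `probe_userns` and `probe_consistent`, are assumptions made for the example, and the authoritative rule set is the profile referenced as [2].

```c
/* Added diagnostic example (not part of the bug report, Guix or Docker).
 * Checks whether this environment lets an unprivileged process create a
 * user namespace, and shows how a seccomp SCMP_CMP_MASKED_EQ rule on the
 * flags argument of clone()/unshare() decides the outcome. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Namespace flags a profile may mask in the flags argument. CLONE_NEWUSER
 * is the flag named in the report; including the other namespace flags in
 * the mask is an assumption about a typical profile, not a quote of [2]. */
#define NS_FLAG_MASK (CLONE_NEWNS | CLONE_NEWCGROUP | CLONE_NEWUTS | \
                      CLONE_NEWIPC | CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET)

/* SCMP_CMP_MASKED_EQ semantics: the rule matches when (arg & mask) == value.
 * A rule that ALLOWs clone only when (flags & NS_FLAG_MASK) == 0 therefore
 * lets ordinary fork-style clones through and leaves any namespace-creating
 * call to the profile's default action (EPERM in Docker's default profile). */
int masked_eq_allows(uint64_t flags, uint64_t mask, uint64_t value) {
    return (flags & mask) == value;
}

enum userns_status {
    USERNS_ALLOWED,        /* unshare(CLONE_NEWUSER) succeeded */
    USERNS_BLOCKED_EPERM,  /* seccomp default action or missing capability */
    USERNS_UNSUPPORTED,    /* EINVAL: kernel built without user namespaces */
    USERNS_OTHER_ERROR,    /* e.g. ENOSPC/EUSERS: nesting or user limits */
    USERNS_PROBE_FAILED    /* fork/waitpid itself failed */
};

/* Run the probe in a forked child so the caller's own namespaces are never
 * changed. The child's exit code carries errno back (0 on success). */
enum userns_status probe_userns(int *saved_errno) {
    pid_t pid = fork();
    if (pid < 0) return USERNS_PROBE_FAILED;
    if (pid == 0) {
        if (unshare(CLONE_NEWUSER) == 0) _exit(0);
        _exit((errno > 0 && errno < 255) ? errno : 255);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return USERNS_PROBE_FAILED;
    int code = WEXITSTATUS(status);
    if (saved_errno) *saved_errno = code;
    switch (code) {
    case 0:      return USERNS_ALLOWED;
    case EPERM:  return USERNS_BLOCKED_EPERM;
    case EINVAL: return USERNS_UNSUPPORTED;
    default:     return USERNS_OTHER_ERROR;
    }
}

/* Returns 1 when the classification agrees with the recorded errno. */
int probe_consistent(void) {
    int err = -1;
    enum userns_status s = probe_userns(&err);
    switch (s) {
    case USERNS_ALLOWED:       return err == 0;
    case USERNS_BLOCKED_EPERM: return err == EPERM;
    case USERNS_UNSUPPORTED:   return err == EINVAL;
    case USERNS_OTHER_ERROR:   return err > 0 && err != EPERM && err != EINVAL;
    case USERNS_PROBE_FAILED:  return err == -1;
    }
    return 0;
}

static const char *status_str(enum userns_status s) {
    switch (s) {
    case USERNS_ALLOWED:       return "allowed";
    case USERNS_BLOCKED_EPERM: return "blocked (EPERM)";
    case USERNS_UNSUPPORTED:   return "unsupported by kernel (EINVAL)";
    case USERNS_OTHER_ERROR:   return "failed with another error";
    default:                   return "probe failed";
    }
}

int main(void) {
    int err = 0;
    enum userns_status s = probe_userns(&err);
    printf("unshare(CLONE_NEWUSER): %s", status_str(s));
    if (s != USERNS_ALLOWED && s != USERNS_PROBE_FAILED)
        printf(" [errno %d: %s]", err, strerror(err));
    printf("\n");
    printf("clone(CLONE_NEWUSER|...) under a masked-eq rule on namespace flags: %s\n",
           masked_eq_allows(CLONE_NEWUSER | SIGCHLD, NS_FLAG_MASK, 0) ? "allowed" : "blocked");
    printf("plain clone(SIGCHLD) under the same rule: %s\n",
           masked_eq_allows(SIGCHLD, NS_FLAG_MASK, 0) ? "allowed" : "blocked");
    return s == USERNS_ALLOWED ? 0 : 1;
}
```

Run it inside the container in question: a "blocked (EPERM)" result with an unprivileged UID is the situation the thread describes, and the mitigation is on the runtime side (a seccomp profile that does not filter the namespace flags, or the CAP_SYS_ADMIN exclusion the default profile already honours), not something the daemon can work around while it lacks the syscall.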





GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.