From: Ludovic Courtès
To: 61156@debbugs.gnu.org
Subject: bug#61156: ‘guix container exec’ does not actually change PID namespaces
Date: Sun, 29 Jan 2023 22:58:54 +0100
Message-ID: <87edrd2eap.fsf@inria.fr>

Currently, when a Guix program runs in separate user, mount, and PID
namespaces (for example via (guix least-authority)), ‘guix container
exec’ fails badly:

  guix container exec 10652 /gnu/store/720rj90bch716isd8z7lcwrnvz28ap4y-bash-static-5.1.8/bin/sh
  guix container: error: process terminated with signal 11

or, similarly:

  nsenter --preserve-credentials -U -m -t 10652 -m -U -p -F /gnu/store/720rj90bch716isd8z7lcwrnvz28ap4y-bash-static-5.1.8/bin/sh
  Segmentation fault

Stracing reveals that the child process segfaults immediately after
attempting to read /proc/self/exe:

  14111 readlink("/proc/self/exe", 0x7ffccefa29c0, 4096) = -1 ENOENT (No such file or directory)
  14111 --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0xffffffffffffffff} ---

The segfault is due to . But why isn’t /proc visible in the first place?
It *is* definitely mounted within that process’s namespace, as
confirmed here:

  $ ls -ld /proc/10652/root/proc
  dr-xr-xr-x 326 root root 0 Jan 29 21:55 /proc/10652/root/proc/

The reason is that calling setns(2) on a PID namespace “changes only the
PID namespace that subsequently created child processes of the caller
will be placed in; it does not change the PID namespace of the caller
itself.”

This is why removing ‘-F’ in the ‘nsenter’ command line above solves the
problem.

Conclusion: ‘container-excursion’ should fork so that the PID namespace
change takes effect.

Ludo’.
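
The setns(2) rule quoted above, as an added example that is not part of the original report or of Guix. It uses unshare(2) with CLONE_NEWPID, which has the same children-only effect, in place of setns(2) so that it runs without a target container; the names ns_inode, own_pid_ns and pidns_needs_fork are hypothetical.

```c
/* Added example, not Guix code: unshare(2) stands in for setns(2) here. */
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* From <linux/sched.h>; spelled out so no feature-test macro is needed. */
#ifndef CLONE_NEWPID
#define CLONE_NEWUSER 0x10000000
#define CLONE_NEWPID  0x20000000
#endif

/* Inode from a namespace link such as "pid:[4026531836]"; 0 if malformed. */
unsigned long ns_inode(const char *link)
{
    unsigned long ino = 0;
    return sscanf(link, "pid:[%lu]", &ino) == 1 ? ino : 0;
}

/* Inode of the PID namespace the calling process itself lives in. */
static unsigned long own_pid_ns(void)
{
    char buf[64];
    ssize_t n = readlink("/proc/self/ns/pid", buf, sizeof buf - 1);
    if (n < 0) return 0;
    buf[n] = '\0';
    return ns_inode(buf);
}

/* 1: the caller kept its PID namespace and only its child entered the new
   one; 0: namespaces are unavailable here; -1: anything else. */
int pidns_needs_fork(void)
{
    unsigned long before = own_pid_ns(), now;
    int st;
    pid_t child, helper = before ? fork() : -1;
    if (helper < 0) return 0;
    if (helper == 0) {                    /* leave the calling process alone */
        if (syscall(SYS_unshare, CLONE_NEWUSER | CLONE_NEWPID) != 0) _exit(2);
        if ((now = own_pid_ns()) != before) _exit(now ? 3 : 2);
        if ((child = fork()) < 0) _exit(2);
        if (child == 0) _exit(getpid() == 1 ? 0 : 4);  /* PID 1 in the new ns */
        if (waitpid(child, &st, 0) < 0) _exit(2);
        _exit(WIFEXITED(st) ? WEXITSTATUS(st) : 4);
    }
    if (waitpid(helper, &st, 0) < 0 || !WIFEXITED(st)) return 0;
    return WEXITSTATUS(st) == 0 ? 1 : WEXITSTATUS(st) == 2 ? 0 : -1;
}
int main(void) { printf("fork needed: %d\n", pidns_needs_fork()); return 0; }
```

A result of 1 means the caller's /proc/self/ns/pid link was unchanged after the call while its first child ran as PID 1 of the new namespace; 0 means unprivileged namespaces are not permitted in the environment where it ran.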