Subject: bug#41499: /proc/filesystems impurity in build environment
From: Ludovic Courtès
To: Chris Marusich
Cc: 41499@debbugs.gnu.org
Date: Fri, 29 May 2020 16:56:47 +0200
Message-ID: <87imge3i34.fsf@gnu.org>
In-Reply-To: <87v9klravp.fsf@gmail.com> (Chris Marusich's message of "Sun, 24 May 2020 01:32:42 -0700")
List-Id: Bug reports for GNU Guix <bug-guix@gnu.org>
Hi Chris,

Chris Marusich wrote:

> The Linux kernel's /proc/filesystems is an impurity in the Guix build
> environment. Its contents can cause the same derivation to behave
> differently on different systems.
>
> For example, the default kernel on Fedora systems uses SELinux, so
> /proc/filesystems contains "selinuxfs". However, the default kernel on
> Guix System does not use SELinux, so /proc/filesystems does not contain
> "selinuxfs". This causes the sed derivation to fail when run on Fedora,
> but not on Guix System:
>
> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=41498
>
> Can we avoid this problem somehow? For example, is there a way to
> normalize /proc/filesystems in the build environment?
>
> We have the --impersonate-linux-2.6 option as a way to eliminate a
> similar kind of impurity, but that option doesn't actually change the
> contents of /proc/filesystems at all. I tried it.

The daemon mounts /proc in the build environment (see libstore/build.cc):

    /* Bind a new instance of procfs on /proc to reflect our private PID
       namespace. */
    createDirs(chrootRootDir + "/proc");
    if (mount("none", (chrootRootDir + "/proc").c_str(), "proc", 0, 0) == -1)
        throw SysError("mounting /proc");

/proc is needed for many things on GNU/Linux. For example, libc’s loader
relies on /proc/self/exe to implement $ORIGIN, ‘getlogin_r’ relies on
/proc/self/loginuid, ‘ttyname’ uses /proc/self/fd, ‘sysconf’ uses
/proc/sys/kernel, etc. So we have to have /proc in there.

The problem is that /proc appears to be all-or-nothing.

What we could do maybe is bind-mount our own statically-defined
‘filesystems’ file on top of the procfs mount above. There would still
be many leaks in /proc anyway, so perhaps a better approach is to patch
‘sed’ to not refer to it.

Thoughts?

Ludo’.
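As an added illustration of the bind-mount idea above (example code, not the Guix daemon's own): mount a fresh procfs under a chroot root the way the daemon does, then bind a fixed `filesystems` file over `/proc/filesystems` so every build sees the same list; a small parser of the `/proc/filesystems` format shows what a build consulting the file would observe on the two kernels. The function names, the sample file contents and the `root`/`static_file` paths are assumptions; the mount helper needs CAP_SYS_ADMIN in its mount namespace, so the parser alone runs unprivileged.

```c
/* Added example, not part of the Guix daemon. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>

/* Return 1 if NAME is a filesystem type listed in CONTENTS (the text of
 * /proc/filesystems: one "[nodev]<TAB><name>" entry per line), else 0. */
int has_filesystem(const char *contents, const char *name)
{
    const char *line = contents;
    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        const char *tab = memchr(line, '\t', len);
        const char *fs = tab ? tab + 1 : line;      /* skip "nodev" or the bare tab */
        size_t fslen = len - (size_t)(fs - line);
        if (fslen == strlen(name) && memcmp(fs, name, fslen) == 0)
            return 1;
        line = end ? end + 1 : line + len;
    }
    return 0;
}

/* Mount a private procfs at ROOT/proc (as the daemon does), then bind
 * STATIC_FILE on top of ROOT/proc/filesystems.  Only that one entry is
 * replaced; /proc/self, /proc/sys and the rest stay live.  Returns 0 on
 * success, -1 with errno set otherwise.  (Hypothetical helper.) */
int mount_proc_with_fixed_filesystems(const char *root, const char *static_file)
{
    char proc_dir[4096], fs_file[4096];
    snprintf(proc_dir, sizeof proc_dir, "%s/proc", root);
    snprintf(fs_file, sizeof fs_file, "%s/proc/filesystems", root);
    if (mkdir(proc_dir, 0755) == -1 && errno != EEXIST)
        return -1;
    if (mount("none", proc_dir, "proc", 0, NULL) == -1)
        return -1;
    return mount(static_file, fs_file, NULL, MS_BIND, NULL);
}

int main(void)
{
    /* Constructed samples of what the two kernels expose. */
    const char *fedora = "nodev\tsysfs\nnodev\tselinuxfs\n\text4\n";
    const char *guix = "nodev\tsysfs\n\text4\n";
    printf("selinuxfs: Fedora=%d Guix System=%d\n",
           has_filesystem(fedora, "selinuxfs"), has_filesystem(guix, "selinuxfs"));
    return 0;
}
```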