-rw-r--r--gnu/build/linux-container.scm11
-rw-r--r--guix/scripts/environment.scm15
-rw-r--r--guix/scripts/home.scm10
3 files changed, 21 insertions, 15 deletions
diff --git a/gnu/build/linux-container.scm b/gnu/build/linux-container.scm
index 3e5158c2fd..b6f8563f7d 100644
--- a/gnu/build/linux-container.scm
+++ b/gnu/build/linux-container.scm
@@ -30,6 +30,7 @@
unprivileged-user-namespace-supported?
setgroups-supported?
%namespaces
+ %writable-/tmp
run-container
call-with-container
container-excursion
@@ -387,6 +388,16 @@ if there are no child processes left."
(+ 128 (or (status:term-sig status)
(status:stop-sig status)))))
+(define %writable-/tmp
+ ;; Writable and volatile /tmp.
+ (file-system
+ (device "none")
+ (mount-point "/tmp")
+ (type "tmpfs")
+ (flags '(no-suid no-dev))
+ (options "mode=755,size=10%")
+ (check? #f)))
+
(define* (call-with-container mounts thunk #:key (namespaces %namespaces)
(host-uids 1) (guest-uid 0) (guest-gid 0)
(lock-mounts? #t)
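Review bot: The comment on `%writable-/tmp` does not say why the mount uses `mode=755` rather than the conventional sticky, world-writable `1777` of a host /tmp, nor why `no-suid no-dev` are set, and a reader copying this definition for another mount will want both reasons. I would extend the comment to something like `;; Writable and volatile /tmp.  'no-suid'/'no-dev' keep setuid binaries and device nodes created under /tmp inert; the mode relies on the container's uid mapping for writability.`, with the second clause adjusted to whatever assumption the callers actually make, since that is not visible from this hunk. Note that the hunk's context suggests a blank line between the `status:stop-sig` form and the new define was dropped by the page rendering, so the displayed line counts differ from the `@@` header by one.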
diff --git a/guix/scripts/environment.scm b/guix/scripts/environment.scm
index 429a5a296f..41353e3305 100644
--- a/guix/scripts/environment.scm
+++ b/guix/scripts/environment.scm
@@ -40,6 +40,7 @@
#:autoload (ice-9 ftw) (scandir)
#:autoload (gnu build install) (evaluate-populate-directive)
#:autoload (gnu build linux-container) (call-with-container %namespaces
+ %writable-/tmp
user-namespace-supported?
unprivileged-user-namespace-supported?
setgroups-supported?)
@@ -771,13 +772,6 @@ added to the container.
Preserve environment variables whose name matches the one of the regexps in
WHILE-LIST."
- (define tmpfs
- (file-system
- (device "none")
- (mount-point "/tmp")
- (type "tmpfs")
- (check? #f)))
-
(define (optional-mapping->fs mapping)
(and (file-exists? (file-system-mapping-source mapping))
(file-system-mapping->bind-mount mapping)))
@@ -875,9 +869,12 @@ WHILE-LIST."
(writable? #f)))
reqs)))
(file-systems (append %container-file-systems
- (list tmpfs ; RW /tmp
+ (list %writable-/tmp
(file-system ; RW /run
- (inherit tmpfs)
+ (device "none")
+ (type "tmpfs")
+ (options "size=10%,mode=700")
+ (check? #f)
(mount-point
(string-append "/run/user/"
(number->string uid))))
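Review bot: The per-user `/run/user/UID` tmpfs is now written out explicitly but without the `(flags '(no-suid no-dev))` that `%writable-/tmp` carries, so the two writable tmpfs mounts in the same container end up with different hardening; I would add `(flags '(no-suid no-dev))` after `(type "tmpfs")`. This is not a regression — the removed `(inherit tmpfs)` inherited no flags either — but since this commit is what moves /tmp to the shared, flagged definition, it is the natural place to bring the `/run/user` mount in line. The enclosing `launch-environment/container` form begins and ends outside this hunk.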
diff --git a/guix/scripts/home.scm b/guix/scripts/home.scm
index a4b8cc01e7..ae003816f9 100644
--- a/guix/scripts/home.scm
+++ b/guix/scripts/home.scm
@@ -38,7 +38,9 @@
group-entry
write-passwd
write-group)
- #:autoload (gnu build linux-container) (call-with-container %namespaces)
+ #:autoload (gnu build linux-container) (call-with-container
+ %namespaces
+ %writable-/tmp)
#:use-module ((gnu system) #:select (operating-system?
operating-system-user-services))
#:autoload (gnu system linux-container) (eval/container)
@@ -353,11 +355,7 @@ immediately. Return the exit status of the process in the container."
#:namespaces (if network?
(delq 'net %namespaces) ; share host network
%namespaces)
- #:mounts (list (file-system ;writable /tmp
- (device "none")
- (mount-point "/tmp")
- (type "tmpfs")
- (check? #f))
+ #:mounts (list %writable-/tmp
(file-system
(device "none")
(mount-point