sanity: check for working user namespaces

If user namespaces are not available (typically because AppArmor is
blocking them), alert the user.

We consider network isolation sufficiently important that this is a fatal
error, and the user will need to configure AppArmor to allow bitbake to
create a user namespace.

[ YOCTO #15592 ]

(From OE-Core rev: a069b9f9ee6708022e12970d53262d966ee806ba)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b6af956fe6e876957a49d4abf425e8c789bf0459)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Ross Burton 2024-09-12 17:57:36 +01:00 committed by Steve Sakoman
parent da007b8f01
commit 016ca6a8a8


@ -469,6 +469,29 @@ def check_wsl(d):
bb.warn("You are running bitbake under WSLv2, this works properly but you should optimize your VHDX file eventually to avoid running out of storage space")
return None
def check_userns():
"""
Check that user namespaces are functional, as they're used for network isolation.
"""
# There is a known failure case with AppAmrmor where the unshare() call
# succeeds (at which point the uid is nobody) but writing to the uid_map
# fails (so the uid isn't reset back to the user's uid). We can detect this.
parentuid = os.getuid()
pid = os.fork()
if not pid:
try:
bb.utils.disable_network()
except:
pass
os._exit(parentuid != os.getuid())
ret = os.waitpid(pid, 0)[1]
if ret:
bb.fatal("User namespaces are not usable by BitBake, possibly due to AppArmor.\n"
"See https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions for more information.")
# Require at least gcc version 7.5.
#
# This can be fixed on CentOS-7 with devtoolset-6+
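Review bot: in check_userns() the child's bare `except: pass` around `bb.utils.disable_network()` together with `os._exit(parentuid != os.getuid())` means any failure that leaves the uid unchanged (an exception raised before the uid is switched, or an unshare() that is refused outright rather than succeeding and then failing on uid_map) makes the child exit 0 and the check pass, so this detects only the AppArmor uid_map case the comment describes, not the general "user namespaces are not available" case the commit message promises. Consider treating an exception from disable_network() as a failure as well (for example `os._exit(1)` in the except branch) and narrowing the bare `except:` to `except Exception:` so a KeyboardInterrupt in the child is not swallowed. Minor: the comment misspells AppArmor as "AppAmrmor".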
@ -634,6 +657,7 @@ def check_sanity_version_change(status, d):
status.addresult(check_git_version(d))
status.addresult(check_perl_modules(d))
status.addresult(check_wsl(d))
status.addresult(check_userns())
missing = ""
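Review bot: `status.addresult(check_userns())` always hands None to addresult(), because check_userns() never returns a message: it either falls off the end or calls bb.fatal() directly from inside the sanity check, aborting before the sanity machinery can aggregate it with anything else. The addresult() pattern here expects a string (or None, as check_wsl() returns explicitly), so for consistency have check_userns() return the "User namespaces are not usable by BitBake ..." text and let the caller decide fatality. check_userns() also differs from its neighbours in not taking `d`, so there is no configuration-variable escape hatch for a user who knowingly runs without network isolation; worth deciding whether that is intended.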