guix_mirror_bot pushed a commit to branch master
in repository guix.
commit d1910384d3581dcbc564353a098089d1a52c08d6
Author: Ludovic Courtès <[email protected]>
AuthorDate: Thu Jun 26 12:12:29 2025 +0200
daemon: Export as little as needed from libutil/spawn.cc.
* nix/libutil/spawn.cc (reset_writeToStderrAction, restoreAffinityAction)
(setsidAction, earlyIOSetupAction, dropAmbientCapabilitiesAction)
(chrootAction, chdirAction, closeMostFDsAction, setPersonalityAction)
(oomSacrificeAction, setIDsAction, setNoNewPrivsAction)
(addSeccompFilterAction, restoreSIGPIPEAction, setupSuccessAction)
(usernsInitSyncAction, usernsSetIDsAction, initLoopbackAction)
(setHostAndDomainAction, makeFilesystemsPrivateAction)
(makeChrootSeparateFilesystemAction, bindMount)
(mountIntoChroot, mountIntoChrootAction, mountProcAction)
(mountDevshmAction, mountDevptsAction, pivotRootAction)
(idMapToIdentityMap, lockMountsAction, runChildSetupEntry): Add ‘static’
qualifier.
* nix/libutil/spawn.hh: Remove the corresponding ‘extern’ declarations.
Change-Id: I3156d72d866f22fa31aa9a843f116771763ccb61
---
nix/libutil/spawn.cc | 70 ++++++++++++++++++++++++++--------------------------
nix/libutil/spawn.hh | 43 ++------------------------------
2 files changed, 37 insertions(+), 76 deletions(-)
diff --git a/nix/libutil/spawn.cc b/nix/libutil/spawn.cc
index d3f4e5bf19..7855275494 100644
--- a/nix/libutil/spawn.cc
+++ b/nix/libutil/spawn.cc
@@ -144,19 +144,19 @@ void replacePhase(Phases & phases, string replaceLabel,
Action newAction)
/* A curated selection of predefined actions */
-void reset_writeToStderrAction(SpawnContext & ctx)
+static void reset_writeToStderrAction(SpawnContext & ctx)
{
_writeToStderr = 0;
}
-void restoreAffinityAction(SpawnContext & ctx)
+static void restoreAffinityAction(SpawnContext & ctx)
{
restoreAffinity();
}
-void setsidAction(SpawnContext & ctx)
+static void setsidAction(SpawnContext & ctx)
{
/* Puts the current process in a separate session, which implies a
separate process group, so it doesn't receive group-directed signals
@@ -168,7 +168,7 @@ void setsidAction(SpawnContext & ctx)
}
-void earlyIOSetupAction(SpawnContext & ctx)
+static void earlyIOSetupAction(SpawnContext & ctx)
{
for(auto i = ctx.earlyCloseFDs.begin(); i != ctx.earlyCloseFDs.end(); i++)
if(close(*i) == -1)
@@ -198,7 +198,7 @@ void earlyIOSetupAction(SpawnContext & ctx)
}
-void dropAmbientCapabilitiesAction(SpawnContext & ctx)
+static void dropAmbientCapabilitiesAction(SpawnContext & ctx)
{
/* Drop ambient capabilities such as CAP_CHOWN that might have been granted
when starting guix-daemon. */
@@ -211,7 +211,7 @@ void dropAmbientCapabilitiesAction(SpawnContext & ctx)
}
-void chrootAction(SpawnContext & ctx)
+static void chrootAction(SpawnContext & ctx)
{
if(ctx.doChroot)
#if HAVE_CHROOT
@@ -223,7 +223,7 @@ void chrootAction(SpawnContext & ctx)
}
-void chdirAction(SpawnContext & ctx)
+static void chdirAction(SpawnContext & ctx)
{
if(ctx.setcwd)
if(chdir(ctx.cwd.c_str()) == -1)
@@ -231,7 +231,7 @@ void chdirAction(SpawnContext & ctx)
}
-void closeMostFDsAction(SpawnContext & ctx)
+static void closeMostFDsAction(SpawnContext & ctx)
{
if(ctx.closeMostFDs) closeMostFDs(ctx.preserveFDs);
for(auto i = ctx.preserveFDs.begin(); i != ctx.preserveFDs.end(); i++)
@@ -239,7 +239,7 @@ void closeMostFDsAction(SpawnContext & ctx)
}
-void setPersonalityAction(SpawnContext & ctx)
+static void setPersonalityAction(SpawnContext & ctx)
{
if(ctx.setPersona)
#ifdef __linux__
@@ -251,7 +251,7 @@ void setPersonalityAction(SpawnContext & ctx)
}
-void oomSacrificeAction(SpawnContext & ctx)
+static void oomSacrificeAction(SpawnContext & ctx)
{
#ifdef __linux__
if(ctx.oomSacrifice)
@@ -265,7 +265,7 @@ void oomSacrificeAction(SpawnContext & ctx)
}
-void setIDsAction(SpawnContext & ctx)
+static void setIDsAction(SpawnContext & ctx)
{
if(ctx.setSupplementaryGroups)
if(setgroups(ctx.supplementaryGroups.size(),
@@ -285,7 +285,7 @@ void setIDsAction(SpawnContext & ctx)
throw SysError("setuid failed");
}
-void setNoNewPrivsAction(SpawnContext & ctx)
+static void setNoNewPrivsAction(SpawnContext & ctx)
{
if(ctx.setNoNewPrivs)
#if __linux__ && defined(PR_SET_NO_NEW_PRIVS)
@@ -296,7 +296,7 @@ void setNoNewPrivsAction(SpawnContext & ctx)
#endif
}
-void addSeccompFilterAction(SpawnContext & ctx)
+static void addSeccompFilterAction(SpawnContext & ctx)
{
if(ctx.addSeccompFilter) {
#if __linux__ && defined(PR_SET_SECCOMP) && defined(SECCOMP_MODE_FILTER)
@@ -316,7 +316,7 @@ void addSeccompFilterAction(SpawnContext & ctx)
}
-void restoreSIGPIPEAction(SpawnContext & ctx)
+static void restoreSIGPIPEAction(SpawnContext & ctx)
{
/* Restore default handling of SIGPIPE, otherwise some programs will
randomly say "Broken pipe". */
@@ -328,14 +328,14 @@ void restoreSIGPIPEAction(SpawnContext & ctx)
}
-void setupSuccessAction(SpawnContext & ctx)
+static void setupSuccessAction(SpawnContext & ctx)
{
if(ctx.signalSetupSuccess)
writeFull(STDERR_FILENO, "\n");
}
-void execAction(SpawnContext & ctx)
+void execAction(SpawnContext & ctx) // kept public for use in 'build.cc'
{
Strings envStrs;
std::vector<char *> envPtrs;
@@ -378,7 +378,7 @@ Phases getBasicSpawnPhases()
}
-void usernsInitSyncAction(SpawnContext & sctx)
+static void usernsInitSyncAction(SpawnContext & sctx)
{
#if CLONE_ENABLED
CloneSpawnContext & ctx = (CloneSpawnContext &) sctx;
@@ -397,7 +397,7 @@ void usernsInitSyncAction(SpawnContext & sctx)
}
-void usernsSetIDsAction(SpawnContext & sctx)
+static void usernsSetIDsAction(SpawnContext & sctx)
{
#if CLONE_ENABLED
CloneSpawnContext & ctx = (CloneSpawnContext &) sctx;
@@ -420,7 +420,7 @@ void usernsSetIDsAction(SpawnContext & sctx)
}
-void initLoopbackAction(SpawnContext & sctx)
+static void initLoopbackAction(SpawnContext & sctx)
{
#if CLONE_ENABLED
CloneSpawnContext & ctx = (CloneSpawnContext &) sctx;
@@ -440,7 +440,7 @@ void initLoopbackAction(SpawnContext & sctx)
}
-void setHostAndDomainAction(SpawnContext & sctx)
+static void setHostAndDomainAction(SpawnContext & sctx)
{
#if CLONE_ENABLED
CloneSpawnContext & ctx = (CloneSpawnContext &) sctx;
@@ -456,7 +456,7 @@ void setHostAndDomainAction(SpawnContext & sctx)
}
-void makeFilesystemsPrivateAction(SpawnContext & sctx)
+static void makeFilesystemsPrivateAction(SpawnContext & sctx)
{
#if CLONE_ENABLED && HAVE_SYS_MOUNT_H && defined(MS_REC) && defined(MS_PRIVATE)
CloneSpawnContext & ctx = (CloneSpawnContext &) sctx;
@@ -468,7 +468,7 @@ void makeFilesystemsPrivateAction(SpawnContext & sctx)
}
-void makeChrootSeparateFilesystemAction(SpawnContext & sctx)
+static void makeChrootSeparateFilesystemAction(SpawnContext & sctx)
{
#if CLONE_ENABLED && HAVE_SYS_MOUNT_H && defined(MS_BIND)
CloneSpawnContext & ctx = (CloneSpawnContext &) sctx;
@@ -521,7 +521,7 @@ static int statfsToMountFlags(int f_flags)
}
-void bindMount(Path source, Path target, bool readOnly)
+static void bindMount(Path source, Path target, bool readOnly)
{
#if HAVE_SYS_MOUNT_H && defined(MS_BIND)
struct stat st;
@@ -595,9 +595,9 @@ void bindMount(Path source, Path target, bool readOnly)
}
-void mountIntoChroot(std::map<Path, Path> filesInChroot,
- set<Path> readOnlyFiles,
- Path chrootRootDir)
+static void mountIntoChroot(std::map<Path, Path> filesInChroot,
+ set<Path> readOnlyFiles,
+ Path chrootRootDir)
{
#if HAVE_SYS_MOUNT_H && defined(MS_BIND)
for(auto i = filesInChroot.begin(); i != filesInChroot.end(); i++) {
@@ -612,7 +612,7 @@ void mountIntoChroot(std::map<Path, Path> filesInChroot,
}
-void mountIntoChrootAction(SpawnContext & sctx)
+static void mountIntoChrootAction(SpawnContext & sctx)
{
#if CLONE_ENABLED && HAVE_SYS_MOUNT_H && defined(MS_BIND)
CloneSpawnContext & ctx = (CloneSpawnContext &) sctx;
@@ -623,7 +623,7 @@ void mountIntoChrootAction(SpawnContext & sctx)
}
-void mountProcAction(SpawnContext & sctx)
+static void mountProcAction(SpawnContext & sctx)
{
#if CLONE_ENABLED && HAVE_SYS_MOUNT_H
CloneSpawnContext & ctx = (CloneSpawnContext &) sctx;
@@ -637,7 +637,7 @@ void mountProcAction(SpawnContext & sctx)
}
-void mountDevshmAction(SpawnContext & sctx)
+static void mountDevshmAction(SpawnContext & sctx)
{
#if CLONE_ENABLED && HAVE_SYS_MOUNT_H
CloneSpawnContext & ctx = (CloneSpawnContext &) sctx;
@@ -651,7 +651,7 @@ void mountDevshmAction(SpawnContext & sctx)
}
-void mountDevptsAction(SpawnContext & sctx)
+static void mountDevptsAction(SpawnContext & sctx)
{
#if CLONE_ENABLED && HAVE_SYS_MOUNT_H
CloneSpawnContext & ctx = (CloneSpawnContext &) sctx;
@@ -673,7 +673,7 @@ void mountDevptsAction(SpawnContext & sctx)
}
-void pivotRootAction(SpawnContext & sctx)
+static void pivotRootAction(SpawnContext & sctx)
{
#if CLONE_ENABLED && HAVE_SYS_MOUNT_H
CloneSpawnContext & ctx = (CloneSpawnContext &) sctx;
@@ -700,7 +700,7 @@ void pivotRootAction(SpawnContext & sctx)
}
-string idMapToIdentityMap(const string & map)
+static string idMapToIdentityMap(const string & map)
{
std::vector<string> mapLines =
tokenizeString<std::vector<string> >(map, "\n");
@@ -720,7 +720,7 @@ string idMapToIdentityMap(const string & map)
* processes in it after unshare is called. So fork a child and have it do
* the initialization. */
void unshareAndInitUserns(int flags, const string & uidMap,
- const string & gidMap, bool allowSetgroups)
+ const string & gidMap, bool allowSetgroups)
{
#if CLONE_ENABLED
pid_t pid_ = getpid();
@@ -767,7 +767,7 @@ void unshareAndInitUserns(int flags, const string & uidMap,
}
-void lockMountsAction(SpawnContext & sctx)
+static void lockMountsAction(SpawnContext & sctx)
{
#if CLONE_ENABLED && HAVE_SYS_MOUNT_H
CloneSpawnContext & ctx = (CloneSpawnContext &) sctx;
@@ -868,7 +868,7 @@ void runChildSetup(SpawnContext & ctx)
}
-int runChildSetupEntry(void *data)
+static int runChildSetupEntry(void *data)
{
runChildSetup(* (SpawnContext *)data);
return 1;
diff --git a/nix/libutil/spawn.hh b/nix/libutil/spawn.hh
index 5e75bcfb09..ac6f0d1c41 100644
--- a/nix/libutil/spawn.hh
+++ b/nix/libutil/spawn.hh
@@ -115,48 +115,13 @@ void deletePhase(Phases & phases, string delLabel);
void replacePhase(Phases & phases, string replaceLabel, Action newAction);
-Action reset_writeToStderrAction;
-Action restoreAffinityAction;
-Action setsidAction;
-Action earlyIOSetupAction;
-Action dropAmbientCapabilitiesAction;
-Action chrootAction;
-Action chdirAction;
-Action closeMostFDsAction;
-Action setPersonalityAction;
-Action oomSacrificeAction;
-Action setIDsAction;
-Action setNoNewPrivsAction;
-Action addSeccompFilterAction;
-Action restoreSIGPIPEAction;
-Action setupSuccessAction;
-Action execAction;
+Action execAction; // used from 'build.cc'
Phases getBasicSpawnPhases();
-
-void bindMount(Path source, Path target, bool readOnly);
-
-void mountIntoChroot(std::map<Path, Path> filesInChroot,
- set<Path> readOnlyFiles,
- Path chrootRootDir);
-
-Action usernsInitSyncAction;
-Action usernsSetIDsAction;
-Action initLoopbackAction;
-Action setHostAndDomainAction;
-Action makeFilesystemsPrivateAction;
-Action makeChrootSeparateFilesystemAction;
-Action mountIntoChrootAction;
-Action mountProcAction;
-Action mountDevshmAction;
-Action mountDevptsAction;
-Action pivotRootAction;
-Action lockMountsAction;
-
Phases getCloneSpawnPhases();
/* Helpers */
-string idMapToIdentityMap(const string & map);
+
void unshareAndInitUserns(int flags, const string & uidMap,
const string & gidMap, bool allowSetgroups);
@@ -164,10 +129,6 @@ void unshareAndInitUserns(int flags, const string & uidMap,
* exiting in all cases. */
void runChildSetup(SpawnContext & ctx);
-/* Helper to call runChildSetup that can be passed to the variant of clone
- * that expects a callback. */
-int runChildSetupEntry(void *data);
-
/* Create a new process using clone that will immediately call runChildSetup
* with the provided CloneSpawnContext. Return the pid of the new process. */
int cloneChild(CloneSpawnContext & ctx);