Merge branch 'fix-writable-shell' of https://github.com/yorickvP/nix

2025-06-27 00:11:17 +02:00 · 2021-11-08 21:12:51 +01:00 · 2021-11-08 21:12:51 +01:00 · 7a71621b7c
commit 7a71621b7c
parent 6c2af1f201 fcb8af550f
4 changed files with 44 additions and 3 deletions
--- a/src/libutil/util.cc
+++ b/src/libutil/util.cc
@ -1631,10 +1631,34 @@ void setStackSize(size_t stackSize)
    }
    #endif
 }
+static AutoCloseFD fdSavedMountNamespace;

-void restoreProcessContext()
+void saveMountNamespace()
+{
+#if __linux__
+    static std::once_flag done;
+    std::call_once(done, []() {
+        fdSavedMountNamespace = open("/proc/self/ns/mnt", O_RDONLY);
+        if (!fdSavedMountNamespace)
+            throw SysError("saving parent mount namespace");
+    });
+#endif
+}
+
+void restoreMountNamespace()
+{
+#if __linux__
+    if (fdSavedMountNamespace && setns(fdSavedMountNamespace.get(), CLONE_NEWNS) == -1)
+        throw SysError("restoring parent mount namespace");
+#endif
+}
+
+void restoreProcessContext(bool restoreMounts)
 {
    restoreSignals();
+    if (restoreMounts) {
+        restoreMountNamespace();
+    }

    restoreAffinity();

@ -1774,7 +1798,7 @@ void commonChildInit(Pipe & logPipe)
    logger = makeSimpleLogger();

    const static string pathNullDevice = "/dev/null";
-    restoreProcessContext();
+    restoreProcessContext(false);

    /* Put the child in a separate session (and thus a separate
       process group) so that it has no controlling terminal (meaning