mirror of https://github.com/NixOS/nix synced 2025-07-02 21:51:50 +02:00

Restore parent mount namespace before executing a child process

This ensures that they can't write to /nix/store. Fixes #2535.
Eelco Dolstra 2018-11-13 16:15:30 +01:00
parent 56f6e382be
commit a0ef21262f
No known key found for this signature in database
GPG key ID: 8170B4726D7198DE
8 changed files with 48 additions and 4 deletions


@ -366,6 +366,8 @@ void LocalStore::makeStoreWritable()
throw SysError("getting info about the Nix store mount point");
if (stat.f_flag & ST_RDONLY) {
saveMountNamespace();
if (unshare(CLONE_NEWNS) == -1)
throw SysError("setting up a private mount namespace");
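Review bot: The `saveMountNamespace()` call at the top of the `ST_RDONLY` branch has no comment explaining why the namespace must be captured before `unshare(CLONE_NEWNS)`, and the ordering is security-relevant: once the process has unshared, the parent namespace can no longer be recorded. I would add `/* Remember the parent mount namespace first, so child processes can be moved back into it and never see the writable /nix/store remount. */` directly above the call. The helper's failure behaviour is not visible in this hunk; if it can fail without throwing, later restores would presumably have nothing to return to, so it is worth confirming that it fails closed. The body of makeStoreWritable starts and ends outside the hunk.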


@ -1,4 +1,5 @@
#include "ssh.hh"
#include "affinity.hh"
namespace nix {
@ -34,7 +35,9 @@ std::unique_ptr<SSHMaster::Connection> SSHMaster::startCommand(const std::string
auto conn = std::make_unique<Connection>();
conn->sshPid = startProcess([&]() {
restoreAffinity();
restoreSignals();
restoreMountNamespace();
close(in.writeSide.get());
close(out.readSide.get());
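Review bot: The `restoreMountNamespace()` call inside the `startProcess` lambda makes the protection opt-in per spawn site, so any child-launch path that omits it would presumably keep the private namespace where /nix/store has been remounted writable. Since `restoreAffinity()`, `restoreSignals()` and `restoreMountNamespace()` now form a fixed pre-exec sequence, consider moving them into one shared helper that every child lambda calls, so a new call site cannot forget the namespace restore. Whether `restoreMountNamespace()` throws when re-entering the parent namespace fails is not visible here; it should, so that the ssh child is never executed with the writable mount still in view. The lambda body continues outside the hunk.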