Restore parent mount namespace before executing a child process

This ensures that they can't write to /nix/store. Fixes #2535.
2025-06-27 00:11:17 +02:00 · 2018-11-13 16:15:30 +01:00 · 2018-11-13 16:15:30 +01:00 · a0ef21262f
commit a0ef21262f
parent 56f6e382be
8 changed files with 48 additions and 4 deletions
--- a/src/libutil/util.cc
+++ b/src/libutil/util.cc
@ -936,6 +936,7 @@ pid_t startProcess(std::function<void()> fun, const ProcessOptions & options)
                throw SysError("setting death signal");
 #endif
            restoreAffinity();
+            restoreMountNamespace();
            fun();
        } catch (std::exception & e) {
            try {
@ -1504,4 +1505,26 @@ std::unique_ptr<InterruptCallback> createInterruptCallback(std::function<void()>
    return std::unique_ptr<InterruptCallback>(res.release());
 }

+static AutoCloseFD fdSavedMountNamespace;
+
+void saveMountNamespace()
+{
+#if __linux__
+    std::once_flag done;
+    std::call_once(done, []() {
+        fdSavedMountNamespace = open("/proc/self/ns/mnt", O_RDONLY);
+        if (!fdSavedMountNamespace)
+            throw SysError("saving parent mount namespace");
+    });
+#endif
+}
+
+void restoreMountNamespace()
+{
+#if __linux__
+    if (fdSavedMountNamespace && setns(fdSavedMountNamespace.get(), CLONE_NEWNS) == -1)
+        throw SysError("restoring parent mount namespace");
+#endif
+}
+
 }
--- a/src/libutil/util.hh
+++ b/src/libutil/util.hh
@ -514,4 +514,13 @@ typedef std::function<bool(const Path & path)> PathFilter;
 extern PathFilter defaultPathFilter;


+/* Save the current mount namespace. Ignored if called more than
+   once. */
+void saveMountNamespace();
+
+/* Restore the mount namespace saved by saveMountNamespace(). Ignored
+   if saveMountNamespace() was never called. */
+void restoreMountNamespace();
+
+
 }