mirror of https://github.com/NixOS/nix synced 2025-07-07 01:51:47 +02:00

Restore parent mount namespace in restoreProcessContext

This ensures any started processes can't write to /nix/store (except
during builds). This partially reverts 01d07b1e, which happened because
of #2646.

The problem was only happening after nix downloads anything, causing
me to suspect the download thread. The problem turns out to be:
"A process can't join a new mount namespace if it is sharing
filesystem-related attributes with another process", in this case this
process is the curl thread.

Ideally, we might kill it before spawning the shell process, but it's
inside a static variable in the getFileTransfer() function. So
instead, stop it from sharing FS state using unshare(). A strategy
such as the one from #5057 (single-threaded chroot helper binary) is
also very much on the table.

Fixes #4337.
Yorick van Pelt 2021-10-15 16:25:49 +02:00
parent 130284b850
commit fcb8af550f
No known key found for this signature in database
GPG key ID: D8D3CC6D951384DE
4 changed files with 44 additions and 3 deletions
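To make the kernel rule quoted in the commit message concrete, here is an added C example (not Nix code): a POSIX thread created with the default clone flags shares cwd, root and umask with the rest of the process, so a chdir() in the worker is visible to the main thread, while a worker that first calls unshare(CLONE_FS), as the patch does in the curl thread, no longer shares that state, which is the precondition for setns(CLONE_NEWNS) to succeed. The names worker, worker_arg and cwd_followed_worker are assumptions; the setns() step itself needs CAP_SYS_ADMIN and is not exercised here.

```c
#define _GNU_SOURCE          /* for unshare() and CLONE_FS */
#include <limits.h>
#include <pthread.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical worker argument (not Nix code). */
struct worker_arg {
    int unshare_fs;      /* 1: call unshare(CLONE_FS) first, like the patch */
    const char *dir;     /* directory the worker chdir()s into */
    int rc;              /* 0 on success, -1 if unshare() or chdir() failed */
};

static void *worker(void *p)
{
    struct worker_arg *a = p;
    /* Same call as the patch adds to the curl thread: stop sharing cwd, root
       and umask with the rest of the process, so that another thread is no
       longer blocked from setns() into a mount namespace. */
    if (a->unshare_fs && unshare(CLONE_FS) != 0) {
        perror("unshare(CLONE_FS)");
        a->rc = -1;
        return NULL;
    }
    a->rc = chdir(a->dir);
    return NULL;
}

/* Run a worker that chdir()s into `dir` (which must differ from the current
   directory), join it, and report whether the caller's cwd followed:
   1 = shared FS state (worker's chdir visible here), 0 = not shared,
   -1 = error (e.g. unshare() refused by a seccomp policy). */
int cwd_followed_worker(int unshare_fs, const char *dir)
{
    char before[PATH_MAX], after[PATH_MAX];
    if (!getcwd(before, sizeof before)) return -1;
    struct worker_arg a = { unshare_fs, dir, 0 };
    pthread_t t;
    if (pthread_create(&t, NULL, worker, &a) != 0) return -1;
    pthread_join(t, NULL);
    if (!getcwd(after, sizeof after)) return -1;
    int followed = strcmp(before, after) != 0;
    if (chdir(before) != 0) return -1;      /* restore the caller's cwd */
    return a.rc == 0 ? followed : -1;
}
```

With default thread creation the first call returns 1 (the main thread's cwd moved with the worker); after unshare(CLONE_FS) it returns 0, the state restoreMountNamespace() needs on the other threads.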


@ -544,6 +544,14 @@ struct curlFileTransfer : public FileTransfer
stopWorkerThread();
});
#ifdef __linux__
/* Cause this thread to not share any FS attributes with the main thread,
because this causes setns() in restoreMountNamespace() to fail.
Ideally, this would happen in the std::thread() constructor. */
if (unshare(CLONE_FS) != 0)
throw SysError("unsharing filesystem state in download thread");
#endif
std::map<CURL *, std::shared_ptr<TransferItem>> items;
bool quit = false;
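Review bot: the unshare(CLONE_FS) call runs in the body of the worker thread rather than before the thread is created, so there is a window between std::thread construction and this call in which the new thread still shares FS attributes with the main thread, and a restoreMountNamespace() that races with the first download would still see setns() fail; the comment acknowledges the ordering ("Ideally, this would happen in the std::thread() constructor"), so either synchronise the caller on the unshare having completed or document why the race cannot occur. Two smaller points: unshare() and CLONE_FS need <sched.h> with _GNU_SOURCE, which is not visible in this hunk, and the SysError thrown here originates on the worker thread, so the thread's entry point must catch it, otherwise the uncaught exception terminates the whole process.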