nordic-dev.net/nixpkgs
nordic-dev.net/nixpkgs
2
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-26 17:03:01 +00:00
Code Issues Packages Projects Releases Wiki Activity

buildFhsUserenv: don't leak mounts to other processes

Browse Source 
If run as root we were leaking mounts to the parent namespace,
which lead to an error when removing the temporary mountroot.
To fix this we remount the whole tree as private as soon as we created
the new mountenamespace.
This commit is contained in:
Jörg Thalheim 2021-06-05 16:45:10 +02:00
parent bdb89449af
commit 43908f4c1d
No known key found for this signature in database
GPG Key ID: B3F5D81B0C6967C4
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
pkgs/build-support/build-fhs-userenv/chrootenv/chrootenv.c
View File

@ -43,7 +43,6 @@ const gchar *create_tmpdir() {
void pivot_host(const gchar *guest) {
g_autofree gchar *point = g_build_filename(guest, "host", NULL);
fail_if(g_mkdir(point, 0755));
fail_if(mount(0, "/", 0, MS_PRIVATE | MS_REC, 0));
fail_if(pivot_root(guest, point));
}
@ -122,6 +121,9 @@ int main(gint argc, gchar **argv) {
fail("unshare", unshare_errno);
}
// hide all mounts we do from the parent
fail_if(mount(0, "/", 0, MS_PRIVATE | MS_REC, 0));
if (uid != 0) {
spit("/proc/self/setgroups", "deny");
spit("/proc/self/uid_map", "%d %d 1", uid, uid);