nixpkgs/nixos/modules/security/wrappers
Robert Obryk 11ca4dcbb8 nixos/security/wrappers: read capabilities off /proc/self/exe directly
/proc/self/exe is a "fake" symlink. When it's opened, it always opens
the actual file that was execve()d in this process, even if the file was
deleted or renamed; if the file is no longer accessible from the current
chroot/mount namespace it will at the very worst fail and never open the
wrong file. Thus, we can make a much simpler argument that we're reading
capabilities off the correct file after this change (and that argument
doesn't rely on things such as protected_hardlinks being enabled, or no
users being able to write to /run/wrappers, or the verification that the
path readlink returns starts with /run/wrappers/).
2023-08-16 11:33:22 +02:00
default.nix nixos/security/wrappers: stop using .real files 2023-08-16 11:33:22 +02:00
wrapper.c nixos/security/wrappers: read capabilities off /proc/self/exe directly 2023-08-16 11:33:22 +02:00
wrapper.nix nixos/security/wrappers: stop using .real files 2023-08-16 11:33:22 +02:00