amaharaneko/guix-mirrors
1
1
Fork 0
mirror of https://codeberg.org/guix/guix.git synced 2025-10-02 02:15:12 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

daemon: Remount inputs as read-only.

Browse source 
* nix/libstore/build.cc (DerivationGoal::runChild): Remount ‘target’ as
read-only.

Reported-by: Reepca Russelstein <reepca@russelstein.xyz>
Change-Id: Ib7201bcf4363be566f205d23d17fe2f55d3ad666
This commit is contained in:
Ludovic Courtès 2025-01-27 23:19:48 +01:00
parent 550ca89744
commit 93474f9288
No known key found for this signature in database
GPG key ID: 090B11993D9AEBB5
1 changed files with 7 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

7
nix/libstore/build.cc
View file

@ -2107,8 +2107,15 @@ void DerivationGoal::runChild()
createDirs(dirOf(target));
writeFile(target, "");
}
/* Extra flags passed with MS_BIND are ignored, hence the
extra MS_REMOUNT. */
if (mount(source.c_str(), target.c_str(), "", MS_BIND, 0) == -1)
throw SysError(format("bind mount from `%1%' to `%2%' failed") % source % target);
if (source.compare(0, settings.nixStore.length(), settings.nixStore) == 0) {
if (mount(source.c_str(), target.c_str(), "", MS_BIND | MS_REMOUNT | MS_RDONLY, 0) == -1)
throw SysError(format("read-only remount of `%1%' failed") % target);
}
}
/* Bind a new instance of procfs on /proc to reflect our