Restore parent mount namespace before executing a child process

This ensures that they can't write to /nix/store. Fixes #2535.

src/nix/edit.cc

@@ -3,6 +3,7 @@
 #include "eval.hh"
 #include "attr-path.hh"
 #include "progress-bar.hh"
+#include "affinity.hh"
 
 #include <unistd.h>
 
@@ -72,6 +73,10 @@ struct CmdEdit : InstallableCommand
 
         stopProgressBar();
 
+        restoreAffinity();
+        restoreSignals();
+        restoreMountNamespace();
+
         execvp(args.front().c_str(), stringsToCharPtrs(args).data());
 
         throw SysError("cannot run editor '%s'", editor);

src/nix/repl.cc

@@ -285,6 +285,8 @@ static int runProgram(const string & program, const Strings & args)
     if (pid == -1) throw SysError("forking");
     if (pid == 0) {
         restoreAffinity();
+        restoreSignals();
+        restoreMountNamespace();
         execvp(program.c_str(), stringsToCharPtrs(args2).data());
         _exit(1);
     }

src/nix/run.cc

@@ -153,9 +153,9 @@ struct CmdRun : InstallablesCommand
 
         stopProgressBar();
 
-        restoreSignals();
-
         restoreAffinity();
+        restoreSignals();
+        restoreMountNamespace();
 
         /* If this is a diverted store (i.e. its "logical" location
            (typically /nix/store) differs from its "physical" location