nixos/nix
1
1
Fork 0
mirror of https://github.com/NixOS/nix.git synced 2025-12-03 07:31:00 +01:00
Code Activity

Restore parent mount namespace in restoreProcessContext

Browse source 
This ensures any started processes can't write to /nix/store (except
during builds). This partially reverts 01d07b1e, which happened because
of #2646.

The problem was only happening after nix downloads anything, causing
me to suspect the download thread. The problem turns out to be:
"A  process  can't  join a new mount namespace if it is sharing
filesystem-related attributes with another process", in this case this
process is the curl thread.

Ideally, we might kill it before spawning the shell process, but it's
inside a static variable in the getFileTransfer() function. So
instead, stop it from sharing FS state using unshare(). A strategy
such as the one from #5057 (single-threaded chroot helper binary) is
also very much on the table.

Fixes #4337.
This commit is contained in:
Yorick van Pelt 2021-10-15 16:25:49 +02:00
parent 130284b850
commit fcb8af550f
No known key found for this signature in database
GPG key ID: D8D3CC6D951384DE
4 changed files with 44 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

1
src/libstore/local-store.cc
View file

@ -495,6 +495,7 @@ void LocalStore::makeStoreWritable()
throw SysError("getting info about the Nix store mount point");
if (stat.f_flag & ST_RDONLY) {
saveMountNamespace();
if (unshare(CLONE_NEWNS) == -1)
throw SysError("setting up a private mount namespace");