Restore parent mount namespace before executing a child process

This ensures that they can't write to /nix/store. Fixes #2535.
author: Eelco Dolstra <edolstra@gmail.com> 2018-11-13 16:15:30 +0100
committer: Eelco Dolstra <edolstra@gmail.com> 2018-11-13 16:15:30 +0100
commit: a0ef21262f4d5652bfb65cfacaec01d89c475a93 (patch)
tree: 6fd2c483dde9bb6f56ff989b6724d2a49679d74a /src/nix/run.cc
parent: 56f6e382be03b587c1f7260e16fce6622329d1a4 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/src/nix/run.cc b/src/nix/run.cc
index 35b763345..129707298 100644
--- a/src/nix/run.cc
+++ b/src/nix/run.cc
@@ -153,9 +153,9 @@ struct CmdRun : InstallablesCommand
 
         stopProgressBar();
 
-        restoreSignals();
-
         restoreAffinity();
+        restoreSignals();
+        restoreMountNamespace();
 
         /* If this is a diverted store (i.e. its "logical" location
            (typically /nix/store) differs from its "physical" location
author	Eelco Dolstra <edolstra@gmail.com>	2018-11-13 16:15:30 +0100
committer	Eelco Dolstra <edolstra@gmail.com>	2018-11-13 16:15:30 +0100
commit	a0ef21262f4d5652bfb65cfacaec01d89c475a93 (patch)
tree	6fd2c483dde9bb6f56ff989b6724d2a49679d74a /src/nix/run.cc
parent	56f6e382be03b587c1f7260e16fce6622329d1a4 (diff)