Simplify remouting with MS_PRIVATE in sandbox build

also fix race condition if mounts are added after mountinfo is read.
author: Jörg Thalheim <joerg@higgsboson.tk> 2016-11-25 00:08:34 +0100
committer: Jörg Thalheim <joerg@higgsboson.tk> 2016-11-25 00:15:39 +0100
commit: 855abd85d8ec27411aa4ad3be2b7f90d17b5693d (patch)
tree: d6cbbbef951084f7d03709da665f1b027c1b49b7 /src
parent: 7ee43df8622cc0589d54248fb44cebe1c1d991d2 (diff)
1 files changed, 2 insertions, 6 deletions
diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index ba51f8591..ee266b7d3 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -2283,12 +2283,8 @@ void DerivationGoal::runChild()
                outside of the namespace.  Making a subtree private is
                local to the namespace, though, so setting MS_PRIVATE
                does not affect the outside world. */
-            Strings mounts = tokenizeString<Strings>(readFile("/proc/self/mountinfo", true), "\n");
-            for (auto & i : mounts) {
-                vector<string> fields = tokenizeString<vector<string> >(i, " ");
-                string fs = decodeOctalEscaped(fields.at(4));
-                if (mount(0, fs.c_str(), 0, MS_PRIVATE, 0) == -1)
-                    throw SysError(format("unable to make filesystem ‘%1%’ private") % fs);
+            if (mount(0, "/", 0, MS_REC|MS_PRIVATE, 0) == -1) {
+                throw SysError("unable to make ‘/’ private mount");
             }
 
             /* Bind-mount chroot directory to itself, to treat it as a
author	Jörg Thalheim <joerg@higgsboson.tk>	2016-11-25 00:08:34 +0100
committer	Jörg Thalheim <joerg@higgsboson.tk>	2016-11-25 00:15:39 +0100
commit	855abd85d8ec27411aa4ad3be2b7f90d17b5693d (patch)
tree	d6cbbbef951084f7d03709da665f1b027c1b49b7 /src
parent	7ee43df8622cc0589d54248fb44cebe1c1d991d2 (diff)