From fcb8af550f5fca37458da0d9042a2b59523eb304 Mon Sep 17 00:00:00 2001
From: Yorick van Pelt <yorick@yorickvanpelt.nl>
Date: Fri, 15 Oct 2021 16:25:49 +0200
Subject: Restore parent mount namespace in restoreProcessContext

This ensures any started processes can't write to /nix/store (except
during builds). This partially reverts 01d07b1e, which happened because
of #2646.

The problem was only happening after nix downloads anything, causing
me to suspect the download thread. The problem turns out to be:
"A  process  can't  join a new mount namespace if it is sharing
filesystem-related attributes with another process", in this case this
process is the curl thread.

Ideally, we might kill it before spawning the shell process, but it's
inside a static variable in the getFileTransfer() function. So
instead, stop it from sharing FS state using unshare(). A strategy
such as the one from #5057 (single-threaded chroot helper binary) is
also very much on the table.

Fixes #4337.
---
 src/libutil/util.cc | 28 ++++++++++++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)

(limited to 'src/libutil/util.cc')

diff --git a/src/libutil/util.cc b/src/libutil/util.cc
index 563a72c12..a5e961c1e 100644
--- a/src/libutil/util.cc
+++ b/src/libutil/util.cc
@@ -1629,10 +1629,34 @@ void setStackSize(size_t stackSize)
     }
     #endif
 }
+static AutoCloseFD fdSavedMountNamespace;
 
-void restoreProcessContext()
+void saveMountNamespace()
+{
+#if __linux__
+    static std::once_flag done;
+    std::call_once(done, []() {
+        fdSavedMountNamespace = open("/proc/self/ns/mnt", O_RDONLY);
+        if (!fdSavedMountNamespace)
+            throw SysError("saving parent mount namespace");
+    });
+#endif
+}
+
+void restoreMountNamespace()
+{
+#if __linux__
+    if (fdSavedMountNamespace && setns(fdSavedMountNamespace.get(), CLONE_NEWNS) == -1)
+        throw SysError("restoring parent mount namespace");
+#endif
+}
+
+void restoreProcessContext(bool restoreMounts)
 {
     restoreSignals();
+    if (restoreMounts) {
+        restoreMountNamespace();
+    }
 
     restoreAffinity();
 
@@ -1766,7 +1790,7 @@ void commonChildInit(Pipe & logPipe)
     logger = makeSimpleLogger();
 
     const static string pathNullDevice = "/dev/null";
-    restoreProcessContext();
+    restoreProcessContext(false);
 
     /* Put the child in a separate session (and thus a separate
        process group) so that it has no controlling terminal (meaning
-- 
cgit v1.2.3