From fcb8af550f5fca37458da0d9042a2b59523eb304 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Fri, 15 Oct 2021 16:25:49 +0200 Subject: Restore parent mount namespace in restoreProcessContext This ensures any started processes can't write to /nix/store (except during builds). This partially reverts 01d07b1e, which happened because of #2646. The problem was only happening after nix downloads anything, causing me to suspect the download thread. The problem turns out to be: "A process can't join a new mount namespace if it is sharing filesystem-related attributes with another process", in this case this process is the curl thread. Ideally, we might kill it before spawning the shell process, but it's inside a static variable in the getFileTransfer() function. So instead, stop it from sharing FS state using unshare(). A strategy such as the one from #5057 (single-threaded chroot helper binary) is also very much on the table. Fixes #4337. --- src/libutil/util.hh | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'src/libutil/util.hh') diff --git a/src/libutil/util.hh b/src/libutil/util.hh index 29232453f..ef3430689 100644 --- a/src/libutil/util.hh +++ b/src/libutil/util.hh @@ -300,7 +300,15 @@ void setStackSize(size_t stackSize); /* Restore the original inherited Unix process context (such as signal masks, stack size, CPU affinity). */ -void restoreProcessContext(); +void restoreProcessContext(bool restoreMounts = true); + +/* Save the current mount namespace. Ignored if called more than + once. */ +void saveMountNamespace(); + +/* Restore the mount namespace saved by saveMountNamespace(). Ignored + if saveMountNamespace() was never called. */ +void restoreMountNamespace(); class ExecError : public Error -- cgit v1.2.3
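Review bot: the defaulted parameter in "void restoreProcessContext(bool restoreMounts = true);" makes every existing call site rejoin the saved parent mount namespace unless it explicitly passes false, yet the commit message says the store must remain writable only during builds, so the build path has to opt out and this header-only diff does not show that caller. Consider dropping the default so each call site states its choice explicitly, and update the comment above the declaration, which still lists only "signal masks, stack size, CPU affinity", to say that restoreMounts additionally restores the mount namespace saved by saveMountNamespace() and is a no-op when nothing was saved. The two new declarations should also document what happens on platforms without mount namespaces, since the message describes fixing this with unshare(), which is Linux-specific.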