public
/
nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

buildFhsUserenv: don't leak mounts to other processes 

If run as root we were leaking mounts to the parent namespace,
which lead to an error when removing the temporary mountroot.
To fix this we remount the whole tree as private as soon as we created
the new mountenamespace.

(cherry picked from commit 43908f4c1d8489ca284c47fb835ec3fa348016b0)
This commit is contained in:
Jörg Thalheim 2021-06-05 16:45:10 +02:00 committed by github-actions[bot]
parent db819f1626
commit 1dfa9b73db
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
pkgs/build-support/build-fhs-userenv/chrootenv/chrootenv.c
View File

@ -43,7 +43,6 @@ const gchar *create_tmpdir() {
void pivot_host(const gchar *guest) { void pivot_host(const gchar *guest) {
g_autofree gchar *point = g_build_filename(guest, "host", NULL); g_autofree gchar *point = g_build_filename(guest, "host", NULL);
fail_if(g_mkdir(point, 0755)); fail_if(g_mkdir(point, 0755));
fail_if(mount(0, "/", 0, MS_PRIVATE | MS_REC, 0));
fail_if(pivot_root(guest, point)); fail_if(pivot_root(guest, point));
} }
@ -122,6 +121,9 @@ int main(gint argc, gchar **argv) {
fail("unshare", unshare_errno); fail("unshare", unshare_errno);
} }
// hide all mounts we do from the parent
fail_if(mount(0, "/", 0, MS_PRIVATE | MS_REC, 0));
if (uid != 0) { if (uid != 0) {
spit("/proc/self/setgroups", "deny"); spit("/proc/self/setgroups", "deny");
spit("/proc/self/uid_map", "%d %d 1", uid, uid); spit("/proc/self/uid_map", "%d %d 1", uid, uid);