public
/
nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #125814 from NixOS/backport-125804-to-release-21.05 

[Backport release-21.05] buildFhsUserenv: don't leak mounts to other processes
This commit is contained in:
Artturi 2021-08-07 01:37:50 +03:00 committed by GitHub
parent 8bd8141ca9 1dfa9b73db
commit ae1773ad51
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
pkgs/build-support/build-fhs-userenv/chrootenv/chrootenv.c
View File

@ -43,7 +43,6 @@ const gchar *create_tmpdir() {
void pivot_host(const gchar *guest) {
g_autofree gchar *point = g_build_filename(guest, "host", NULL);
fail_if(g_mkdir(point, 0755));
fail_if(mount(0, "/", 0, MS_PRIVATE | MS_REC, 0));
fail_if(pivot_root(guest, point));
}
@ -122,6 +121,9 @@ int main(gint argc, gchar **argv) {
fail("unshare", unshare_errno);
}
// hide all mounts we do from the parent
fail_if(mount(0, "/", 0, MS_PRIVATE | MS_REC, 0));
if (uid != 0) {
spit("/proc/self/setgroups", "deny");
spit("/proc/self/uid_map", "%d %d 1", uid, uid);