maurice/snix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Restore parent mount namespace before executing a child process

Browse source 
This ensures that they can't write to /nix/store. Fixes #2535.
This commit is contained in:
Eelco Dolstra 2018-11-13 16:15:30 +01:00
parent 56f6e382be
commit a0ef21262f
No known key found for this signature in database
GPG key ID: 8170B4726D7198DE
8 changed files with 48 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/nix/repl.cc
View file

@ -285,6 +285,8 @@ static int runProgram(const string & program, const Strings & args)
if (pid == -1) throw SysError("forking");
if (pid == 0) {
restoreAffinity();
restoreSignals();
restoreMountNamespace();
execvp(program.c_str(), stringsToCharPtrs(args2).data());
_exit(1);
}