~ruther/guix-local: daemon: Remount inputs as read-only.

93474f92886fac8a2e5eb0eb3b388654246d640d — Ludovic Courtès 1 year, 2 months ago 550ca89

daemon: Remount inputs as read-only.

* nix/libstore/build.cc (DerivationGoal::runChild): Remount ‘target’ as
read-only.

Reported-by: Reepca Russelstein <reepca@russelstein.xyz>
Change-Id: Ib7201bcf4363be566f205d23d17fe2f55d3ad666

patch browse .tar.gz

1 files changed, 7 insertions(+), 0 deletions(-)

M nix/libstore/build.cc

M nix/libstore/build.cc => nix/libstore/build.cc +7 -0

@@ 2107,8 2107,15 @@ void DerivationGoal::runChild()
                     createDirs(dirOf(target));
                     writeFile(target, "");
                 }
+
+		/* Extra flags passed with MS_BIND are ignored, hence the
+		   extra MS_REMOUNT.  */
                 if (mount(source.c_str(), target.c_str(), "", MS_BIND, 0) == -1)
                     throw SysError(format("bind mount from `%1%' to `%2%' failed") % source % target);
+		if (source.compare(0, settings.nixStore.length(), settings.nixStore) == 0) {
+		     if (mount(source.c_str(), target.c_str(), "", MS_BIND | MS_REMOUNT | MS_RDONLY, 0) == -1)
+			  throw SysError(format("read-only remount of `%1%' failed") % target);
+		}
             }
 
             /* Bind a new instance of procfs on /proc to reflect our