author | Jörg Thalheim <Mic92@users.noreply.github.com> | 2021-06-05 18:03:11 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-06-05 18:03:11 +0200 |
commit | 8b5175012b250955b52e52883d45b15324b74421 (patch) | |
tree | a12863c354d82dcdf9ad7f34b497cd474fb306ad | |
parent | a95f4166abb329f5a5117bb47bec2b9678962336 (diff) | |
parent | 43908f4c1d8489ca284c47fb835ec3fa348016b0 (diff) | |
Merge pull request #125804 from Mic92/build-fhs-userenv
buildFhsUserenv: don't leak mounts to other processes
-rw-r--r-- | pkgs/build-support/build-fhs-userenv/chrootenv/chrootenv.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/pkgs/build-support/build-fhs-userenv/chrootenv/chrootenv.c b/pkgs/build-support/build-fhs-userenv/chrootenv/chrootenv.c
index a438b80e1829..27e70e3fe5c4 100644
--- a/pkgs/build-support/build-fhs-userenv/chrootenv/chrootenv.c
+++ b/pkgs/build-support/build-fhs-userenv/chrootenv/chrootenv.c
@@ -43,7 +43,6 @@ const gchar *create_tmpdir() {
 void pivot_host(const gchar *guest) {
   g_autofree gchar *point = g_build_filename(guest, "host", NULL);
   fail_if(g_mkdir(point, 0755));
-  fail_if(mount(0, "/", 0, MS_PRIVATE | MS_REC, 0));
   fail_if(pivot_root(guest, point));
 }
 
@@ -122,6 +121,9 @@ int main(gint argc, gchar **argv) {
     fail("unshare", unshare_errno);
   }
 
+  // hide all mounts we do from the parent
+  fail_if(mount(0, "/", 0, MS_PRIVATE | MS_REC, 0));
+
   if (uid != 0) {
     spit("/proc/self/setgroups", "deny");
     spit("/proc/self/uid_map", "%d %d 1", uid, uid);
|
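Review bot: The added `mount(0, "/", 0, MS_PRIVATE | MS_REC, 0)` in main() cuts mount propagation in both directions, so mounts the host performs after this point (removable media, a new tmpfs) will no longer show up inside the environment; if only the outward leak is the concern, `fail_if(mount(0, "/", 0, MS_SLAVE | MS_REC, 0));` would keep receiving the host's mounts while still preventing the bind mounts made later from propagating back to the host's peer group. The comment `// hide all mounts we do from the parent` states the goal but not the mechanism; something like `// the new mount namespace inherits the host's (typically shared) propagation, so make it private before any bind mount is made, otherwise those mounts propagate back to the host` would tell the next maintainer why this must run before the mounts rather than inside pivot_host(). Both points presume the unshare() whose errno is checked just above included CLONE_NEWNS; that call, and the start and end of main(), are outside the hunk.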