Merge pull request #125804 from Mic92/build-fhs-userenv

buildFhsUserenv: don't leak mounts to other processes

1 files changed, 3 insertions, 1 deletions

diff --git a/pkgs/build-support/build-fhs-userenv/chrootenv/chrootenv.c b/pkgs/build-support/build-fhs-userenv/chrootenv/chrootenv.c
index a438b80e1829..27e70e3fe5c4 100644
--- a/pkgs/build-support/build-fhs-userenv/chrootenv/chrootenv.c
+++ b/pkgs/build-support/build-fhs-userenv/chrootenv/chrootenv.c
@@ -43,7 +43,6 @@ const gchar *create_tmpdir() {
 void pivot_host(const gchar *guest) {
   g_autofree gchar *point = g_build_filename(guest, "host", NULL);
   fail_if(g_mkdir(point, 0755));
-  fail_if(mount(0, "/", 0, MS_PRIVATE | MS_REC, 0));
   fail_if(pivot_root(guest, point));
 }
 
@@ -122,6 +121,9 @@ int main(gint argc, gchar **argv) {
       fail("unshare", unshare_errno);
     }
 
+    // hide all mounts we do from the parent
+    fail_if(mount(0, "/", 0, MS_PRIVATE | MS_REC, 0));
+
     if (uid != 0) {
       spit("/proc/self/setgroups", "deny");
       spit("/proc/self/uid_map", "%d %d 1", uid, uid);