author | Eelco Dolstra <edolstra@gmail.com> | 2018-11-13T15·15+0100 |
---|---|---|
committer | Eelco Dolstra <edolstra@gmail.com> | 2018-11-13T15·15+0100 |
commit | a0ef21262f4d5652bfb65cfacaec01d89c475a93 (patch) | |
tree | 6fd2c483dde9bb6f56ff989b6724d2a49679d74a /src/libstore/ssh.cc | |
parent | 56f6e382be03b587c1f7260e16fce6622329d1a4 (diff) |
Restore parent mount namespace before executing a child process
This ensures that they can't write to /nix/store. Fixes #2535.
Diffstat (limited to 'src/libstore/ssh.cc')
-rw-r--r-- | src/libstore/ssh.cc | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/src/libstore/ssh.cc b/src/libstore/ssh.cc
index 5e0e44935cca..cf133b57cb20 100644
--- a/src/libstore/ssh.cc
+++ b/src/libstore/ssh.cc
@@ -1,4 +1,5 @@
 #include "ssh.hh"
+#include "affinity.hh"
 namespace nix {
@@ -34,7 +35,9 @@ std::unique_ptr<SSHMaster::Connection> SSHMaster::startCommand(const std::string
 auto conn = std::make_unique<Connection>();
 conn->sshPid = startProcess([&]() {
+ restoreAffinity();
 restoreSignals();
+ restoreMountNamespace();
 close(in.writeSide.get());
 close(out.readSide.get()); |
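Review bot: The added `restoreMountNamespace();` call in the `startProcess` lambda is the security-relevant line of this change, yet nothing next to it says why it is there or what happens if it fails. A one-line comment above it, such as `// Leave the private mount namespace so the ssh child cannot write to /nix/store.`, would keep a later cleanup from dropping it as redundant. The helper's definition is not visible here, so it is worth confirming that it fails closed (throws or exits the child) rather than letting ssh start while still in the namespace the commit message is concerned about. The lambda and `SSHMaster::startCommand` both continue past the end of the hunk, so the rest of the child setup and any other spawn sites are not covered by this note.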