Restore parent mount namespace before executing a child process

This ensures that they can't write to /nix/store. Fixes #2535.
author: Eelco Dolstra <edolstra@gmail.com> 2018-11-13T15·15+0100
committer: Eelco Dolstra <edolstra@gmail.com> 2018-11-13T15·15+0100
commit: a0ef21262f4d5652bfb65cfacaec01d89c475a93 (patch)
tree: 6fd2c483dde9bb6f56ff989b6724d2a49679d74a /src/libstore
parent: 56f6e382be03b587c1f7260e16fce6622329d1a4 (diff)
2 files changed, 5 insertions, 0 deletions
diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc
index 216f3417c4a8..e1cb423d151f 100644
--- a/src/libstore/local-store.cc
+++ b/src/libstore/local-store.cc
@@ -366,6 +366,8 @@ void LocalStore::makeStoreWritable()
         throw SysError("getting info about the Nix store mount point");
 
     if (stat.f_flag & ST_RDONLY) {
+        saveMountNamespace();
+
         if (unshare(CLONE_NEWNS) == -1)
             throw SysError("setting up a private mount namespace");
 
diff --git a/src/libstore/ssh.cc b/src/libstore/ssh.cc
index 5e0e44935cca..cf133b57cb20 100644
--- a/src/libstore/ssh.cc
+++ b/src/libstore/ssh.cc
@@ -1,4 +1,5 @@
 #include "ssh.hh"
+#include "affinity.hh"
 
 namespace nix {
 
@@ -34,7 +35,9 @@ std::unique_ptr<SSHMaster::Connection> SSHMaster::startCommand(const std::string
 
     auto conn = std::make_unique<Connection>();
     conn->sshPid = startProcess([&]() {
+        restoreAffinity();
         restoreSignals();
+        restoreMountNamespace();
 
         close(in.writeSide.get());
         close(out.readSide.get());
author	Eelco Dolstra <edolstra@gmail.com>	2018-11-13T15·15+0100
committer	Eelco Dolstra <edolstra@gmail.com>	2018-11-13T15·15+0100
commit	a0ef21262f4d5652bfb65cfacaec01d89c475a93 (patch)
tree	6fd2c483dde9bb6f56ff989b6724d2a49679d74a /src/libstore
parent	56f6e382be03b587c1f7260e16fce6622329d1a4 (diff)