about summary refs log tree commit diff
path: root/src/nix-build
diff options
context:
space:
mode:
authorEelco Dolstra <edolstra@gmail.com>2018-11-13T15·15+0100
committerEelco Dolstra <edolstra@gmail.com>2018-11-13T15·15+0100
commita0ef21262f4d5652bfb65cfacaec01d89c475a93 (patch)
tree6fd2c483dde9bb6f56ff989b6724d2a49679d74a /src/nix-build
parent56f6e382be03b587c1f7260e16fce6622329d1a4 (diff)
Restore parent mount namespace before executing a child process
This ensures that they can't write to /nix/store. Fixes #2535.
Diffstat (limited to 'src/nix-build')
-rwxr-xr-xsrc/nix-build/nix-build.cc4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/nix-build/nix-build.cc b/src/nix-build/nix-build.cc
index 618895d387d4..11ea3b1f7ae1 100755
--- a/src/nix-build/nix-build.cc
+++ b/src/nix-build/nix-build.cc
@@ -401,8 +401,6 @@ static void _main(int argc, char * * argv)
             } else
                 env[var.first] = var.second;
 
-        restoreAffinity();
-
         /* Run a shell using the derivation's environment.  For
            convenience, source $stdenv/setup to setup additional
            environment variables and shell functions.  Also don't
@@ -446,7 +444,9 @@ static void _main(int argc, char * * argv)
 
         auto argPtrs = stringsToCharPtrs(args);
 
+        restoreAffinity();
         restoreSignals();
+        restoreMountNamespace();
 
         execvp(shell.c_str(), argPtrs.data());