From a0ef21262f4d5652bfb65cfacaec01d89c475a93 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra <edolstra@gmail.com>
Date: Tue, 13 Nov 2018 16:15:30 +0100
Subject: Restore parent mount namespace before executing a child process

This ensures that they can't write to /nix/store. Fixes #2535.
---
 src/nix-build/nix-build.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src/nix-build')

diff --git a/src/nix-build/nix-build.cc b/src/nix-build/nix-build.cc
index 618895d387d4..11ea3b1f7ae1 100755
--- a/src/nix-build/nix-build.cc
+++ b/src/nix-build/nix-build.cc
@@ -401,8 +401,6 @@ static void _main(int argc, char * * argv)
             } else
                 env[var.first] = var.second;
 
-        restoreAffinity();
-
         /* Run a shell using the derivation's environment.  For
            convenience, source $stdenv/setup to setup additional
            environment variables and shell functions.  Also don't
@@ -446,7 +444,9 @@ static void _main(int argc, char * * argv)
 
         auto argPtrs = stringsToCharPtrs(args);
 
+        restoreAffinity();
         restoreSignals();
+        restoreMountNamespace();
 
         execvp(shell.c_str(), argPtrs.data());
 
-- 
cgit 1.4.1