diff options
author | aszlig <aszlig@nix.build> | 2018-07-02 03:42:45 +0200 |
---|---|---|
committer | aszlig <aszlig@nix.build> | 2018-07-02 03:42:45 +0200 |
commit | cd8bde1c98543236ec0ceb4375c03eb55aa8e56d (patch) | |
tree | 3d7dd314c3e2caeef580938e2db8d2a0c657d5de /pkgs/build-support/build-sandbox/default.nix | |
parent | 72abbc69b13dcf40bac429147dc18a8b8c8bae7b (diff) |
pkgs/sandbox: Add flag to bind-mount read-only
While the Nix store should be read-only by default, we can't guarantee this as the Nix store could be mounted read-write (for example on non-NixOS systems). For paths other than store directories, I took a conservative approach here where only /etc is mounted read-only, for all the pseudo- filesystems such as /proc, /sys or /dev write access might still be needed, for example to write to a hardware device exposed via /dev (eg. a gamepad with rumble support). Signed-off-by: aszlig <aszlig@nix.build>
Diffstat (limited to 'pkgs/build-support/build-sandbox/default.nix')
-rw-r--r-- | pkgs/build-support/build-sandbox/default.nix | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/pkgs/build-support/build-sandbox/default.nix b/pkgs/build-support/build-sandbox/default.nix index ba4f3625..a52be5c9 100644 --- a/pkgs/build-support/build-sandbox/default.nix +++ b/pkgs/build-support/build-sandbox/default.nix @@ -49,7 +49,8 @@ in stdenv.mkDerivation ({ echo 'bool setup_app_paths(void) {' >> params.c for dep in $runtimeDeps; do - echo 'if (!bind_mount("'"$dep"'", true, true)) return false;' >> params.c + echo 'if (!bind_mount("'"$dep"'", true, true, true)) return false;' \ + >> params.c done ${mkExtraMountParams true pathsRequired} |