authoraszlig <aszlig@nix.build>2018-07-02 03:42:45 +0200
committeraszlig <aszlig@nix.build>2018-07-02 03:42:45 +0200
commitcd8bde1c98543236ec0ceb4375c03eb55aa8e56d (patch)
tree3d7dd314c3e2caeef580938e2db8d2a0c657d5de /pkgs/build-support/build-sandbox/default.nix
parent72abbc69b13dcf40bac429147dc18a8b8c8bae7b (diff)
pkgs/sandbox: Add flag to bind-mount read-only
While the Nix store should be read-only by default, we can't guarantee
this as the Nix store could be mounted read-write (for example on
non-NixOS systems).

For paths other than store directories, I took a conservative approach
here where only /etc is mounted read-only; for all the pseudo-
filesystems such as /proc, /sys or /dev, write access might still be
needed, for example to write to a hardware device exposed via /dev (e.g.
a gamepad with rumble support).

Signed-off-by: aszlig <aszlig@nix.build>
Diffstat (limited to 'pkgs/build-support/build-sandbox/default.nix')
-rw-r--r--pkgs/build-support/build-sandbox/default.nix3
1 files changed, 2 insertions, 1 deletions
diff --git a/pkgs/build-support/build-sandbox/default.nix b/pkgs/build-support/build-sandbox/default.nix
index ba4f3625..a52be5c9 100644
--- a/pkgs/build-support/build-sandbox/default.nix
+++ b/pkgs/build-support/build-sandbox/default.nix
@@ -49,7 +49,8 @@ in stdenv.mkDerivation ({
     echo 'bool setup_app_paths(void) {' >> params.c
 
     for dep in $runtimeDeps; do
-      echo 'if (!bind_mount("'"$dep"'", true, true)) return false;' >> params.c
+      echo 'if (!bind_mount("'"$dep"'", true, true, true)) return false;' \
+        >> params.c
     done
 
     ${mkExtraMountParams true  pathsRequired}
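Review bot: The fourth argument added to the generated `bind_mount` call is a bare `true` next to two other bare `true`s, so a reader of the emitted params.c cannot tell which one requests the read-only mount without opening the C declaration. A comment above the `for dep in $runtimeDeps` loop would make the intent visible, e.g. `# Runtime deps are store paths; the 4th bind_mount argument marks them read-only (per commit message) so a read-write store is still protected.` The read-only meaning is taken from the commit message rather than anything in the hunk, so the argument order should be confirmed against bind_mount's definition before the comment is committed. Note also that `$dep` is spliced unescaped into a C string literal on the new line; store paths have a restricted character set so this is presumably safe, but that assumption is the generator's only input validation and is worth stating in the same comment. The enclosing build script begins before and continues after this hunk.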