author | aszlig <aszlig@nix.build> | 2018-07-02 03:42:45 +0200 |
committer | aszlig <aszlig@nix.build> | 2018-07-02 03:42:45 +0200 |
commit | cd8bde1c98543236ec0ceb4375c03eb55aa8e56d (patch) | |
tree | 3d7dd314c3e2caeef580938e2db8d2a0c657d5de /pkgs/build-support/build-sandbox/src/setup.c | |
parent | 72abbc69b13dcf40bac429147dc18a8b8c8bae7b (diff) |
pkgs/sandbox: Add flag to bind-mount read-only
While the Nix store should be read-only by default, we can't guarantee this as the Nix store could be mounted read-write (for example on non-NixOS systems). For paths other than store directories, I took a conservative approach here where only /etc is mounted read-only; for all the pseudo-filesystems such as /proc, /sys or /dev write access might still be needed, for example to write to a hardware device exposed via /dev (e.g. a gamepad with rumble support). Signed-off-by: aszlig <aszlig@nix.build>
Diffstat (limited to 'pkgs/build-support/build-sandbox/src/setup.c')
-rw-r--r-- | pkgs/build-support/build-sandbox/src/setup.c | 23 |
1 files changed, 13 insertions, 10 deletions
diff --git a/pkgs/build-support/build-sandbox/src/setup.c b/pkgs/build-support/build-sandbox/src/setup.c
index da6c65c7..ffab2c26 100644
--- a/pkgs/build-support/build-sandbox/src/setup.c
+++ b/pkgs/build-support/build-sandbox/src/setup.c
@@ -245,11 +245,14 @@ recurse:
 return result;
 }
-bool bind_mount(const char *path, bool restricted, bool resolve)
+bool bind_mount(const char *path, bool rdonly, bool restricted, bool resolve)
 {
 int mflags = MS_BIND | MS_REC;
 char src[PATH_MAX], *target;
+ if (rdonly)
+ mflags |= MS_RDONLY;
+
 if (restricted)
 mflags |= MS_NOSUID | MS_NODEV | MS_NOATIME;
@@ -537,7 +540,7 @@ bool extra_mount(const char *path, bool is_required)
 if (is_required && !makedirs(expanded, false))
 return false;
- if (!bind_mount(expanded, true, true)) {
+ if (!bind_mount(expanded, false, true, true)) {
 free(expanded);
 return false;
 }
@@ -597,7 +600,7 @@ static bool mount_requisites(struct query_state *qs, const char *path)
 while ((requisite = next_query_result(qs)) != NULL) {
 if (is_dir(requisite)) {
- if (!bind_mount(requisite, true, false))
+ if (!bind_mount(requisite, true, true, false))
 return false;
 } else {
 if (!bind_file(requisite))
@@ -685,25 +688,25 @@ static bool setup_chroot(void)
 return false;
 }
- if (!bind_mount("/etc", true, false))
+ if (!bind_mount("/etc", true, true, false))
 return false;
- if (!bind_mount("/dev", false, false))
+ if (!bind_mount("/dev", false, false, false))
 return false;
- if (!bind_mount("/proc", false, false))
+ if (!bind_mount("/proc", false, false, false))
 return false;
- if (!bind_mount("/sys", false, false))
+ if (!bind_mount("/sys", false, false, false))
 return false;
- if (!bind_mount("/run", false, false))
+ if (!bind_mount("/run", false, false, false))
 return false;
- if (!bind_mount("/var/run", false, false))
+ if (!bind_mount("/var/run", false, false, false))
 return false;
- if (!bind_mount("/tmp", true, false))
+ if (!bind_mount("/tmp", false, true, false))
 return false;
 if (!setup_runtime_paths())
|
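Review bot: The MS_RDONLY ORed into mflags in bind_mount is silently ignored if mflags is handed to the mount(2) call that creates the bind mount, because with MS_BIND set the kernel honours only MS_REC and drops every other flag, so the mount comes up read-write and the read-only store this commit aims for is not actually enforced. The pre-existing MS_NOSUID | MS_NODEV | MS_NOATIME under `restricted` has the same problem. bind_mount's body continues outside the hunk, so if it already follows the bind with a remount this is moot; otherwise the flags need a second call once the bind has succeeded, e.g. `if (mount(NULL, target, NULL, (mflags & ~MS_REC) | MS_REMOUNT, NULL) == -1) return false;`, passing the restriction flags again so the remount does not clear them. Such a remount changes only the top-level mount of a MS_REC bind, not the submounts beneath it, which deserves a line in the function comment, e.g. `/* rdonly: remount the bind read-only; submounts of a recursive bind are not affected */`.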
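Review bot: The new rdonly argument is a second positional bool wedged between path and restricted, so call sites such as `bind_mount(expanded, false, true, true)` here and `bind_mount(requisite, true, true, false)` / `bind_mount("/etc", true, true, false)` in the mount_requisites and setup_chroot hunks give no hint which flag is which, and a transposed pair of bools changes mount semantics without any compiler diagnostic. An enum of flag bits ORed into a single parameter would make every call self-describing; this is a style point, not a defect in the values actually passed. Extra mounts are always read-write in this hunk; if that is deliberate because user-supplied paths may need writing, a one-line comment at the call, e.g. `/* extra paths are writable: the caller chose them */`, would stop the next reader from assuming rdonly was simply forgotten.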