authoraszlig <aszlig@nix.build>2018-07-02 03:42:45 +0200
committeraszlig <aszlig@nix.build>2018-07-02 03:42:45 +0200
commitcd8bde1c98543236ec0ceb4375c03eb55aa8e56d (patch)
tree3d7dd314c3e2caeef580938e2db8d2a0c657d5de /pkgs/build-support
parent72abbc69b13dcf40bac429147dc18a8b8c8bae7b (diff)
pkgs/sandbox: Add flag to bind-mount read-only
While the Nix store should be read-only by default, we can't guarantee
this as the Nix store could be mounted read-write (for example on
non-NixOS systems).

For paths other than store directories, I took a conservative approach
here where only /etc is mounted read-only; for the pseudo-filesystems
such as /proc, /sys or /dev, write access might still be needed, for
example to write to a hardware device exposed via /dev (e.g. a gamepad
with rumble support).

Signed-off-by: aszlig <aszlig@nix.build>
Diffstat (limited to 'pkgs/build-support')
-rw-r--r--pkgs/build-support/build-sandbox/default.nix3
-rw-r--r--pkgs/build-support/build-sandbox/src/setup.c23
-rw-r--r--pkgs/build-support/build-sandbox/src/setup.h2
3 files changed, 16 insertions, 12 deletions
diff --git a/pkgs/build-support/build-sandbox/default.nix b/pkgs/build-support/build-sandbox/default.nix
index ba4f3625..a52be5c9 100644
--- a/pkgs/build-support/build-sandbox/default.nix
+++ b/pkgs/build-support/build-sandbox/default.nix
@@ -49,7 +49,8 @@ in stdenv.mkDerivation ({
     echo 'bool setup_app_paths(void) {' >> params.c
 
     for dep in $runtimeDeps; do
-      echo 'if (!bind_mount("'"$dep"'", true, true)) return false;' >> params.c
+      echo 'if (!bind_mount("'"$dep"'", true, true, true)) return false;' \
+        >> params.c
     done
 
     ${mkExtraMountParams true  pathsRequired}
diff --git a/pkgs/build-support/build-sandbox/src/setup.c b/pkgs/build-support/build-sandbox/src/setup.c
index da6c65c7..ffab2c26 100644
--- a/pkgs/build-support/build-sandbox/src/setup.c
+++ b/pkgs/build-support/build-sandbox/src/setup.c
@@ -245,11 +245,14 @@ recurse:
     return result;
 }
 
-bool bind_mount(const char *path, bool restricted, bool resolve)
+bool bind_mount(const char *path, bool rdonly, bool restricted, bool resolve)
 {
     int mflags = MS_BIND | MS_REC;
     char src[PATH_MAX], *target;
 
+    if (rdonly)
+        mflags |= MS_RDONLY;
+
     if (restricted)
         mflags |= MS_NOSUID | MS_NODEV | MS_NOATIME;
 
@@ -537,7 +540,7 @@ bool extra_mount(const char *path, bool is_required)
     if (is_required && !makedirs(expanded, false))
         return false;
 
-    if (!bind_mount(expanded, true, true)) {
+    if (!bind_mount(expanded, false, true, true)) {
         free(expanded);
         return false;
     }
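Review bot: extra_mount hard-codes rdonly=false on L68, so every path supplied through the extra mount parameters is writable inside the sandbox and a caller has no way to ask for read-only, which is the opposite default from the store and /etc. Since required paths are created on demand by makedirs() on L64, writable is presumably intended for per-application state directories, but a comment saying so would keep the next reader from treating it as an oversight, e.g. `/* extra paths are mutable application state and stay writable */` above the call. extra_mount begins before this hunk.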
@@ -597,7 +600,7 @@ static bool mount_requisites(struct query_state *qs, const char *path)
 
     while ((requisite = next_query_result(qs)) != NULL) {
         if (is_dir(requisite)) {
-            if (!bind_mount(requisite, true, false))
+            if (!bind_mount(requisite, true, true, false))
                 return false;
         } else {
             if (!bind_file(requisite))
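Review bot: Only directory requisites get the read-only treatment here (L77 passes rdonly=true); a requisite that is a single file still goes through bind_file() on L80, which this commit does not touch and which takes no read-only flag, so on a host where the store is mounted read-write a file-typed store path presumably remains writable from inside the sandbox. If bind_file does not remount its target read-only itself (its body is not visible here), it should get the equivalent of the rdonly path, or the commit message's claim should be narrowed to directories. mount_requisites starts before this hunk and continues after it.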
@@ -685,25 +688,25 @@ static bool setup_chroot(void)
         return false;
     }
 
-    if (!bind_mount("/etc", true, false))
+    if (!bind_mount("/etc", true, true, false))
         return false;
 
-    if (!bind_mount("/dev", false, false))
+    if (!bind_mount("/dev", false, false, false))
         return false;
 
-    if (!bind_mount("/proc", false, false))
+    if (!bind_mount("/proc", false, false, false))
         return false;
 
-    if (!bind_mount("/sys", false, false))
+    if (!bind_mount("/sys", false, false, false))
         return false;
 
-    if (!bind_mount("/run", false, false))
+    if (!bind_mount("/run", false, false, false))
         return false;
 
-    if (!bind_mount("/var/run", false, false))
+    if (!bind_mount("/var/run", false, false, false))
         return false;
 
-    if (!bind_mount("/tmp", true, false))
+    if (!bind_mount("/tmp", false, true, false))
         return false;
 
     if (!setup_runtime_paths())
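Review bot: /sys is still bound read-write and unrestricted on L98 even though the rationale in the commit message (writing to a device such as a gamepad) goes through device nodes under /dev rather than sysfs; writable sysfs exposes knobs such as module parameters and power state that a sandboxed application is unlikely to need, so the conservative default argued for /etc would seem to apply here too, i.e. `if (!bind_mount("/sys", true, false, false))`, unless a concrete consumer is known to write there. The same question applies to /proc on L94, where writable entries under /proc/sys exist, though some applications legitimately write to /proc/self. Separately, the seven calls now each take three positional booleans that are hard to audit; a one-line comment naming them, `/* bind_mount(path, rdonly, restricted, resolve) */`, above the first call would help. setup_chroot begins before this hunk and continues after it.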
diff --git a/pkgs/build-support/build-sandbox/src/setup.h b/pkgs/build-support/build-sandbox/src/setup.h
index fe882dc5..2ef05482 100644
--- a/pkgs/build-support/build-sandbox/src/setup.h
+++ b/pkgs/build-support/build-sandbox/src/setup.h
@@ -6,7 +6,7 @@
 #include "nix-query.h"
 
 bool write_maps(pid_t parent_pid);
-bool bind_mount(const char *path, bool restricted, bool resolve);
+bool bind_mount(const char *path, bool rdonly, bool restricted, bool resolve);
 bool extra_mount(const char *path, bool is_required);
 bool mount_from_path_var(struct query_state *qs, const char *name);
 bool setup_sandbox(void);
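Review bot: The new prototype on L123 has three adjacent bool parameters and no comment explaining them, so a call such as `bind_mount(p, true, true, false)` cannot be read without opening setup.c. A comment above the declaration stating that rdonly adds MS_RDONLY, that restricted adds MS_NOSUID | MS_NODEV | MS_NOATIME, and what resolve controls (not visible in this diff; presumably symlink resolution of path, to be confirmed) would make the flag order checkable at each call site. This is a documentation-only suggestion.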