about summary refs log tree commit diff
path: root/pkgs/build-support/build-sandbox/src/setup.c
diff options
context:
space:
mode:
Diffstat (limited to 'pkgs/build-support/build-sandbox/src/setup.c')
-rw-r--r--pkgs/build-support/build-sandbox/src/setup.c23
1 files changed, 13 insertions, 10 deletions
diff --git a/pkgs/build-support/build-sandbox/src/setup.c b/pkgs/build-support/build-sandbox/src/setup.c
index da6c65c7..ffab2c26 100644
--- a/pkgs/build-support/build-sandbox/src/setup.c
+++ b/pkgs/build-support/build-sandbox/src/setup.c
@@ -245,11 +245,14 @@ recurse:
     return result;
 }
 
-bool bind_mount(const char *path, bool restricted, bool resolve)
+bool bind_mount(const char *path, bool rdonly, bool restricted, bool resolve)
 {
     int mflags = MS_BIND | MS_REC;
     char src[PATH_MAX], *target;
 
+    if (rdonly)
+        mflags |= MS_RDONLY;
+
     if (restricted)
         mflags |= MS_NOSUID | MS_NODEV | MS_NOATIME;
 
@@ -537,7 +540,7 @@ bool extra_mount(const char *path, bool is_required)
     if (is_required && !makedirs(expanded, false))
         return false;
 
-    if (!bind_mount(expanded, true, true)) {
+    if (!bind_mount(expanded, false, true, true)) {
         free(expanded);
         return false;
     }
@@ -597,7 +600,7 @@ static bool mount_requisites(struct query_state *qs, const char *path)
 
     while ((requisite = next_query_result(qs)) != NULL) {
         if (is_dir(requisite)) {
-            if (!bind_mount(requisite, true, false))
+            if (!bind_mount(requisite, true, true, false))
                 return false;
         } else {
             if (!bind_file(requisite))
@@ -685,25 +688,25 @@ static bool setup_chroot(void)
         return false;
     }
 
-    if (!bind_mount("/etc", true, false))
+    if (!bind_mount("/etc", true, true, false))
         return false;
 
-    if (!bind_mount("/dev", false, false))
+    if (!bind_mount("/dev", false, false, false))
         return false;
 
-    if (!bind_mount("/proc", false, false))
+    if (!bind_mount("/proc", false, false, false))
         return false;
 
-    if (!bind_mount("/sys", false, false))
+    if (!bind_mount("/sys", false, false, false))
         return false;
 
-    if (!bind_mount("/run", false, false))
+    if (!bind_mount("/run", false, false, false))
         return false;
 
-    if (!bind_mount("/var/run", false, false))
+    if (!bind_mount("/var/run", false, false, false))
         return false;
 
-    if (!bind_mount("/tmp", true, false))
+    if (!bind_mount("/tmp", false, true, false))
         return false;
 
     if (!setup_runtime_paths())
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-07-06 10:37:05 +0000