From cd8bde1c98543236ec0ceb4375c03eb55aa8e56d Mon Sep 17 00:00:00 2001
From: aszlig
Date: Mon, 2 Jul 2018 03:42:45 +0200
Subject: pkgs/sandbox: Add flag to bind-mount read-only
While the Nix store should be read-only by default, we can't guarantee this as the Nix store could be mounted read-write (for example on non-NixOS systems). For paths other than store directories, I took a conservative approach here where only /etc is mounted read-only, for all the pseudo- filesystems such as /proc, /sys or /dev write access might still be needed, for example to write to a hardware device exposed via /dev (eg. a gamepad with rumble support).
Signed-off-by: aszlig
---
pkgs/build-support/build-sandbox/src/setup.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'pkgs/build-support/build-sandbox/src/setup.h')
diff --git a/pkgs/build-support/build-sandbox/src/setup.h b/pkgs/build-support/build-sandbox/src/setup.h
index fe882dc5..2ef05482 100644
--- a/pkgs/build-support/build-sandbox/src/setup.h
+++ b/pkgs/build-support/build-sandbox/src/setup.h
@@ -6,7 +6,7 @@
 #include "nix-query.h"
 bool write_maps(pid_t parent_pid);
-bool bind_mount(const char *path, bool restricted, bool resolve);
+bool bind_mount(const char *path, bool rdonly, bool restricted, bool resolve);
 bool extra_mount(const char *path, bool is_required);
 bool mount_from_path_var(struct query_state *qs, const char *name);
 bool setup_sandbox(void);
--
cgit 1.4.1
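Review bot: The new `bind_mount` prototype takes three adjacent `bool` arguments with `rdonly` placed ahead of `restricted` and `resolve`, so a call that transposes two of them still compiles and can silently leave a sandbox path writable. The header carries no comment saying what each flag means; a short one above the prototype would help, for example `/* rdonly: make the bind mount read-only inside the sandbox */`. A single flags argument built from a small `enum` would make call sites self-describing, if the signature can still change. The page is limited to setup.h, so the implementation is not visible here. It is worth confirming there that read-only is applied by a second `mount()` call with `MS_REMOUNT | MS_BIND | MS_RDONLY` and that its return value is checked, because Linux ignores `MS_RDONLY` on the initial `MS_BIND` call.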