From cd8bde1c98543236ec0ceb4375c03eb55aa8e56d Mon Sep 17 00:00:00 2001 From: aszlig Date: Mon, 2 Jul 2018 03:42:45 +0200 Subject: pkgs/sandbox: Add flag to bind-mount read-only While the Nix store should be read-only by default, we can't guarantee this as the Nix store could be mounted read-write (for example on non-NixOS systems). For paths other than store directories, I took a conservative approach here where only /etc is mounted read-only, for all the pseudo- filesystems such as /proc, /sys or /dev write access might still be needed, for example to write to a hardware device exposed via /dev (eg. a gamepad with rumble support). Signed-off-by: aszlig --- pkgs/build-support/build-sandbox/src/setup.c | 23 +++++++++++++---------- pkgs/build-support/build-sandbox/src/setup.h | 2 +- 2 files changed, 14 insertions(+), 11 deletions(-) (limited to 'pkgs/build-support/build-sandbox/src') diff --git a/pkgs/build-support/build-sandbox/src/setup.c b/pkgs/build-support/build-sandbox/src/setup.c index da6c65c7..ffab2c26 100644 --- a/pkgs/build-support/build-sandbox/src/setup.c +++ b/pkgs/build-support/build-sandbox/src/setup.c @@ -245,11 +245,14 @@ recurse: return result; } -bool bind_mount(const char *path, bool restricted, bool resolve) +bool bind_mount(const char *path, bool rdonly, bool restricted, bool resolve) { int mflags = MS_BIND | MS_REC; char src[PATH_MAX], *target; + if (rdonly) + mflags |= MS_RDONLY; + if (restricted) mflags |= MS_NOSUID | MS_NODEV | MS_NOATIME; @@ -537,7 +540,7 @@ bool extra_mount(const char *path, bool is_required) if (is_required && !makedirs(expanded, false)) return false; - if (!bind_mount(expanded, true, true)) { + if (!bind_mount(expanded, false, true, true)) { free(expanded); return false; } 
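Review bot: Adding `MS_RDONLY` to `mflags` only protects the mount if the flag actually reaches the kernel, and on Linux a mount(2) call with `MS_BIND` ignores every flag except `MS_REC` on the initial bind, so if bind_mount hands `mflags` to a single mount() call (that call is below the hunk; bind_mount's body continues outside it) the new "read-only" mount would silently come up writable — and the pre-existing `MS_NOSUID | MS_NODEV | MS_NOATIME` would be dropped the same way. Per-mount flags have to be applied by a second call once the bind has succeeded, roughly `if (mount(NULL, target, NULL, MS_REMOUNT | mflags, NULL) == -1) return false;` using the same `target` the bind call uses. A bind remount is not recursive, so submounts picked up through `MS_REC` presumably stay writable unless remounted individually; a comment on the `rdonly` branch such as `/* MS_RDONLY only takes effect on the MS_REMOUNT|MS_BIND call below */` would keep the next reader from removing the second call.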
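Review bot: `bind_mount(expanded, false, true, true)` is one of several call sites in this commit where the meaning of a bare boolean is only recoverable from the prototype, and with three adjacent `bool` parameters a swapped argument compiles silently and changes the mount's security policy. Either a flag word (`BM_RDONLY | BM_RESTRICTED | BM_RESOLVE` style constants, as the file already does with the `MS_*` bits) or at least a comment naming the literals, `/* rdonly=false, restricted=true, resolve=true */`, would make the intended policy reviewable at the call; the same applies to the calls in mount_requisites and setup_chroot. extra_mount's body starts outside the hunk.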
@@ -597,7 +600,7 @@ static bool mount_requisites(struct query_state *qs, const char *path) while ((requisite = next_query_result(qs)) != NULL) { if (is_dir(requisite)) { - if (!bind_mount(requisite, true, false)) + if (!bind_mount(requisite, true, true, false)) return false; } else { if (!bind_file(requisite)) @@ -685,25 +688,25 @@ static bool setup_chroot(void) return false; } - if (!bind_mount("/etc", true, false)) + if (!bind_mount("/etc", true, true, false)) return false; - if (!bind_mount("/dev", false, false)) + if (!bind_mount("/dev", false, false, false)) return false; - if (!bind_mount("/proc", false, false)) + if (!bind_mount("/proc", false, false, false)) return false; - if (!bind_mount("/sys", false, false)) + if (!bind_mount("/sys", false, false, false)) return false; - if (!bind_mount("/run", false, false)) + if (!bind_mount("/run", false, false, false)) return false; - if (!bind_mount("/var/run", false, false)) + if (!bind_mount("/var/run", false, false, false)) return false; - if (!bind_mount("/tmp", true, false)) + if (!bind_mount("/tmp", false, true, false)) return false; if (!setup_runtime_paths()) diff --git a/pkgs/build-support/build-sandbox/src/setup.h b/pkgs/build-support/build-sandbox/src/setup.h index fe882dc5..2ef05482 100644 --- a/pkgs/build-support/build-sandbox/src/setup.h +++ b/pkgs/build-support/build-sandbox/src/setup.h @@ -6,7 +6,7 @@ #include "nix-query.h" bool write_maps(pid_t parent_pid); -bool bind_mount(const char *path, bool restricted, bool resolve); +bool bind_mount(const char *path, bool rdonly, bool restricted, bool resolve); bool extra_mount(const char *path, bool is_required); bool mount_from_path_var(struct query_state *qs, const char *name); bool setup_sandbox(void); -- cgit 1.4.1
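Review bot: Only the directory branch gains the read-only mount; a store requisite that is a regular file still goes through `bind_file(requisite)`, which takes no rdonly argument, so on a writable store (exactly the case the commit description describes) individually bind-mounted store files presumably remain writable inside the sandbox. bind_file's definition is outside this hunk; if it bind-mounts the file it needs the same read-only treatment as bind_mount, otherwise a comment at this call, `/* files are bound writable: bind_file has no rdonly variant */`, should say why they are exempt. mount_requisites continues outside the hunk.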
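Review bot: The seven setup_chroot calls now encode the per-path policy in three unexplained booleans, and the reasoning from the commit description (why /dev, /proc, /sys, /run and /var/run stay writable while /etc is read-only) does not appear in the code. A short comment per group, e.g. `/* /etc: read-only, nosuid/nodev/noatime */` before the first call and `/* /dev, /proc, /sys, /run, /var/run: writable, device writes may be needed */` before the /dev call, would keep that rationale with the code. /run and /var/run are mounted neither read-only nor with the restricted flags (pre-existing), which is worth stating explicitly if intended; setup_chroot continues outside the hunk.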
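Review bot: The new prototype in setup.h has no documentation for `rdonly`, so a reader of the header alone cannot tell whether it applies to the whole recursive bind or only to the top-level mount, nor how it combines with `restricted`. A Doxygen comment above the declaration giving `@param rdonly` (bind the path read-only), `@param restricted` (nosuid/nodev/noatime), `@param resolve`, and `@return false on failure` would make the four-argument call sites self-explanatory.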