From e05f98c7af4f4ad36e6566c8a6f3343138cff255 Mon Sep 17 00:00:00 2001
From: aszlig
Date: Mon, 2 Jul 2018 04:20:26 +0200
Subject: pkgs/sandbox: Fix mount flags

When using MS_BIND the mount flags aren't actually applied, so we need to remount the bind mount with the flags we wanted if additional flags are desired for the mount. I've also removed the MS_NOATIME, because this doesn't work for kernel 4.14 (returns -EPERM) and it's really not necessary to change the atime flags for our bind mounts.

Signed-off-by: aszlig
---
 pkgs/build-support/build-sandbox/src/setup.c | 29 +++++++++++++++++++---------
 1 file changed, 20 insertions(+), 9 deletions(-)

(limited to 'pkgs/build-support/build-sandbox/src')

diff --git a/pkgs/build-support/build-sandbox/src/setup.c b/pkgs/build-support/build-sandbox/src/setup.c
index ffab2c26..18b288d9 100644
--- a/pkgs/build-support/build-sandbox/src/setup.c
+++ b/pkgs/build-support/build-sandbox/src/setup.c
@@ -247,23 +247,26 @@ recurse:
 
 bool bind_mount(const char *path, bool rdonly, bool restricted, bool resolve)
 {
- int mflags = MS_BIND | MS_REC;
+ int base_mflags = MS_BIND | MS_REC, mflags = 0;
+ const char *msrc;
 char src[PATH_MAX], *target;
 
 if (rdonly)
 mflags |= MS_RDONLY;
 
 if (restricted)
- mflags |= MS_NOSUID | MS_NODEV | MS_NOATIME;
+ mflags |= MS_NOSUID | MS_NODEV;
 
 if (resolve ? realpath(path, src) == NULL : access(path, F_OK) == -1)
 // Skip missing mount source
 return true;
 
- if (is_regular_file(resolve ? src : path))
- return bind_file(resolve ? src : path);
+ msrc = resolve ? src : path;
 
- if ((target = get_mount_target(resolve ? src : path)) == NULL)
+ if (is_regular_file(msrc))
+ return bind_file(msrc);
+
+ if ((target = get_mount_target(msrc)) == NULL)
 return false;
 
 if (resolve) {
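Review bot: The early `return bind_file(msrc);` leaves the function before `mflags` is ever used, so the `rdonly` and `restricted` requests computed just above are not forwarded for regular files. bind_file() is defined outside this hunk and may apply flags of its own, but nothing visible here guarantees that a file bind gets the same read-only/nosuid/nodev remount that the directory path now performs. I would at least document this at the call site, e.g. `/* NOTE: rdonly/restricted are not passed to bind_file(); confirm it remounts with the same flags */`. bind_mount's body continues past the end of this hunk.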
@@ -278,18 +281,26 @@ bool bind_mount(const char *path, bool rdonly, bool restricted, bool resolve)
 return false;
 }
 
- if (!cache_path(cached_paths, resolve ? src : path)) {
+ if (!cache_path(cached_paths, msrc)) {
 free(target);
 return true;
 }
 
- if (mount(resolve ? src : path, target, "", mflags, NULL) == -1) {
- fprintf(stderr, "mount %s to %s: %s\n",
- resolve ? src : path, target, strerror(errno));
+ if (mount(msrc, target, "", base_mflags, NULL) == -1) {
+ fprintf(stderr, "mount %s to %s: %s\n", msrc, target, strerror(errno));
 free(target);
 return false;
 }
 
+ if (mflags != 0) {
+ mflags |= base_mflags | MS_REMOUNT;
+ if (mount("none", target, "", mflags, NULL) == -1) {
+ fprintf(stderr, "remount %s: %s\n", target, strerror(errno));
+ free(target);
+ return false;
+ }
+ }
+
 free(target);
 return true;
 }
-- 
cgit 1.4.1
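Review bot: The added remount ORs `MS_REC` into `mflags`, but a `MS_REMOUNT | MS_BIND` call changes only the mount at `target`; mounts that the recursive bind copied in below it keep the flags they had. A caller asking for `rdonly` or `restricted` on a tree that contains submounts therefore still gets writable or suid/dev-capable submounts inside the sandbox. Closing this needs a remount of every mount below `target` (for example by walking `/proc/self/mountinfo`), which goes beyond this hunk; until then I would state the limit next to the call: `/* remount affects only the top mount; submounts from MS_REC keep their flags */`. Separately, if this runs inside a user namespace (not visible here), the remount may also have to carry over flags the source mount already has, otherwise the kernel can answer with the same kind of EPERM the commit message reports for MS_NOATIME.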