civodul pushed a commit to branch master
in repository guix.

commit 93474f92886fac8a2e5eb0eb3b388654246d640d
Author: Ludovic Courtès <[email protected]>
AuthorDate: Mon Jan 27 23:19:48 2025 +0100

    daemon: Remount inputs as read-only.
    
    * nix/libstore/build.cc (DerivationGoal::runChild): Remount ‘target’ as
    read-only.
    
    Reported-by: Reepca Russelstein <[email protected]>
    Change-Id: Ib7201bcf4363be566f205d23d17fe2f55d3ad666
---
 nix/libstore/build.cc | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
index 193b279b88..3861a1ffd9 100644
--- a/nix/libstore/build.cc
+++ b/nix/libstore/build.cc
@@ -2107,8 +2107,15 @@ void DerivationGoal::runChild()
                     createDirs(dirOf(target));
                     writeFile(target, "");
                 }
+
+               /* Extra flags passed with MS_BIND are ignored, hence the
+                  extra MS_REMOUNT.  */
                 if (mount(source.c_str(), target.c_str(), "", MS_BIND, 0) == 
-1)
                     throw SysError(format("bind mount from `%1%' to `%2%' 
failed") % source % target);
+               if (source.compare(0, settings.nixStore.length(), 
settings.nixStore) == 0) {
+                    if (mount(source.c_str(), target.c_str(), "", MS_BIND | 
MS_REMOUNT | MS_RDONLY, 0) == -1)
+                         throw SysError(format("read-only remount of `%1%' 
failed") % target);
+               }
             }
 
             /* Bind a new instance of procfs on /proc to reflect our
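Review bot: The remount on the `MS_BIND | MS_REMOUNT | MS_RDONLY` line replaces the bind mount's whole per-mount-point flag set with just MS_RDONLY, so any nosuid/nodev/noexec the bind mount inherited from the store's mount is silently dropped inside the build environment, and in a user namespace where those flags are locked the same call fails with EPERM instead of making the input read-only. Reading the current flags with statvfs(3) on `target` and OR-ing the matching MS_* bits into the remount keeps the existing hardening and the EPERM case away (this needs <sys/statvfs.h> if build.cc does not include it already; the ST_NOSUID/ST_NODEV/ST_NOEXEC constants are the GNU extension names). A smaller nit: the prefix test `source.compare(0, settings.nixStore.length(), settings.nixStore) == 0` also matches paths such as `/gnu/store-other`, so comparing against `settings.nixStore + "/"` (or exact equality) is tighter. runChild begins and ends outside this hunk.
```cpp
                if (source.compare(0, settings.nixStore.length(), settings.nixStore) == 0) {
                    /* A bind remount replaces the per-mount-point flags with
                       exactly the set given, so carry over what the bind
                       mount inherited (nosuid/nodev/noexec) instead of
                       dropping it.  */
                    struct statvfs st;
                    if (statvfs(target.c_str(), &st) == -1)
                        throw SysError(format("statvfs of `%1%' failed") % target);
                    unsigned long flags = MS_BIND | MS_REMOUNT | MS_RDONLY;
                    if (st.f_flag & ST_NOSUID) flags |= MS_NOSUID;
                    if (st.f_flag & ST_NODEV) flags |= MS_NODEV;
                    if (st.f_flag & ST_NOEXEC) flags |= MS_NOEXEC;
                    if (mount(source.c_str(), target.c_str(), "", flags, 0) == -1)
                        throw SysError(format("read-only remount of `%1%' failed") % target);
                }
```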
