summary refs log tree commit diff
path: root/nix/libstore/build.cc
diff options
context:
space:
mode:
authorJörg Thalheim <joerg@higgsboson.tk>2016-11-25 00:08:34 +0100
committerAndy Wingo <wingo@igalia.com>2017-08-18 11:31:17 +0200
commit842e0e439a22081be1b4fed7ddc21d6d228afd10 (patch)
tree5bb64ee7583cb46b60000c6fc25fbbff8fc8f05b /nix/libstore/build.cc
parent2559401037a712f2d3c6e5be8b1aeca3679c3f74 (diff)
downloadguix-842e0e439a22081be1b4fed7ddc21d6d228afd10.tar.gz
Simplify remouting with MS_PRIVATE in sandbox build
also fix race condition if mounts are added after mountinfo is read.
Diffstat (limited to 'nix/libstore/build.cc')
-rw-r--r--nix/libstore/build.cc8
1 files changed, 2 insertions, 6 deletions
diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
index 63540ddfc1..d68e8b2bc0 100644
--- a/nix/libstore/build.cc
+++ b/nix/libstore/build.cc
@@ -2086,12 +2086,8 @@ void DerivationGoal::runChild()
                outside of the namespace.  Making a subtree private is
                local to the namespace, though, so setting MS_PRIVATE
                does not affect the outside world. */
-            Strings mounts = tokenizeString<Strings>(readFile("/proc/self/mountinfo", true), "\n");
-            foreach (Strings::iterator, i, mounts) {
-                vector<string> fields = tokenizeString<vector<string> >(*i, " ");
-                string fs = decodeOctalEscaped(fields.at(4));
-                if (mount(0, fs.c_str(), 0, MS_PRIVATE, 0) == -1)
-                    throw SysError(format("unable to make filesystem `%1%' private") % fs);
+            if (mount(0, "/", 0, MS_REC|MS_PRIVATE, 0) == -1) {
+                throw SysError("unable to make ‘/’ private mount");
             }
 
             /* Bind-mount chroot directory to itself, to treat it as a