From 842e0e439a22081be1b4fed7ddc21d6d228afd10 Mon Sep 17 00:00:00 2001
From: Jörg Thalheim
Date: Fri, 25 Nov 2016 00:08:34 +0100
Subject: Simplify remouting with MS_PRIVATE in sandbox build also fix race condition if mounts are added after mountinfo is read.
---
 nix/libstore/build.cc | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
(limited to 'nix')
diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
index 63540ddfc1..d68e8b2bc0 100644
--- a/nix/libstore/build.cc
+++ b/nix/libstore/build.cc
@@ -2086,12 +2086,8 @@ void DerivationGoal::runChild()
 outside of the namespace. Making a subtree private is local to the namespace, though, so setting MS_PRIVATE does not affect the outside world. */
- Strings mounts = tokenizeString(readFile("/proc/self/mountinfo", true), "\n");
- foreach (Strings::iterator, i, mounts) {
- vector fields = tokenizeString >(*i, " ");
- string fs = decodeOctalEscaped(fields.at(4));
- if (mount(0, fs.c_str(), 0, MS_PRIVATE, 0) == -1)
- throw SysError(format("unable to make filesystem `%1%' private") % fs);
+ if (mount(0, "/", 0, MS_REC|MS_PRIVATE, 0) == -1) {
+ throw SysError("unable to make ‘/’ private mount");
 }
 
 /* Bind-mount chroot directory to itself, to treat it as a
-- cgit v1.2.3
From ed464f48efd80e6439441d7a9f6d0e7988fb1272 Mon Sep 17 00:00:00 2001
From: Andy Wingo
Date: Fri, 18 Aug 2017 11:28:02 +0200
Subject: nix: Remove unused function. * nix/libutil/util.hh: * nix/libutil/util.cc (decodeOctalEscaped): Remove unused and buggy function.
---
 nix/libutil/util.cc | 15 ---------------
 nix/libutil/util.hh | 6 ------
 2 files changed, 21 deletions(-)
(limited to 'nix')
diff --git a/nix/libutil/util.cc b/nix/libutil/util.cc
index c07754487e..768e12b5e4 100644
--- a/nix/libutil/util.cc
+++ b/nix/libutil/util.cc
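Review bot: The recursive private remount in the added `if (mount(0, "/", 0, MS_REC|MS_PRIVATE, 0) == -1)` line is only harmless because the child already sits in its own mount namespace, and that precondition is not stated at the call site; executed while still in the host's namespace, the same call would silently change propagation for every mount on the system. The namespace presumably comes from a CLONE_NEWNS/unshare earlier in DerivationGoal::runChild, outside this hunk, so a comment above the call such as `/* Requires that we are already in our own mount namespace; done recursively so no mount present at this point is missed. */` would make the dependency explicit. As a point of style, the pointer arguments are passed as `0` where `nullptr` would read better, and the single-statement `if` gains braces that the removed lines did not use.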
@@ -1106,21 +1106,6 @@ bool endOfList(std::istream & str)
 }
 
 
-string decodeOctalEscaped(const string & s)
-{
- string r;
- for (string::const_iterator i = s.begin(); i != s.end(); ) {
- if (*i != '\\') { r += *i++; continue; }
- unsigned char c = 0;
- ++i;
- while (i != s.end() && *i >= '0' && *i < '8')
- c = c * 8 + (*i++ - '0');
- r += c;
- }
- return r;
-}
-
-
 void ignoreException()
 {
 try {
diff --git a/nix/libutil/util.hh b/nix/libutil/util.hh
index e84d64d10a..6a6e07c478 100644
--- a/nix/libutil/util.hh
+++ b/nix/libutil/util.hh
@@ -356,12 +356,6 @@ string parseString(std::istream & str);
 bool endOfList(std::istream & str);
 
 
-/* Escape a string that contains octal-encoded escape codes such as used in /etc/fstab and /proc/mounts (e.g. "foo\040bar" decodes to "foo bar"). */
-string decodeOctalEscaped(const string & s);
-
-
 /* Exception handling in destructors: print an error message, then ignore the exception. */
 void ignoreException();
-- cgit v1.2.3