daemon: Remount inputs as read-only.

* nix/libstore/build.cc (DerivationGoal::runChild): Remount ‘target’ as read-only. Reported-by: Reepca Russelstein <reepca@russelstein.xyz> Change-Id: Ib7201bcf4363be566f205d23d17fe2f55d3ad666
author: Ludovic Courtès <ludo@gnu.org> 2025-01-27 23:19:48 +0100
committer: Ludovic Courtès <ludo@gnu.org> 2025-03-26 17:57:43 +0100
commit: 93474f92886fac8a2e5eb0eb3b388654246d640d (patch)
tree: 4b86922cc3684783e544b4ff00637011194ebaa2
parent: 550ca89744453ffc53e998979231046fb3e81a6a (diff)
download: guix-93474f92886fac8a2e5eb0eb3b388654246d640d.tar.gz
guix-93474f92886fac8a2e5eb0eb3b388654246d640d.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
index 193b279b88..3861a1ffd9 100644
--- a/nix/libstore/build.cc
+++ b/nix/libstore/build.cc
@@ -2107,8 +2107,15 @@ void DerivationGoal::runChild()
                     createDirs(dirOf(target));
                     writeFile(target, "");
                 }
+
+		/* Extra flags passed with MS_BIND are ignored, hence the
+		   extra MS_REMOUNT.  */
                 if (mount(source.c_str(), target.c_str(), "", MS_BIND, 0) == -1)
                     throw SysError(format("bind mount from `%1%' to `%2%' failed") % source % target);
+		if (source.compare(0, settings.nixStore.length(), settings.nixStore) == 0) {
+		     if (mount(source.c_str(), target.c_str(), "", MS_BIND | MS_REMOUNT | MS_RDONLY, 0) == -1)
+			  throw SysError(format("read-only remount of `%1%' failed") % target);
+		}
             }
 
             /* Bind a new instance of procfs on /proc to reflect our
author	Ludovic Courtès <ludo@gnu.org>	2025-01-27 23:19:48 +0100
committer	Ludovic Courtès <ludo@gnu.org>	2025-03-26 17:57:43 +0100
commit	93474f92886fac8a2e5eb0eb3b388654246d640d (patch)
tree	4b86922cc3684783e544b4ff00637011194ebaa2
parent	550ca89744453ffc53e998979231046fb3e81a6a (diff)
download	guix-93474f92886fac8a2e5eb0eb3b388654246d640d.tar.gz guix-93474f92886fac8a2e5eb0eb3b388654246d640d.zip