Read-only sandbox paths mounts (Linux) #13315
Open
+43
−24
Motivation

This extends the `sandbox-paths` syntax to allow the extra optional suffix `:ro` for marking that path so as to be mounted read-only in the sandbox. The suffix is excluded from the mounted source or target path. It will only cause the mount `MS_RDONLY` flag to be set.

Context

...well, technically we make then another `mount(2)` call on the target path right after mounting the path for the first time, in order to do a second mount (or rather remount, `MS_REMOUNT`) with `MS_RDONLY`. For some reason a single `mount` syscall can't both create a new bind-mount and assign the read-only flag to it (its mount-point really) ... or propagation properties for that matter.

The `mount(8)` CLI from `util-linux` abstracts over this with a second syscall as necessary as well (more even sometimes, it seems).

There's a better, modern API since about Linux 5.12 with `open_tree()`, `mount_setattr()` and `move_mount()`. Probably doesn't really make a difference until there's some need or want for those features though.

One of the commits (2eaca52) is not related to the bulk of the changes in this. It's a small change to fix a certain edge-case (think user launching `nix` or running tests with a `PATH` that still works, for all intents and purposes, but looks like it fell through a slipstream portal sideways).
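The two-step bind-then-remount sequence described above, as an added example that is not Nix's own code. It assumes the entry shape `target[=source][:ro]` (with no `=`, the target doubles as the source) and a parser written for this illustration; the mount calls use only the `MS_BIND`, `MS_REMOUNT` and `MS_RDONLY` flags the description names, plus the reason `MS_BIND` has to be kept on the remount:

```cpp
#include <cerrno>
#include <cstdio>
#include <stdexcept>
#include <string>
#ifdef __linux__
#include <sys/mount.h>
#endif

// One parsed sandbox-paths entry. Assumed shape (taken from the PR description,
// not from Nix's own parser): "target[=source][:ro]"; with no '=' the target
// is also the source.
struct SandboxPath {
    std::string source;
    std::string target;
    bool readOnly = false;
};

// Split an entry into its parts. The ":ro" suffix is stripped first so that it
// never becomes part of either path, matching the behaviour the PR describes.
SandboxPath parseSandboxPath(std::string entry)
{
    SandboxPath p;
    const std::string suffix = ":ro";
    if (entry.size() > suffix.size()
        && entry.compare(entry.size() - suffix.size(), suffix.size(), suffix) == 0) {
        p.readOnly = true;
        entry.erase(entry.size() - suffix.size());
    }
    auto eq = entry.find('=');
    if (eq == std::string::npos) {
        p.target = p.source = entry;
    } else {
        p.target = entry.substr(0, eq);
        p.source = entry.substr(eq + 1);
    }
    if (p.source.empty() || p.target.empty())
        throw std::invalid_argument("empty path in sandbox-paths entry: " + entry);
    return p;
}

// Bind-mount p.source at p.target inside the sandbox's mount namespace.
// mount(2) ignores every flag except MS_REC when MS_BIND is set, so a
// read-only bind mount takes a second call with MS_REMOUNT|MS_BIND|MS_RDONLY.
// Keeping MS_BIND in that remount is what limits the change to this mount
// point instead of the source filesystem's superblock. Needs CAP_SYS_ADMIN in
// the namespace. Returns 0 on success, -1 with errno set on failure.
int bindMount(const SandboxPath & p)
{
#ifdef __linux__
    if (mount(p.source.c_str(), p.target.c_str(), nullptr, MS_BIND, nullptr) == -1) {
        std::perror("mount(MS_BIND)");
        return -1;
    }
    // Caveat: inside a user namespace the kernel refuses (EPERM) to clear
    // flags such as MS_NOSUID/MS_NODEV/MS_NOEXEC that were locked on the
    // source mount; a production implementation reads them back (statvfs(3))
    // and ORs them into this remount so they are preserved.
    if (p.readOnly
        && mount(nullptr, p.target.c_str(), nullptr, MS_REMOUNT | MS_BIND | MS_RDONLY, nullptr) == -1) {
        std::perror("mount(MS_REMOUNT|MS_BIND|MS_RDONLY)");
        return -1;
    }
    return 0;
#else
    (void) p;
    errno = ENOSYS;
    return -1;
#endif
}

int main(int argc, char ** argv)
{
    // Usage: ./sandbox-ro /tmp/sb/etc=/etc:ro /tmp/sb/nix/store
    // (targets must already exist; run with mount privileges in a fresh
    // mount namespace, e.g. via unshare -m)
    for (int i = 1; i < argc; ++i) {
        SandboxPath p = parseSandboxPath(argv[i]);
        std::printf("%s -> %s (%s)\n", p.source.c_str(), p.target.c_str(),
                    p.readOnly ? "ro" : "rw");
        if (bindMount(p) == -1)
            return 1;
    }
    return 0;
}
```

The remount deliberately omits `MS_REC`: `MS_REMOUNT` only touches the one mount point it is given, so a recursive bind followed by a single read-only remount would leave any submounts writable, which is exactly the gap the newer `mount_setattr()` API (with its recursive mode) closes.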