diff options
| -rw-r--r-- | gnu/build/linux-container.scm | 9 | ||||
| -rw-r--r-- | guix/build/syscalls.scm | 4 |
2 files changed, 12 insertions, 1 deletions
diff --git a/gnu/build/linux-container.scm b/gnu/build/linux-container.scm index 87695c98fd..adfcc32d2c 100644 --- a/gnu/build/linux-container.scm +++ b/gnu/build/linux-container.scm @@ -99,7 +99,14 @@ for the process." ;; The container's file system is completely ephemeral, sans directories ;; bind-mounted from the host. - (mount "none" root "tmpfs") + ;; Make this private in the container namespace so everything mounted under + ;; it is local to this namespace. + (mount "none" "/" "none" (logior MS_REC MS_PRIVATE)) + (let ((current-perms (stat:perms (stat root)))) + (mount "none" root "tmpfs" 0 (string-append "mode=" + (number->string current-perms + 8)))) + ;; A proc mount requires a new pid namespace. (when mount-/proc? diff --git a/guix/build/syscalls.scm b/guix/build/syscalls.scm index 0938ec0ff1..b9d19380ca 100644 --- a/guix/build/syscalls.scm +++ b/guix/build/syscalls.scm @@ -45,6 +45,8 @@ MS_MOVE MS_STRICTATIME MS_LAZYTIME + MS_PRIVATE + MS_REC MNT_FORCE MNT_DETACH MNT_EXPIRE @@ -452,6 +454,8 @@ the returned procedure is called." (define MS_NOATIME 1024) (define MS_BIND 4096) (define MS_MOVE 8192) +(define MS_REC 16384) +(define MS_PRIVATE 262144) (define MS_STRICTATIME 16777216) (define MS_LAZYTIME 33554432) |