Merge pull request #7878 from NixOS/backport-7856-to-2.13-maintenance

[Backport 2.13-maintenance] Wait with making /etc unwritable until after build env setup
NixOS · Feb 22, 2023 · 4acc684 · 4acc684
2 parents 1083ecb + 11522a5
commit 4acc684
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
@@ -1024,10 +1024,6 @@ void LocalDerivationGoal::startBuilder()
                 "nobody:x:65534:65534:Nobody:/:/noshell\n",
                 sandboxUid(), sandboxGid(), settings.sandboxBuildDir));
 
-        /* Make /etc unwritable */
-        if (!parsedDrv->useUidRange())
-            chmod_(chrootRootDir + "/etc", 0555);
-
         /* Save the mount- and user namespace of the child. We have to do this
            *before* the child does a chroot. */
         sandboxMountNamespace = open(fmt("/proc/%d/ns/mnt", (pid_t) pid).c_str(), O_RDONLY);
@@ -1912,6 +1908,10 @@ void LocalDerivationGoal::runChild()
                 }
             }
 
+            /* Make /etc unwritable */
+            if (!parsedDrv->useUidRange())
+                chmod_(chrootRootDir + "/etc", 0555);
+
             /* Unshare this mount namespace. This is necessary because
                pivot_root() below changes the root of the mount
                namespace. This means that the call to setns() in