mirror of
https://git.savannah.gnu.org/git/guix.git
synced 2026-04-07 05:30:38 +02:00
73da0e3a23
* gnu/build/linux-container.scm (mount-file-systems): First remount all filesystems in the current mount namespace as private (by mounting / with MS_PRIVATE and MS_REC), so that the set of mounts cannot increase except from within the container. Also, the tmpfs mounted over the chroot directory now inherits the chroot directory's permissions (p11-kit, for example, has a test that assumes that the root directory is not writable for the current user, and tmpfs is by default 1777 when created). * guix/build/syscalls.scm (MS_PRIVATE, MS_REC): new variables.