Unverified Commit 1ccfe2eb authored by Jared Baur

buildFHSEnvBubblewrap: do not use read-only bind on /nix

Using a read-only bind mount on /nix for bubblewrap FHS environments
means that the build products of buildFHSEnvBubblewrap cannot write to
anywhere in /nix (notably /nix/var/nix/*, which is not a read-only
directory in any deployment I've seen). Since /nix/store is in most
cases already read-only on the host system (thanks to
`boot.nixStoreMountOpts` defaulting to options that make it read-only),
there is no need to enforce that property on the bubblewrap side as
well.
parent fe6c67bf
@@ -288,7 +288,7 @@ let
        ${optionalString unshareUts "--unshare-uts"}
        ${optionalString unshareCgroup "--unshare-cgroup"}
        ${optionalString dieWithParent "--die-with-parent"}
        --ro-bind /nix /nix
        --bind /nix /nix
        ${optionalString privateTmp "--tmpfs /tmp"}
        # Our glibc will look for the cache in its own path in `/nix/store`.
        # As such, we need a cache to exist there, because pressure-vessel
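Review bot: switching `--ro-bind /nix /nix` to `--bind /nix /nix` makes the entire /nix tree writable inside the sandbox and relies on the host's store mount for read-only enforcement, which the message itself only claims holds "in most cases"; on a host where /nix/store is a plain directory or `boot.nixStoreMountOpts` has been changed, the FHS environment can now modify the store. Consider keeping the hardening while still allowing the writes the message needs by binding the two halves separately, e.g. `--ro-bind /nix/store /nix/store` followed by `--bind /nix/var /nix/var`, so only /nix/var (and thus /nix/var/nix/*) becomes writable from inside the bubblewrap environment.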