diff options
| -rw-r--r-- | morphlib/extensions.py | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/morphlib/extensions.py b/morphlib/extensions.py index ef233b6f..6b81e116 100644 --- a/morphlib/extensions.py +++ b/morphlib/extensions.py @@ -223,6 +223,8 @@ class ExtensionSubprocess(object): def close_read_end(): os.close(log_read_fd) p = subprocess.Popen( + # We unshare and mount --make-rprivate so mounts done by write + # extensions can't interfere with the rest of the system. ['unshare', '-m', '--', '/bin/sh', '-c', 'mount --make-rprivate / && exec "$@"', '-', filename] + args, cwd=cwd, env=new_env, |