From d6fd7eee563f6d7ac4e8c8d5aaecc9dba653eac7 Mon Sep 17 00:00:00 2001
From: Noam Yorav-Raphael
Date: Mon, 9 Sep 2024 19:08:11 +0300
Subject: [PATCH] chmod later
---
 src/libstore/unix/build/local-derivation-goal.cc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/libstore/unix/build/local-derivation-goal.cc b/src/libstore/unix/build/local-derivation-goal.cc
index c53bbab75..4ca0cdfb7 100644
--- a/src/libstore/unix/build/local-derivation-goal.cc
+++ b/src/libstore/unix/build/local-derivation-goal.cc
@@ -771,9 +771,6 @@ void LocalDerivationGoal::startBuilder()
 pathsInChroot.erase(worker.store.printStorePath(*i.second.second));
 }
- // Make build root read-only, so `mkdir /homeless-shelter` would fail.
- chmod_(chrootRootDir, 01555);
-
 if (cgroup) {
 if (mkdir(cgroup->c_str(), 0755) != 0) throw SysError("creating cgroup '%s'", *cgroup);
@@ -1973,6 +1970,9 @@ void LocalDerivationGoal::runChild()
 if (rmdir("real-root") == -1) throw SysError("cannot remove real-root directory");
+ // Make build root read-only, so `mkdir /homeless-shelter` would fail.
+ chmod_(chrootRootDir, 01555);
+
 /* Switch to the sandbox uid/gid in the user namespace, which corresponds to the build user or calling user in the parent namespace. */
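Review bot: `chrootRootDir` may no longer name the sandbox root at the point where `chmod_(chrootRootDir, 01555)` now runs in runChild(): it follows `rmdir("real-root")`, which suggests the pivot/chroot sequence has already completed (those lines are outside the hunk). If so, the hardening either fails or lands on a different path, and `chmod_("/", 01555);` would target the new root directly. The call also now runs only in the child and before the switch to the sandbox uid/gid, so a regression test asserting that `mkdir /homeless-shelter` fails inside the sandbox would confirm the read-only root still holds. runChild's body starts and ends outside the hunk.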