From 52299bccf5a56f6af8a204a71c908c7b7623facb Mon Sep 17 00:00:00 2001
From: aszlig
Date: Wed, 27 Mar 2019 20:27:02 +0100
Subject: nixos/confinement: Use PrivateMounts option
So far we had MountFlags = "private", but as @Infinisil has correctly noticed, there is a dedicated PrivateMounts option, which does exactly that and is better integrated than providing raw mount flags. When checking for the reason why I used MountFlags instead of PrivateMounts, I found that at the time I wrote the initial version of this module (Mar 12 06:15:58 2018 +0100) the PrivateMounts option didn't exist yet and has been added to systemd in Jun 13 08:20:18 2018 +0200.
Signed-off-by: aszlig
---
 nixos/modules/security/systemd-confinement.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nixos/modules/security/systemd-confinement.nix b/nixos/modules/security/systemd-confinement.nix
index 31b07b1b03d..cd4eb81dbe1 100644
--- a/nixos/modules/security/systemd-confinement.nix
+++ b/nixos/modules/security/systemd-confinement.nix
@@ -107,7 +107,7 @@ in {
 serviceConfig = {
 RootDirectory = pkgs.runCommand rootName {} "mkdir \"$out\"";
 TemporaryFileSystem = "/";
- MountFlags = lib.mkDefault "private";
+ PrivateMounts = lib.mkDefault true;
 # https://github.com/NixOS/nixpkgs/issues/14645 is a future attempt
 # to change some of these to default to true.
--
cgit 1.4.1
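Review bot: `PrivateMounts = lib.mkDefault true;` is not an exact equivalent of the removed `MountFlags = lib.mkDefault "private";`, although the description says it "does exactly that". As systemd.exec(5) describes it, PrivateMounts= stops mounts made inside the unit from reaching the host, but mount points established or removed on the host are still propagated into the unit's namespace (slave propagation), whereas MountFlags=private cut propagation in both directions. For a confinement module that difference deserves an explicit decision: if two-way isolation is intended, keep `MountFlags = lib.mkDefault "private";` next to the new line; otherwise add a comment such as `# host mount events still propagate into the unit (slave propagation)`. The serviceConfig attribute set continues outside the hunk, so a MountFlags setting further down would not be visible here.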