From 3877ec5b2ff7436f4962ac0fe3200833cf78cb8b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Domen=20Ko=C5=BEar?= Date: Tue, 6 Sep 2016 17:14:50 +0200 Subject: [PATCH 1/2] Make /var/empty immutable Fixes #14910 and #18358 Deployed to an existing server, restarted sshd and polkit to verify they don't fail. --- .../system/activation/activation-script.nix | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/nixos/modules/system/activation/activation-script.nix b/nixos/modules/system/activation/activation-script.nix index 1c587413121e..47550ae76a66 100644 --- a/nixos/modules/system/activation/activation-script.nix +++ b/nixos/modules/system/activation/activation-script.nix @@ -12,11 +12,14 @@ let ''; }); - path = map getBin - [ pkgs.coreutils pkgs.gnugrep pkgs.findutils - pkgs.glibc # needed for getent - pkgs.shadow - pkgs.nettools # needed for hostname + path = with pkgs; map getBin + [ coreutils + gnugrep + findutils + glibc # needed for getent + shadow + nettools # needed for hostname + e2fsprogs # needed for chattr ]; in @@ -137,8 +140,13 @@ in mkdir -m 1777 -p /var/tmp + # Make sure it's really empty + chattr -i /var/empty + rm -rf /var/empty + # Empty, read-only home directory of many system accounts. mkdir -m 0555 -p /var/empty + chattr +i /var/empty ''; system.activationScripts.usrbinenv = if config.environment.usrbinenv != null From 8f95e6f6aa8ac62e809a5d1cba6af2b6707d90dd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Domen=20Ko=C5=BEar?= Date: Wed, 7 Sep 2016 10:41:56 +0200 Subject: [PATCH 2/2] hardcode e2fsprogs, idempotent chmod, remove care condition --- .../modules/system/activation/activation-script.nix | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/nixos/modules/system/activation/activation-script.nix b/nixos/modules/system/activation/activation-script.nix index 47550ae76a66..60298362d767 100644 --- a/nixos/modules/system/activation/activation-script.nix 
+++ b/nixos/modules/system/activation/activation-script.nix @@ -19,7 +19,6 @@ let glibc # needed for getent shadow nettools # needed for hostname - e2fsprogs # needed for chattr ]; in @@ -140,13 +139,13 @@ in mkdir -m 1777 -p /var/tmp + # Empty, immutable home directory of many system accounts. + mkdir -p /var/empty # Make sure it's really empty - chattr -i /var/empty - rm -rf /var/empty - - # Empty, read-only home directory of many system accounts. - mkdir -m 0555 -p /var/empty - chattr +i /var/empty + ${pkgs.e2fsprogs}/bin/chattr -i /var/empty + find /var/empty -mindepth 1 -delete + chmod 0555 /var/empty + ${pkgs.e2fsprogs}/bin/chattr +i /var/empty ''; system.activationScripts.usrbinenv = if config.environment.usrbinenv != null
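Review bot: Both `${pkgs.e2fsprogs}/bin/chattr` calls on the new side are only honoured by filesystems that implement the immutable flag (ext2/3/4, xfs, btrfs); on a tmpfs, NFS or 9p /var they fail with "Operation not supported", and since the enclosing activation snippet and its error handling start before this hunk, the probable result is a snippet reported as failed on every switch rather than a hardening that is merely skipped. The sequence also never sets ownership: `mkdir -p` keeps a pre-existing /var/empty with whatever owner it already had, and `chmod 0555` leaves that owner able to chmod it writable again whenever the immutable bit could not be set, so a `chown root:root /var/empty` before the chmod is needed. If /var/empty is already a symlink, `mkdir -p` accepts it, `find -mindepth 1` does not descend through it, and `chmod` follows it and applies 0555 to the target directory; the `rm -rf` this patch removes at least caught that case, so test with `-L` and remove the link first. I would run chattr with `-f`, tolerate a failed `-i`, and warn on a failed `+i` so a non-immutable /var/empty is visible in the activation output instead of silent.
```nix
      # Empty, immutable home directory of many system accounts.
      if [ -L /var/empty ]; then rm -f /var/empty; fi   # never operate through a symlink
      mkdir -p /var/empty
      # Make sure it's really empty
      ${pkgs.e2fsprogs}/bin/chattr -f -i /var/empty || true
      find /var/empty -mindepth 1 -delete
      chown root:root /var/empty
      chmod 0555 /var/empty
      ${pkgs.e2fsprogs}/bin/chattr -f +i /var/empty \
        || echo "warning: could not make /var/empty immutable" >&2
      # … unchanged: end of the snippet and system.activationScripts.usrbinenv …
```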