From a139fa14b1764862f5b47eebb0a355da2c0300a1 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 25 Sep 2012 16:33:21 -0400 Subject: [PATCH] Optionally make the Nix store read-only to enforce immutability This will be the default once Nix 1.2 is released. --- modules/services/misc/nix-daemon.nix | 11 +++++++++++ modules/system/boot/stage-2-init.sh | 11 +++++++++++ modules/system/boot/stage-2.nix | 1 + 3 files changed, 23 insertions(+) diff --git a/modules/services/misc/nix-daemon.nix b/modules/services/misc/nix-daemon.nix index cf2d0f52d860..7e52686f32f7 100644 --- a/modules/services/misc/nix-daemon.nix +++ b/modules/services/misc/nix-daemon.nix @@ -183,6 +183,17 @@ in you should increase this value. ''; }; + + readOnlyStore = mkOption { + default = false; + description = '' + If set, NixOS will enforce the immutability of the Nix store + by making /nix/store a read-only bind + mount. Nix will automatically make the store writable when + needed. + ''; + }; + }; }; diff --git a/modules/system/boot/stage-2-init.sh b/modules/system/boot/stage-2-init.sh index f1eb73a8f88f..3aab7a59504b 100644 --- a/modules/system/boot/stage-2-init.sh +++ b/modules/system/boot/stage-2-init.sh @@ -41,6 +41,17 @@ if [ ! -e /proc/1 ]; then fi +# Make /nix/store a read-only bind mount to enforce immutability of +# the Nix store. +if [ -n "@readOnlyStore@" ]; then + if ! mountpoint /nix/store; then + mkdir -p /nix/rw-store + mount --bind /nix/store /nix/store + mount -o remount,ro,bind /nix/store + fi +fi + + # Provide a /etc/mtab. mkdir -m 0755 -p /etc test -e /etc/fstab || touch /etc/fstab # to shut up mount diff --git a/modules/system/boot/stage-2.nix b/modules/system/boot/stage-2.nix index e187219cbd88..3569cfa81139 100644 --- a/modules/system/boot/stage-2.nix +++ b/modules/system/boot/stage-2.nix 
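Review bot: The `readOnlyStore` option description does not state the Nix version the feature depends on, although the commit message ties the read-only store to Nix 1.2 ("Nix will automatically make the store writable when needed" only holds for a Nix that knows how to remount); an admin enabling it on an older Nix would get a store that builds can no longer write to. I would extend the description with a sentence such as `This requires a version of Nix that can remount the store read-write on demand (Nix 1.2 or later).` Also, the option carries `default = false;` but no `type`; the neighbouring option in the context lines does not show one either, so this may be the module's convention, but if `types` is in scope a `type = types.bool;` would reject non-boolean values that the `-n "@readOnlyStore@"` test in stage-2-init.sh would otherwise treat as "enabled". The enclosing `options` attribute set starts outside the hunk.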
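Review bot: In the stage-2-init.sh hunk the whole read-only enforcement is skipped when `/nix/store` is already a mount point, because the `remount,ro,bind` sits inside `if ! mountpoint /nix/store`; on a system where the store is its own filesystem the option would then silently do nothing, which defeats the immutability guarantee it is meant to provide. Only the self-bind needs the guard, so I would write `if ! mountpoint -q /nix/store; then mount --bind /nix/store /nix/store; fi` followed unconditionally by `mount -o remount,ro,bind /nix/store`, with the `-q` flag added since `mountpoint` otherwise prints its verdict to the console during boot (a per-mountpoint read-only remount of a non-bind mount is something I believe works on current kernels, but it should be confirmed on the target). `mkdir -p /nix/rw-store` is created but never referenced in this hunk; if Nix itself expects that directory, a one-line comment saying so would keep the next reader from removing it. Neither mount call's failure is reported, so a short `|| echo "warning: could not make /nix/store read-only"` would make a silently writable store visible in the boot log.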
@@ -60,6 +60,7 @@ let shellDebug = "${pkgs.bashInteractive}/bin/bash"; isExecutable = true; inherit (config.boot) devShmSize runSize cleanTmpDir; + inherit (config.nix) readOnlyStore; ttyGid = config.ids.gids.tty; path = [ pkgs.coreutils