GNU bug report logs - #71071
[PATCH] services: nix: Mount Nix store read only.


Package: guix-patches;

Reported by: Oleg Pykhalov <go.wigust <at> gmail.com>

Date: Sun, 19 May 2024 19:28:01 UTC

Severity: normal

Tags: patch

Done: Oleg Pykhalov <go.wigust <at> gmail.com>

Bug is archived. No further changes may be made.



Message #11 received at 71071 <at> debbugs.gnu.org (full text, mbox):

From: Oleg Pykhalov <go.wigust <at> gmail.com>
To: 71071 <at> debbugs.gnu.org
Cc: Oleg Pykhalov <go.wigust <at> gmail.com>
Subject: [PATCH] services: nix: Mount Nix store read only.
Date: Thu, 23 May 2024 07:38:23 +0300
* gnu/services/nix.scm (nix-shepherd-service): Add requirements.
(%nix-store-directory): New variable.
(nix-service-type): Add file-system-service-type extension.

Change-Id: I73c54ab8699a54be33fac6732d919c4844d1daa4
---
 gnu/services/nix.scm | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

diff --git a/gnu/services/nix.scm b/gnu/services/nix.scm
index 82853253f6..419e5968fe 100644
--- a/gnu/services/nix.scm
+++ b/gnu/services/nix.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2019, 2020, 2021 Oleg Pykhalov <go.wigust <at> gmail.com>
+;;; Copyright © 2019, 2020, 2021, 2024 Oleg Pykhalov <go.wigust <at> gmail.com>
 ;;; Copyright © 2020 Peng Mei Yu <i <at> pengmeiyu.com>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -26,6 +26,7 @@ (define-module (gnu services nix)
   #:use-module (gnu services shepherd)
   #:use-module (gnu services web)
   #:use-module (gnu services)
+  #:use-module (gnu system file-systems)
   #:use-module (gnu system shadow)
   #:use-module (guix gexp)
   #:use-module (guix packages)
@@ -129,6 +130,20 @@ (define nix-service-etc
                                     '#$build-sandbox-items))
                     (for-each (cut display <>) '#$extra-config)))))))))))
 
+(define %nix-store-directory
+  "/nix/store")
+
+(define %immutable-nix-store
+  ;; Read-only store to avoid users or daemons accidentally modifying it.
+  ;; 'nix-daemon' has provisions to remount it read-write in its own name
+  ;; space.
+  (list (file-system
+          (device %nix-store-directory)
+          (mount-point %nix-store-directory)
+          (type "none")
+          (check? #f)
+          (flags '(read-only bind-mount)))))
+
 (define nix-shepherd-service
   ;; Return a <shepherd-service> for Nix.
   (match-lambda
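Review bot: The `read-only` flag on a `bind-mount` only takes effect if the mount helper performs the second remount step (bind first, then remount read-only), because the kernel ignores the read-only flag on the initial bind call; `%immutable-nix-store` uses the same flag combination as Guix's own read-only store mount, so it presumably goes through the same two-step path, but that is worth confirming for this mount point. The mount also requires `/nix/store` to exist when file-system services are started; if `nix-activation` (extended in the last hunk) is what creates the directory, confirm that activation runs before the mount, otherwise a first boot would fail the mount and, through the new requirement, never start `nix-daemon`. The commit message names only `%nix-store-directory` as new; `%immutable-nix-store` should be listed there as well, e.g. `(%immutable-nix-store): New variable.`. The comment inside the definition could also record that the read-only bind is the reason for the new `file-system-/nix/store` requirement on the daemon, so the two pieces are not changed independently.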
@@ -137,7 +152,7 @@ (define nix-shepherd-service
       (shepherd-service
        (provision '(nix-daemon))
        (documentation "Run nix-daemon.")
-       (requirement '())
+       (requirement '(user-processes file-system-/nix/store))
        (start #~(make-forkexec-constructor
                  (list (string-append #$package "/bin/nix-daemon")
                        #$@extra-options)
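Review bot: The requirement `file-system-/nix/store` spells out the mount point literally, while the mount itself is derived from `%nix-store-directory`; if that constant is ever changed the requirement would silently point at a service that does not exist and `nix-daemon` would never start. Deriving the name from the file-system object instead would keep them in step, e.g. `(requirement (list 'user-processes (file-system->shepherd-service-name (car %immutable-nix-store))))`, provided that helper from (gnu services base) is reachable from this module. A short comment on the requirement line, such as `;; Start only once the read-only bind mount of the store is in place.`, would make the dependency's purpose explicit. The enclosing `nix-shepherd-service` match-lambda starts before and continues after this hunk.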
@@ -156,7 +171,9 @@ (define nix-service-type
           (service-extension activation-service-type nix-activation)
           (service-extension etc-service-type nix-service-etc)
           (service-extension profile-service-type
-                             (compose list nix-configuration-package))))
+                             (compose list nix-configuration-package))
+          (service-extension file-system-service-type
+                             (const %immutable-nix-store))))
    (description "Run the Nix daemon.")
    (default-value (nix-configuration))))
 

base-commit: dd03be186adb64bdb77265dfd0ad53fe50ec016e
-- 
2.41.0







