[bug#75810,v5,05/14] daemon: Remount root directory as read-only.

Subject: [bug#75810] [PATCH v5 05/14] daemon: Remount root directory as
 read-only.
Resent-From: Ludovic =?utf-8?q?Court=C3=A8s?= <ludo@gnu.org>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: guix-patches@gnu.org
Resent-Date: Fri, 14 Mar 2025 17:50:05 +0000
Resent-Message-ID: <handler.75810.B75810.174197460317047@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
To: 75810@debbugs.gnu.org
Cc: Ludovic =?utf-8?q?Court=C3=A8s?= <ludo@gnu.org>
From: Ludovic =?utf-8?q?Court=C3=A8s?= <ludo@gnu.org>
Date: Fri, 14 Mar 2025 18:48:02 +0100
Message-ID: 
 <e9761dd9d4842617fa5d7f1996e354b0c7a877af.1741973869.git.ludo@gnu.org>
In-Reply-To: <cover.1741973869.git.ludo@gnu.org>
References: <cover.1741973869.git.ludo@gnu.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: list
Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org
Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org

Message ID	e9761dd9d4842617fa5d7f1996e354b0c7a877af.1741973869.git.ludo@gnu.org
State	New
Headers	Subject: [bug#75810] [PATCH v5 05/14] daemon: Remount root directory as read-only. Resent-From: Ludovic =?utf-8?q?Court=C3=A8s?= <ludo@gnu.org> Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org> Resent-CC: guix-patches@gnu.org Resent-Date: Fri, 14 Mar 2025 17:50:05 +0000 Resent-Message-ID: <handler.75810.B75810.174197460317047@debbugs.gnu.org> Resent-Sender: help-debbugs@gnu.org To: 75810@debbugs.gnu.org Cc: Ludovic =?utf-8?q?Court=C3=A8s?= <ludo@gnu.org> From: Ludovic =?utf-8?q?Court=C3=A8s?= <ludo@gnu.org> Date: Fri, 14 Mar 2025 18:48:02 +0100 Message-ID: <e9761dd9d4842617fa5d7f1996e354b0c7a877af.1741973869.git.ludo@gnu.org> In-Reply-To: <cover.1741973869.git.ludo@gnu.org> References: <cover.1741973869.git.ludo@gnu.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: list Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches
Series	Rootless guix-daemon \| [bug#75810,v5,00/14] Rootless guix-daemon [bug#75810,v5,01/14] daemon: Use ‘close_range’ where available. [bug#75810,v5,02/14] daemon: Bind-mount /etc/nsswitch.conf & co. only if it exists. [bug#75810,v5,03/14] daemon: Bind-mount all the inputs, not just directories. [bug#75810,v5,04/14] daemon: Remount inputs as read-only. [bug#75810,v5,05/14] daemon: Remount root directory as read-only. [bug#75810,v5,06/14] daemon: Allow running as non-root with unprivileged user namespaces. [bug#75810,v5,07/14] daemon: Create /var/guix/profiles/per-user unconditionally. [bug#75810,v5,08/14] daemon: Drop Linux ambient capabilities before executing builder. [bug#75810,v5,09/14] daemon: Move comments where they belong. [bug#75810,v5,10/14] tests: Add missing derivation inputs. [bug#75810,v5,11/14] tests: Run in a chroot and unprivileged user namespaces. [bug#75810,v5,12/14] etc: systemd services: Run ‘guix-daemon’ as an unprivileged user. [bug#75810,v5,13/14] guix-install.sh: Support the unprivileged daemon where possible. [bug#75810,v5,14/14] DRAFT gnu: guix: Update to 00562be.

[bug#75810,v5,05/14] daemon: Remount root directory as read-only.

Commit Message

Patch