From patchwork Sun May 19 19:26:15 2024
X-Patchwork-Submitter: Oleg Pykhalov
X-Patchwork-Id: 27699
Subject: [bug#71071] [PATCH] services: nix: Mount Nix store read only.
Resent-From: Oleg Pykhalov
Resent-Date: Sun, 19 May 2024 19:28:01 +0000
X-GNU-PR-Message: report 71071
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: 71071@debbugs.gnu.org
Cc: Oleg Pykhalov
From: Oleg Pykhalov Date: Sun, 19 May 2024 22:26:15 +0300 Message-ID: <274716c3156aa3290666ee3d33a2f1101d02d572.1716146775.git.go.wigust@gmail.com> X-Mailer: git-send-email 2.41.0 MIME-Version: 1.0 Received-SPF: pass client-ip=2a00:1450:4864:20::133; envelope-from=go.wigust@gmail.com; helo=mail-lf1-x133.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * gnu/services/nix.scm (nix-shepherd-service): Mount Nix store read only. (%nix-store-directory, %immutable-nix-store): New variables. (%nix-store-prefix): New parameter. (nix-activation): Move /nix/store provision to 'nix-shepherd-service'. Change-Id: I18a5d58c92c1f2b5b6dcecc3d5b439cc15bf4e49 --- gnu/services/nix.scm | 47 +++++++++++++++++++++++++++++++++++++------- 1 file changed, 40 insertions(+), 7 deletions(-) base-commit: dd03be186adb64bdb77265dfd0ad53fe50ec016e diff --git a/gnu/services/nix.scm b/gnu/services/nix.scm index 82853253f6..343b42c13a 100644 --- a/gnu/services/nix.scm +++ b/gnu/services/nix.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2019, 2020, 2021 Oleg Pykhalov +;;; Copyright © 2019, 2020, 2021, 2024 Oleg Pykhalov ;;; Copyright © 2020 Peng Mei Yu ;;; ;;; This file is part of GNU Guix. 
@@ -97,12 +97,9 @@ (define (nix-activation _) #~(begin (use-modules (guix build utils) (srfi srfi-26)) - (for-each (cut mkdir-p <>) '("/nix/store" "/nix/var/log" + (for-each (cut mkdir-p <>) '("/nix/var/log" "/nix/var/nix/gcroots/per-user" "/nix/var/nix/profiles/per-user")) - (chown "/nix/store" - (passwd:uid (getpw "root")) (group:gid (getpw "nixbld01"))) - (chmod "/nix/store" #o775) (for-each (cut chmod <> #o777) '("/nix/var/nix/profiles" "/nix/var/nix/profiles/per-user")))) @@ -129,6 +126,24 @@ (define nix-service-etc '#$build-sandbox-items)) (for-each (cut display <>) '#$extra-config))))))))))) +(define %nix-store-directory + "/nix/store") + +(define %nix-store-prefix + ;; Absolute path to the Nix store. + (make-parameter %nix-store-directory)) + +(define %immutable-nix-store + ;; Read-only store to avoid users or daemons accidentally modifying it. + ;; 'nix-daemon' has provisions to remount it read-write in its own name + ;; space. + #~(file-system + (device #$(%nix-store-prefix)) + (mount-point #$(%nix-store-prefix)) + (type "none") + (check? #f) + (flags '(read-only bind-mount)))) + (define nix-shepherd-service ;; Return a for Nix. (match-lambda 
@@ -139,8 +154,26 @@ (define nix-shepherd-service (documentation "Run nix-daemon.") (requirement '()) (start #~(make-forkexec-constructor - (list (string-append #$package "/bin/nix-daemon") - #$@extra-options) + (list + #$(program-file + "nix-daemon-wrapper" + (with-imported-modules (source-module-closure '((gnu build file-systems) + (gnu system file-systems))) + #~(begin + (use-modules (gnu build file-systems) + (gnu system file-systems) + (guix build syscalls) + (guix build utils)) + (unless (member #$(%nix-store-prefix) (mount-points)) + (mkdir-p "/nix/store") + (chown "/nix/store" + (passwd:uid (getpw "root")) + (group:gid (getpw "nixbld01"))) + (chmod "/nix/store" #o775) + (mount-file-system #$%immutable-nix-store + #:root "/")) + (execl #$(file-append package "/bin/nix-daemon") + "nix-daemon" #$@extra-options))))) #:environment-variables (list (string-append "TMPDIR=" #$build-directory) "PATH=/run/current-system/profile/bin")))
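Review bot: in the `nix-activation` hunk (`@@ -97,12 +97,9 @@`), dropping `mkdir-p`, `chown` and `chmod` of "/nix/store" from activation means the store directory no longer exists after `guix system reconfigure` or boot until the `nix-daemon` shepherd service has actually been started; anything that expects /nix/store to be present before or independently of the daemon will now fail. Consider keeping `(mkdir-p "/nix/store")` together with its ownership and mode in activation (it is idempotent) and moving only the read-only bind mount into the service, or else stating this new ordering dependency explicitly in the commit message and in the service's documentation string.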
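Review bot: in the hunk that adds `%nix-store-prefix` and `%immutable-nix-store` (`@@ -129,6 +126,24 @@`), `%immutable-nix-store` is a plain `define`, so `#$(%nix-store-prefix)` is evaluated once when the module is loaded and a later `parameterize` of `%nix-store-prefix` cannot change the device or mount point; either turn it into a procedure, e.g. `(define (immutable-nix-store) #~(file-system (device #$(%nix-store-prefix)) ...))`, or drop the parameter and use `%nix-store-directory` directly. The `(flags '(read-only bind-mount))` declaration also deserves a comment that it relies on `mount-file-system` issuing the second `MS_REMOUNT|MS_BIND|MS_RDONLY` call that a read-only bind mount needs, since a single mount(2) with `MS_BIND|MS_RDONLY` leaves the bind writable; that is the reason to go through the helper rather than a raw `mount`.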
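Review bot: in the `nix-shepherd-service` hunk (`@@ -139,8 +154,26 @@`), the bind mount is skipped whenever `#$(%nix-store-prefix)` already appears in `(mount-points)`, so on a system where /nix/store is its own file system (a dedicated partition, or bind-mounted from elsewhere) the store stays writable and the service silently does not deliver what the commit title promises; check whether the existing mount is already read-only (the options column of /proc/self/mountinfo) instead of only whether a mount exists, or document the limitation in the `%immutable-nix-store` comment. Two smaller points: the `mkdir-p`, `chown` and `chmod` lines hard-code "/nix/store" while the guard uses `#$(%nix-store-prefix)`, so the four places should use the same value; and since the wrapper now performs a mount itself, `(requirement '())` should probably list `file-systems` so that a /nix on its own file system is mounted before the wrapper runs.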