From patchwork Thu May 23 04:38:23 2024
X-Patchwork-Submitter: Oleg Pykhalov
X-Patchwork-Id: 64843
Subject: [bug#71071] [PATCH] services: nix: Mount Nix store read only.
Resent-From: Oleg Pykhalov
Resent-Date: Thu, 23 May 2024 04:41:01 +0000
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: 71071@debbugs.gnu.org
Cc: Oleg Pykhalov
From: Oleg Pykhalov
Date: Thu, 23 May 2024 07:38:23 +0300
Message-ID: <13d78de1d27742605cf51fc0ed91b832cb5027c9.1716439103.git.go.wigust@gmail.com>
X-Mailer: git-send-email 2.41.0
In-Reply-To: <87ttipdf5n.fsf@gnu.org>
References: <87ttipdf5n.fsf@gnu.org>

* gnu/services/nix.scm (nix-shepherd-service): Add requirements.
(%nix-store-directory): New variable.
(nix-service-type): Add file-system-service-type extension.

Change-Id: I73c54ab8699a54be33fac6732d919c4844d1daa4
---
 gnu/services/nix.scm | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

base-commit: dd03be186adb64bdb77265dfd0ad53fe50ec016e
diff --git a/gnu/services/nix.scm b/gnu/services/nix.scm index 82853253f6..419e5968fe 100644 --- a/gnu/services/nix.scm +++ b/gnu/services/nix.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2019, 2020, 2021 Oleg Pykhalov +;;; Copyright © 2019, 2020, 2021, 2024 Oleg Pykhalov ;;; Copyright © 2020 Peng Mei Yu ;;; ;;; This file is part of GNU Guix. @@ -26,6 +26,7 @@ (define-module (gnu services nix) #:use-module (gnu services shepherd) #:use-module (gnu services web) #:use-module (gnu services) + #:use-module (gnu system file-systems) #:use-module (gnu system shadow) #:use-module (guix gexp) #:use-module (guix packages) 
@@ -129,6 +130,20 @@ (define nix-service-etc '#$build-sandbox-items)) (for-each (cut display <>) '#$extra-config))))))))))) +(define %nix-store-directory + "/nix/store") + +(define %immutable-nix-store + ;; Read-only store to avoid users or daemons accidentally modifying it. + ;; 'nix-daemon' has provisions to remount it read-write in its own name + ;; space. + (list (file-system + (device %nix-store-directory) + (mount-point %nix-store-directory) + (type "none") + (check? #f) + (flags '(read-only bind-mount))))) + (define nix-shepherd-service ;; Return a for Nix. (match-lambda @@ -137,7 +152,7 @@ (define nix-shepherd-service (shepherd-service (provision '(nix-daemon)) (documentation "Run nix-daemon.") - (requirement '()) + (requirement '(user-processes file-system-/nix/store)) (start #~(make-forkexec-constructor (list (string-append #$package "/bin/nix-daemon") #$@extra-options) @@ -156,7 +171,9 @@ (define nix-service-type (service-extension activation-service-type nix-activation) (service-extension etc-service-type nix-service-etc) (service-extension profile-service-type - (compose list nix-configuration-package)))) + (compose list nix-configuration-package)) + (service-extension file-system-service-type + (const %immutable-nix-store)))) (description "Run the Nix daemon.") (default-value (nix-configuration))))
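Review bot: the commit message's ChangeLog entry lists (%nix-store-directory) but not (%immutable-nix-store), so the new variable introduced in the @@ -129,6 +130,20 @@ hunk is undocumented; add "(%immutable-nix-store): New variable." to the message. In the same hunk the file-system entry sets only `(check? #f)`; consider adding `(create-mount-point? #t)`, because bind-mounting "/nix/store" onto itself fails if that directory does not exist when file-system-/nix/store is started (for example on a fresh system where nothing has created the store yet). The comment "'nix-daemon' has provisions to remount it read-write in its own name space" is accurate, but it is worth stating the consequence next to it: a read-only bind mount is a guard against accidental writes, not a security boundary, since any process with CAP_SYS_ADMIN can perform the same read-write remount that nix-daemon does.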
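Review bot: in the @@ -137,7 +152,7 @@ hunk the new requirement `file-system-/nix/store` hard-codes the very path that %nix-store-directory was just introduced to name, so the two can drift apart silently; derive the service symbol from the variable (for instance with `file-system->shepherd-service-name` from (gnu services base), applied to the file-system in %immutable-nix-store) instead of spelling the path twice. The commit message should also mention the behavioural change this line brings: nix-daemon now refuses to start when the bind mount cannot be established, rather than running on a writable store, which is the intended fail-closed behaviour but will be visible to existing deployments on upgrade.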
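Review bot: the @@ -156,7 +171,9 @@ hunk adds the read-only bind mount as a file-system-service-type extension while the activation-service-type extension (nix-activation, two lines above in the context) keeps running on every `guix system reconfigure`; if nix-activation creates, chowns or chmods /nix/store, those calls will fail with EROFS once the bind mount is active on a running system, aborting the rest of the activation script, so please verify that path (or make the activation tolerate an already read-only store). Consider also exposing the mount through a nix-configuration field so users who need a directly writable store can opt out, since `(const %immutable-nix-store)` leaves them no knob.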