system: Make /gnu/store a read-only bind mount by default.

* gnu/system/file-systems.scm (%immutable-store): New variable. (%base-file-systems): Add it. * doc/guix.texi (File Systems): Document it.
2015-04-20 22:21:51 +02:00 · 2015-04-20 22:21:51 +02:00 · 3392ce5d60
parent b86fee7848
commit 3392ce5d60
2 changed files with 29 additions and 4 deletions
--- a/doc/guix.texi
+++ b/doc/guix.texi
@ -4221,8 +4221,9 @@ variables.

@defvr {Scheme Variable} %base-file-systems
 These are essential file systems that are required on normal systems,
-such as @var{%devtmpfs-file-system} (see below.)  Operating system
-declarations should always contain at least these.
+such as @var{%devtmpfs-file-system} and @var{%immutable-store} (see
+below.)  Operating system declarations should always contain at least
+these.
@end defvr

@defvr {Scheme Variable} %devtmpfs-file-system
@ -4244,6 +4245,16 @@ memory sharing across processes (@pxref{Memory-mapped I/O,
@code{shm_open},, libc, The GNU C Library Reference Manual}).
@end defvr

+@defvr {Scheme Variable} %immutable-store
+This file system performs a read-only ``bind mount'' of
+@file{/gnu/store}, making it read-only for all the users including
+@code{root}.  This prevents against accidental modification by software
+running as @code{root} or by system administrators.
+
+The daemon itself is still able to write to the store: it remounts it
+read-write in its own ``name space.''
+@end defvr
+
@defvr {Scheme Variable} %binary-format-file-system
 The @code{binfmt_misc} file system, which allows handling of arbitrary
 executable file types to be delegated to user space.  This requires the
--- a/gnu/system/file-systems.scm
+++ b/gnu/system/file-systems.scm
@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@ -19,6 +19,7 @@
 (define-module (gnu system file-systems)
  #:use-module (guix gexp)
  #:use-module (guix records)
+  #:use-module (guix store)
  #:export (<file-system>
            file-system
            file-system?
@ -37,6 +38,7 @@
            %shared-memory-file-system
            %pseudo-terminal-file-system
            %devtmpfs-file-system
+            %immutable-store

            %base-file-systems

@ -139,12 +141,24 @@ file system."
    (options "size=50%")                         ;TODO: make size configurable
    (create-mount-point? #t)))

+(define %immutable-store
+  ;; Read-only store to avoid users or daemons accidentally modifying it.
+  ;; 'guix-daemon' has provisions to remount it read-write in its own name
+  ;; space.
+  (file-system
+    (device (%store-prefix))
+    (mount-point (%store-prefix))
+    (type "none")
+    (check? #f)
+    (flags '(read-only bind-mount))))
+
 (define %base-file-systems
  ;; List of basic file systems to be mounted.  Note that /proc and /sys are
  ;; currently mounted by the initrd.
  (list %devtmpfs-file-system
        %pseudo-terminal-file-system
-        %shared-memory-file-system))
+        %shared-memory-file-system
+        %immutable-store))