From 3392ce5d606be84c07624e0626b99e410449639f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= Date: Mon, 20 Apr 2015 22:21:51 +0200 Subject: [PATCH] system: Make /gnu/store a read-only bind mount by default. * gnu/system/file-systems.scm (%immutable-store): New variable. (%base-file-systems): Add it. * doc/guix.texi (File Systems): Document it. --- doc/guix.texi | 15 +++++++++++++-- gnu/system/file-systems.scm | 18 ++++++++++++++++-- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 09dcff59f4..4269d4fa5f 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -4221,8 +4221,9 @@ variables. @defvr {Scheme Variable} %base-file-systems These are essential file systems that are required on normal systems, -such as @var{%devtmpfs-file-system} (see below.) Operating system -declarations should always contain at least these. +such as @var{%devtmpfs-file-system} and @var{%immutable-store} (see +below.) Operating system declarations should always contain at least +these. @end defvr @defvr {Scheme Variable} %devtmpfs-file-system @@ -4244,6 +4245,16 @@ memory sharing across processes (@pxref{Memory-mapped I/O, @code{shm_open},, libc, The GNU C Library Reference Manual}). @end defvr +@defvr {Scheme Variable} %immutable-store +This file system performs a read-only ``bind mount'' of +@file{/gnu/store}, making it read-only for all the users including +@code{root}. This prevents against accidental modification by software +running as @code{root} or by system administrators. + +The daemon itself is still able to write to the store: it remounts it +read-write in its own ``name space.'' +@end defvr + @defvr {Scheme Variable} %binary-format-file-system The @code{binfmt_misc} file system, which allows handling of arbitrary executable file types to be delegated to user space. This requires the diff --git a/gnu/system/file-systems.scm b/gnu/system/file-systems.scm index 4760821840..db861baed2 100644 --- a/gnu/system/file-systems.scm +++ b/gnu/system/file-systems.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2013, 2014 Ludovic Courtès +;;; Copyright © 2013, 2014, 2015 Ludovic Courtès ;;; ;;; This file is part of GNU Guix. ;;; @@ -19,6 +19,7 @@ (define-module (gnu system file-systems) #:use-module (guix gexp) #:use-module (guix records) + #:use-module (guix store) #:export ( file-system file-system? @@ -37,6 +38,7 @@ %shared-memory-file-system %pseudo-terminal-file-system %devtmpfs-file-system + %immutable-store %base-file-systems @@ -139,12 +141,24 @@ file system." (options "size=50%") ;TODO: make size configurable (create-mount-point? #t))) +(define %immutable-store + ;; Read-only store to avoid users or daemons accidentally modifying it. + ;; 'guix-daemon' has provisions to remount it read-write in its own name + ;; space. + (file-system + (device (%store-prefix)) + (mount-point (%store-prefix)) + (type "none") + (check? #f) + (flags '(read-only bind-mount)))) + (define %base-file-systems ;; List of basic file systems to be mounted. Note that /proc and /sys are ;; currently mounted by the initrd. (list %devtmpfs-file-system %pseudo-terminal-file-system - %shared-memory-file-system)) + %shared-memory-file-system + %immutable-store))