nixo
/
guix-devel
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

system: Make /gnu/store a read-only bind mount by default. 

* gnu/system/file-systems.scm (%immutable-store): New variable.
  (%base-file-systems): Add it.
* doc/guix.texi (File Systems): Document it.
This commit is contained in:
Ludovic Courtès 2015-04-20 22:21:51 +02:00
parent b86fee7848
commit 3392ce5d60
2 changed files with 29 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
doc/guix.texi
View File

@ -4221,8 +4221,9 @@ variables.
@defvr {Scheme Variable} %base-file-systems @defvr {Scheme Variable} %base-file-systems
These are essential file systems that are required on normal systems, These are essential file systems that are required on normal systems,
such as @var{%devtmpfs-file-system} (see below.) Operating system such as @var{%devtmpfs-file-system} and @var{%immutable-store} (see
declarations should always contain at least these. below.) Operating system declarations should always contain at least
these.
@end defvr @end defvr
@defvr {Scheme Variable} %devtmpfs-file-system @defvr {Scheme Variable} %devtmpfs-file-system
@ -4244,6 +4245,16 @@ memory sharing across processes (@pxref{Memory-mapped I/O,
@code{shm_open},, libc, The GNU C Library Reference Manual}). @code{shm_open},, libc, The GNU C Library Reference Manual}).
@end defvr @end defvr
@defvr {Scheme Variable} %immutable-store
This file system performs a read-only ``bind mount'' of
@file{/gnu/store}, making it read-only for all the users including
@code{root}. This prevents against accidental modification by software
running as @code{root} or by system administrators.
The daemon itself is still able to write to the store: it remounts it
read-write in its own ``name space.''
@end defvr
@defvr {Scheme Variable} %binary-format-file-system @defvr {Scheme Variable} %binary-format-file-system
The @code{binfmt_misc} file system, which allows handling of arbitrary The @code{binfmt_misc} file system, which allows handling of arbitrary
executable file types to be delegated to user space. This requires the executable file types to be delegated to user space. This requires the

18
gnu/system/file-systems.scm
View File

@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU ;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013, 2014 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
;;; ;;;
;;; This file is part of GNU Guix. ;;; This file is part of GNU Guix.
;;; ;;;
@ -19,6 +19,7 @@
(define-module (gnu system file-systems) (define-module (gnu system file-systems)
#:use-module (guix gexp) #:use-module (guix gexp)
#:use-module (guix records) #:use-module (guix records)
#:use-module (guix store)
#:export (<file-system> #:export (<file-system>
file-system file-system
file-system? file-system?
@ -37,6 +38,7 @@
%shared-memory-file-system %shared-memory-file-system
%pseudo-terminal-file-system %pseudo-terminal-file-system
%devtmpfs-file-system %devtmpfs-file-system
%immutable-store
%base-file-systems %base-file-systems
@ -139,12 +141,24 @@ file system."
(options "size=50%") ;TODO: make size configurable (options "size=50%") ;TODO: make size configurable
(create-mount-point? #t))) (create-mount-point? #t)))
(define %immutable-store
;; Read-only store to avoid users or daemons accidentally modifying it.
;; 'guix-daemon' has provisions to remount it read-write in its own name
;; space.
(file-system
(device (%store-prefix))
(mount-point (%store-prefix))
(type "none")
(check? #f)
(flags '(read-only bind-mount))))
(define %base-file-systems (define %base-file-systems
;; List of basic file systems to be mounted. Note that /proc and /sys are ;; List of basic file systems to be mounted. Note that /proc and /sys are
;; currently mounted by the initrd. ;; currently mounted by the initrd.
(list %devtmpfs-file-system (list %devtmpfs-file-system
%pseudo-terminal-file-system %pseudo-terminal-file-system
%shared-memory-file-system)) %shared-memory-file-system
%immutable-store))