Subject: [bug#71071] [PATCH] services: nix: Mount Nix store read only.
From: Ludovic Courtès
To: Oleg Pykhalov
Cc: 71071@debbugs.gnu.org
In-Reply-To: <274716c3156aa3290666ee3d33a2f1101d02d572.1716146775.git.go.wigust@gmail.com> (Oleg Pykhalov's message of "Sun, 19 May 2024 22:26:15 +0300")
Date: Wed, 22 May 2024 17:45:08 +0200
Message-ID: <87ttipdf5n.fsf@gnu.org>

Hello,

Oleg Pykhalov wrote:

> * gnu/services/nix.scm (nix-shepherd-service): Mount Nix store read only.
> (%nix-store-directory, %immutable-nix-store): New variables.
> (%nix-store-prefix): New parameter.
> (nix-activation): Move /nix/store provision to 'nix-shepherd-service'.
>
> Change-Id: I18a5d58c92c1f2b5b6dcecc3d5b439cc15bf4e49

That’s a good idea. Some suggestions:

> +(define %nix-store-directory
> +  "/nix/store")
> +
> +(define %nix-store-prefix
> +  ;; Absolute path to the Nix store.
> +  (make-parameter %nix-store-directory))

I think you can omit this parameter and simply use
‘%nix-store-directory’ because…

> +(define %immutable-nix-store
> +  ;; Read-only store to avoid users or daemons accidentally modifying it.
> +  ;; 'nix-daemon' has provisions to remount it read-write in its own name
> +  ;; space.
> +  #~(file-system
> +      (device #$(%nix-store-prefix))
> +      (mount-point #$(%nix-store-prefix))

… the parameter is used at the top-level anyway, so changing its value
won’t have any effect.
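Review bot: ‘%immutable-nix-store’ is wrapped in a gexp (‘#~(file-system …)’), so the record only comes into existence on the build side and cannot be passed as-is to ‘file-system-service-type’, which expects host-side ‘file-system’ records; defining it as a plain record, the way ‘%immutable-store’ in (gnu system file-systems) is, keeps that route open. With a plain record the two ‘#$(%nix-store-prefix)’ unquotes also go away, since the device and mount point can be the string constant directly.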
>            (start #~(make-forkexec-constructor
> -                    (list (string-append #$package "/bin/nix-daemon")
> -                          #$@extra-options)
> +                    (list
> +                     #$(program-file
> +                        "nix-daemon-wrapper"
> +                        (with-imported-modules (source-module-closure '((gnu build file-systems)
> +                                                                        (gnu system file-systems)))
> +                          #~(begin
> +                              (use-modules (gnu build file-systems)
> +                                           (gnu system file-systems)
> +                                           (guix build syscalls)
> +                                           (guix build utils))
> +                              (unless (member #$(%nix-store-prefix) (mount-points))
> +                                (mkdir-p "/nix/store")
> +                                (chown "/nix/store"
> +                                       (passwd:uid (getpw "root"))
> +                                       (group:gid (getpw "nixbld01")))
> +                                (chmod "/nix/store" #o775)
> +                                (mount-file-system #$%immutable-nix-store
> +                                                   #:root "/"))
> +                              (execl #$(file-append package "/bin/nix-daemon")
> +                                     "nix-daemon" #$@extra-options)))))
>                      #:environment-variables
>                      (list (string-append "TMPDIR=" #$build-directory)
>                            "PATH=/run/current-system/profile/bin")))

Instead of having this wrapper, what about extending
‘file-system-service-type’ with a read-only bind-mount similar to
‘%immutable-store’?

The Shepherd service that spawns nix-daemon would depend on that file
system:

  (requirement '(user-processes file-system-/nix/store))

Thanks,
Ludo’.
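Review bot: ‘(group:gid (getpw "nixbld01"))’ applies a group-entry accessor to a passwd entry. In Guile both accessors are vector slots, and slot 2 of a passwd entry is the uid, so the ‘chown’ sets the group of /nix/store to nixbld01's uid rather than to the nixbld gid; ‘(group:gid (getgr "nixbld"))’ (or ‘(passwd:gid (getpw "nixbld01"))’) is what is meant. If these lines were moved verbatim from ‘nix-activation’ the defect predates the patch, but moving them is the moment to fix it. Two smaller points in the same block: ‘mkdir-p’, ‘chown’ and ‘chmod’ hard-code "/nix/store" while the ‘member’ test and the file-system use ‘#$(%nix-store-prefix)’, so one of the two spellings should go; and ‘#o775’ omits the sticky bit that a multi-user Nix store is normally given (mode 1775), which is what stops one build user from unlinking another's output paths.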
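The alternative Ludovic sketches, written out as an added example that is not part of the patch or of Guix's own (gnu services nix): a plain ‘file-system’ record for a read-only bind mount of /nix/store, contributed to ‘file-system-service-type’, with the directory created during activation and the nix-daemon Shepherd service requiring the mount. It assumes the ‘nix’ package from (gnu packages package-management), a ‘nixbld’ group created elsewhere, and no extra daemon options.

```scheme
(use-modules (gnu services) (gnu services base) (gnu services shepherd)
             (gnu system file-systems) (gnu packages package-management)
             (guix gexp))

;; Read-only bind mount of the store onto itself, modelled on Guix's
;; %immutable-store.  A plain record, not a gexp, so that
;; file-system-service-type can consume it on the host side.
(define %immutable-nix-store
  (file-system
    (device "/nix/store")
    (mount-point "/nix/store")
    (type "none")
    (check? #f)
    (flags '(read-only bind-mount))))

;; The directory must exist, with the ownership Nix expects, before the
;; mount happens.  Activation runs before Shepherd starts, so it is the
;; right place.  Assumes the 'nixbld' group is defined by another service.
(define nix-store-activation
  #~(begin
      (use-modules (guix build utils))
      (mkdir-p "/nix/store")
      (chown "/nix/store"
             (passwd:uid (getpw "root"))
             (group:gid (getgr "nixbld")))   ; group entry, not passwd entry
      (chmod "/nix/store" #o1775)))          ; sticky bit: multi-user store

;; nix-daemon only starts once the read-only mount is in place.
;; 'file-system-/nix/store' is the provision name Guix derives for the
;; Shepherd service of a file-system mounted at /nix/store.
(define nix-daemon-shepherd-service
  (shepherd-service
    (provision '(nix-daemon))
    (requirement '(user-processes file-system-/nix/store))
    (start #~(make-forkexec-constructor
              (list #$(file-append nix "/bin/nix-daemon"))))
    (stop #~(make-kill-destructor))))

(define nix-store-read-only-service-type
  (service-type
    (name 'nix-store-read-only)
    (extensions
     (list (service-extension file-system-service-type
                              (const (list %immutable-nix-store)))
           (service-extension activation-service-type
                              (const nix-store-activation))
           (service-extension shepherd-root-service-type
                              (const (list nix-daemon-shepherd-service)))))
    (default-value #f)
    (description "Mount /nix/store read-only and run nix-daemon on it.")))
```

Adding ‘(service nix-store-read-only-service-type)’ to an operating-system declaration yields the same read-only store as the wrapper, but expressed as ordinary service extensions with Shepherd ordering the mount before the daemon.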