Subject: [bug#71071] [PATCH] services: nix: Mount Nix store read only.
Resent-From: Oleg Pykhalov
Resent-Date: Thu, 23 May 2024 04:41:01 +0000
To: 71071@debbugs.gnu.org
Cc: Oleg Pykhalov
From: Oleg Pykhalov
Date: Thu, 23 May 2024 07:38:23 +0300
Message-ID: <13d78de1d27742605cf51fc0ed91b832cb5027c9.1716439103.git.go.wigust@gmail.com>
In-Reply-To: <87ttipdf5n.fsf@gnu.org>
References: <87ttipdf5n.fsf@gnu.org>

* gnu/services/nix.scm (nix-shepherd-service): Add requirements. (%nix-store-directory): New variable. (nix-service-type): Add file-system-service-type extension. Change-Id: I73c54ab8699a54be33fac6732d919c4844d1daa4 --- gnu/services/nix.scm | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/gnu/services/nix.scm b/gnu/services/nix.scm index 82853253f6..419e5968fe 100644 --- a/gnu/services/nix.scm +++ b/gnu/services/nix.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2019, 2020, 2021 Oleg Pykhalov +;;; Copyright © 2019, 2020, 2021, 2024 Oleg Pykhalov ;;; Copyright © 2020 Peng Mei Yu ;;; ;;; This file is part of GNU Guix. @@ -26,6 +26,7 @@ (define-module (gnu services nix) #:use-module (gnu services shepherd) #:use-module (gnu services web) #:use-module (gnu services) + #:use-module (gnu system file-systems) #:use-module (gnu system shadow) #:use-module (guix gexp) #:use-module (guix packages) 
@@ -129,6 +130,20 @@ (define nix-service-etc '#$build-sandbox-items)) (for-each (cut display <>) '#$extra-config))))))))))) +(define %nix-store-directory + "/nix/store") + +(define %immutable-nix-store + ;; Read-only store to avoid users or daemons accidentally modifying it. + ;; 'nix-daemon' has provisions to remount it read-write in its own name + ;; space. + (list (file-system + (device %nix-store-directory) + (mount-point %nix-store-directory) + (type "none") + (check? #f) + (flags '(read-only bind-mount))))) + (define nix-shepherd-service ;; Return a for Nix. (match-lambda @@ -137,7 +152,7 @@ (define nix-shepherd-service (shepherd-service (provision '(nix-daemon)) (documentation "Run nix-daemon.") - (requirement '()) + (requirement '(user-processes file-system-/nix/store)) (start #~(make-forkexec-constructor (list (string-append #$package "/bin/nix-daemon") #$@extra-options) @@ -156,7 +171,9 @@ (define nix-service-type (service-extension activation-service-type nix-activation) (service-extension etc-service-type nix-service-etc) (service-extension profile-service-type - (compose list nix-configuration-package)))) + (compose list nix-configuration-package)) + (service-extension file-system-service-type + (const %immutable-nix-store)))) (description "Run the Nix daemon.") (default-value (nix-configuration)))) base-commit: dd03be186adb64bdb77265dfd0ad53fe50ec016e -- 2.41.0
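Review bot: In the hunk that adds %immutable-nix-store, the read-only flag only takes effect if a second remount happens: Linux ignores MS_RDONLY in the mount(2) call that creates a bind mount, so '(read-only bind-mount) yields a read-only view of /nix/store only when the file-system code follows up with a remount using MS_REMOUNT | MS_BIND | MS_RDONLY. Please confirm that (gnu build file-systems) does this for this flag combination, otherwise the store silently stays writable and the comment above the record is misleading. Two smaller points on the same hunk: the mount will fail on a fresh system if /nix/store does not exist yet when file-system-/nix/store starts, so either add (create-mount-point? #t) to the file-system record or note in the comment what guarantees the directory exists before the mount; and the changelog entry lists %nix-store-directory but not %immutable-nix-store, which is also a new variable.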
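Review bot: The requirement hunk changes nix-daemon from having no dependencies at all to requiring both user-processes and file-system-/nix/store, but the commit message only says "Add requirements". The dependency on file-system-/nix/store follows from the new bind mount; please state in the commit message why user-processes is also needed now, so that a reader of the log does not have to guess whether it is a separate fix that was folded into this change.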
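Review bot: The file-system-service-type extension mounts the store read-only unconditionally via (const %immutable-nix-store), so any process other than nix-daemon that writes under /nix/store, for example a user running nix without the daemon, will now fail with a read-only file system error. Please document the read-only mount in the Nix service section of doc/guix.texi so users know where the error comes from, and consider whether the mount should be controlled by a nix-configuration field so that setups which rely on a writable store can opt out.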