nixos/etc-overlay: mount etc with nodev,nosuid

2025-06-12 04:35:41 +03:00 · 2025-03-25 11:26:06 +01:00 · 2025-03-25 11:26:06 +01:00 · a2f3516c24
commit a2f3516c24
parent e235177a38
2 changed files with 10 additions and 8 deletions
--- a/nixos/modules/system/etc/etc-activation.nix
+++ b/nixos/modules/system/etc/etc-activation.nix
@ -52,7 +52,7 @@
            where = "/run/nixos-etc-metadata";
            what = "/etc-metadata-image";
            type = "erofs";
-            options = "loop,ro";
+            options = "loop,ro,nodev,nosuid";
            unitConfig = {
              # Since this unit depends on the nix store being mounted, it cannot
              # be a dependency of local-fs.target, because if it did, we'd have
@ -81,6 +81,8 @@
            type = "overlay";
            options = lib.concatStringsSep "," (
              [
+                "nodev"
+                "nosuid"
                "relatime"
                "redirect_dir=on"
                "metacopy=on"
--- a/nixos/modules/system/etc/etc.nix
+++ b/nixos/modules/system/etc/etc.nix
@ -285,23 +285,23 @@ in
            ''}

            tmpMetadataMount=$(TMPDIR="/run" mktemp --directory -t nixos-etc-metadata.XXXXXXXXXX)
-            mount --type erofs -o ro ${config.system.build.etcMetadataImage} $tmpMetadataMount
+            mount --type erofs --options ro,nodev,nosuid ${config.system.build.etcMetadataImage} $tmpMetadataMount

            # There was no previous /etc mounted. This happens when we're called
            # directly without an initrd, like with nixos-enter.
            if ! mountpoint -q /etc; then
-              mount --type overlay overlay \
-                --options lowerdir=$tmpMetadataMount::${config.system.build.etcBasedir},${etcOverlayOptions} \
-                /etc
+              mount --type overlay \
+                --options nodev,nosuid,lowerdir=$tmpMetadataMount::${config.system.build.etcBasedir},${etcOverlayOptions} \
+                overlay /etc
            else
              # Mount the new /etc overlay to a temporary private mount.
              # This needs the indirection via a private bind mount because you
              # cannot move shared mounts.
              tmpEtcMount=$(TMPDIR="/run" mktemp --directory -t nixos-etc.XXXXXXXXXX)
              mount --bind --make-private $tmpEtcMount $tmpEtcMount
-              mount --type overlay overlay \
-                --options lowerdir=$tmpMetadataMount::${config.system.build.etcBasedir},${etcOverlayOptions} \
-                $tmpEtcMount
+              mount --type overlay \
+                --options nodev,nosuid,lowerdir=$tmpMetadataMount::${config.system.build.etcBasedir},${etcOverlayOptions} \
+                overlay $tmpEtcMount

              # Before moving the new /etc overlay under the old /etc, we have to
              # move mounts on top of /etc to the new /etc mountpoint.