movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-17 06:59:46 +03:00
Code Issues Projects Releases Packages Wiki Activity

nixos/etc-overlay: mount etc with nodev,nosuid

Browse source
This commit is contained in:
r-vdp 2025-03-25 11:26:06 +01:00
parent e235177a38
commit a2f3516c24
No known key found for this signature in database
2 changed files with 10 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

4
nixos/modules/system/etc/etc-activation.nix
View file

@ -52,7 +52,7 @@
where = "/run/nixos-etc-metadata"; where = "/run/nixos-etc-metadata";
what = "/etc-metadata-image"; what = "/etc-metadata-image";
type = "erofs"; type = "erofs";
options = "loop,ro"; options = "loop,ro,nodev,nosuid";
unitConfig = { unitConfig = {
# Since this unit depends on the nix store being mounted, it cannot # Since this unit depends on the nix store being mounted, it cannot
# be a dependency of local-fs.target, because if it did, we'd have # be a dependency of local-fs.target, because if it did, we'd have
@ -81,6 +81,8 @@
type = "overlay"; type = "overlay";
options = lib.concatStringsSep "," ( options = lib.concatStringsSep "," (
[ [
"nodev"
"nosuid"
"relatime" "relatime"
"redirect_dir=on" "redirect_dir=on"
"metacopy=on" "metacopy=on"

14
nixos/modules/system/etc/etc.nix
View file

@ -285,23 +285,23 @@ in
''} ''}
tmpMetadataMount=$(TMPDIR="/run" mktemp --directory -t nixos-etc-metadata.XXXXXXXXXX) tmpMetadataMount=$(TMPDIR="/run" mktemp --directory -t nixos-etc-metadata.XXXXXXXXXX)
mount --type erofs -o ro ${config.system.build.etcMetadataImage} $tmpMetadataMount mount --type erofs --options ro,nodev,nosuid ${config.system.build.etcMetadataImage} $tmpMetadataMount
# There was no previous /etc mounted. This happens when we're called # There was no previous /etc mounted. This happens when we're called
# directly without an initrd, like with nixos-enter. # directly without an initrd, like with nixos-enter.
if ! mountpoint -q /etc; then if ! mountpoint -q /etc; then
mount --type overlay overlay \ mount --type overlay \
--options lowerdir=$tmpMetadataMount::${config.system.build.etcBasedir},${etcOverlayOptions} \ --options nodev,nosuid,lowerdir=$tmpMetadataMount::${config.system.build.etcBasedir},${etcOverlayOptions} \
/etc overlay /etc
else else
# Mount the new /etc overlay to a temporary private mount. # Mount the new /etc overlay to a temporary private mount.
# This needs the indirection via a private bind mount because you # This needs the indirection via a private bind mount because you
# cannot move shared mounts. # cannot move shared mounts.
tmpEtcMount=$(TMPDIR="/run" mktemp --directory -t nixos-etc.XXXXXXXXXX) tmpEtcMount=$(TMPDIR="/run" mktemp --directory -t nixos-etc.XXXXXXXXXX)
mount --bind --make-private $tmpEtcMount $tmpEtcMount mount --bind --make-private $tmpEtcMount $tmpEtcMount
mount --type overlay overlay \ mount --type overlay \
--options lowerdir=$tmpMetadataMount::${config.system.build.etcBasedir},${etcOverlayOptions} \ --options nodev,nosuid,lowerdir=$tmpMetadataMount::${config.system.build.etcBasedir},${etcOverlayOptions} \
$tmpEtcMount overlay $tmpEtcMount
# Before moving the new /etc overlay under the old /etc, we have to # Before moving the new /etc overlay under the old /etc, we have to
# move mounts on top of /etc to the new /etc mountpoint. # move mounts on top of /etc to the new /etc mountpoint.