Optionally make the Nix store read-only to enforce immutability

This will be the default once Nix 1.2 is released.
12 years ago · a139fa14b1
parent fcebb3f3cd
commit a139fa14b1
3 changed files with 23 additions and 0 deletions
--- a/modules/services/misc/nix-daemon.nix
+++ b/modules/services/misc/nix-daemon.nix
@ -183,6 +183,17 @@ in
          you should increase this value.
        '';
      };
+
+      readOnlyStore = mkOption {
+        default = false;
+        description = ''
+          If set, NixOS will enforce the immutability of the Nix store
+          by making <filename>/nix/store</filename> a read-only bind
+          mount.  Nix will automatically make the store writable when
+          needed.
+        '';
+      };
+
    };
  };

--- a/modules/system/boot/stage-2-init.sh
+++ b/modules/system/boot/stage-2-init.sh
@ -41,6 +41,17 @@ if [ ! -e /proc/1 ]; then
 fi


+# Make /nix/store a read-only bind mount to enforce immutability of
+# the Nix store.
+if [ -n "@readOnlyStore@" ]; then
+    if ! mountpoint /nix/store; then
+        mkdir -p /nix/rw-store
+        mount --bind /nix/store /nix/store
+        mount -o remount,ro,bind /nix/store
+    fi
+fi
+
+
 # Provide a /etc/mtab.
 mkdir -m 0755 -p /etc
 test -e /etc/fstab || touch /etc/fstab # to shut up mount
--- a/modules/system/boot/stage-2.nix
+++ b/modules/system/boot/stage-2.nix
@ -60,6 +60,7 @@ let
    shellDebug = "${pkgs.bashInteractive}/bin/bash";
    isExecutable = true;
    inherit (config.boot) devShmSize runSize cleanTmpDir;
+    inherit (config.nix) readOnlyStore;
    ttyGid = config.ids.gids.tty;
    path =
      [ pkgs.coreutils