lol

wrappers service: make /run/wrappers a mountpoint

Also remove some compatibility code because the directory in question would be
shadowed by a mountpoint anyway.

+12 -17
+11 -16
nixos/modules/security/wrappers/default.nix
··· 3 3 4 4 inherit (config.security) wrapperDir wrappers; 5 5 6 + parentWrapperDir = dirOf wrapperDir; 7 + 6 8 programs = 7 9 (lib.mapAttrsToList 8 10 (n: v: (if v ? "program" then v else v // {program=n;})) ··· 15 17 hardeningEnable = [ "pie" ]; 16 18 installPhase = '' 17 19 mkdir -p $out/bin 18 - parentWrapperDir=$(dirname ${wrapperDir}) 19 - gcc -Wall -O2 -DWRAPPER_DIR=\"$parentWrapperDir\" \ 20 + gcc -Wall -O2 -DWRAPPER_DIR=\"${parentWrapperDir}\" \ 20 21 -lcap-ng -lcap ${./wrapper.c} -o $out/bin/security-wrapper 21 22 ''; 22 23 }; ··· 156 157 157 158 security.wrappers.fusermount.source = "${pkgs.fuse}/bin/fusermount"; 158 159 160 + boot.specialFileSystems.${parentWrapperDir} = { 161 + fsType = "tmpfs"; 162 + options = [ "nodev" ]; 163 + }; 164 + 159 165 # Make sure our wrapperDir exports to the PATH env variable when 160 166 # initializing the shell 161 167 environment.extraInit = '' ··· 183 189 # Remove the old /run/setuid-wrappers-dir path from the 184 190 # system as well... 185 191 # 186 - # TDOO: this is only necessary for ugprades 16.09 => 17.x; 192 + # TODO: this is only necessary for ugprades 16.09 => 17.x; 187 193 # this conditional removal block needs to be removed after 188 194 # the release. 189 195 if [ -d /run/setuid-wrapper-dirs ]; then 190 196 rm -rf /run/setuid-wrapper-dirs 191 197 fi 192 198 193 - # Get the "/run/wrappers" path, we want to place the tmpdirs 194 - # for the wrappers there 195 - parentWrapperDir="$(dirname ${wrapperDir})" 196 - 197 - mkdir -p "$parentWrapperDir" 198 - wrapperDir=$(mktemp --directory --tmpdir="$parentWrapperDir" wrappers.XXXXXXXXXX) 199 + # We want to place the tmpdirs for the wrappers to the parent dir. 
200 + wrapperDir=$(mktemp --directory --tmpdir="${parentWrapperDir}" wrappers.XXXXXXXXXX) 199 201 chmod a+rx $wrapperDir 200 202 201 203 ${lib.concatStringsSep "\n" mkWrappedPrograms} ··· 207 209 ln --symbolic --force --no-dereference $wrapperDir ${wrapperDir}-tmp 208 210 mv --no-target-directory ${wrapperDir}-tmp ${wrapperDir} 209 211 rm --force --recursive $old 210 - elif [ -d ${wrapperDir} ]; then 211 - # Compatibility with old state, just remove the folder and symlink 212 - rm -f ${wrapperDir}/* 213 - # if it happens to be a tmpfs 214 - ${pkgs.utillinux}/bin/umount ${wrapperDir} || true 215 - rm -d ${wrapperDir} 216 - ln -d --symbolic $wrapperDir ${wrapperDir} 217 212 else 218 213 # For initial setup 219 214 ln --symbolic $wrapperDir ${wrapperDir}
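Review bot: The new tmpfs for `${parentWrapperDir}` in the `boot.specialFileSystems` hunk is mounted with only `nodev`, so it keeps tmpfs's default directory mode, which is world-writable with the sticky bit; the `wrappers.XXXXXXXXXX` directories and the `${wrapperDir}` symlink are then created inside a directory every local user can add entries to. Only the activation script needs to write there, so pass an explicit mode as the `/run` entry in tasks/filesystems.nix already does: `options = [ "nodev" "mode=755" ];`. Omitting `nosuid` on this mount is correct, since the setuid wrappers live here and that is what lets `/run` itself gain `nosuid` in the same commit. The `# TODO` comment the commit retouches still reads `ugprades`; `upgrades` would complete the fix. The activation script's enclosing block starts and ends outside the hunk.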
+1 -1
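--- a/nixos/modules/tasks/filesystems.nix
+++ b/nixos/modules/tasks/filesystems.nix
@@ -291,7 +291,7 @@
     # Sync mount options with systemd's src/core/mount-setup.c: mount_table.
     boot.specialFileSystems = {
       "/proc" = { fsType = "proc"; options = [ "nosuid" "noexec" "nodev" ]; };
-      "/run" = { fsType = "tmpfs"; options = [ "nodev" "strictatime" "mode=755" "size=${config.boot.runSize}" ]; };
+      "/run" = { fsType = "tmpfs"; options = [ "nosuid" "nodev" "strictatime" "mode=755" "size=${config.boot.runSize}" ]; };
       "/dev" = { fsType = "devtmpfs"; options = [ "nosuid" "strictatime" "mode=755" "size=${config.boot.devSize}" ]; };
       "/dev/shm" = { fsType = "tmpfs"; options = [ "nosuid" "nodev" "strictatime" "mode=1777" "size=${config.boot.devShmSize}" ]; };
       "/dev/pts" = { fsType = "devpts"; options = [ "nosuid" "noexec" "mode=620" "gid=${toString config.ids.gids.tty}" ]; };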
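Review bot: The `"/run"` entry now carries `nosuid`, but nothing in the file records that this is only safe because the setuid wrappers were moved to their own mount in the same commit; the `# Sync mount options with systemd's ...` comment above does not cover it. I would add, directly above the `"/run"` line: `# nosuid here is intentional: setuid wrappers live on their own mount below /run (see security/wrappers), so no setuid/setgid bit directly under /run is honoured.` Any other module that places a setuid or setgid binary straight under `/run` will silently lose that bit after this change; I cannot tell from this hunk whether one exists.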