Merge pull request #193469 from minijackson/mount-options-stage-1

nixos/stage-1: follow mount options
author: Ryan Lahfa <masterancpp@gmail.com> 2023-05-05 17:05:48 +0200
committer: GitHub <noreply@github.com> 2023-05-05 17:05:48 +0200
commit: 275a6e3d8df942e8eabdaa9e1a239cd79d929006 (patch)
tree: 7218f89c70dc4cff9955f387747e878b6a84d2a2 /nixos/modules/system/boot/stage-1-init.sh
parent: 49cc79c383ae6fdb0b45c90c54671e08b3da724f (diff)
parent: 8f94053a21261c894d408c35821b4efa27255c2f (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/nixos/modules/system/boot/stage-1-init.sh b/nixos/modules/system/boot/stage-1-init.sh
index af57310bda7d9..835788dbbc976 100644
--- a/nixos/modules/system/boot/stage-1-init.sh
+++ b/nixos/modules/system/boot/stage-1-init.sh
@@ -410,6 +410,11 @@ mountFS() {
         n=$((n + 1))
     done
 
+    # For bind mounts, busybox has a tendency to ignore options, which can be a
+    # security issue (e.g. "nosuid"). Remounting the partition seems to fix the
+    # issue.
+    mount "/mnt-root$mountPoint" -o "remount,$optionsPrefixed"
+
     [ "$mountPoint" == "/" ] &&
         [ -f "/mnt-root/etc/NIXOS_LUSTRATE" ] &&
         lustrateRoot "/mnt-root"
author	Ryan Lahfa <masterancpp@gmail.com>	2023-05-05 17:05:48 +0200
committer	GitHub <noreply@github.com>	2023-05-05 17:05:48 +0200
commit	275a6e3d8df942e8eabdaa9e1a239cd79d929006 (patch)
tree	7218f89c70dc4cff9955f387747e878b6a84d2a2 /nixos/modules/system/boot/stage-1-init.sh
parent	49cc79c383ae6fdb0b45c90c54671e08b3da724f (diff)
parent	8f94053a21261c894d408c35821b4efa27255c2f (diff)