diff options
| author | Ryan Lahfa <masterancpp@gmail.com> | 2023-05-05 17:05:48 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-05-05 17:05:48 +0200 |
| commit | 275a6e3d8df942e8eabdaa9e1a239cd79d929006 (patch) | |
| tree | 7218f89c70dc4cff9955f387747e878b6a84d2a2 /nixos | |
| parent | 49cc79c383ae6fdb0b45c90c54671e08b3da724f (diff) | |
| parent | 8f94053a21261c894d408c35821b4efa27255c2f (diff) | |
Merge pull request #193469 from minijackson/mount-options-stage-1
nixos/stage-1: follow mount options
Diffstat (limited to 'nixos')
| -rw-r--r-- | nixos/modules/system/boot/stage-1-init.sh | 5 | ||||
| -rw-r--r-- | nixos/tests/all-tests.nix | 1 | ||||
| -rw-r--r-- | nixos/tests/early-mount-options.nix | 19 |
3 files changed, 25 insertions, 0 deletions
diff --git a/nixos/modules/system/boot/stage-1-init.sh b/nixos/modules/system/boot/stage-1-init.sh index af57310bda7d9..835788dbbc976 100644 --- a/nixos/modules/system/boot/stage-1-init.sh +++ b/nixos/modules/system/boot/stage-1-init.sh @@ -410,6 +410,11 @@ mountFS() { n=$((n + 1)) done + # For bind mounts, busybox has a tendency to ignore options, which can be a + # security issue (e.g. "nosuid"). Remounting the partition seems to fix the + # issue. + mount "/mnt-root$mountPoint" -o "remount,$optionsPrefixed" + [ "$mountPoint" == "/" ] && [ -f "/mnt-root/etc/NIXOS_LUSTRATE" ] && lustrateRoot "/mnt-root" diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 461678cdefe2a..9acb2dc7a45bd 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -206,6 +206,7 @@ in { dovecot = handleTest ./dovecot.nix {}; drbd = handleTest ./drbd.nix {}; earlyoom = handleTestOn ["x86_64-linux"] ./earlyoom.nix {}; + early-mount-options = handleTest ./early-mount-options.nix {}; ec2-config = (handleTestOn ["x86_64-linux"] ./ec2.nix {}).boot-ec2-config or {}; ec2-nixops = (handleTestOn ["x86_64-linux"] ./ec2.nix {}).boot-ec2-nixops or {}; ecryptfs = handleTest ./ecryptfs.nix {}; diff --git a/nixos/tests/early-mount-options.nix b/nixos/tests/early-mount-options.nix new file mode 100644 index 0000000000000..8be318ae13bca --- /dev/null +++ b/nixos/tests/early-mount-options.nix @@ -0,0 +1,19 @@ +# Test for https://github.com/NixOS/nixpkgs/pull/193469 +import ./make-test-python.nix { + name = "early-mount-options"; + + nodes.machine = { + virtualisation.fileSystems."/var" = { + options = [ "bind" "nosuid" "nodev" "noexec" ]; + device = "/var"; + }; + }; + + testScript = '' + machine.wait_for_unit("multi-user.target") + + var_mount_info = machine.succeed("findmnt /var -n -o OPTIONS") + options = var_mount_info.strip().split(",") + assert "nosuid" in options and "nodev" in options and "noexec" in options + ''; +} |