authorEelco Dolstra <eelco.dolstra@logicblox.com>2012-09-25 16:33:21 -0400
committerEelco Dolstra <eelco.dolstra@logicblox.com>2012-09-25 16:33:21 -0400
commita139fa14b1764862f5b47eebb0a355da2c0300a1 (patch)
tree9ff553e3ed1e0cd4ec85167fae6f65b357a0b564
parentfcebb3f3cde263879d4ea99470ec637e84d4da82 (diff)
Optionally make the Nix store read-only to enforce immutability
This will be the default once Nix 1.2 is released.
-rw-r--r--modules/services/misc/nix-daemon.nix11
-rw-r--r--modules/system/boot/stage-2-init.sh11
-rw-r--r--modules/system/boot/stage-2.nix1
3 files changed, 23 insertions, 0 deletions
diff --git a/modules/services/misc/nix-daemon.nix b/modules/services/misc/nix-daemon.nix
index cf2d0f52d86..7e52686f32f 100644
--- a/modules/services/misc/nix-daemon.nix
+++ b/modules/services/misc/nix-daemon.nix
@@ -183,6 +183,17 @@ in
           you should increase this value.
         '';
       };
+
+      readOnlyStore = mkOption {
+        default = false;
+        description = ''
+          If set, NixOS will enforce the immutability of the Nix store
+          by making <filename>/nix/store</filename> a read-only bind
+          mount.  Nix will automatically make the store writable when
+          needed.
+        '';
+      };
+
     };
   };
 
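Review bot: The new `readOnlyStore` option declares no `type`, so a non-boolean value is accepted by the module system and only surfaces, or silently passes, when it reaches the `@readOnlyStore@` substitution in stage-2-init.sh; add `type = types.bool;` next to `default = false;` (assuming `types` is in scope in this module as for the sibling options, which is not visible in the hunk). The description also promises that Nix makes the store writable when needed, which per the commit message holds only from Nix 1.2 on; with an older daemon, enabling this leaves builds and nix-env unable to write to /nix/store. I would extend the description with `Requires Nix 1.2 or later; with an older Nix, builds and nix-env operations will fail because the store cannot be written.` The enclosing options attribute set starts and ends outside the hunk.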
diff --git a/modules/system/boot/stage-2-init.sh b/modules/system/boot/stage-2-init.sh
index f1eb73a8f88..3aab7a59504 100644
--- a/modules/system/boot/stage-2-init.sh
+++ b/modules/system/boot/stage-2-init.sh
@@ -41,6 +41,17 @@ if [ ! -e /proc/1 ]; then
 fi
 
 
+# Make /nix/store a read-only bind mount to enforce immutability of
+# the Nix store.
+if [ -n "@readOnlyStore@" ]; then
+    if ! mountpoint /nix/store; then
+        mkdir -p /nix/rw-store
+        mount --bind /nix/store /nix/store
+        mount -o remount,ro,bind /nix/store
+    fi
+fi
+
+
 # Provide a /etc/mtab.
 mkdir -m 0755 -p /etc
 test -e /etc/fstab || touch /etc/fstab # to shut up mount
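Review bot: The `! mountpoint /nix/store` guard skips the read-only bind mount whenever /nix/store is already a mountpoint — e.g. a separate /nix partition mounted by stage 1 — so on exactly those systems the option is enabled but the store stays writable with no message. The guard should test for the `ro` mount option rather than for a mountpoint, e.g. `if ! awk '$2 == "/nix/store" && $4 ~ /(^|,)ro(,|$)/ { f = 1 } END { exit !f }' /proc/mounts; then` (assuming awk is on stage 2's PATH, which is not visible here); as written, `mountpoint` without `-q` also prints its verdict to the console on every boot. `mkdir -p /nix/rw-store` is not referenced by anything in this hunk and looks like a leftover; drop it or document what consumes it. The block also deserves a scope comment, since a read-only bind mount only prevents accidental writes — root can `mount -o remount,rw,bind /nix/store` or reach the backing filesystem through another mount — so it is not a security boundary: `# Note: this only guards against accidental writes; root can remount rw.`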
diff --git a/modules/system/boot/stage-2.nix b/modules/system/boot/stage-2.nix
index e187219cbd8..3569cfa8113 100644
--- a/modules/system/boot/stage-2.nix
+++ b/modules/system/boot/stage-2.nix
@@ -60,6 +60,7 @@ let
     shellDebug = "${pkgs.bashInteractive}/bin/bash";
     isExecutable = true;
     inherit (config.boot) devShmSize runSize cleanTmpDir;
+    inherit (config.nix) readOnlyStore;
     ttyGid = config.ids.gids.tty;
     path =
       [ pkgs.coreutils