diff options
author | Jörg Thalheim <joerg@thalheim.io> | 2020-12-31 09:14:28 +0100 |
---|---|---|
committer | Jörg Thalheim <joerg@thalheim.io> | 2021-07-01 08:01:18 +0200 |
commit | e12188c0f2e01953055f981c7b77f3a934426ef3 (patch) | |
tree | c88c9361e3892c98cce6b91ec9e890c76b3535e4 /nixos/modules/security/systemd-confinement.nix | |
parent | cd687af9f4825f82cb7c77456d6ffdf826a44d31 (diff) | |
download | nixpkgs-e12188c0f2e01953055f981c7b77f3a934426ef3.tar nixpkgs-e12188c0f2e01953055f981c7b77f3a934426ef3.tar.gz nixpkgs-e12188c0f2e01953055f981c7b77f3a934426ef3.tar.bz2 nixpkgs-e12188c0f2e01953055f981c7b77f3a934426ef3.tar.lz nixpkgs-e12188c0f2e01953055f981c7b77f3a934426ef3.tar.xz nixpkgs-e12188c0f2e01953055f981c7b77f3a934426ef3.tar.zst nixpkgs-e12188c0f2e01953055f981c7b77f3a934426ef3.zip |
nixos/systemd-confinment: use /var/empty as chroot mountpoint
bind mounting directories into the nix-store breaks nix commands. In particular it introduces character devices that are not supported by nix-store as valid files in the nix store. Use `/var/empty` instead which is designated for these kind of use cases. We won't create any files beause of the tmpfs mounted.
Diffstat (limited to 'nixos/modules/security/systemd-confinement.nix')
-rw-r--r-- | nixos/modules/security/systemd-confinement.nix | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/nixos/modules/security/systemd-confinement.nix b/nixos/modules/security/systemd-confinement.nix index afb81a2b56b..0a09a755e93 100644 --- a/nixos/modules/security/systemd-confinement.nix +++ b/nixos/modules/security/systemd-confinement.nix @@ -105,7 +105,7 @@ in { wantsAPIVFS = lib.mkDefault (config.confinement.mode == "full-apivfs"); in lib.mkIf config.confinement.enable { serviceConfig = { - RootDirectory = pkgs.runCommand rootName {} "mkdir \"$out\""; + RootDirectory = "/var/empty"; TemporaryFileSystem = "/"; PrivateMounts = lib.mkDefault true; |