author | Will Fancher <elvishjerricco@gmail.com> | 2022-08-26 13:25:31 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-08-26 13:25:31 -0400 |
commit | 037cf37ad256a22b0dd7605dec18b1959dac42b4 (patch) | |
tree | 9dc2da88851b14dcbb739efe9e5228da33d2a709 /nixos/modules/system | |
parent | facb0429745fe209dd4b8724fe9d7f31b6780684 (diff) | |
parent | a454a706b584fa5c6583ecd8071b662caaedd9ca (diff) | |
Merge pull request #185085 from ElvishJerricco/shutdown-ramfs-protection
shutdown: Protect system from make-initrd-ng
Diffstat (limited to 'nixos/modules/system')
-rw-r--r-- | nixos/modules/system/boot/systemd/shutdown.nix | 22 |
1 files changed, 13 insertions, 9 deletions
diff --git a/nixos/modules/system/boot/systemd/shutdown.nix b/nixos/modules/system/boot/systemd/shutdown.nix
index cb257dce6f0..5b190700c5d 100644
--- a/nixos/modules/system/boot/systemd/shutdown.nix
+++ b/nixos/modules/system/boot/systemd/shutdown.nix
@@ -33,26 +33,30 @@ in {
   systemd.shutdownRamfs.contents."/shutdown".source = "${config.systemd.package}/lib/systemd/systemd-shutdown";
   systemd.shutdownRamfs.storePaths = [pkgs.runtimeShell "${pkgs.coreutils}/bin"];
+  systemd.mounts = [{
+    what = "tmpfs";
+    where = "/run/initramfs";
+    type = "tmpfs";
+  }];
+
   systemd.services.generate-shutdown-ramfs = {
     description = "Generate shutdown ramfs";
     wantedBy = [ "shutdown.target" ];
     before = [ "shutdown.target" ];
     unitConfig = {
       DefaultDependencies = false;
+      RequiresMountsFor = "/run/initramfs";
       ConditionFileIsExecutable = [ "!/run/initramfs/shutdown" ];
     };
-    path = [pkgs.util-linux pkgs.makeInitrdNGTool];
-    serviceConfig.Type = "oneshot";
-    script = ''
-      mkdir -p /run/initramfs
-      if ! mountpoint -q /run/initramfs; then
-        mount -t tmpfs tmpfs /run/initramfs
-      fi
-      make-initrd-ng ${ramfsContents} /run/initramfs
-    '';
+    serviceConfig = {
+      Type = "oneshot";
+      ProtectSystem = "strict";
+      ReadWritePaths = "/run/initramfs";
+      ExecStart = "${pkgs.makeInitrdNGTool}/bin/make-initrd-ng ${ramfsContents} /run/initramfs";
+    };
   };
 };
 }
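Review bot: The new `systemd.mounts` entry for `/run/initramfs` sets `what`, `where` and `type` but no `options`, so the tmpfs root keeps the kernel default permissions (1777 when no `mode=` is passed), which is wider than needed for the directory whose `shutdown` executable systemd hands control to at the end of shutdown; the old `mount -t tmpfs tmpfs /run/initramfs` line had the same gap, but now that the mount is declared as a unit it is the natural place to fix it, e.g. `options = [ "mode=0755" ];` inside the mount attrset (unless make-initrd-ng is known to tighten the directory mode itself). Pairing `ProtectSystem = "strict"` with `ReadWritePaths = "/run/initramfs"` is a good tightening, and `RequiresMountsFor` correctly replaces the dropped `mkdir -p`/`mountpoint` dance, since under `strict` the service could not create the directory itself; a one-line comment above `RequiresMountsFor` saying `# the tmpfs must be mounted before ExecStart; ProtectSystem=strict leaves only /run/initramfs writable` would save the next reader from re-deriving that. The enclosing `config` attrset begins outside the hunk.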