maurice/snix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

On Linux, make the Nix store really read-only by using the immutable bit

Browse source 
I was bitten one time too many by Python modifying the Nix store by
creating *.pyc files when run as root.  On Linux, we can prevent this
by setting the immutable bit on files and directories (as in ‘chattr
+i’).  This isn't supported by all filesystems, so it's not an error
if setting the bit fails.  The immutable bit is cleared by the garbage
collector before deleting a path.  The only tricky aspect is in
optimiseStore(), since it's forbidden to create hard links to an
immutable file.  Thus optimiseStore() temporarily clears the immutable
bit before creating the link.
This commit is contained in:
Eelco Dolstra 2012-02-15 01:31:56 +01:00
parent 5e57047d87
commit bd013b6f98
7 changed files with 130 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

7
src/libstore/local-store.cc
View file

@ -5,6 +5,7 @@
#include "pathlocks.hh"
#include "worker-protocol.hh"
#include "derivations.hh"
#include "immutable.hh"
#include <iostream>
#include <algorithm>
@ -405,6 +406,10 @@ void canonicalisePathMetaData(const Path & path, bool recurse)
if (lstat(path.c_str(), &st))
throw SysError(format("getting attributes of path `%1%'") % path);
/* Really make sure that the path is of a supported type. This
has already been checked in dumpPath(). */
assert(S_ISREG(st.st_mode) || S_ISDIR(st.st_mode) || S_ISLNK(st.st_mode));
/* Change ownership to the current uid. If it's a symlink, use
lchown if available, otherwise don't bother. Wrong ownership
of a symlink doesn't matter, since the owning user can't change
@ -451,6 +456,8 @@ void canonicalisePathMetaData(const Path & path, bool recurse)
foreach (Strings::iterator, i, names)
canonicalisePathMetaData(path + "/" + *i, true);
}
makeImmutable(path);
}

26
src/libstore/optimise-store.cc
View file

@ -1,5 +1,6 @@
#include "util.hh"
#include "local-store.hh"
#include "immutable.hh"
#include <sys/types.h>
#include <sys/stat.h>
@ -19,6 +20,7 @@ static void makeWritable(const Path & path)
struct stat st;
if (lstat(path.c_str(), &st))
throw SysError(format("getting attributes of path `%1%'") % path);
if (S_ISDIR(st.st_mode) || S_ISREG(st.st_mode)) makeMutable(path);
if (chmod(path.c_str(), st.st_mode | S_IWUSR) == -1)
throw SysError(format("changing writability of `%1%'") % path);
}
@ -31,6 +33,8 @@ struct MakeReadOnly
~MakeReadOnly()
{
try {
/* This will make the path read-only (and restore the
immutable bit on platforms that support it). */
if (path != "") canonicalisePathMetaData(path, false);
} catch (...) {
ignoreException();
@ -39,6 +43,14 @@ struct MakeReadOnly
};
struct MakeImmutable
{
Path path;
MakeImmutable(const Path & path) : path(path) { }
~MakeImmutable() { makeImmutable(path); }
};
static void hashAndLink(bool dryRun, HashToPath & hashToPath,
OptimiseStats & stats, const Path & path)
{
@ -96,14 +108,24 @@ static void hashAndLink(bool dryRun, HashToPath & hashToPath,
/* Make the containing directory writable, but only if
it's not the store itself (we don't want or need to
mess with its permissions). */
mess with its permissions). */
bool mustToggle = !isStorePath(path);
if (mustToggle) makeWritable(dirOf(path));
/* When we're done, make the directory read-only again and
reset its timestamp back to 0. */
MakeReadOnly makeReadOnly(mustToggle ? dirOf(path) : "");
/* If prevPath is immutable, we can't create hard links
to it, so make it mutable first (and make it immutable
again when we're done). We also have to make path
mutable, otherwise rename() will fail to delete it. */
makeMutable(prevPath.first);
MakeImmutable mk1(prevPath.first);
makeMutable(path);
MakeImmutable mk2(path);
if (link(prevPath.first.c_str(), tempLink.c_str()) == -1) {
if (errno == EMLINK) {
/* Too many links to the same file (>= 32000 on