diff options
author | Ludovic Courtès <ludo@gnu.org> | 2015-04-20 22:21:51 +0200 |
---|---|---|
committer | Ludovic Courtès <ludo@gnu.org> | 2015-04-20 22:21:51 +0200 |
commit | 3392ce5d606be84c07624e0626b99e410449639f (patch) | |
tree | 7e7d739c3019463a479e4c85e5ebc99fc9b3b204 /gnu/system | |
parent | b86fee7848f964da4d5e695dc8027d95d40a1c77 (diff) | |
download | gnu-guix-3392ce5d606be84c07624e0626b99e410449639f.tar gnu-guix-3392ce5d606be84c07624e0626b99e410449639f.tar.gz |
system: Make /gnu/store a read-only bind mount by default.
* gnu/system/file-systems.scm (%immutable-store): New variable.
(%base-file-systems): Add it.
* doc/guix.texi (File Systems): Document it.
Diffstat (limited to 'gnu/system')
-rw-r--r-- | gnu/system/file-systems.scm | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/gnu/system/file-systems.scm b/gnu/system/file-systems.scm index 4760821840..db861baed2 100644 --- a/gnu/system/file-systems.scm +++ b/gnu/system/file-systems.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2013, 2014 Ludovic Courtès <ludo@gnu.org> +;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org> ;;; ;;; This file is part of GNU Guix. ;;; @@ -19,6 +19,7 @@ (define-module (gnu system file-systems) #:use-module (guix gexp) #:use-module (guix records) + #:use-module (guix store) #:export (<file-system> file-system file-system? @@ -37,6 +38,7 @@ %shared-memory-file-system %pseudo-terminal-file-system %devtmpfs-file-system + %immutable-store %base-file-systems @@ -139,12 +141,24 @@ file system." (options "size=50%") ;TODO: make size configurable (create-mount-point? #t))) +(define %immutable-store + ;; Read-only store to avoid users or daemons accidentally modifying it. + ;; 'guix-daemon' has provisions to remount it read-write in its own name + ;; space. + (file-system + (device (%store-prefix)) + (mount-point (%store-prefix)) + (type "none") + (check? #f) + (flags '(read-only bind-mount)))) + (define %base-file-systems ;; List of basic file systems to be mounted. Note that /proc and /sys are ;; currently mounted by the initrd. (list %devtmpfs-file-system %pseudo-terminal-file-system - %shared-memory-file-system)) + %shared-memory-file-system + %immutable-store)) |