summary refs log tree commit diff
path: root/gnu/system/file-systems.scm
diff options
context:
space:
mode:
authorLudovic Courtès <ludo@gnu.org>2015-04-20 22:21:51 +0200
committerLudovic Courtès <ludo@gnu.org>2015-04-20 22:21:51 +0200
commit3392ce5d606be84c07624e0626b99e410449639f (patch)
tree7e7d739c3019463a479e4c85e5ebc99fc9b3b204 /gnu/system/file-systems.scm
parentb86fee7848f964da4d5e695dc8027d95d40a1c77 (diff)
downloadguix-3392ce5d606be84c07624e0626b99e410449639f.tar.gz
system: Make /gnu/store a read-only bind mount by default.
* gnu/system/file-systems.scm (%immutable-store): New variable.
  (%base-file-systems): Add it.
* doc/guix.texi (File Systems): Document it.
Diffstat (limited to 'gnu/system/file-systems.scm')
-rw-r--r--gnu/system/file-systems.scm18
1 files changed, 16 insertions, 2 deletions
diff --git a/gnu/system/file-systems.scm b/gnu/system/file-systems.scm
index 4760821840..db861baed2 100644
--- a/gnu/system/file-systems.scm
+++ b/gnu/system/file-systems.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -19,6 +19,7 @@
 (define-module (gnu system file-systems)
   #:use-module (guix gexp)
   #:use-module (guix records)
+  #:use-module (guix store)
   #:export (<file-system>
             file-system
             file-system?
@@ -37,6 +38,7 @@
             %shared-memory-file-system
             %pseudo-terminal-file-system
             %devtmpfs-file-system
+            %immutable-store
 
             %base-file-systems
 
@@ -139,12 +141,24 @@ file system."
     (options "size=50%")                         ;TODO: make size configurable
     (create-mount-point? #t)))
 
+(define %immutable-store
+  ;; Read-only store to avoid users or daemons accidentally modifying it.
+  ;; 'guix-daemon' has provisions to remount it read-write in its own name
+  ;; space.
+  (file-system
+    (device (%store-prefix))
+    (mount-point (%store-prefix))
+    (type "none")
+    (check? #f)
+    (flags '(read-only bind-mount))))
+
 (define %base-file-systems
   ;; List of basic file systems to be mounted.  Note that /proc and /sys are
   ;; currently mounted by the initrd.
   (list %devtmpfs-file-system
         %pseudo-terminal-file-system
-        %shared-memory-file-system))
+        %shared-memory-file-system
+        %immutable-store))