WIP: Fix missing privilege separation directory: /var/empty #15

Merged
sb10q merged 1 commits from fsagbuya/nix-servo:var into master 2024-08-17 17:37:24 +08:00
2 changed files with 5 additions and 39 deletions


@ -9,19 +9,13 @@
let
pkgs = import nixpkgs { system = "x86_64-linux"; };
patched-not-os = let
remote-patches = [
{
# Zynq image various fixes and cleanup
url = "https://patch-diff.githubusercontent.com/raw/cleverca22/not-os/pull/28.patch";
sha256 = "sha256-EnYb95QfwHmUHfbCT9tL291mC8Tze0Koadb11arvTDY=";
}
];
local-patches = [ ./not-os.patch ];
in pkgs.applyPatches {
patched-not-os = pkgs.applyPatches {
name = "not-os-patched";
src = not-os;
patches = map pkgs.fetchpatch remote-patches ++ local-patches;
patches = [
./pr-28.patch
./pr-29.patch
];
};
gnu-platform = "arm-none-eabi";
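Review bot: The two vendored entries in the new `patches = [ ./pr-28.patch ./pr-29.patch ];` list carry no provenance, whereas the removed `fetchpatch` entry had a URL, a pinned sha256 and a description. I would put a comment above each entry naming its upstream source, for example `# Zynq image various fixes and cleanup: https://patch-diff.githubusercontent.com/raw/cleverca22/not-os/pull/28.patch`, so a reviewer can diff the local copy against upstream. Neither patch file is among the two changed files on this page, so presumably both are already tracked in the tree; that is worth confirming, since the build depends on them. The file deleted in the other section (apparently `./not-os.patch`) forced /var/empty to be empty, root-owned, mode 0555 and immutable. Whichever patch now supplies that directory should be checked to keep those properties, because a privilege-separation directory is only safe if unprivileged users cannot write to it.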


@ -1,28 +0,0 @@
diff --git a/base.nix b/base.nix
index 7eaee32..b5a61ee 100644
--- a/base.nix
+++ b/base.nix
@@ -155,7 +155,23 @@ with lib;
# dummy to make setup-etc happy
'';
system.activationScripts.etc = stringAfter [ "users" "groups" ] config.system.build.etcActivationCommands;
+ # Re-apply deprecated var value due to systemd preference in recent nixpkgs
+ # See https://github.com/NixOS/nixpkgs/commit/59e37267556eb917146ca3110ab7c96905b9ffbd
+ system.activationScripts.var = lib.mkForce ''
+ # Various log/runtime directories.
+ mkdir -p /var/tmp
+ chmod 1777 /var/tmp
+
+ # Empty, immutable home directory of many system accounts.
+ mkdir -p /var/empty
+ # Make sure it's really empty
+ ${pkgs.e2fsprogs}/bin/chattr -f -i /var/empty || true
+ find /var/empty -mindepth 1 -delete
+ chmod 0555 /var/empty
+ chown root:root /var/empty
+ ${pkgs.e2fsprogs}/bin/chattr -f +i /var/empty || true
+ '';
# nix-build -A system.build.toplevel && du -h $(nix-store -qR result) --max=0 -BM|sort -n
system.build.toplevel = pkgs.runCommand "not-os" {
activationScript = config.system.activationScripts.script;