lix/src/libutil/immutable.cc

#include "config.h"

#include "immutable.hh"
#include "util.hh"

#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

#if HAVE_LINUX_FS_H
#include <linux/fs.h>
#include <sys/ioctl.h>
#include <errno.h>
#endif

namespace nix {


void changeMutable(const Path & path, bool mut)
{
#if defined(FS_IOC_SETFLAGS) && defined(FS_IOC_GETFLAGS) && defined(FS_IMMUTABLE_FL)

    /* Don't even try if we're not root.  One day we should support
       the CAP_LINUX_IMMUTABLE capability. */
    if (getuid() != 0) return;

    /* The O_NOFOLLOW is important to prevent us from changing the
       mutable bit on the target of a symlink (which would be a
       security hole). */
    AutoCloseFD fd = open(path.c_str(), O_RDONLY | O_NOFOLLOW);
    if (fd == -1) {
        if (errno == ELOOP) return; // it's a symlink
        throw SysError(format("opening file `%1%'") % path);
    }

    unsigned int flags = 0, old;

    /* Silently ignore errors getting/setting the immutable flag so
       that we work correctly on filesystems that don't support it. */
    if (ioctl(fd, FS_IOC_GETFLAGS, &flags)) return;

    old = flags;
    
    if (mut) flags &= ~FS_IMMUTABLE_FL;
    else flags |= FS_IMMUTABLE_FL;

    if (old == flags) return;

    if (ioctl(fd, FS_IOC_SETFLAGS, &flags)) return;
    
#endif
}


void makeImmutable(const Path & path)
{
    changeMutable(path, false);
}


void makeMutable(const Path & path)
{
    changeMutable(path, true);
}


}
On Linux, make the Nix store really read-only by using the immutable bit I was bitten one time too many by Python modifying the Nix store by creating *.pyc files when run as root. On Linux, we can prevent this by setting the immutable bit on files and directories (as in ‘chattr +i’). This isn't supported by all filesystems, so it's not an error if setting the bit fails. The immutable bit is cleared by the garbage collector before deleting a path. The only tricky aspect is in optimiseStore(), since it's forbidden to create hard links to an immutable file. Thus optimiseStore() temporarily clears the immutable bit before creating the link. 2012-02-15 00:31:56 +00:00			`#include "config.h"`

			`#include "immutable.hh"`
			`#include "util.hh"`

			`#include <sys/types.h>`
			`#include <sys/stat.h>`
			`#include <fcntl.h>`

			`#if HAVE_LINUX_FS_H`
			`#include <linux/fs.h>`
			`#include <sys/ioctl.h>`
			`#include <errno.h>`
			`#endif`

			`namespace nix {`


			`void changeMutable(const Path & path, bool mut)`
			`{`
			`#if defined(FS_IOC_SETFLAGS) && defined(FS_IOC_GETFLAGS) && defined(FS_IMMUTABLE_FL)`

			`/* Don't even try if we're not root. One day we should support`
			`the CAP_LINUX_IMMUTABLE capability. */`
			`if (getuid() != 0) return;`

			`/* The O_NOFOLLOW is important to prevent us from changing the`
			`mutable bit on the target of a symlink (which would be a`
			`security hole). */`
			`AutoCloseFD fd = open(path.c_str(), O_RDONLY \| O_NOFOLLOW);`
			`if (fd == -1) {`
			`if (errno == ELOOP) return; // it's a symlink`
			throw SysError(format("opening file `%1%'") % path);
			`}`

			`unsigned int flags = 0, old;`

			`/* Silently ignore errors getting/setting the immutable flag so`
			`that we work correctly on filesystems that don't support it. */`
			`if (ioctl(fd, FS_IOC_GETFLAGS, &flags)) return;`

			`old = flags;`

			`if (mut) flags &= ~FS_IMMUTABLE_FL;`
			`else flags \|= FS_IMMUTABLE_FL;`

			`if (old == flags) return;`

			`if (ioctl(fd, FS_IOC_SETFLAGS, &flags)) return;`

			`#endif`
			`}`


			`void makeImmutable(const Path & path)`
			`{`
			`changeMutable(path, false);`
			`}`


			`void makeMutable(const Path & path)`
			`{`
			`changeMutable(path, true);`
			`}`


			`}`