| author | Eelco Dolstra <e.dolstra@tudelft.nl> | 2012-02-15 01:31:56 +0100 |
|---|---|---|
| committer | Eelco Dolstra <e.dolstra@tudelft.nl> | 2012-02-15 01:31:56 +0100 |
| commit | bd013b6f987c23c3b99b639ba7cdbc7b694a13f5 (patch) | |
| tree | b1726c5b26371a9ee0666ab0b6aff9b1df5755c5 /src/libutil/immutable.hh | |
| parent | 5e57047d874e0f01dcb3bbc8b809fcc1aa82755b (diff) | |
On Linux, make the Nix store really read-only by using the immutable bit
I was bitten one time too many by Python modifying the Nix store by
creating *.pyc files when run as root. On Linux, we can prevent this
by setting the immutable bit on files and directories (as in ‘chattr
+i’). This isn't supported by all filesystems, so it's not an error
if setting the bit fails. The immutable bit is cleared by the garbage
collector before deleting a path. The only tricky aspect is in
optimiseStore(), since it's forbidden to create hard links to an
immutable file. Thus optimiseStore() temporarily clears the immutable
bit before creating the link.
Diffstat (limited to 'src/libutil/immutable.hh')
-rw-r--r-- | src/libutil/immutable.hh | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/src/libutil/immutable.hh b/src/libutil/immutable.hh new file mode 100644 index 000000000..5a42a4610 --- /dev/null +++ b/src/libutil/immutable.hh @@ -0,0 +1,19 @@ +#ifndef __IMMUTABLE_H +#define __IMMUTABLE_H + +#include <types.hh> + +namespace nix { + +/* Make the given path immutable, i.e., prevent it from being modified + in any way, even by root. This is a no-op on platforms that do not + support this, or if the calling user is not privileged. On Linux, + this is implemented by doing the equivalent of ‘chattr +i path’. */ +void makeImmutable(const Path & path); + +/* Make the given path mutable. */ +void makeMutable(const Path & path); + +} + +#endif /* !__IMMUTABLE_H */ |
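Review bot: makeImmutable() and makeMutable() are declared `void` even though the comment says makeImmutable() silently becomes a no-op on unsupported filesystems or for unprivileged callers, so a caller such as optimiseStore() or the garbage collector has no way to tell whether the store path actually received the protection this commit relies on; returning `bool` (true when the bit was set or cleared, false when the operation was skipped) would let callers log or assert on the outcome instead of assuming the store is read-only. Two smaller points in the same hunk: the guard `__IMMUTABLE_H` begins with a double underscore, which is reserved for the implementation in C++, so a name like `NIX_IMMUTABLE_H` avoids a potential clash; and "prevent it from being modified in any way, even by root" overstates the guarantee, since a root process holding CAP_LINUX_IMMUTABLE can clear the bit with the equivalent of `chattr -i`, so the comment should say it guards against accidental writes by privileged processes rather than against all modification.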