From a454a706b584fa5c6583ecd8071b662caaedd9ca Mon Sep 17 00:00:00 2001
From: Will Fancher
Date: Wed, 3 Aug 2022 20:46:04 -0400
Subject: [PATCH] shutdown: Protect system from make-initrd-ng

---
 .../modules/system/boot/systemd/shutdown.nix | 22 +++++++++++--------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/nixos/modules/system/boot/systemd/shutdown.nix b/nixos/modules/system/boot/systemd/shutdown.nix
index cb257dce6f04..5b190700c5d5 100644
--- a/nixos/modules/system/boot/systemd/shutdown.nix
+++ b/nixos/modules/system/boot/systemd/shutdown.nix
@@ -33,26 +33,30 @@ in {
 systemd.shutdownRamfs.contents."/shutdown".source = "${config.systemd.package}/lib/systemd/systemd-shutdown";
 systemd.shutdownRamfs.storePaths = [pkgs.runtimeShell "${pkgs.coreutils}/bin"];
+ systemd.mounts = [{
+ what = "tmpfs";
+ where = "/run/initramfs";
+ type = "tmpfs";
+ }];
+
 systemd.services.generate-shutdown-ramfs = {
 description = "Generate shutdown ramfs";
 wantedBy = [ "shutdown.target" ];
 before = [ "shutdown.target" ];
 unitConfig = {
 DefaultDependencies = false;
+ RequiresMountsFor = "/run/initramfs";
 ConditionFileIsExecutable = [ "!/run/initramfs/shutdown" ];
 };
- path = [pkgs.util-linux pkgs.makeInitrdNGTool];
- serviceConfig.Type = "oneshot";
- script = ''
- mkdir -p /run/initramfs
- if ! mountpoint -q /run/initramfs; then
- mount -t tmpfs tmpfs /run/initramfs
- fi
- make-initrd-ng ${ramfsContents} /run/initramfs
- '';
+ serviceConfig = {
+ Type = "oneshot";
+ ProtectSystem = "strict";
+ ReadWritePaths = "/run/initramfs";
+ ExecStart = "${pkgs.makeInitrdNGTool}/bin/make-initrd-ng ${ramfsContents} /run/initramfs";
+ };
 };
 };
 }
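Review bot: The new `systemd.mounts` entry for /run/initramfs sets no `options`, so the tmpfs is created with the kernel's default root-directory mode (1777, world-writable with the sticky bit), even though this directory is what systemd-shutdown later switches into to run `/shutdown` as PID 1, and the service's `ConditionFileIsExecutable = [ "!/run/initramfs/shutdown" ]` skips regeneration whenever an executable file is already present. The old script's bare `mount -t tmpfs` had the same default, so this is not a regression, but now that the mount is a declarative unit it is cheap to pin: add `options = "mode=0755";` (or tighter) to the mount entry so only root can populate the directory. Whether the mount should keep systemd's default dependencies, which order it against umount.target, while the service deliberately sets `DefaultDependencies = false` is not obvious from the hunk and deserves a one-line comment on the mount entry. The enclosing `config` attribute set starts above the hunk.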