From 0098d16413dc31b0c6ad03d424c3641864bccda0 Mon Sep 17 00:00:00 2001
From: Morgan Jones
Date: Sun, 19 Jan 2025 23:03:17 -0800
Subject: [PATCH] stage-2-init: fix false positives for RO Nix store mounts

We need to take the "top" mount instead of any mount, which is the last line printed by findmnt. Additionally, make the regex more strict, so we don't select mount options ending in ro (like `errors=remount-ro` from ext4, or overlay paths ending in 'ro') and accidentally leave the Nix store RW after boot.
---
 nixos/modules/system/boot/stage-2-init.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/system/boot/stage-2-init.sh b/nixos/modules/system/boot/stage-2-init.sh
index b5627ec8e5717..cb3e7cd5a471c 100755
--- a/nixos/modules/system/boot/stage-2-init.sh
+++ b/nixos/modules/system/boot/stage-2-init.sh
@@ -69,7 +69,8 @@ fi
 chown -f 0:30000 /nix/store
 chmod -f 1775 /nix/store
 if [ -n "@readOnlyNixStore@" ]; then
- if ! [[ "$(findmnt --noheadings --output OPTIONS /nix/store)" =~ ro(,|$) ]]; then
+ # Ensure that we pick the "top" (i.e. last) mount so we don't get a false positive for a lower mount.
+ if ! [[ "$(findmnt --noheadings --output OPTIONS /nix/store | tail -n1)" =~ (^|,)ro(,|$) ]]; then
 if [ -z "$container" ]; then
 mount --bind /nix/store /nix/store
 else
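Review bot: The new check still passes `/nix/store` to findmnt as a bare positional argument, which findmnt matches against either the source or the mountpoint, so the line kept by `tail -n1` is not guaranteed to describe the mount sitting on `/nix/store`. A read-only mount elsewhere whose source string is `/nix/store` would, if listed last, make the test succeed and leave the store writable after boot, which is the failure this commit sets out to close; this is inferred from findmnt's argument handling, not from anything visible in the patch. Restricting the lookup removes the ambiguity: `if ! [[ "$(findmnt --noheadings --output OPTIONS --mountpoint /nix/store | tail -n1)" =~ (^|,)ro(,|$) ]]; then`. The added comment could also state that it relies on findmnt listing mounts in mount order, since that is what makes the last line the "top" one. The enclosing `if` blocks continue past the end of the hunk.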