stage-2-init: fix false positives for RO Nix store mounts

We need to take the "top" mount instead of any mount, which is the last line printed by findmnt. Additionally, make the regex more strict, so we don't select mount options ending in ro (like `errors=remount-ro` from ext4, or overlay paths ending in 'ro') and accidentally leave the Nix store RW after boot.
NixOS · Jan 20, 2025 · 734b798 · 734b798
1 parent 9e1a1fd
commit 734b798
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/nixos/modules/system/boot/stage-2-init.sh b/nixos/modules/system/boot/stage-2-init.sh
@@ -69,7 +69,8 @@ fi
 chown -f 0:30000 /nix/store
 chmod -f 1775 /nix/store
 if [ -n "@readOnlyNixStore@" ]; then
-    if ! [[ "$(findmnt --noheadings --output OPTIONS /nix/store)" =~ ro(,|$) ]]; then
+    # #375257: Ensure that we pick the "top" (i.e. last) mount so we don't get a false positive for a lower mount.
+    if ! [[ "$(findmnt --noheadings --output OPTIONS /nix/store | tail -n1)" =~ (^|,)ro(,|$) ]]; then
         if [ -z "$container" ]; then
             mount --bind /nix/store /nix/store
         else