On Linux, make the Nix store really read-only by using the immutable bit

I was bitten one time too many by Python modifying the Nix store by
creating *.pyc files when run as root.  On Linux, we can prevent this
by setting the immutable bit on files and directories (as in ‘chattr
+i’).  This isn't supported by all filesystems, so it's not an error
if setting the bit fails.  The immutable bit is cleared by the garbage
collector before deleting a path.  The only tricky aspect is in
optimiseStore(), since it's forbidden to create hard links to an
immutable file.  Thus optimiseStore() temporarily clears the immutable
bit before creating the link.

1 files changed, 3 insertions, 0 deletions

diff --git a/src/libutil/util.cc b/src/libutil/util.cc
index 42e5519b48..31322f9c48 100644
--- a/src/libutil/util.cc
+++ b/src/libutil/util.cc
@@ -12,6 +12,7 @@
 #include <limits.h>
 
 #include "util.hh"
+#include "immutable.hh"
 
 
 extern char * * environ;
@@ -304,6 +305,8 @@ static void _deletePath(const Path & path, unsigned long long & bytesFreed,
 
     struct stat st = lstat(path);
 
+    if (S_ISDIR(st.st_mode) || S_ISREG(st.st_mode)) makeMutable(path);
+
     if (!S_ISDIR(st.st_mode) && st.st_nlink == 1) {
         bytesFreed += st.st_size;
         blocksFreed += st.st_blocks;