From 55f225049e3705cfec0454ea02ccebaf3064cd5c Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Mon, 12 May 2025 10:47:58 +0200
Subject: [PATCH] nixos/tests/boot-stage2: check mount options

The option `boot.nixStoreMountOpts` needs to be tested. Trying to put a SUID/SGID file into the store will fail because of seccomp filters. The best test we can do, without intentionally dropping the seccomp filter here, is to just check `findmnt` and read the mount options in use.
---
 nixos/tests/boot-stage2.nix | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/nixos/tests/boot-stage2.nix b/nixos/tests/boot-stage2.nix
index 90f0ac01207c..c2bec97e4376 100644
--- a/nixos/tests/boot-stage2.nix
+++ b/nixos/tests/boot-stage2.nix
@@ -66,6 +66,10 @@ import ./make-test-python.nix (
 machine.wait_for_unit("multi-user.target")
 machine.succeed("test /etc/post-boot-ran")
 machine.fail("touch /nix/store/should-not-work");
+
+ for opt in ["ro", "nosuid", "nodev"]:
+ with subtest(f"testing store mount option: {opt}"):
+ machine.succeed(f'[[ "$(findmnt --direction backward --first-only --noheadings --output OPTIONS /nix/store)" =~ (^|,){opt}(,|$) ]]')
 '';
 meta.maintainers = with pkgs.lib.maintainers; [ numinit ];
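Review bot: The added `machine.succeed` line reads `--output OPTIONS`, which as far as I know merges the per-mount (VFS) flags with the filesystem's own options, so the `ro` subtest may pass because the backing store filesystem in the test VM is read-only rather than because `boot.nixStoreMountOpts` was applied. Since `ro`, `nosuid` and `nodev` are all per-mount flags, `--output VFS-OPTIONS` would tie the three checks to the mount itself. The expected list `["ro", "nosuid", "nodev"]` is hard-coded, and the machine configuration lies outside this hunk, so it is not visible whether the test sets the option or relies on its default. A comment such as `# must match boot.nixStoreMountOpts for this machine` above the loop would keep the two in step.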