nixos/shutdown: Create /run/initramfs with mode 0700

2025-04-02 15:56:28 -04:00 · 2025-04-02 15:56:28 -04:00 · c9ea864d6f
commit c9ea864d6f
parent 93b98639dd
2 changed files with 9 additions and 0 deletions
--- a/nixos/modules/system/boot/systemd/shutdown.nix
+++ b/nixos/modules/system/boot/systemd/shutdown.nix
@ -52,6 +52,7 @@ in
        what = "tmpfs";
        where = "/run/initramfs";
        type = "tmpfs";
+        options = "mode=0700";
      }
    ];

--- a/nixos/tests/systemd-shutdown.nix
+++ b/nixos/tests/systemd-shutdown.nix
@ -23,6 +23,8 @@ import ./make-test-python.nix (
    };

    testScript = ''
+      # Check that 'generate-shutdown-ramfs.service' is started
+      # automatically and that 'systemd-shutdown' runs our script.
      machine.wait_for_unit("multi-user.target")
      # .shutdown() would wait for the machine to power off
      machine.succeed("systemctl poweroff")
@ -31,6 +33,12 @@ import ./make-test-python.nix (
      machine.wait_for_console_text("${msg}")
      # Don't try to sync filesystems
      machine.wait_for_shutdown()
+
+      # In a separate boot, start 'generate-shutdown-ramfs.service'
+      # manually in order to check the permissions on '/run/initramfs'.
+      machine.systemctl("start generate-shutdown-ramfs.service")
+      stat = machine.succeed("stat --printf=%a:%u:%g /run/initramfs")
+      assert stat == "700:0:0", f"Improper permissions on /run/initramfs: {stat}"
    '';
  }
 )