From 10957db2de1616927f6278bcd66389af45f97303 Mon Sep 17 00:00:00 2001
From: Amine Hassane
Date: Sun, 24 Aug 2025 23:16:34 +0100
Subject: [PATCH] sops-install-secrets: use noswap mount option with tmpfs

---
 default.nix | 2 +-
 go.mod | 1 +
 go.sum | 2 ++
 modules/sops/default.nix | 2 +-
 pkgs/sops-install-secrets/linux.go | 21 ++++++++++++++++++---
 5 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/default.nix b/default.nix
index c71a46d..8e2e77a 100644
--- a/default.nix
+++ b/default.nix
@@ -1,6 +1,6 @@
 {
   pkgs ? import { },
-  vendorHash ? "sha256-M1+oE8rbv8GN0n+EifRBG7IanHCE4JbnD0JrJD/N7Sk=",
+  vendorHash ? "sha256-Ni9gJP1tjPlrLRVILgubJVNAzEtmhI6rN8xNaGYy9TU=",
 }:
 let
   sops-install-secrets = pkgs.callPackage ./pkgs/sops-install-secrets {
diff --git a/go.mod b/go.mod
index 73fb867..ea68c28 100644
--- a/go.mod
+++ b/go.mod
@@ -9,6 +9,7 @@ require (
 	github.com/ProtonMail/go-crypto v1.3.0
 	github.com/getsops/sops/v3 v3.10.2
 	github.com/joho/godotenv v1.5.1
+	github.com/moby/sys/mountinfo v0.7.2
 	github.com/mozilla-services/yaml v0.0.0-20201007153854-c369669a6625
 	golang.org/x/crypto v0.41.0
 	golang.org/x/sys v0.36.0
diff --git a/go.sum b/go.sum
index b71dbc2..7855c20 100644
--- a/go.sum
+++ b/go.sum
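Review bot: The new `github.com/moby/sys/mountinfo` requirement in the go.mod hunk adds a third-party module to a binary that handles decrypted secrets, and from the linux.go hunk further down it appears to be used for a single `mountinfo.Mounted(mountpoint)` call. If the only goal is to learn whether the directory is already a mount, the already-imported `golang.org/x/sys/unix` can answer that by comparing the `Dev` field of `unix.Stat` results for the mountpoint and its parent directory, which keeps the dependency surface and the vendorHash churn in default.nix unchanged. If the library is kept on purpose (it presumably copes with cases a plain st_dev comparison does not, such as bind mounts of the same filesystem), a short justification in the commit message or next to the requirement would help the next reviewer of this dependency.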
@@ -229,6 +229,8 @@ github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyua
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
+github.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9KouLrg=
+github.com/moby/sys/mountinfo v0.7.2/go.mod h1:1YOa8w8Ih7uW0wALDUgT1dTTSBrZ+HiBLGws92L2RU4=
 github.com/moby/sys/user v0.3.0 h1:9ni5DlcW5an3SvRSx4MouotOygvzaXbaSrc/wGDFWPo=
 github.com/moby/sys/user v0.3.0/go.mod h1:bG+tYYYJgaMtRKgEmuueC0hJEAZWwtIbZTB+85uoHjs=
 github.com/moby/term v0.5.2 h1:6qk3FJAFDs6i/q3W/pQ97SX192qKfZgGjCQqfCJkgzQ=
diff --git a/modules/sops/default.nix b/modules/sops/default.nix
index b990e3e..1e7cf48 100644
--- a/modules/sops/default.nix
+++ b/modules/sops/default.nix
@@ -306,7 +306,7 @@ in
 Use tmpfs in place of ramfs for secrets storage. *WARNING*
-Enabling this option has the potential to write secrets to disk unencrypted if the tmpfs volume is written to swap. Do not use unless absolutely necessary.
+On Linux kernels earlier than 6.4, enabling this option has the potential to write secrets to disk unencrypted if the tmpfs volume is written to swap. Do not use unless absolutely necessary.
 When using a swap file or device, consider enabling swap encryption by setting the `randomEncryption.enable` option
diff --git a/pkgs/sops-install-secrets/linux.go b/pkgs/sops-install-secrets/linux.go
index ed3f8a2..92ffd82 100644
--- a/pkgs/sops-install-secrets/linux.go
+++ b/pkgs/sops-install-secrets/linux.go
@@ -4,10 +4,12 @@ package main
 import (
+	"errors"
 	"fmt"
 	"os"
 	"golang.org/x/sys/unix"
+	"github.com/moby/sys/mountinfo"
 )
 func RuntimeDir() (string, error) {
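Review bot: The revised description in the modules/sops/default.nix hunk narrows the swap warning to kernels earlier than 6.4 but does not say what happens on such a kernel: the MountSecretFs change in the linux.go hunk below retries the mount without `noswap` when the first attempt fails with EINVAL, and that fallback branch emits no log line, so on an older kernel the secrets remain swappable with no indication to the operator. Suggest extending the option description after the warning with a sentence such as `If the running kernel rejects the noswap option, the secrets filesystem is mounted without it and the warning above applies.` Stating the fallback here also makes clear that the mount option is best-effort and that encrypted swap remains the safer configuration regardless of kernel version.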
@@ -30,18 +32,31 @@ func MountSecretFs(mountpoint string, keysGID int, useTmpfs bool, userMode bool)
 	var fstype = "ramfs"
 	var fsmagic = RamfsMagic
+	var fsoptions = "mode=0751"
 	if useTmpfs {
 		fstype = "tmpfs"
 		fsmagic = TmpfsMagic
+		fsoptions += ",noswap"
 	}
 	buf := unix.Statfs_t{}
 	if err := unix.Statfs(mountpoint, &buf); err != nil {
 		return fmt.Errorf("cannot get statfs for directory '%s': %w", mountpoint, err)
 	}
-	if int32(buf.Type) != fsmagic {
-		if err := unix.Mount("none", mountpoint, fstype, unix.MS_NODEV|unix.MS_NOSUID, "mode=0751"); err != nil {
-			return fmt.Errorf("cannot mount: %w", err)
+	mounted, err := mountinfo.Mounted(mountpoint)
+	if err != nil {
+		return fmt.Errorf("cannot check if directory '%s' is a mountpoint: %w", mountpoint, err)
+	}
+	if !mounted || int32(buf.Type) != fsmagic {
+		flags := uintptr(unix.MS_NODEV | unix.MS_NOSUID | unix.MS_NOEXEC)
+		if err := unix.Mount("none", mountpoint, fstype, flags, fsoptions); err != nil {
+			if useTmpfs && errors.Is(err, unix.EINVAL) {
+				if err := unix.Mount("none", mountpoint, fstype, flags, "mode=0751"); err != nil {
+					return fmt.Errorf("cannot mount (fallback without noswap failed): %w", err)
+				}
+			} else {
+				return fmt.Errorf("cannot mount: %w", err)
+			}
 		}
 	}