From b25259e021de4b3969090895e48fd213c4b4b444 Mon Sep 17 00:00:00 2001
From: Minijackson
Date: Thu, 29 Sep 2022 08:33:44 +0200
Subject: [PATCH 1/2] nixos/stage-1: follow mount options
For fileSystems needed for boot which are bind mounts, busybox tend to ignore mount options, so we remount right afterwards
---
nixos/modules/system/boot/stage-1-init.sh | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/nixos/modules/system/boot/stage-1-init.sh b/nixos/modules/system/boot/stage-1-init.sh
index af57310bda7d..835788dbbc97 100644
--- a/nixos/modules/system/boot/stage-1-init.sh
+++ b/nixos/modules/system/boot/stage-1-init.sh
@@ -410,6 +410,11 @@ mountFS() {
 n=$((n + 1))
 done
 
+ # For bind mounts, busybox has a tendency to ignore options, which can be a
+ # security issue (e.g. "nosuid"). Remounting the partition seems to fix the
+ # issue.
+ mount "/mnt-root$mountPoint" -o "remount,$optionsPrefixed"
+
 [ "$mountPoint" == "/" ] &&
 [ -f "/mnt-root/etc/NIXOS_LUSTRATE" ] &&
 lustrateRoot "/mnt-root"
From 8f94053a21261c894d408c35821b4efa27255c2f Mon Sep 17 00:00:00 2001
From: Minijackson
Date: Tue, 25 Apr 2023 13:07:08 +0200
Subject: [PATCH 2/2] nixosTests.early-mount-options: init
---
nixos/tests/all-tests.nix | 1 +
nixos/tests/early-mount-options.nix | 19 +++++++++++++++++++
2 files changed, 20 insertions(+)
create mode 100644 nixos/tests/early-mount-options.nix
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 506cba25ba50..25b12e51ba1f 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -195,6 +195,7 @@ in {
 dovecot = handleTest ./dovecot.nix {};
 drbd = handleTest ./drbd.nix {};
 earlyoom = handleTestOn ["x86_64-linux"] ./earlyoom.nix {};
+ early-mount-options = handleTest ./early-mount-options.nix {};
 ec2-config = (handleTestOn ["x86_64-linux"] ./ec2.nix {}).boot-ec2-config or {};
 ec2-nixops = (handleTestOn ["x86_64-linux"] ./ec2.nix {}).boot-ec2-nixops or {};
 ecryptfs = handleTest ./ecryptfs.nix {};
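Review bot: The added `mount "/mnt-root$mountPoint" -o "remount,$optionsPrefixed"` ignores its exit status, so if the remount is refused the filesystem silently keeps whatever flags busybox applied and the nosuid/nodev/noexec protection the comment describes is lost with no boot-time error; the mount loop just above it, by contrast, does check its result. The comment scopes the problem to bind mounts, yet the remount is issued for every filesystem that passes through mountFS, where re-sending the full original option string is unnecessary and, for some filesystem types, may be rejected (inferred; the hunk does not show which option strings reach this point). I would restrict the remount to option strings containing `bind` and abort on failure, using the script's `fail` helper if it is in scope here. The enclosing mountFS function starts before this hunk.
```shell
    # … unchanged: mount retry loop …

    # busybox does not apply per-mount flags when creating a bind mount;
    # a remount is the only way to apply them, so it must not fail silently.
    case ",$optionsPrefixed," in
        *,bind,*)
            mount "/mnt-root$mountPoint" -o "remount,$optionsPrefixed" ||
                fail "Remounting $mountPoint with options $optionsPrefixed failed"
            ;;
    esac

    # … unchanged: NIXOS_LUSTRATE check …
```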
diff --git a/nixos/tests/early-mount-options.nix b/nixos/tests/early-mount-options.nix
new file mode 100644
index 000000000000..8be318ae13bc
--- /dev/null
+++ b/nixos/tests/early-mount-options.nix
@@ -0,0 +1,19 @@
+# Test for https://github.com/NixOS/nixpkgs/pull/193469
+import ./make-test-python.nix {
+ name = "early-mount-options";
+
+ nodes.machine = {
+ virtualisation.fileSystems."/var" = {
+ options = [ "bind" "nosuid" "nodev" "noexec" ];
+ device = "/var";
+ };
+ };
+
+ testScript = ''
+ machine.wait_for_unit("multi-user.target")
+
+ var_mount_info = machine.succeed("findmnt /var -n -o OPTIONS")
+ options = var_mount_info.strip().split(",")
+ assert "nosuid" in options and "nodev" in options and "noexec" in options
+ '';
+}
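Review bot: The final `assert` in testScript carries no message, so when a flag is dropped again the failure reports only an AssertionError and nothing about which of the three options was missing or what findmnt actually returned; `assert {"nosuid", "nodev", "noexec"} <= set(options), options` keeps the check on one line and prints the observed option list on failure. The test is only meaningful if /var is mounted by stage-1 (the code path the first patch changes) rather than by systemd after switch-root, which presumably holds because /var counts as needed for boot, but nothing in the file says so; a one-line comment above `virtualisation.fileSystems."/var"` stating that /var was chosen because it is mounted from the initrd would make that dependency explicit to whoever next edits the test.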