From edc799dabfb059735f1a3084384925fe573d9de1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ludovic=20Court=C3=A8s?=
Date: Tue, 6 May 2025 11:29:19 +0200
Subject: [PATCH] environment, home: Make /tmp writable.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes .

Fixes a bug caused by commit ce363c1dc7bd63a74dcf7788d340819f6d5db89f, which inadvertently made /tmp read-only as well.

* guix/scripts/environment.scm (launch-environment/container)[tmpfs]: New variable. Add it to ‘file-systems’.
* guix/scripts/home.scm (spawn-home-container): Add /tmp file system to #:mounts.
* tests/guix-environment-container.sh: Add test.

Reported-by: Tomas Volf <~@wolfsden.cz>
Change-Id: I5cb449e6d0c213d4b5866cbcbd14990437a7d4c5
---
guix/scripts/environment.scm | 8 ++++++++
guix/scripts/home.scm | 7 ++++++-
tests/guix-environment-container.sh | 5 +++++
3 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/guix/scripts/environment.scm b/guix/scripts/environment.scm
index ad1b26454a3..7103fdaf202 100644
--- a/guix/scripts/environment.scm
+++ b/guix/scripts/environment.scm
@@ -770,6 +770,13 @@ added to the container.
 Preserve environment variables whose name matches the one of the regexps in
 WHILE-LIST."
+ (define tmpfs
+ (file-system
+ (device "none")
+ (mount-point "/tmp")
+ (type "tmpfs")
+ (check? #f)))
+
 (define (optional-mapping->fs mapping)
 (and (file-exists? (file-system-mapping-source mapping))
 (file-system-mapping->bind-mount mapping)))
@@ -867,6 +874,7 @@ WHILE-LIST."
 (writable? #f)))
 reqs)))
 (file-systems (append %container-file-systems
+ (list tmpfs)
 (if network?
 (filter-map optional-mapping->fs
 %network-file-mappings)
diff --git a/guix/scripts/home.scm b/guix/scripts/home.scm
index 57c0df62943..a4b8cc01e70 100644
--- a/guix/scripts/home.scm
+++ b/guix/scripts/home.scm
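Review bot: The new `tmpfs` record in launch-environment/container sets only `device`, `mount-point`, `type` and `check?`, so the container's /tmp is mounted with the kernel's tmpfs defaults: no `flags` such as `no-suid`/`no-dev`, and no `size=` option, which as far as I recall means the instance may grow to half of physical RAM. For a container whose whole point is to keep the guest away from the host, an unbounded scratch tmpfs is the one resource it can still exhaust, so consider `(flags '(no-dev no-suid))` and a bounded `(options "size=...")`, or at minimum a comment recording that the defaults are deliberate, e.g. `;; Private tmpfs so /tmp is writable even with a read-only root; unbounded, like the host's /tmp.` Whether `run-container` honours `flags` and `options` for a tmpfs entry is something to confirm against the mount code, which is outside this hunk. launch-environment/container starts and ends outside the hunk.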
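Review bot: `(list tmpfs)` is spliced directly after `%container-file-systems`, ahead of the network mappings and, presumably, the user's `--expose`/`--share` mappings further down the `append` (the rest of the list is outside the hunk). That position is what lets `--share=/tmp/foo` or `--expose=/tmp` keep working — the later bind mounts land on top of the fresh tmpfs instead of being hidden underneath it — but nothing in the code says so, and a later reorder would silently break it; a one-liner would help: `;; Mount the private /tmp before user mappings so --share=/tmp/... lands inside it.` I have not verified how `run-container` orders mounts; if it sorts by mount point rather than list order, the comment should state that instead. The enclosing `file-systems` binding and its `let*` start and end outside the hunk.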
@@ -353,7 +353,12 @@ immediately. Return the exit status of the process in the container."
 #:namespaces (if network?
 (delq 'net %namespaces) ; share host network
 %namespaces)
- #:mounts (list (file-system
+ #:mounts (list (file-system ;writable /tmp
+ (device "none")
+ (mount-point "/tmp")
+ (type "tmpfs")
+ (check? #f))
+ (file-system
 (device "none")
 (mount-point
 (in-vicinity "/run/user" ;for shepherd & co.
diff --git a/tests/guix-environment-container.sh b/tests/guix-environment-container.sh
index d6cb382de92..d0f19c83725 100644
--- a/tests/guix-environment-container.sh
+++ b/tests/guix-environment-container.sh
@@ -195,6 +195,11 @@ guix environment --bootstrap --container --ad-hoc guile-bootstrap \
 --writable-root \
 -- guile -c '(mkdir "/whatever")'
+# /tmp itself is always writable.
+guix environment --bootstrap --container --ad-hoc guile-bootstrap \
+ -- guile -c '(mkdir "/tmp/foo")'
+
+
 # Check the exit code.
 abnormal_exit_code="
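Review bot: The /tmp `file-system` added to `#:mounts` in spawn-home-container is a field-for-field copy of the `tmpfs` record the same patch adds to launch-environment/container, including the same choice of no `flags` and no size `options`. Both exist to undo the read-only /tmp the commit message describes, so a single shared definition — say a `%container-tmpfs` exported next to `%container-file-systems`, or a small `writable-tmpfs` procedure — would keep a future hardening (`(flags '(no-dev no-suid))`, a `size=` cap) from being applied on one path and forgotten on the other. The `;writable /tmp` comment is welcome but should also say why this is a private tmpfs rather than the host's /tmp, e.g. `;private, writable /tmp (not shared with the host)`. spawn-home-container and the `#:mounts` list both continue outside the hunk.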
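Review bot: The new test only proves that `mkdir "/tmp/foo"` succeeds inside the container; it would pass just as well if /tmp were the host's /tmp bind-mounted writable, which is exactly the leak a private tmpfs is meant to rule out. Checking the other half is cheap: use a unique name instead of the fixed `/tmp/foo` and assert it is absent on the host afterwards, e.g. `tmpdir="/tmp/guix-tmpfs-test-$$"`, `guix environment --bootstrap --container --ad-hoc guile-bootstrap -- guile -c "(mkdir \"$tmpdir\")"`, `test ! -d "$tmpdir"`. A fixed `/tmp/foo` would also collide with a pre-existing entry should the container ever share the host /tmp, turning a real regression into a confusing `mkdir` failure. The two trailing added blank lines look unintentional.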