Ok, nix-bitcoin is a great project which heavily uses containers. With the help of extra-container it's possible to deploy and run a non-declarative bitcoin node container using Tor in a few minutes, which is amazing.
My question is the following. We know that containers are meant to be isolated from the host system, and this is meant to give us one more level of security. On the other hand, exposing the whole /nix/store to the container definitely has an information leakage impact, as it contains a lot of host-specific data which in theory could give an attacker some hints about the environment.
Agreed, the global nix store can leak sensitive data of the host system like the hostname or home directory user names, or even more private info when home-manager is used.
NixOS VMs are affected in the same way.
A fix would be to instead bind mount a FUSE filesystem that forwards to the nix store, restricted to the store path closure of the container system.
I'll look into this, with low-medium prio.
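As an added example (not code from nix-bitcoin, extra-container, or the commenters above), the following Python models the two halves of the proposed fix: which store paths a full `/nix/store` bind mount exposes beyond what the container actually needs, and the property a closure-restricted view must satisfy to remain usable. The reference graph and store path names are constructed placeholders; on a real system the same graph comes from `nix-store --query --references`, and the closure from `nix-store --query --requisites`.

```python
"""Model of the store-closure restriction proposed for container mounts.

Everything below is constructed for illustration: the reference graph and
path names are invented placeholders, not real /nix/store contents.
"""
from collections import deque

# Constructed reference graph: store path -> store paths it references.
# On a real host this is the output of `nix-store --query --references`.
REFERENCES = {
    "/nix/store/aaa-container-system": [
        "/nix/store/bbb-bitcoind",
        "/nix/store/ccc-tor",
        "/nix/store/ddd-glibc",
    ],
    "/nix/store/bbb-bitcoind": ["/nix/store/ddd-glibc", "/nix/store/eee-openssl"],
    "/nix/store/ccc-tor": ["/nix/store/ddd-glibc", "/nix/store/eee-openssl"],
    "/nix/store/ddd-glibc": [],
    "/nix/store/eee-openssl": ["/nix/store/ddd-glibc"],
    # Host-only paths: the container never needs them, yet a bind mount of the
    # whole store makes them readable (this is the leak the issue describes).
    "/nix/store/fff-host-system": [
        "/nix/store/ggg-home-manager-alice",
        "/nix/store/ddd-glibc",
    ],
    "/nix/store/ggg-home-manager-alice": ["/nix/store/hhh-ssh-config-alice"],
    "/nix/store/hhh-ssh-config-alice": [],
}


def closure(root, references=REFERENCES):
    """Transitive closure of `root` over the reference graph.

    This is what `nix-store --query --requisites <root>` computes: the exact
    set of store paths the container system needs at runtime.
    """
    seen = {root}
    queue = deque([root])
    while queue:
        path = queue.popleft()
        for ref in references.get(path, []):
            if ref not in seen:
                seen.add(ref)
                queue.append(ref)
    return seen


def leaked_paths(container_root, references=REFERENCES):
    """Store paths a full /nix/store bind mount exposes although the container
    does not need them: the host-specific material an attacker inside the
    container could read."""
    return set(references) - closure(container_root, references)


def view_is_complete(allowed, references=REFERENCES):
    """Sanity check for a restricted store view (e.g. the FUSE forwarder).

    The view is only usable if it is closed under references: every reference
    of an allowed path must itself be allowed, otherwise the container sees
    dangling symlinks and unresolvable RPATH entries.
    """
    return all(
        ref in allowed
        for path in allowed
        for ref in references.get(path, [])
    )


if __name__ == "__main__":
    root = "/nix/store/aaa-container-system"
    print("container closure:", sorted(closure(root)))
    print("leaked by full bind mount:", sorted(leaked_paths(root)))
    print("closure-restricted view complete:", view_is_complete(closure(root)))
    # Dropping a transitive dependency from the allowlist breaks the view.
    print("view minus glibc complete:",
          view_is_complete(closure(root) - {"/nix/store/ddd-glibc"}))
```

The point of `view_is_complete` is that the restriction must be computed from the full closure of the container's system derivation, not from a hand-written allowlist: omitting a single transitive dependency (here the placeholder glibc path) leaves the container with a broken store, while including anything beyond the closure reintroduces the leak.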