From 040042b8a516e453aef5156fa99176e4bae7004f Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Tue, 27 Mar 2012 14:51:08 +0000
Subject: [PATCH] * Blackhole the address 169.254.169.254 after we've obtained the user data to prevent non-root processes from getting the private host key.
svn path=/nixos/trunk/; revision=33442
---
 modules/virtualisation/ec2-data.nix | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/modules/virtualisation/ec2-data.nix b/modules/virtualisation/ec2-data.nix
index 42e3cb675667..65f408262256 100644
--- a/modules/virtualisation/ec2-data.nix
+++ b/modules/virtualisation/ec2-data.nix
@@ -15,10 +15,12 @@ with pkgs.lib;
 task = true;
- path = [ pkgs.curl ];
+ path = [ pkgs.curl pkgs.iproute ];
 script = ''
+ ip route del blackhole 169.254.169.254/32 || true
+
 curl="curl --retry 3 --retry-delay 0 --fail"
 echo "setting host name..."
@@ -53,6 +55,10 @@ with pkgs.lib;
 (umask 077; echo "$key" > /etc/ssh/ssh_host_dsa_key)
 echo "$key_pub" > /etc/ssh/ssh_host_dsa_key.pub
 fi
+
+ # Since the user data is sensitive, prevent it from being
+ # accessed from now on.
+ ip route add blackhole 169.254.169.254/32
 '';
 };
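Review bot: The blackhole route added at the end of the script in the second hunk only takes effect if execution reaches that line, so any earlier failure (for instance `curl --fail` returning non-zero while the metadata service is still coming up, if this job script runs with errexit semantics) leaves 169.254.169.254 reachable by every local process, which is exactly the exposure the commit sets out to close. Installing the route from an EXIT trap immediately after the `ip route del` in the first hunk, `trap 'ip route add blackhole 169.254.169.254/32' EXIT`, makes the blackhole unconditional, and the trailing `ip route add` can then be dropped. The added comment should also state the limits of the measure: the route only stops processes without the privilege to change routing (root can delete it again), and the `ip route del … || true` at the top re-opens the endpoint to all processes for the duration of every re-run of the job. The `script` string begins in the first hunk and the enclosing job attribute set starts outside both hunks.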