nixos/systemd-chroot: Rename chroot to confinement
Quoting @edolstra from [1]: I don't really like the name "chroot", something like "confine[ment]" or "restrict" seems better. Conceptually we're not providing a completely different filesystem tree but a restricted view of the same tree. I already used "confinement" as a sub-option and I do agree that "chroot" sounds a bit too specific (especially because not *only* chroot is involved). So this changes the module name and its option to use "confinement" instead of "chroot" and also renames the "chroot.confinement" to "confinement.mode". [1]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-472855704 Signed-off-by: aszlig <aszlig@nix.build>
parent
ac64ce9945
commit
0ba48f46da
|
@ -170,7 +170,7 @@
|
||||||
./security/rtkit.nix
|
./security/rtkit.nix
|
||||||
./security/wrappers/default.nix
|
./security/wrappers/default.nix
|
||||||
./security/sudo.nix
|
./security/sudo.nix
|
||||||
./security/systemd-chroot.nix
|
./security/systemd-confinement.nix
|
||||||
./services/admin/oxidized.nix
|
./services/admin/oxidized.nix
|
||||||
./services/admin/salt/master.nix
|
./services/admin/salt/master.nix
|
||||||
./services/admin/salt/minion.nix
|
./services/admin/salt/minion.nix
|
||||||
|
|
|
@ -8,7 +8,7 @@ let
|
||||||
in {
|
in {
|
||||||
options.systemd.services = lib.mkOption {
|
options.systemd.services = lib.mkOption {
|
||||||
type = types.attrsOf (types.submodule ({ name, config, ... }: {
|
type = types.attrsOf (types.submodule ({ name, config, ... }: {
|
||||||
options.chroot.enable = lib.mkOption {
|
options.confinement.enable = lib.mkOption {
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
default = false;
|
default = false;
|
||||||
description = ''
|
description = ''
|
||||||
|
@ -20,7 +20,7 @@ in {
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
options.chroot.packages = lib.mkOption {
|
options.confinement.packages = lib.mkOption {
|
||||||
type = types.listOf (types.either types.str types.package);
|
type = types.listOf (types.either types.str types.package);
|
||||||
default = [];
|
default = [];
|
||||||
description = let
|
description = let
|
||||||
|
@ -44,7 +44,7 @@ in {
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
options.chroot.withBinSh = lib.mkOption {
|
options.confinement.withBinSh = lib.mkOption {
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
default = true;
|
default = true;
|
||||||
description = ''
|
description = ''
|
||||||
|
@ -59,7 +59,7 @@ in {
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
options.chroot.confinement = lib.mkOption {
|
options.confinement.mode = lib.mkOption {
|
||||||
type = types.enum [ "full-apivfs" "chroot-only" ];
|
type = types.enum [ "full-apivfs" "chroot-only" ];
|
||||||
default = "full-apivfs";
|
default = "full-apivfs";
|
||||||
description = ''
|
description = ''
|
||||||
|
@ -81,16 +81,16 @@ in {
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
config = lib.mkIf config.chroot.enable {
|
config = lib.mkIf config.confinement.enable {
|
||||||
serviceConfig = let
|
serviceConfig = let
|
||||||
rootName = "${mkPathSafeName name}-chroot";
|
rootName = "${mkPathSafeName name}-chroot";
|
||||||
in {
|
in {
|
||||||
RootDirectory = pkgs.runCommand rootName {} "mkdir \"$out\"";
|
RootDirectory = pkgs.runCommand rootName {} "mkdir \"$out\"";
|
||||||
TemporaryFileSystem = "/";
|
TemporaryFileSystem = "/";
|
||||||
MountFlags = lib.mkDefault "private";
|
MountFlags = lib.mkDefault "private";
|
||||||
} // lib.optionalAttrs config.chroot.withBinSh {
|
} // lib.optionalAttrs config.confinement.withBinSh {
|
||||||
BindReadOnlyPaths = [ "${pkgs.dash}/bin/dash:/bin/sh" ];
|
BindReadOnlyPaths = [ "${pkgs.dash}/bin/dash:/bin/sh" ];
|
||||||
} // lib.optionalAttrs (config.chroot.confinement == "full-apivfs") {
|
} // lib.optionalAttrs (config.confinement.mode == "full-apivfs") {
|
||||||
MountAPIVFS = true;
|
MountAPIVFS = true;
|
||||||
PrivateDevices = true;
|
PrivateDevices = true;
|
||||||
PrivateTmp = true;
|
PrivateTmp = true;
|
||||||
|
@ -99,7 +99,7 @@ in {
|
||||||
ProtectKernelModules = true;
|
ProtectKernelModules = true;
|
||||||
ProtectKernelTunables = true;
|
ProtectKernelTunables = true;
|
||||||
};
|
};
|
||||||
chroot.packages = let
|
confinement.packages = let
|
||||||
startOnly = config.serviceConfig.RootDirectoryStartOnly or false;
|
startOnly = config.serviceConfig.RootDirectoryStartOnly or false;
|
||||||
execOpts = if startOnly then [ "ExecStart" ] else [
|
execOpts = if startOnly then [ "ExecStart" ] else [
|
||||||
"ExecReload" "ExecStart" "ExecStartPost" "ExecStartPre" "ExecStop"
|
"ExecReload" "ExecStart" "ExecStartPost" "ExecStartPre" "ExecStop"
|
||||||
|
@ -108,7 +108,7 @@ in {
|
||||||
execPkgs = lib.concatMap (opt: let
|
execPkgs = lib.concatMap (opt: let
|
||||||
isSet = config.serviceConfig ? ${opt};
|
isSet = config.serviceConfig ? ${opt};
|
||||||
in lib.optional isSet config.serviceConfig.${opt}) execOpts;
|
in lib.optional isSet config.serviceConfig.${opt}) execOpts;
|
||||||
in execPkgs ++ lib.optional config.chroot.withBinSh pkgs.dash;
|
in execPkgs ++ lib.optional config.confinement.withBinSh pkgs.dash;
|
||||||
};
|
};
|
||||||
}));
|
}));
|
||||||
};
|
};
|
||||||
|
@ -116,8 +116,8 @@ in {
|
||||||
config.assertions = lib.concatLists (lib.mapAttrsToList (name: cfg: let
|
config.assertions = lib.concatLists (lib.mapAttrsToList (name: cfg: let
|
||||||
whatOpt = optName: "The 'serviceConfig' option '${optName}' for"
|
whatOpt = optName: "The 'serviceConfig' option '${optName}' for"
|
||||||
+ " service '${name}' is enabled in conjunction with"
|
+ " service '${name}' is enabled in conjunction with"
|
||||||
+ " 'chroot.enable'";
|
+ " 'confinement.enable'";
|
||||||
in lib.optionals cfg.chroot.enable [
|
in lib.optionals cfg.confinement.enable [
|
||||||
{ assertion = !cfg.serviceConfig.RootDirectoryStartOnly or false;
|
{ assertion = !cfg.serviceConfig.RootDirectoryStartOnly or false;
|
||||||
message = "${whatOpt "RootDirectoryStartOnly"}, but right now systemd"
|
message = "${whatOpt "RootDirectoryStartOnly"}, but right now systemd"
|
||||||
+ " doesn't support restricting bind-mounts to 'ExecStart'."
|
+ " doesn't support restricting bind-mounts to 'ExecStart'."
|
||||||
|
@ -133,7 +133,7 @@ in {
|
||||||
|
|
||||||
config.systemd.packages = lib.concatLists (lib.mapAttrsToList (name: cfg: let
|
config.systemd.packages = lib.concatLists (lib.mapAttrsToList (name: cfg: let
|
||||||
rootPaths = let
|
rootPaths = let
|
||||||
contents = lib.concatStringsSep "\n" cfg.chroot.packages;
|
contents = lib.concatStringsSep "\n" cfg.confinement.packages;
|
||||||
in pkgs.writeText "${mkPathSafeName name}-string-contexts.txt" contents;
|
in pkgs.writeText "${mkPathSafeName name}-string-contexts.txt" contents;
|
||||||
|
|
||||||
chrootPaths = pkgs.runCommand "${mkPathSafeName name}-chroot-paths" {
|
chrootPaths = pkgs.runCommand "${mkPathSafeName name}-chroot-paths" {
|
||||||
|
@ -156,5 +156,5 @@ in {
|
||||||
fi
|
fi
|
||||||
done < "$closureInfo/store-paths" >> "$serviceFile"
|
done < "$closureInfo/store-paths" >> "$serviceFile"
|
||||||
'';
|
'';
|
||||||
in lib.optional cfg.chroot.enable chrootPaths) config.systemd.services);
|
in lib.optional cfg.confinement.enable chrootPaths) config.systemd.services);
|
||||||
}
|
}
|
|
@ -216,7 +216,7 @@ in
|
||||||
switchTest = handleTest ./switch-test.nix {};
|
switchTest = handleTest ./switch-test.nix {};
|
||||||
syncthing-relay = handleTest ./syncthing-relay.nix {};
|
syncthing-relay = handleTest ./syncthing-relay.nix {};
|
||||||
systemd = handleTest ./systemd.nix {};
|
systemd = handleTest ./systemd.nix {};
|
||||||
systemd-chroot = handleTest ./systemd-chroot.nix {};
|
systemd-confinement = handleTest ./systemd-confinement.nix {};
|
||||||
taskserver = handleTest ./taskserver.nix {};
|
taskserver = handleTest ./taskserver.nix {};
|
||||||
telegraf = handleTest ./telegraf.nix {};
|
telegraf = handleTest ./telegraf.nix {};
|
||||||
tomcat = handleTest ./tomcat.nix {};
|
tomcat = handleTest ./tomcat.nix {};
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
import ./make-test.nix {
|
import ./make-test.nix {
|
||||||
name = "systemd-chroot";
|
name = "systemd-confinement";
|
||||||
|
|
||||||
machine = { pkgs, lib, ... }: let
|
machine = { pkgs, lib, ... }: let
|
||||||
testServer = pkgs.writeScript "testserver.sh" ''
|
testServer = pkgs.writeScript "testserver.sh" ''
|
||||||
|
@ -26,13 +26,13 @@ import ./make-test.nix {
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services."test${toString num}@" = {
|
systemd.services."test${toString num}@" = {
|
||||||
description = "Chrooted Test Service ${toString num}";
|
description = "Confined Test Service ${toString num}";
|
||||||
chroot = (config.chroot or {}) // { enable = true; };
|
confinement = (config.confinement or {}) // { enable = true; };
|
||||||
serviceConfig = (config.serviceConfig or {}) // {
|
serviceConfig = (config.serviceConfig or {}) // {
|
||||||
ExecStart = testServer;
|
ExecStart = testServer;
|
||||||
StandardInput = "socket";
|
StandardInput = "socket";
|
||||||
};
|
};
|
||||||
} // removeAttrs config [ "chroot" "serviceConfig" ];
|
} // removeAttrs config [ "confinement" "serviceConfig" ];
|
||||||
|
|
||||||
__testSteps = lib.mkOrder num ''
|
__testSteps = lib.mkOrder num ''
|
||||||
subtest '${lib.escape ["\\" "'"] description}', sub {
|
subtest '${lib.escape ["\\" "'"] description}', sub {
|
||||||
|
@ -45,7 +45,7 @@ import ./make-test.nix {
|
||||||
in {
|
in {
|
||||||
imports = lib.imap1 mkTestStep [
|
imports = lib.imap1 mkTestStep [
|
||||||
{ description = "chroot-only confinement";
|
{ description = "chroot-only confinement";
|
||||||
config.chroot.confinement = "chroot-only";
|
config.confinement.mode = "chroot-only";
|
||||||
testScript = ''
|
testScript = ''
|
||||||
$machine->succeed(
|
$machine->succeed(
|
||||||
'test "$(chroot-exec ls -1 / | paste -sd,)" = bin,nix',
|
'test "$(chroot-exec ls -1 / | paste -sd,)" = bin,nix',
|
||||||
|
@ -88,7 +88,7 @@ import ./make-test.nix {
|
||||||
} "ln -s \"$target\" \"$out\"";
|
} "ln -s \"$target\" \"$out\"";
|
||||||
in {
|
in {
|
||||||
description = "check if symlinks are properly bind-mounted";
|
description = "check if symlinks are properly bind-mounted";
|
||||||
config.chroot.packages = lib.singleton symlink;
|
config.confinement.packages = lib.singleton symlink;
|
||||||
testScript = ''
|
testScript = ''
|
||||||
$machine->fail('chroot-exec test -e /etc');
|
$machine->fail('chroot-exec test -e /etc');
|
||||||
$machine->succeed('chroot-exec cat ${symlink} >&2');
|
$machine->succeed('chroot-exec cat ${symlink} >&2');
|