nixos/mysql: enable sandbox mode

2024-11-22 21:50:55 +00:00 · 2020-05-14 20:29:59 +03:00 · 2020-05-14 20:29:59 +03:00 · df7e52814d
parent 0ba7e1ae98
commit df7e52814d
2 changed files with 46 additions and 5 deletions
--- a/nixos/doc/manual/release-notes/rl-2009.xml
+++ b/nixos/doc/manual/release-notes/rl-2009.xml
@ -89,6 +89,22 @@ services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" ''
      When MariaDB data directory is just upgraded (not initialized), the users are not created or modified.
    </para>
   </listitem>
+   <listitem>
+    <para>
+      MySQL server is now started with additional systemd sandbox/hardening options for better security. The PrivateTmp, ProtectHome, and ProtectSystem options
+      may be problematic when MySQL is attempting to read from or write to your filesystem anywhere outside of its own state directory, for example when
+      calling <literal>LOAD DATA INFILE or SELECT * INTO OUTFILE</literal>. In this scenario a variant of the following may be required:
+        - allow MySQL to read from /home and /tmp directories when using <literal>LOAD DATA INFILE</literal>
+<programlisting>
+systemd.services.mysql.serviceConfig.ProtectHome = lib.mkForce "read-only";
+</programlisting>
+        - allow MySQL to write to custom folder <literal>/var/data</literal> when using <literal>SELECT * INTO OUTFILE</literal>, assuming the mysql user has write
+          access to <literal>/var/data</literal>
+<programlisting>
+systemd.services.mysql.serviceConfig.ReadWritePaths = [ "/var/data" ];
+</programlisting>
+    </para>
+   </listitem>
  </itemizedlist>
 </section>

--- a/nixos/modules/services/databases/mysql.nix
+++ b/nixos/modules/services/databases/mysql.nix
@ -367,11 +367,7 @@ in
        '';

        serviceConfig = {
-          User = cfg.user;
-          Group = "mysql";
          Type = if hasNotify then "notify" else "simple";
-          RuntimeDirectory = "mysqld";
-          RuntimeDirectoryMode = "0755";
          Restart = "on-abort";
          RestartSec = "5s";
          # The last two environment variables are used for starting Galera clusters
@ -452,7 +448,7 @@ in
                        cat ${toString cfg.initialScript} | ${mysql}/bin/mysql -u root -N
                      ''}

-                    rm /tmp/mysql_init
+                    rm ${cfg.dataDir}/mysql_init
                fi

                ${optionalString (cfg.ensureDatabases != []) ''
@ -476,6 +472,35 @@ in
              # ensureDatbases & ensureUsers depends on this script being run as root
              # when the user has secured their mysql install
              "+${setupScript}";
+          # User and group
+          User = cfg.user;
+          Group = "mysql";
+          # Runtime directory and mode
+          RuntimeDirectory = "mysqld";
+          RuntimeDirectoryMode = "0755";
+          # Access write directories
+          ReadWritePaths = [ cfg.dataDir ];
+          # Capabilities
+          CapabilityBoundingSet = "";
+          # Security
+          NoNewPrivileges = true;
+          # Sandboxing
+          ProtectSystem = "strict";
+          ProtectHome = true;
+          PrivateTmp = true;
+          PrivateDevices = true;
+          ProtectHostname = true;
+          ProtectKernelTunables = true;
+          ProtectKernelModules = true;
+          ProtectControlGroups = true;
+          RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+          LockPersonality = true;
+          MemoryDenyWriteExecute = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          PrivateMounts = true;
+          # System Call Filtering
+          SystemCallArchitectures = "native";
        };
      };