nixos/systemd-chroot: Rename chroot to confinement

Quoting @edolstra from [1]:

  I don't really like the name "chroot", something like "confine[ment]"
  or "restrict" seems better. Conceptually we're not providing a
  completely different filesystem tree but a restricted view of the same
  tree.

I already used "confinement" as a sub-option and I do agree that
"chroot" sounds a bit too specific (especially because not *only* chroot
is involved).

So this changes the module name and its option to use "confinement"
instead of "chroot" and also renames the "chroot.confinement" to
"confinement.mode".

[1]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-472855704

Signed-off-by: aszlig <aszlig@nix.build>
aszlig 2019-03-14 15:26:10 +01:00
parent ac64ce9945
commit 0ba48f46da
4 changed files with 21 additions and 21 deletions


@ -170,7 +170,7 @@
./security/rtkit.nix ./security/rtkit.nix
./security/wrappers/default.nix ./security/wrappers/default.nix
./security/sudo.nix ./security/sudo.nix
./security/systemd-chroot.nix ./security/systemd-confinement.nix
./services/admin/oxidized.nix ./services/admin/oxidized.nix
./services/admin/salt/master.nix ./services/admin/salt/master.nix
./services/admin/salt/minion.nix ./services/admin/salt/minion.nix


@ -8,7 +8,7 @@ let
in { in {
options.systemd.services = lib.mkOption { options.systemd.services = lib.mkOption {
type = types.attrsOf (types.submodule ({ name, config, ... }: { type = types.attrsOf (types.submodule ({ name, config, ... }: {
options.chroot.enable = lib.mkOption { options.confinement.enable = lib.mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
description = '' description = ''
@ -20,7 +20,7 @@ in {
''; '';
}; };
options.chroot.packages = lib.mkOption { options.confinement.packages = lib.mkOption {
type = types.listOf (types.either types.str types.package); type = types.listOf (types.either types.str types.package);
default = []; default = [];
description = let description = let
@ -44,7 +44,7 @@ in {
''; '';
}; };
options.chroot.withBinSh = lib.mkOption { options.confinement.withBinSh = lib.mkOption {
type = types.bool; type = types.bool;
default = true; default = true;
description = '' description = ''
@ -59,7 +59,7 @@ in {
''; '';
}; };
options.chroot.confinement = lib.mkOption { options.confinement.mode = lib.mkOption {
type = types.enum [ "full-apivfs" "chroot-only" ]; type = types.enum [ "full-apivfs" "chroot-only" ];
default = "full-apivfs"; default = "full-apivfs";
description = '' description = ''
@ -81,16 +81,16 @@ in {
''; '';
}; };
config = lib.mkIf config.chroot.enable { config = lib.mkIf config.confinement.enable {
serviceConfig = let serviceConfig = let
rootName = "${mkPathSafeName name}-chroot"; rootName = "${mkPathSafeName name}-chroot";
in { in {
RootDirectory = pkgs.runCommand rootName {} "mkdir \"$out\""; RootDirectory = pkgs.runCommand rootName {} "mkdir \"$out\"";
TemporaryFileSystem = "/"; TemporaryFileSystem = "/";
MountFlags = lib.mkDefault "private"; MountFlags = lib.mkDefault "private";
} // lib.optionalAttrs config.chroot.withBinSh { } // lib.optionalAttrs config.confinement.withBinSh {
BindReadOnlyPaths = [ "${pkgs.dash}/bin/dash:/bin/sh" ]; BindReadOnlyPaths = [ "${pkgs.dash}/bin/dash:/bin/sh" ];
} // lib.optionalAttrs (config.chroot.confinement == "full-apivfs") { } // lib.optionalAttrs (config.confinement.mode == "full-apivfs") {
MountAPIVFS = true; MountAPIVFS = true;
PrivateDevices = true; PrivateDevices = true;
PrivateTmp = true; PrivateTmp = true;
@ -99,7 +99,7 @@ in {
ProtectKernelModules = true; ProtectKernelModules = true;
ProtectKernelTunables = true; ProtectKernelTunables = true;
}; };
chroot.packages = let confinement.packages = let
startOnly = config.serviceConfig.RootDirectoryStartOnly or false; startOnly = config.serviceConfig.RootDirectoryStartOnly or false;
execOpts = if startOnly then [ "ExecStart" ] else [ execOpts = if startOnly then [ "ExecStart" ] else [
"ExecReload" "ExecStart" "ExecStartPost" "ExecStartPre" "ExecStop" "ExecReload" "ExecStart" "ExecStartPost" "ExecStartPre" "ExecStop"
@ -108,7 +108,7 @@ in {
execPkgs = lib.concatMap (opt: let execPkgs = lib.concatMap (opt: let
isSet = config.serviceConfig ? ${opt}; isSet = config.serviceConfig ? ${opt};
in lib.optional isSet config.serviceConfig.${opt}) execOpts; in lib.optional isSet config.serviceConfig.${opt}) execOpts;
in execPkgs ++ lib.optional config.chroot.withBinSh pkgs.dash; in execPkgs ++ lib.optional config.confinement.withBinSh pkgs.dash;
}; };
})); }));
}; };
@ -116,8 +116,8 @@ in {
config.assertions = lib.concatLists (lib.mapAttrsToList (name: cfg: let config.assertions = lib.concatLists (lib.mapAttrsToList (name: cfg: let
whatOpt = optName: "The 'serviceConfig' option '${optName}' for" whatOpt = optName: "The 'serviceConfig' option '${optName}' for"
+ " service '${name}' is enabled in conjunction with" + " service '${name}' is enabled in conjunction with"
+ " 'chroot.enable'"; + " 'confinement.enable'";
in lib.optionals cfg.chroot.enable [ in lib.optionals cfg.confinement.enable [
{ assertion = !cfg.serviceConfig.RootDirectoryStartOnly or false; { assertion = !cfg.serviceConfig.RootDirectoryStartOnly or false;
message = "${whatOpt "RootDirectoryStartOnly"}, but right now systemd" message = "${whatOpt "RootDirectoryStartOnly"}, but right now systemd"
+ " doesn't support restricting bind-mounts to 'ExecStart'." + " doesn't support restricting bind-mounts to 'ExecStart'."
@ -133,7 +133,7 @@ in {
config.systemd.packages = lib.concatLists (lib.mapAttrsToList (name: cfg: let config.systemd.packages = lib.concatLists (lib.mapAttrsToList (name: cfg: let
rootPaths = let rootPaths = let
contents = lib.concatStringsSep "\n" cfg.chroot.packages; contents = lib.concatStringsSep "\n" cfg.confinement.packages;
in pkgs.writeText "${mkPathSafeName name}-string-contexts.txt" contents; in pkgs.writeText "${mkPathSafeName name}-string-contexts.txt" contents;
chrootPaths = pkgs.runCommand "${mkPathSafeName name}-chroot-paths" { chrootPaths = pkgs.runCommand "${mkPathSafeName name}-chroot-paths" {
@ -156,5 +156,5 @@ in {
fi fi
done < "$closureInfo/store-paths" >> "$serviceFile" done < "$closureInfo/store-paths" >> "$serviceFile"
''; '';
in lib.optional cfg.chroot.enable chrootPaths) config.systemd.services); in lib.optional cfg.confinement.enable chrootPaths) config.systemd.services);
} }


@ -216,7 +216,7 @@ in
switchTest = handleTest ./switch-test.nix {}; switchTest = handleTest ./switch-test.nix {};
syncthing-relay = handleTest ./syncthing-relay.nix {}; syncthing-relay = handleTest ./syncthing-relay.nix {};
systemd = handleTest ./systemd.nix {}; systemd = handleTest ./systemd.nix {};
systemd-chroot = handleTest ./systemd-chroot.nix {}; systemd-confinement = handleTest ./systemd-confinement.nix {};
taskserver = handleTest ./taskserver.nix {}; taskserver = handleTest ./taskserver.nix {};
telegraf = handleTest ./telegraf.nix {}; telegraf = handleTest ./telegraf.nix {};
tomcat = handleTest ./tomcat.nix {}; tomcat = handleTest ./tomcat.nix {};


@ -1,5 +1,5 @@
import ./make-test.nix { import ./make-test.nix {
name = "systemd-chroot"; name = "systemd-confinement";
machine = { pkgs, lib, ... }: let machine = { pkgs, lib, ... }: let
testServer = pkgs.writeScript "testserver.sh" '' testServer = pkgs.writeScript "testserver.sh" ''
@ -26,13 +26,13 @@ import ./make-test.nix {
}; };
systemd.services."test${toString num}@" = { systemd.services."test${toString num}@" = {
description = "Chrooted Test Service ${toString num}"; description = "Confined Test Service ${toString num}";
chroot = (config.chroot or {}) // { enable = true; }; confinement = (config.confinement or {}) // { enable = true; };
serviceConfig = (config.serviceConfig or {}) // { serviceConfig = (config.serviceConfig or {}) // {
ExecStart = testServer; ExecStart = testServer;
StandardInput = "socket"; StandardInput = "socket";
}; };
} // removeAttrs config [ "chroot" "serviceConfig" ]; } // removeAttrs config [ "confinement" "serviceConfig" ];
__testSteps = lib.mkOrder num '' __testSteps = lib.mkOrder num ''
subtest '${lib.escape ["\\" "'"] description}', sub { subtest '${lib.escape ["\\" "'"] description}', sub {
@ -45,7 +45,7 @@ import ./make-test.nix {
in { in {
imports = lib.imap1 mkTestStep [ imports = lib.imap1 mkTestStep [
{ description = "chroot-only confinement"; { description = "chroot-only confinement";
config.chroot.confinement = "chroot-only"; config.confinement.mode = "chroot-only";
testScript = '' testScript = ''
$machine->succeed( $machine->succeed(
'test "$(chroot-exec ls -1 / | paste -sd,)" = bin,nix', 'test "$(chroot-exec ls -1 / | paste -sd,)" = bin,nix',
@ -88,7 +88,7 @@ import ./make-test.nix {
} "ln -s \"$target\" \"$out\""; } "ln -s \"$target\" \"$out\"";
in { in {
description = "check if symlinks are properly bind-mounted"; description = "check if symlinks are properly bind-mounted";
config.chroot.packages = lib.singleton symlink; config.confinement.packages = lib.singleton symlink;
testScript = '' testScript = ''
$machine->fail('chroot-exec test -e /etc'); $machine->fail('chroot-exec test -e /etc');
$machine->succeed('chroot-exec cat ${symlink} >&2'); $machine->succeed('chroot-exec cat ${symlink} >&2');