History

aszlig 0a9cecc35a nixos/systemd-confinement: Make / read-only Our more thorough parametrised tests uncovered that with the changes for supporting DynamicUser, we now have the situation that for static users the root directory within the confined environment is now writable for the user in question. This is obviously not what we want and I'd consider that a regression. However while discussing this with @ju1m and my suggestion being to set TemporaryFileSystem to "/" (as we had previously), they had an even better idea[1]: > The goal is to deny write access to / to non-root users, > > * TemporaryFileSystem=/ gives us that through the ownership of / by > root (instead of the service's user inherited from > RuntimeDirectory=). > * ProtectSystem=strict gives us that by mounting / read-only (while > keeping its ownership to the service's user). > > To avoid the incompatibilities of TemporaryFileSystem=/ mentioned > above, I suggest to mount / read-only in all cases with > ReadOnlyPaths = [ "+/" ]: > > ... > > I guess this would require at least two changes to the current tests: > > 1. to no longer expect root to be able to write to some paths (like > /bin) (at least not without first remounting / in read-write > mode). > 2. to no longer expect non-root users to fail to write to certain > paths with a "permission denied" error code, but with a > "read-only file system" error code. I like the solution with ReadOnlyPaths even more because it further reduces the attack surface if the user is root. In chroot-only mode this is especially useful, since if there are no other bind-mounted paths involved in the unit configuration, the whole file system within the confined environment is read-only. [1]: https://github.com/NixOS/nixpkgs/pull/289593#discussion_r1586794215 Signed-off-by: aszlig <aszlig@nix.build>		2024-05-13 00:40:40 +02:00
..
doc/manual	nixos/systemd-confinement: support ProtectSystem=/DynamicUser=	2024-05-13 00:40:25 +02:00
lib	nixos/systemd-lib: fix assertRangeOrOneOf when value is not comparable	2024-05-06 10:41:20 -07:00
maintainers	nixos: remove all uses of lib.mdDoc	2024-04-13 10:07:35 -07:00
modules	nixos/systemd-confinement: Make / read-only	2024-05-13 00:40:40 +02:00
tests	nixos/systemd-confinement: Make / read-only	2024-05-13 00:40:40 +02:00
COPYING
default.nix
README.md
release-combined.nix	nixos: remove historical maintainership of modules by eelco	2024-05-12 12:48:57 -07:00
release-small.nix	nixos: remove historical maintainership of modules by eelco	2024-05-12 12:48:57 -07:00
release.nix	treewide: rename renamed sddm/displayManager settings	2024-04-08 21:56:38 +02:00

README.md

NixOS

NixOS is a Linux distribution based on the purely functional package management system Nix. More information can be found at https://nixos.org/nixos and in the manual in doc/manual.

Testing changes

You can add new module to your NixOS configuration file (usually it’s /etc/nixos/configuration.nix). And do sudo nixos-rebuild test -I nixpkgs=<path to your local nixpkgs folder> --fast.

Commit conventions

Make sure you read about the commit conventions common to Nixpkgs as a whole.
Format the commit messages in the following way:
```
nixos/(module): (init module | add setting | refactor | etc)

(Motivation for change. Link to release notes. Additional information.)
```
Examples:
- nixos/hydra: add bazBaz option
  
  Dual baz behavior is needed to do foo.
- nixos/nginx: refactor config generation
  
  The old config generation system used impure shell scripts and could break in specific circumstances (see #1234).

Reviewing contributions

When changing the bootloader installation process, extra care must be taken. Grub installations cannot be rolled back, hence changes may break people’s installations forever. For any non-trivial change to the bootloader please file a PR asking for review, especially from @edolstra.

Module updates

Module updates are submissions changing modules in some ways. These often contains changes to the options or introduce new options.

Reviewing process:

Ensure that the module maintainers are notified.
- CODEOWNERS will make GitHub notify users based on the submitted changes, but it can happen that it misses some of the package maintainers.
Ensure that the module tests, if any, are succeeding.
- You may invoke OfBorg with @ofborg test <module> to build nixosTests.<module>
Ensure that the introduced options are correct.
- Type should be appropriate (string related types differs in their merging capabilities, loaOf and string types are deprecated).
- Description, default and example should be provided.
Ensure that option changes are backward compatible.
- mkRenamedOptionModuleWith provides a way to make renamed option backward compatible.
- Use lib.versionAtLeast config.system.stateVersion "23.11" on backward incompatible changes which may corrupt, change or update the state stored on existing setups.
Ensure that removed options are declared with mkRemovedOptionModule.
Ensure that changes that are not backward compatible are mentioned in release notes.
Ensure that documentations affected by the change is updated.

Sample template for a module update review is provided below.

##### Reviewed points

- [ ] changes are backward compatible
- [ ] removed options are declared with `mkRemovedOptionModule`
- [ ] changes that are not backward compatible are documented in release notes
- [ ] module tests succeed on ARCHITECTURE
- [ ] options types are appropriate
- [ ] options description is set
- [ ] options example is provided
- [ ] documentation affected by the changes is updated

##### Possible improvements

##### Comments

New modules

New modules submissions introduce a new module to NixOS.