nixos/systemd-chroot: Rename chroot to confinement
Quoting @edolstra from [1]: I don't really like the name "chroot", something like "confine[ment]" or "restrict" seems better. Conceptually we're not providing a completely different filesystem tree but a restricted view of the same tree. I already used "confinement" as a sub-option and I do agree that "chroot" sounds a bit too specific (especially because not *only* chroot is involved). So this changes the module name and its option to use "confinement" instead of "chroot" and also renames the "chroot.confinement" to "confinement.mode". [1]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-472855704 Signed-off-by: aszlig <aszlig@nix.build>
This commit is contained in:
parent
ac64ce9945
commit
0ba48f46da
@ -170,7 +170,7 @@
|
||||
./security/rtkit.nix
|
||||
./security/wrappers/default.nix
|
||||
./security/sudo.nix
|
||||
./security/systemd-chroot.nix
|
||||
./security/systemd-confinement.nix
|
||||
./services/admin/oxidized.nix
|
||||
./services/admin/salt/master.nix
|
||||
./services/admin/salt/minion.nix
|
||||
|
@ -8,7 +8,7 @@ let
|
||||
in {
|
||||
options.systemd.services = lib.mkOption {
|
||||
type = types.attrsOf (types.submodule ({ name, config, ... }: {
|
||||
options.chroot.enable = lib.mkOption {
|
||||
options.confinement.enable = lib.mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
@ -20,7 +20,7 @@ in {
|
||||
'';
|
||||
};
|
||||
|
||||
options.chroot.packages = lib.mkOption {
|
||||
options.confinement.packages = lib.mkOption {
|
||||
type = types.listOf (types.either types.str types.package);
|
||||
default = [];
|
||||
description = let
|
||||
@ -44,7 +44,7 @@ in {
|
||||
'';
|
||||
};
|
||||
|
||||
options.chroot.withBinSh = lib.mkOption {
|
||||
options.confinement.withBinSh = lib.mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
@ -59,7 +59,7 @@ in {
|
||||
'';
|
||||
};
|
||||
|
||||
options.chroot.confinement = lib.mkOption {
|
||||
options.confinement.mode = lib.mkOption {
|
||||
type = types.enum [ "full-apivfs" "chroot-only" ];
|
||||
default = "full-apivfs";
|
||||
description = ''
|
||||
@ -81,16 +81,16 @@ in {
|
||||
'';
|
||||
};
|
||||
|
||||
config = lib.mkIf config.chroot.enable {
|
||||
config = lib.mkIf config.confinement.enable {
|
||||
serviceConfig = let
|
||||
rootName = "${mkPathSafeName name}-chroot";
|
||||
in {
|
||||
RootDirectory = pkgs.runCommand rootName {} "mkdir \"$out\"";
|
||||
TemporaryFileSystem = "/";
|
||||
MountFlags = lib.mkDefault "private";
|
||||
} // lib.optionalAttrs config.chroot.withBinSh {
|
||||
} // lib.optionalAttrs config.confinement.withBinSh {
|
||||
BindReadOnlyPaths = [ "${pkgs.dash}/bin/dash:/bin/sh" ];
|
||||
} // lib.optionalAttrs (config.chroot.confinement == "full-apivfs") {
|
||||
} // lib.optionalAttrs (config.confinement.mode == "full-apivfs") {
|
||||
MountAPIVFS = true;
|
||||
PrivateDevices = true;
|
||||
PrivateTmp = true;
|
||||
@ -99,7 +99,7 @@ in {
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
};
|
||||
chroot.packages = let
|
||||
confinement.packages = let
|
||||
startOnly = config.serviceConfig.RootDirectoryStartOnly or false;
|
||||
execOpts = if startOnly then [ "ExecStart" ] else [
|
||||
"ExecReload" "ExecStart" "ExecStartPost" "ExecStartPre" "ExecStop"
|
||||
@ -108,7 +108,7 @@ in {
|
||||
execPkgs = lib.concatMap (opt: let
|
||||
isSet = config.serviceConfig ? ${opt};
|
||||
in lib.optional isSet config.serviceConfig.${opt}) execOpts;
|
||||
in execPkgs ++ lib.optional config.chroot.withBinSh pkgs.dash;
|
||||
in execPkgs ++ lib.optional config.confinement.withBinSh pkgs.dash;
|
||||
};
|
||||
}));
|
||||
};
|
||||
@ -116,8 +116,8 @@ in {
|
||||
config.assertions = lib.concatLists (lib.mapAttrsToList (name: cfg: let
|
||||
whatOpt = optName: "The 'serviceConfig' option '${optName}' for"
|
||||
+ " service '${name}' is enabled in conjunction with"
|
||||
+ " 'chroot.enable'";
|
||||
in lib.optionals cfg.chroot.enable [
|
||||
+ " 'confinement.enable'";
|
||||
in lib.optionals cfg.confinement.enable [
|
||||
{ assertion = !cfg.serviceConfig.RootDirectoryStartOnly or false;
|
||||
message = "${whatOpt "RootDirectoryStartOnly"}, but right now systemd"
|
||||
+ " doesn't support restricting bind-mounts to 'ExecStart'."
|
||||
@ -133,7 +133,7 @@ in {
|
||||
|
||||
config.systemd.packages = lib.concatLists (lib.mapAttrsToList (name: cfg: let
|
||||
rootPaths = let
|
||||
contents = lib.concatStringsSep "\n" cfg.chroot.packages;
|
||||
contents = lib.concatStringsSep "\n" cfg.confinement.packages;
|
||||
in pkgs.writeText "${mkPathSafeName name}-string-contexts.txt" contents;
|
||||
|
||||
chrootPaths = pkgs.runCommand "${mkPathSafeName name}-chroot-paths" {
|
||||
@ -156,5 +156,5 @@ in {
|
||||
fi
|
||||
done < "$closureInfo/store-paths" >> "$serviceFile"
|
||||
'';
|
||||
in lib.optional cfg.chroot.enable chrootPaths) config.systemd.services);
|
||||
in lib.optional cfg.confinement.enable chrootPaths) config.systemd.services);
|
||||
}
|
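Review bot: The derivation names `rootName = "${mkPathSafeName name}-chroot";` and `"${mkPathSafeName name}-chroot-paths"` still carry the old "chroot" wording while every user-facing option in this file now says "confinement"; either rename them as well or make the residual term deliberate with a comment such as `# "chroot" here names the RootDirectory= mechanism, not the (renamed) user option` so a later grep-driven cleanup does not change a store-path suffix by accident. `confinement.mode` is the security-relevant knob of this module: the `"chroot-only"` value skips `MountAPIVFS`, `PrivateDevices`, `PrivateTmp` and the `ProtectKernel*` settings that the `"full-apivfs"` branch adds, so the option's description (outside these hunks) should spell out exactly which protections each mode drops. The old `chroot.*` attribute paths get no alias; since the option set is declared in a `types.submodule`, a leftover `chroot.enable = true` will fail at evaluation time rather than silently run unconfined, which is the safe direction, but if the old names ever shipped a `mkRenamedOptionModule`-style shim or a note in the commit message would help users migrating.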
@ -216,7 +216,7 @@ in
|
||||
switchTest = handleTest ./switch-test.nix {};
|
||||
syncthing-relay = handleTest ./syncthing-relay.nix {};
|
||||
systemd = handleTest ./systemd.nix {};
|
||||
systemd-chroot = handleTest ./systemd-chroot.nix {};
|
||||
systemd-confinement = handleTest ./systemd-confinement.nix {};
|
||||
taskserver = handleTest ./taskserver.nix {};
|
||||
telegraf = handleTest ./telegraf.nix {};
|
||||
tomcat = handleTest ./tomcat.nix {};
|
||||
|
@ -1,5 +1,5 @@
|
||||
import ./make-test.nix {
|
||||
name = "systemd-chroot";
|
||||
name = "systemd-confinement";
|
||||
|
||||
machine = { pkgs, lib, ... }: let
|
||||
testServer = pkgs.writeScript "testserver.sh" ''
|
||||
@ -26,13 +26,13 @@ import ./make-test.nix {
|
||||
};
|
||||
|
||||
systemd.services."test${toString num}@" = {
|
||||
description = "Chrooted Test Service ${toString num}";
|
||||
chroot = (config.chroot or {}) // { enable = true; };
|
||||
description = "Confined Test Service ${toString num}";
|
||||
confinement = (config.confinement or {}) // { enable = true; };
|
||||
serviceConfig = (config.serviceConfig or {}) // {
|
||||
ExecStart = testServer;
|
||||
StandardInput = "socket";
|
||||
};
|
||||
} // removeAttrs config [ "chroot" "serviceConfig" ];
|
||||
} // removeAttrs config [ "confinement" "serviceConfig" ];
|
||||
|
||||
__testSteps = lib.mkOrder num ''
|
||||
subtest '${lib.escape ["\\" "'"] description}', sub {
|
||||
@ -45,7 +45,7 @@ import ./make-test.nix {
|
||||
in {
|
||||
imports = lib.imap1 mkTestStep [
|
||||
{ description = "chroot-only confinement";
|
||||
config.chroot.confinement = "chroot-only";
|
||||
config.confinement.mode = "chroot-only";
|
||||
testScript = ''
|
||||
$machine->succeed(
|
||||
'test "$(chroot-exec ls -1 / | paste -sd,)" = bin,nix',
|
||||
@ -88,7 +88,7 @@ import ./make-test.nix {
|
||||
} "ln -s \"$target\" \"$out\"";
|
||||
in {
|
||||
description = "check if symlinks are properly bind-mounted";
|
||||
config.chroot.packages = lib.singleton symlink;
|
||||
config.confinement.packages = lib.singleton symlink;
|
||||
testScript = ''
|
||||
$machine->fail('chroot-exec test -e /etc');
|
||||
$machine->succeed('chroot-exec cat ${symlink} >&2');
|