nixos/systemd-chroot: Rename chroot to confinement

Quoting @edolstra from [1]:

  I don't really like the name "chroot", something like "confine[ment]"
  or "restrict" seems better. Conceptually we're not providing a
  completely different filesystem tree but a restricted view of the same
  tree.

I already used "confinement" as a sub-option and I do agree that
"chroot" sounds a bit too specific (especially because not *only* chroot
is involved).

So this changes the module name and its option to use "confinement"
instead of "chroot" and also renames the "chroot.confinement" to
"confinement.mode".

[1]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-472855704

Signed-off-by: aszlig <aszlig@nix.build>
aszlig 2019-03-14 15:26:10 +01:00
parent ac64ce9945
commit 0ba48f46da
GPG Key ID: 684089CE67EBB691
4 changed files with 21 additions and 21 deletions


@ -170,7 +170,7 @@
./security/rtkit.nix
./security/wrappers/default.nix
./security/sudo.nix
./security/systemd-chroot.nix
./security/systemd-confinement.nix
./services/admin/oxidized.nix
./services/admin/salt/master.nix
./services/admin/salt/minion.nix


@ -8,7 +8,7 @@ let
in {
options.systemd.services = lib.mkOption {
type = types.attrsOf (types.submodule ({ name, config, ... }: {
options.chroot.enable = lib.mkOption {
options.confinement.enable = lib.mkOption {
type = types.bool;
default = false;
description = ''
@ -20,7 +20,7 @@ in {
'';
};
options.chroot.packages = lib.mkOption {
options.confinement.packages = lib.mkOption {
type = types.listOf (types.either types.str types.package);
default = [];
description = let
@ -44,7 +44,7 @@ in {
'';
};
options.chroot.withBinSh = lib.mkOption {
options.confinement.withBinSh = lib.mkOption {
type = types.bool;
default = true;
description = ''
@ -59,7 +59,7 @@ in {
'';
};
options.chroot.confinement = lib.mkOption {
options.confinement.mode = lib.mkOption {
type = types.enum [ "full-apivfs" "chroot-only" ];
default = "full-apivfs";
description = ''
@ -81,16 +81,16 @@ in {
'';
};
config = lib.mkIf config.chroot.enable {
config = lib.mkIf config.confinement.enable {
serviceConfig = let
rootName = "${mkPathSafeName name}-chroot";
in {
RootDirectory = pkgs.runCommand rootName {} "mkdir \"$out\"";
TemporaryFileSystem = "/";
MountFlags = lib.mkDefault "private";
} // lib.optionalAttrs config.chroot.withBinSh {
} // lib.optionalAttrs config.confinement.withBinSh {
BindReadOnlyPaths = [ "${pkgs.dash}/bin/dash:/bin/sh" ];
} // lib.optionalAttrs (config.chroot.confinement == "full-apivfs") {
} // lib.optionalAttrs (config.confinement.mode == "full-apivfs") {
MountAPIVFS = true;
PrivateDevices = true;
PrivateTmp = true;
@ -99,7 +99,7 @@ in {
ProtectKernelModules = true;
ProtectKernelTunables = true;
};
chroot.packages = let
confinement.packages = let
startOnly = config.serviceConfig.RootDirectoryStartOnly or false;
execOpts = if startOnly then [ "ExecStart" ] else [
"ExecReload" "ExecStart" "ExecStartPost" "ExecStartPre" "ExecStop"
@ -108,7 +108,7 @@ in {
execPkgs = lib.concatMap (opt: let
isSet = config.serviceConfig ? ${opt};
in lib.optional isSet config.serviceConfig.${opt}) execOpts;
in execPkgs ++ lib.optional config.chroot.withBinSh pkgs.dash;
in execPkgs ++ lib.optional config.confinement.withBinSh pkgs.dash;
};
}));
};
@ -116,8 +116,8 @@ in {
config.assertions = lib.concatLists (lib.mapAttrsToList (name: cfg: let
whatOpt = optName: "The 'serviceConfig' option '${optName}' for"
+ " service '${name}' is enabled in conjunction with"
+ " 'chroot.enable'";
in lib.optionals cfg.chroot.enable [
+ " 'confinement.enable'";
in lib.optionals cfg.confinement.enable [
{ assertion = !cfg.serviceConfig.RootDirectoryStartOnly or false;
message = "${whatOpt "RootDirectoryStartOnly"}, but right now systemd"
+ " doesn't support restricting bind-mounts to 'ExecStart'."
@ -133,7 +133,7 @@ in {
config.systemd.packages = lib.concatLists (lib.mapAttrsToList (name: cfg: let
rootPaths = let
contents = lib.concatStringsSep "\n" cfg.chroot.packages;
contents = lib.concatStringsSep "\n" cfg.confinement.packages;
in pkgs.writeText "${mkPathSafeName name}-string-contexts.txt" contents;
chrootPaths = pkgs.runCommand "${mkPathSafeName name}-chroot-paths" {
@ -156,5 +156,5 @@ in {
fi
done < "$closureInfo/store-paths" >> "$serviceFile"
'';
in lib.optional cfg.chroot.enable chrootPaths) config.systemd.services);
in lib.optional cfg.confinement.enable chrootPaths) config.systemd.services);
}


@ -216,7 +216,7 @@ in
switchTest = handleTest ./switch-test.nix {};
syncthing-relay = handleTest ./syncthing-relay.nix {};
systemd = handleTest ./systemd.nix {};
systemd-chroot = handleTest ./systemd-chroot.nix {};
systemd-confinement = handleTest ./systemd-confinement.nix {};
taskserver = handleTest ./taskserver.nix {};
telegraf = handleTest ./telegraf.nix {};
tomcat = handleTest ./tomcat.nix {};


@ -1,5 +1,5 @@
import ./make-test.nix {
name = "systemd-chroot";
name = "systemd-confinement";
machine = { pkgs, lib, ... }: let
testServer = pkgs.writeScript "testserver.sh" ''
@ -26,13 +26,13 @@ import ./make-test.nix {
};
systemd.services."test${toString num}@" = {
description = "Chrooted Test Service ${toString num}";
chroot = (config.chroot or {}) // { enable = true; };
description = "Confined Test Service ${toString num}";
confinement = (config.confinement or {}) // { enable = true; };
serviceConfig = (config.serviceConfig or {}) // {
ExecStart = testServer;
StandardInput = "socket";
};
} // removeAttrs config [ "chroot" "serviceConfig" ];
} // removeAttrs config [ "confinement" "serviceConfig" ];
__testSteps = lib.mkOrder num ''
subtest '${lib.escape ["\\" "'"] description}', sub {
@ -45,7 +45,7 @@ import ./make-test.nix {
in {
imports = lib.imap1 mkTestStep [
{ description = "chroot-only confinement";
config.chroot.confinement = "chroot-only";
config.confinement.mode = "chroot-only";
testScript = ''
$machine->succeed(
'test "$(chroot-exec ls -1 / | paste -sd,)" = bin,nix',
@ -88,7 +88,7 @@ import ./make-test.nix {
} "ln -s \"$target\" \"$out\"";
in {
description = "check if symlinks are properly bind-mounted";
config.chroot.packages = lib.singleton symlink;
config.confinement.packages = lib.singleton symlink;
testScript = ''
$machine->fail('chroot-exec test -e /etc');
$machine->succeed('chroot-exec cat ${symlink} >&2');