aszlig
commented
3 years ago systemd.services.grafana = { confinement.enable = true; serviceConfig.BindPaths = ["/var/lib/grafana"]; };
Btw. you can also use StateDirectory:
systemd.services.grafana = {
confinement.enable = true;
serviceConfig.StateDirectory = "grafana";
};I guess my question boils down to this: Should users wanting to enable confinement themselves be expected to look at the unit file and add dependencies from the above list manually, risking breakage if a service is updated to use a listed dependency, should they when in doubt just enable fullUnit (contradicting the docs) or should services directly reference packages from this list so they'll be included in the Exec closures?
This is something I pointed out in the initial pull request, which is why the documentation has the following note:
The store paths listed in
pathare not included in the closure as well as paths from other options except those listed above.
So yes, this is deliberate and the services either need to directly reference ${pkgs.coreutils} or have coreutils in confinement.packages.
In theory, we could also add path to confinement.packages by default, but it would only add to the options needed in order to have the most strict level of confinement. For example right now if you want it to be a strict as possible you need to set mode = "chroot-only" and binSh = null. Including path by default would add another mkForce on confinement.packages.
Of course, this is how I usually approach sandboxing services, which not only involves confinement but also other things such as SystemCallFilter, PrivateNetwork, etc... and I go from the most restrictive configuration to "just enough things allowed so the application works". I also tend to sometimes go through a few hoops to make sure the application in question uses the full store path rather than rely on PATH or ugly wrappers, but of course YMMV.
If people commonly expect that path is included in confinement.packages we could change the default, but given that it will be painful in terms of backwards-compatibility (eg. existing services using the module silently get new store paths in the chroot) I'd rather see very convincing arguments why this would be a good default.
ArdaXi
stale[bot]
Describe the bug I just tried to enable confinement for a service, and it broke because it had a bare
lnline inExecStartPre.systemd-confinementonly looks at the closure of theExeclines and does not include the service's path.This could be solved in two ways, either
systemd-confinementalso takes the service'sPathinto account, or services are more explicit about relying oncoreutils. When I had a look in the repo, I found a grand total of two services that call${pkgs.coreutils}/bin/lnrather than justln, and this is probably also extended to more binaries. However,confinement.fullUnitspecifically exists so the default does not pull incoreutils.To Reproduce Steps to reproduce the behavior:
coreutilsbeing in the path, I started with GrafanaExpected behavior Service starts without needing to add
coreutils.Additional context I realise that
coreutilshas been a part of the default path for services for quite a long time and services are written with this in mind. I realise that actually changing this list is unlikely to happen, especially in the short term. I would however like to ask whether services should be written with this list in mind, or whether they should be explicit in their dependencies.https://github.com/NixOS/nixpkgs/blob/df18d77f1ea455909d0799edfa2e425aa04faf14/nixos/modules/system/boot/systemd.nix#L255-L262
I guess my question boils down to this: Should users wanting to enable confinement themselves be expected to look at the unit file and add dependencies from the above list manually, risking breakage if a service is updated to use a listed dependency, should they when in doubt just enable
fullUnit(contradicting the docs) or should services directly reference packages from this list so they'll be included in theExecclosures?Notify maintainers @aszlig