From 0ba48f46dacf1d0771cb1995a9a0ff6c1bd2e4fb Mon Sep 17 00:00:00 2001
From: aszlig
Date: Thu, 14 Mar 2019 15:26:10 +0100
Subject: [PATCH] nixos/systemd-chroot: Rename chroot to confinement

Quoting @edolstra from [1]:

I don't really like the name "chroot", something like "confine[ment]" or "restrict" seems better. Conceptually we're not providing a completely different filesystem tree but a restricted view of the same tree.

I already used "confinement" as a sub-option and I do agree that "chroot" sounds a bit too specific (especially because not *only* chroot is involved).

So this changes the module name and its option to use "confinement" instead of "chroot" and also renames the "chroot.confinement" to "confinement.mode".

[1]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-472855704

Signed-off-by: aszlig
---
 nixos/modules/module-list.nix | 2 +-
 ...emd-chroot.nix => systemd-confinement.nix} | 26 +++++++++----------
 nixos/tests/all-tests.nix | 2 +-
 ...emd-chroot.nix => systemd-confinement.nix} | 12 ++++-----
 4 files changed, 21 insertions(+), 21 deletions(-)
 rename nixos/modules/security/{systemd-chroot.nix => systemd-confinement.nix} (88%)
 rename nixos/tests/{systemd-chroot.nix => systemd-confinement.nix} (92%)

diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 768bc40d179..ab49bd549a8 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -170,7 +170,7 @@
   ./security/rtkit.nix
   ./security/wrappers/default.nix
   ./security/sudo.nix
-  ./security/systemd-chroot.nix
+  ./security/systemd-confinement.nix
   ./services/admin/oxidized.nix
   ./services/admin/salt/master.nix
   ./services/admin/salt/minion.nix
diff --git a/nixos/modules/security/systemd-chroot.nix b/nixos/modules/security/systemd-confinement.nix
similarity index 88%
rename from nixos/modules/security/systemd-chroot.nix
rename to nixos/modules/security/systemd-confinement.nix
index befe2d3418c..dc53bbc4dbb 100644
--- a/nixos/modules/security/systemd-chroot.nix
+++ b/nixos/modules/security/systemd-confinement.nix
@@ -8,7 +8,7 @@ let
 in {
   options.systemd.services = lib.mkOption {
     type = types.attrsOf (types.submodule ({ name, config, ... }: {
-      options.chroot.enable = lib.mkOption {
+      options.confinement.enable = lib.mkOption {
         type = types.bool;
         default = false;
         description = ''
@@ -20,7 +20,7 @@ in {
         '';
       };
 
-      options.chroot.packages = lib.mkOption {
+      options.confinement.packages = lib.mkOption {
         type = types.listOf (types.either types.str types.package);
         default = [];
         description = let
@@ -44,7 +44,7 @@ in {
         '';
       };
 
-      options.chroot.withBinSh = lib.mkOption {
+      options.confinement.withBinSh = lib.mkOption {
         type = types.bool;
         default = true;
         description = ''
@@ -59,7 +59,7 @@ in {
         '';
       };
 
-      options.chroot.confinement = lib.mkOption {
+      options.confinement.mode = lib.mkOption {
         type = types.enum [ "full-apivfs" "chroot-only" ];
         default = "full-apivfs";
         description = ''
@@ -81,16 +81,16 @@ in {
         '';
       };
 
-      config = lib.mkIf config.chroot.enable {
+      config = lib.mkIf config.confinement.enable {
         serviceConfig = let
           rootName = "${mkPathSafeName name}-chroot";
         in {
           RootDirectory = pkgs.runCommand rootName {} "mkdir \"$out\"";
           TemporaryFileSystem = "/";
           MountFlags = lib.mkDefault "private";
-        } // lib.optionalAttrs config.chroot.withBinSh {
+        } // lib.optionalAttrs config.confinement.withBinSh {
           BindReadOnlyPaths = [ "${pkgs.dash}/bin/dash:/bin/sh" ];
-        } // lib.optionalAttrs (config.chroot.confinement == "full-apivfs") {
+        } // lib.optionalAttrs (config.confinement.mode == "full-apivfs") {
           MountAPIVFS = true;
           PrivateDevices = true;
           PrivateTmp = true;
@@ -99,7 +99,7 @@ in {
           ProtectKernelModules = true;
           ProtectKernelTunables = true;
         };
-        chroot.packages = let
+        confinement.packages = let
           startOnly = config.serviceConfig.RootDirectoryStartOnly or false;
           execOpts = if startOnly then [ "ExecStart" ] else [
             "ExecReload" "ExecStart" "ExecStartPost" "ExecStartPre" "ExecStop"
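Review bot: The rename is applied to the option names only; in the @@ -81 hunk `rootName = "${mkPathSafeName name}-chroot"` and, in the @@ -133 hunk below, the `chrootPaths` derivation named `"${mkPathSafeName name}-chroot-paths"` still carry the old term, so the file now mixes both vocabularies. Keeping them is defensible, because `RootDirectory` is set unconditionally in that hunk and the `chroot-only` value of `confinement.mode` remains, but a short comment would spare the next reader a hunt for a missed rename, e.g. `# "chroot" in the derivation names refers to the RootDirectory mechanism, which every confinement mode uses.` The `serviceConfig` attribute set opened in the @@ -81 hunk closes in the @@ -99 hunk, and the enclosing `config = lib.mkIf ...` block ends outside both.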
@@ -108,7 +108,7 @@ in {
           execPkgs = lib.concatMap (opt: let
             isSet = config.serviceConfig ? ${opt};
           in lib.optional isSet config.serviceConfig.${opt}) execOpts;
-        in execPkgs ++ lib.optional config.chroot.withBinSh pkgs.dash;
+        in execPkgs ++ lib.optional config.confinement.withBinSh pkgs.dash;
       };
     }));
   };
@@ -116,8 +116,8 @@ in {
   config.assertions = lib.concatLists (lib.mapAttrsToList (name: cfg: let
     whatOpt = optName: "The 'serviceConfig' option '${optName}' for"
             + " service '${name}' is enabled in conjunction with"
-            + " 'chroot.enable'";
-  in lib.optionals cfg.chroot.enable [
+            + " 'confinement.enable'";
+  in lib.optionals cfg.confinement.enable [
     { assertion = !cfg.serviceConfig.RootDirectoryStartOnly or false;
       message = "${whatOpt "RootDirectoryStartOnly"}, but right now systemd"
               + " doesn't support restricting bind-mounts to 'ExecStart'."
@@ -133,7 +133,7 @@ in {
 
   config.systemd.packages = lib.concatLists (lib.mapAttrsToList (name: cfg: let
     rootPaths = let
-      contents = lib.concatStringsSep "\n" cfg.chroot.packages;
+      contents = lib.concatStringsSep "\n" cfg.confinement.packages;
     in pkgs.writeText "${mkPathSafeName name}-string-contexts.txt" contents;
 
     chrootPaths = pkgs.runCommand "${mkPathSafeName name}-chroot-paths" {
@@ -156,5 +156,5 @@ in {
         fi
       done < "$closureInfo/store-paths" >> "$serviceFile"
     '';
-  in lib.optional cfg.chroot.enable chrootPaths) config.systemd.services);
+  in lib.optional cfg.confinement.enable chrootPaths) config.systemd.services);
 }
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index fe67e245350..70103c4e6da 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -216,7 +216,7 @@ in
   switchTest = handleTest ./switch-test.nix {};
   syncthing-relay = handleTest ./syncthing-relay.nix {};
   systemd = handleTest ./systemd.nix {};
-  systemd-chroot = handleTest ./systemd-chroot.nix {};
+  systemd-confinement = handleTest ./systemd-confinement.nix {};
   taskserver = handleTest ./taskserver.nix {};
   telegraf = handleTest ./telegraf.nix {};
   tomcat = handleTest ./tomcat.nix {};
diff --git a/nixos/tests/systemd-chroot.nix b/nixos/tests/systemd-confinement.nix
similarity index 92%
rename from nixos/tests/systemd-chroot.nix
rename to nixos/tests/systemd-confinement.nix
index 523e1ad9f4d..448d34ec30b 100644
--- a/nixos/tests/systemd-chroot.nix
+++ b/nixos/tests/systemd-confinement.nix
@@ -1,5 +1,5 @@
 import ./make-test.nix {
-  name = "systemd-chroot";
+  name = "systemd-confinement";
 
   machine = { pkgs, lib, ... }: let
     testServer = pkgs.writeScript "testserver.sh" ''
@@ -26,13 +26,13 @@ import ./make-test.nix {
       };
 
       systemd.services."test${toString num}@" = {
-        description = "Chrooted Test Service ${toString num}";
-        chroot = (config.chroot or {}) // { enable = true; };
+        description = "Confined Test Service ${toString num}";
+        confinement = (config.confinement or {}) // { enable = true; };
         serviceConfig = (config.serviceConfig or {}) // {
           ExecStart = testServer;
           StandardInput = "socket";
         };
-      } // removeAttrs config [ "chroot" "serviceConfig" ];
+      } // removeAttrs config [ "confinement" "serviceConfig" ];
 
       __testSteps = lib.mkOrder num ''
         subtest '${lib.escape ["\\" "'"] description}', sub {
@@ -45,7 +45,7 @@ import ./make-test.nix {
   in {
     imports = lib.imap1 mkTestStep [
       { description = "chroot-only confinement";
-        config.chroot.confinement = "chroot-only";
+        config.confinement.mode = "chroot-only";
         testScript = ''
           $machine->succeed(
             'test "$(chroot-exec ls -1 / | paste -sd,)" = bin,nix',
@@ -88,7 +88,7 @@ import ./make-test.nix {
       } "ln -s \"$target\" \"$out\"";
     in {
       description = "check if symlinks are properly bind-mounted";
-      config.chroot.packages = lib.singleton symlink;
+      config.confinement.packages = lib.singleton symlink;
       testScript = ''
         $machine->fail('chroot-exec test -e /etc');
         $machine->succeed('chroot-exec cat ${symlink} >&2');