commit 0a9cecc35a651a020f66a4cc2a8333e33558650d · pyrox.dev/nixpkgs

nixos/modules/security/systemd-confinement.nix

···

       105
       105
        
               wantsAPIVFS = lib.mkDefault (config.confinement.mode == "full-apivfs");

     

       106
       106
        
             in lib.mkIf config.confinement.enable {

     

       107
       107
        
               serviceConfig = {

     

       108
       108
       +
                 ReadOnlyPaths = [ "+/" ];

     

       108
       109
        
                 RuntimeDirectory = [ "confinement/${mkPathSafeName name}" ];

     

       109
       110
        
                 RootDirectory = lib.mkDefault "/run/confinement/${mkPathSafeName name}";

     

       110
       111
        
                 InaccessiblePaths = [

+7 -8

nixos/tests/systemd-confinement/default.nix

···

       87
       87
        
                 assert os.getgid() == 0

     

       88
       88
        
       

     

       89
       89
        
                 assert_permissions({

     

       90
       90
       -
                   'bin': Accessibility.WRITABLE,

     

       91
       91
       -
                   'nix': Accessibility.WRITABLE,

     

       92
       92
       -
                   'run': Accessibility.WRITABLE,

     

       90
       90
       +
                   'bin': Accessibility.READABLE,

     

       91
       91
       +
                   'nix': Accessibility.READABLE,

     

       92
       92
       +
                   'run': Accessibility.READABLE,

     

       93
       93
        
                   ${lib.optionalString privateTmp "'tmp': Accessibility.STICKY,"}

     

       94
       94
       -
                   ${lib.optionalString privateTmp "'var': Accessibility.WRITABLE,"}

     

       94
       94
       +
                   ${lib.optionalString privateTmp "'var': Accessibility.READABLE,"}

     

       95
       95
        
                   ${lib.optionalString privateTmp "'var/tmp': Accessibility.STICKY,"}

     

       96
       96
        
                 })

     

       97
       97
        
               '' else ''

     
···

       120
       120
        
                 assert os.getgid() == 0

     

       121
       121
        
       

     

       122
       122
        
                 assert_permissions({

     

       123
       123
       -
                   'bin': Accessibility.WRITABLE,

     

       124
       124
       -
                   'nix': Accessibility.WRITABLE,

     

       123
       123
       +
                   'bin': Accessibility.READABLE,

     

       124
       124
       +
                   'nix': Accessibility.READABLE,

     

       125
       125
        
                   ${lib.optionalString privateTmp "'tmp': Accessibility.STICKY,"}

     

       126
       126
        
                   'run': Accessibility.WRITABLE,

     

       127
       127
        
       

     
···

       129
       129
        
                   'sys': Accessibility.SPECIAL,

     

       130
       130
        
                   'dev': Accessibility.WRITABLE,

     

       131
       131
        
       

     

       132
       132
       -
                   ${lib.optionalString privateTmp "'var': Accessibility.WRITABLE,"}

     

       132
       132
       +
                   ${lib.optionalString privateTmp "'var': Accessibility.READABLE,"}

     

       133
       133
        
                   ${lib.optionalString privateTmp "'var/tmp': Accessibility.STICKY,"}

     

       134
       134
        
                 })

     

       135
       135
        
               '' else ''

     
···

       144
       144
        
       

     

       145
       145
        
                   'proc': Accessibility.SPECIAL,

     

       146
       146
        
                   'sys': Accessibility.SPECIAL,

     

       147
       147
       -
       

     

       148
       147
        
                   'dev': Accessibility.SPECIAL,

     

       149
       148
        
                   'dev/shm': Accessibility.STICKY,

     

       150
       149
        
                   'dev/mqueue': Accessibility.STICKY,