@ -8,7 +8,7 @@ let
in {
options . systemd . services = lib . mkOption {
type = types . attrsOf ( types . submodule ( { name , config , . . . }: {
options . chroo t . enable = lib . mkOption {
options . confinemen t . enable = lib . mkOption {
type = types . bool ;
default = false ;
description = ''
@ -20,7 +20,7 @@ in {
'' ;
} ;
options . chroo t . packages = lib . mkOption {
options . confinemen t . packages = lib . mkOption {
type = types . listOf ( types . either types . str types . package ) ;
default = [ ] ;
description = let
@ -44,7 +44,7 @@ in {
'' ;
} ;
options . chroo t . withBinSh = lib . mkOption {
options . confinemen t . withBinSh = lib . mkOption {
type = types . bool ;
default = true ;
description = ''
@ -59,7 +59,7 @@ in {
'' ;
} ;
options . chroot . confinement = lib . mkOption {
options . confinement . mode = lib . mkOption {
type = types . enum [ " f u l l - a p i v f s " " c h r o o t - o n l y " ] ;
default = " f u l l - a p i v f s " ;
description = ''
@ -81,16 +81,16 @@ in {
'' ;
} ;
config = lib . mkIf config . chroo t . enable {
config = lib . mkIf config . confinemen t . enable {
serviceConfig = let
rootName = " ${ mkPathSafeName name } - c h r o o t " ;
in {
RootDirectory = pkgs . runCommand rootName { } " m k d i r \" $ o u t \" " ;
TemporaryFileSystem = " / " ;
MountFlags = lib . mkDefault " p r i v a t e " ;
} // lib . optionalAttrs config . chroo t . withBinSh {
} // lib . optionalAttrs config . confinemen t . withBinSh {
BindReadOnlyPaths = [ " ${ pkgs . dash } / b i n / d a s h : / b i n / s h " ] ;
} // lib . optionalAttrs ( config . chroot . confinement == " f u l l - a p i v f s " ) {
} // lib . optionalAttrs ( config . confinement . mode == " f u l l - a p i v f s " ) {
MountAPIVFS = true ;
PrivateDevices = true ;
PrivateTmp = true ;
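Review bot: The rename to `confinement.*` is only partial in this hunk: `rootName` still builds a derivation named `${mkPathSafeName name}-chroot`, and the later hunks keep the `chrootPaths` binding and the `-chroot-paths` derivation name next to the new `cfg.confinement.*` references. If the old word is deliberate because these values describe the `RootDirectory` mechanism rather than the option namespace, a one-line comment would make that clear, for example `# "chroot" names the RootDirectory mechanism, not the option namespace`. Otherwise rename them in this commit so a search for the old option name returns nothing in this module. The `serviceConfig` attribute set continues past the end of this hunk.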
@ -99,7 +99,7 @@ in {
ProtectKernelModules = true ;
ProtectKernelTunables = true ;
} ;
chroo t . packages = let
confinemen t . packages = let
startOnly = config . serviceConfig . RootDirectoryStartOnly or false ;
execOpts = if startOnly then [ " E x e c S t a r t " ] else [
" E x e c R e l o a d " " E x e c S t a r t " " E x e c S t a r t P o s t " " E x e c S t a r t P r e " " E x e c S t o p "
@ -108,7 +108,7 @@ in {
execPkgs = lib . concatMap ( opt : let
isSet = config . serviceConfig ? ${ opt } ;
in lib . optional isSet config . serviceConfig . ${ opt } ) execOpts ;
in execPkgs ++ lib . optional config . chroo t . withBinSh pkgs . dash ;
in execPkgs ++ lib . optional config . confinemen t . withBinSh pkgs . dash ;
} ;
} ) ) ;
} ;
@ -116,8 +116,8 @@ in {
config . assertions = lib . concatLists ( lib . mapAttrsToList ( name : cfg : let
whatOpt = optName : " T h e ' s e r v i c e C o n f i g ' o p t i o n ' ${ optName } ' f o r "
+ " s e r v i c e ' ${ name } ' i s e n a b l e d i n c o n j u n c t i o n w i t h "
+ " ' c h r o o t . e n a b l e ' " ;
in lib . optionals cfg . chroo t . enable [
+ " ' c o n f i n e m e n t . e n a b l e ' " ;
in lib . optionals cfg . confinemen t . enable [
{ assertion = ! cfg . serviceConfig . RootDirectoryStartOnly or false ;
message = " ${ whatOpt " R o o t D i r e c t o r y S t a r t O n l y " } , b u t r i g h t n o w s y s t e m d "
+ " d o e s n ' t s u p p o r t r e s t r i c t i n g b i n d - m o u n t s t o ' E x e c S t a r t ' . "
@ -133,7 +133,7 @@ in {
config . systemd . packages = lib . concatLists ( lib . mapAttrsToList ( name : cfg : let
rootPaths = let
contents = lib . concatStringsSep " \n " cfg . chroo t . packages ;
contents = lib . concatStringsSep " \n " cfg . confinemen t . packages ;
in pkgs . writeText " ${ mkPathSafeName name } - s t r i n g - c o n t e x t s . t x t " contents ;
chrootPaths = pkgs . runCommand " ${ mkPathSafeName name } - c h r o o t - p a t h s " {
@ -156,5 +156,5 @@ in {
fi
done < " $ c l o s u r e I n f o / s t o r e - p a t h s " > > " $ s e r v i c e F i l e "
'' ;
in lib . optional cfg . chroo t . enable chrootPaths ) config . systemd . services ) ;
in lib . optional cfg . confinemen t . enable chrootPaths ) config . systemd . services ) ;
}