Hello there, fellow NixOS devs,
Some context. You may or may not already know about systemd-confinement, a NixOS module adding systemd.services.${service}.confinement.* options to restrict the Nix store paths available at runtime to ${service}, using pkgs.closureInfo.
My pro. So far I’ve used security.apparmor to achieve such confinement, because it’s easier and more powerful to write/debug AppArmor profiles, but AppArmor and systemd-confinement rely on different mechanisms (resp. /sys/kernel/security/apparmor/ and BindReadOnlyPaths=), hence enabling both secures the service with a belt-and-suspenders confinement.
My con. This said, with those confinements it’s easy to break services without even knowing it, especially with systemd-confinement, which does not provide common profiles to be included.

As an example of subtle breakage: one usually sets BindPaths=["/etc"] in a chrooted service, but then files like /etc/hosts -> /etc/static/hosts -> /nix/store/37yhsg6b2rfk8vs1j9gz0av3c2616by1-hosts, being symlinks into the Nix store, may not be detected by systemd-confinement as paths to be mounted on the RootDirectory=.

That’s why security.apparmor provides includable rules like <abstractions/nameservice> handling those paths case by case.
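As an added illustration of the breakage just described (example code, not part of the original post): a POSIX shell check that walks an /etc tree, follows each symlink chain, reports the entries that end inside the store, and compares them against a closureInfo-style list of store paths. The fixture directories, the closure file and the function names store_targets, missing_from_closure and make_fixture are constructed for this example.

```shell
#!/bin/sh
# Added example: find files under an /etc tree whose symlink chain ends inside
# the Nix store. In a RootDirectory= chroot that only bind mounts /etc, such
# links dangle unless their store path is part of the confinement closure.
# Assumption: STORE_DIR is passed explicitly; on a real system use /nix/store.

store_targets() {
  # usage: store_targets ETC_DIR STORE_DIR
  # Prints "entry -> resolved target" for every entry resolving into STORE_DIR.
  etc=$1; store=$2
  find "$etc" -type l -o -type f | while IFS= read -r p; do
    target=$(readlink -f "$p") || continue
    case $target in
      "$store"/*) printf '%s -> %s\n' "$p" "$target" ;;
    esac
  done | sort
}

missing_from_closure() {
  # usage: missing_from_closure ETC_DIR STORE_DIR CLOSURE_FILE
  # CLOSURE_FILE lists one store path per line (like closureInfo's store-paths);
  # prints the store_targets lines whose top-level store path is not in it.
  etc=$1; store=$2; closure=$3
  store_targets "$etc" "$store" | while IFS= read -r line; do
    target=${line##* -> }
    rel=${target#"$store"/}
    top=$store/${rel%%/*}          # reduce deeper paths to STORE_DIR/<hash>-<name>
    grep -qxF "$top" "$closure" || printf '%s\n' "$line"
  done
}

make_fixture() {
  # Constructed fixture reproducing the chain from the post: etc/hosts ->
  # etc/static/hosts -> <store>/37yhsg6b2rfk8vs1j9gz0av3c2616by1-hosts, plus a
  # regular file living in etc itself. Prints the (canonical) fixture root.
  root=$(readlink -f "$(mktemp -d)")
  mkdir -p "$root/etc/static" "$root/store"
  printf '127.0.0.1 localhost\n' > "$root/store/37yhsg6b2rfk8vs1j9gz0av3c2616by1-hosts"
  ln -s "$root/store/37yhsg6b2rfk8vs1j9gz0av3c2616by1-hosts" "$root/etc/static/hosts"
  ln -s "$root/etc/static/hosts" "$root/etc/hosts"
  printf 'nameserver 127.0.0.53\n' > "$root/etc/resolv.conf"
  printf '%s\n' "$root"
}

demo_root=$(make_fixture)
: > "$demo_root/closure.txt"      # empty closure: every store-backed link is reported
missing_from_closure "$demo_root/etc" "$demo_root/store" "$demo_root/closure.txt"
rm -rf "$demo_root"
```

Anything the check prints is a path that BindPaths=["/etc"] alone will not make readable inside the chroot; the corresponding store path has to end up in the closure the module mounts.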
Also, systemd-confinement is currently incompatible with RootDirectoryStartOnly= and ProtectSystem= (or DynamicUser=, which implies the latter), but it may be possible to work around them.
My use case. While working on public-inbox, @Gaelan suggested enabling systemd-confinement for it; however, @aanderse pointed out to us that no other NixOS modules are currently enabling it, and that it would thus set a precedent people should understand and agree to or not.
My goal. Hence this new thread to discuss which policy to follow in NixOS:

- A. Enabling systemd-confinement by default, on a service by service analysis.
- B. Ensuring, on a service by service analysis, that systemd-confinement works when enabled by the user (e.g. by setting options in systemd.services.${service}.confinement.*), but without actually enabling it by default.
- C. Neither A nor B is ok.
Previous discussions happened on the original PR bringing systemd-confinement into NixOS: nixos: Add 'confinement' options to systemd.services by aszlig · Pull Request #57519 · NixOS/nixpkgs · GitHub
Thanks in advance for your time/questions/comments/criticisms.
Ping @aszlig as original author of systemd-confinement.