NixOS policy regarding systemd-confinement

Hello there, fellow NixOS devs,

Some context. You may or may not already know about systemd-confinement, a NixOS module adding ${service}.confinement.* options to restrict the Nix store paths available at runtime to ${service}, using pkgs.closureInfo.

My pro. So far I’ve used security.apparmor to achieve such confinement, because it’s easier and more powerful to write/debug AppArmor profiles, but both AppArmor and systemd-confinement rely on different mechanisms (resp. /sys/kernel/security/apparmor/ and BindReadOnlyPaths=), hence enabling both secures the service with a belt-and-suspenders confinement.

My con. This said, with those confinements it’s easy to break services without even knowing it, especially with systemd-confinement which does not provide common profiles to be included.
As an example of subtle breakage: one usually BindPaths=["/etc"] in a chrooted service, but then files like /etc/hosts -> /etc/static/hosts -> /nix/store/37yhsg6b2rfk8vs1j9gz0av3c2616by1-hosts being a symlink into the Nix store may not be detected as a path to be mounted on the RootDirectory= by systemd-confinement.
That’s why security.apparmor provides includable rules like <abstractions/nameservice> handling those paths case by case.
Also, systemd-confinement is currently incompatible with RootDirectoryStartOnly= and ProtectSystem= (or DynamicUser=, which implies the latter), but it may be possible to work around them.

My use case. While working on public-inbox, @Gaelan suggested enabling systemd-confinement for it; however, @aanderse pointed out to us that no other NixOS modules are currently enabling it, and that it would thus set a precedent people should understand and agree to or not.

My goal. Hence this new thread to discuss which policy to follow in NixOS:

  • A. Enabling systemd-confinement by default on a service by service analysis.
  • B. Ensuring, on a service by service analysis, that systemd-confinement works when enabled by the user (e.g. by setting options in ${service}.confinement.*), but without actually enabling it by default.
  • C. Neither A nor B is ok.

Previous discussions happened on the original PR bringing systemd-confinement into NixOS: nixos: Add 'confinement' options to by aszlig · Pull Request #57519 · NixOS/nixpkgs · GitHub

Thanks in advance for your time/questions/comments/criticisms.
Ping @aszlig as original author of systemd-confinement.
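A check of the kind the post describes for the /etc/hosts symlink chain, added here as an example (it is not from the post, nor from the systemd-confinement module): it walks every symlink under a directory you intend to expose with BindPaths= and reports the ones that end inside the Nix store, so their closure can be added to the confinement explicitly (e.g. via confinement.packages) instead of silently breaking the service. STORE is an assumed override so the check can run against a constructed fixture.

```shell
#!/usr/bin/env sh
# Store root; overridable so the functions can be exercised on a constructed fixture.
: "${STORE:=/nix/store}"

# store_targets PATH
# Prints the symlink chain "a -> b -> c" and returns 0 if the chain ends inside
# $STORE (the store path must be in the service's closure), 1 if it ends outside
# the store, 2 if a hop is dangling or the chain loops.
store_targets() {
  cur=$1; chain=$1; hops=0
  while [ -L "$cur" ]; do
    hops=$((hops + 1))
    [ "$hops" -gt 40 ] && { printf '%s -> (loop)\n' "$chain"; return 2; }
    target=$(readlink "$cur") || return 2
    case $target in
      /*) cur=$target ;;                     # absolute link target
      *)  cur=$(dirname "$cur")/$target ;;   # relative target, resolved against the link's dir
    esac
    chain="$chain -> $cur"
  done
  [ -e "$cur" ] || { printf '%s (dangling)\n' "$chain"; return 2; }
  printf '%s\n' "$chain"
  case $cur in
    "$STORE"/*) return 0 ;;
    *)          return 1 ;;
  esac
}

# scan_bind_dir DIR
# Lists every symlink below DIR whose chain ends in the store: these are the
# files a plain BindPaths=DIR would expose as symlinks pointing at nothing
# inside the confined root unless their store paths are part of the closure.
scan_bind_dir() {
  find "$1" -type l | while read -r f; do
    if out=$(store_targets "$f"); then
      printf 'NEEDS STORE PATH: %s\n' "$out"
    fi
  done
}
```

Run `scan_bind_dir /etc` on a NixOS host before enabling confinement on a service that bind-mounts /etc; each reported line names a store path to account for.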