Hello there, fellow NixOS devs,
Some context. You may or may not already know about systemd-confinement, a NixOS module adding systemd.services.${service}.confinement.* options to restrict the Nix store paths available at runtime to ${service}, using pkgs.closureInfo.
My pro. So far I’ve used security.apparmor to achieve such confinement, because it’s easier and more powerful to write/debug AppArmor profiles, but both AppArmor and systemd-confinement rely on different mechanisms (resp. /sys/kernel/security/apparmor/ and BindReadOnlyPaths=), hence enabling both secures the service with a belt-and-suspenders confinement.
My con. This said, with those confinements it’s easy to break services without even knowing it, especially with systemd-confinement which does not provide common profiles to be included.
As an example of subtle breakage: one usually BindPaths=["/etc"] in a chrooted service, but then files like /etc/hosts -> /etc/static/hosts -> /nix/store/37yhsg6b2rfk8vs1j9gz0av3c2616by1-hosts being a symlink into the Nix store may not be detected as a path to be mounted on the RootDirectory= by systemd-confinement.
That’s why security.apparmor provides includable rules like <abstractions/nameservice> handling those paths case by case.
Also, systemd-confinement is currently incompatible with RootDirectoryStartOnly= and ProtectSystem= (or DynamicUser= which implies the latter), but it may be possible to work-around them.
My use case. While working on public-inbox, @Gaelan suggested to enable systemd-confinement for it, however @aanderse pointed out to us that no other NixOS modules are currently enabling it, and that it would thus make a precedent people should understand and agree to or not.
My goal. Hence this new thread to discuss which policy to follow in NixOS:
-
A. Enabling
systemd-confinementby default on a service by service analysis. -
B. Ensuring, on a service by service analysis, that
systemd-confinementworks when enabled by the user (eg. by setting options insystemd.services.${service}.confinement.*), but without actually enabling it by default. - C. Neither A, nor B are ok.
Previous discussions happened on the original PR bringing systemd-confinement into NixOS: nixos: Add 'confinement' options to systemd.services by aszlig · Pull Request #57519 · NixOS/nixpkgs · GitHub
Thanks in advance for your time/questions/comments/criticisms.
Ping @aszlig as original author of systemd-confinement.