nordic-dev.net/nixpkgs
nordic-dev.net/nixpkgs
2
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-02-24 05:00:19 +00:00
Code Issues Packages Projects Releases Wiki Activity

nixos/github-runners: use mkMerge for serviceConfig

Browse Source 
The `serviceOverrides` module option is commonly used to loosen the
systemd unit's hardening. This commit merges the `serviceConfig` with
`mkMerge` instead of using the update operator `//` which discards all
existing values on conflict. To avoid a breaking change which requires
defining each option with a higher priority (e.g., through `mkForce`),
this commit prefixes hardening values with `mkDefault`.

Notable exceptions are list hardening options which use `mkBefore`
instead of `mkDefault`. This allows for easy extension of the existing
settings. Resetting redefinitions are still possible through `mkForce`.
This commit is contained in:
Vincent Haupert 2023-01-08 01:42:01 +01:00
parent aca6ac3269
commit 66dbf9b199
2 changed files with 35 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
nixos/modules/services/continuous-integration/github-runner/options.nix
View File

@ -127,10 +127,11 @@ with lib;
serviceOverrides = mkOption { serviceOverrides = mkOption {
type = types.attrs; type = types.attrs;
description = lib.mdDoc '' description = lib.mdDoc ''
Overrides for the systemd service. Can be used to adjust the sandboxing options. Modify the systemd service. Can be used to, e.g., adjust the sandboxing options.
''; '';
example = { example = {
ProtectHome = false; ProtectHome = false;
RestrictAddressFamilies = [ "AF_PACKET" ];
}; };
default = {}; default = {};
}; };

66
nixos/modules/services/continuous-integration/github-runner/service.nix
View File

@ -45,7 +45,7 @@ in
config.nix.package config.nix.package
] ++ cfg.extraPackages; ] ++ cfg.extraPackages;
serviceConfig = { serviceConfig = mkMerge [{
ExecStart = "${cfg.package}/bin/Runner.Listener run --startuptype service"; ExecStart = "${cfg.package}/bin/Runner.Listener run --startuptype service";
# Does the following, sequentially: # Does the following, sequentially:
@ -202,30 +202,30 @@ in
# Hardening (may overlap with DynamicUser=) # Hardening (may overlap with DynamicUser=)
# The following options are only for optimizing: # The following options are only for optimizing:
# systemd-analyze security github-runner # systemd-analyze security github-runner
AmbientCapabilities = ""; AmbientCapabilities = mkBefore [ "" ];
CapabilityBoundingSet = ""; CapabilityBoundingSet = mkBefore [ "" ];
# ProtectClock= adds DeviceAllow=char-rtc r # ProtectClock= adds DeviceAllow=char-rtc r
DeviceAllow = ""; DeviceAllow = mkBefore [ "" ];
NoNewPrivileges = true; NoNewPrivileges = mkDefault true;
PrivateDevices = true; PrivateDevices = mkDefault true;
PrivateMounts = true; PrivateMounts = mkDefault true;
PrivateTmp = true; PrivateTmp = mkDefault true;
PrivateUsers = true; PrivateUsers = mkDefault true;
ProtectClock = true; ProtectClock = mkDefault true;
ProtectControlGroups = true; ProtectControlGroups = mkDefault true;
ProtectHome = true; ProtectHome = mkDefault true;
ProtectHostname = true; ProtectHostname = mkDefault true;
ProtectKernelLogs = true; ProtectKernelLogs = mkDefault true;
ProtectKernelModules = true; ProtectKernelModules = mkDefault true;
ProtectKernelTunables = true; ProtectKernelTunables = mkDefault true;
ProtectSystem = "strict"; ProtectSystem = mkDefault "strict";
RemoveIPC = true; RemoveIPC = mkDefault true;
RestrictNamespaces = true; RestrictNamespaces = mkDefault true;
RestrictRealtime = true; RestrictRealtime = mkDefault true;
RestrictSUIDSGID = true; RestrictSUIDSGID = mkDefault true;
UMask = "0066"; UMask = mkDefault "0066";
ProtectProc = "invisible"; ProtectProc = mkDefault "invisible";
SystemCallFilter = [ SystemCallFilter = mkBefore [
"~@clock" "~@clock"
"~@cpu-emulation" "~@cpu-emulation"
"~@module" "~@module"
@ -237,30 +237,30 @@ in
"~setdomainname" "~setdomainname"
"~sethostname" "~sethostname"
]; ];
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ]; RestrictAddressFamilies = mkBefore [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];
BindPaths = lib.optionals (cfg.workDir != null) [ cfg.workDir ]; BindPaths = lib.optionals (cfg.workDir != null) [ cfg.workDir ];
# Needs network access # Needs network access
PrivateNetwork = false; PrivateNetwork = mkDefault false;
# Cannot be true due to Node # Cannot be true due to Node
MemoryDenyWriteExecute = false; MemoryDenyWriteExecute = mkDefault false;
# The more restrictive "pid" option makes `nix` commands in CI emit # The more restrictive "pid" option makes `nix` commands in CI emit
# "GC Warning: Couldn't read /proc/stat" # "GC Warning: Couldn't read /proc/stat"
# You may want to set this to "pid" if not using `nix` commands # You may want to set this to "pid" if not using `nix` commands
ProcSubset = "all"; ProcSubset = mkDefault "all";
# Coverage programs for compiled code such as `cargo-tarpaulin` disable # Coverage programs for compiled code such as `cargo-tarpaulin` disable
# ASLR (address space layout randomization) which requires the # ASLR (address space layout randomization) which requires the
# `personality` syscall # `personality` syscall
# You may want to set this to `true` if not using coverage tooling on # You may want to set this to `true` if not using coverage tooling on
# compiled code # compiled code
LockPersonality = false; LockPersonality = mkDefault false;
# Note that this has some interactions with the User setting; so you may # Note that this has some interactions with the User setting; so you may
# want to consult the systemd docs if using both. # want to consult the systemd docs if using both.
DynamicUser = true; DynamicUser = mkDefault true;
} // ( }
lib.optionalAttrs (cfg.user != null) { User = cfg.user; } (mkIf (cfg.user != null) { User = cfg.user; })
) // cfg.serviceOverrides; cfg.serviceOverrides];
} }