nixos/postgresql: create infrastructure for relaxing systemd hardening

By matching on the package names of the plugins passed into the package
we can relax the systemd unit hardening as needed.
Martin Weinelt 2024-11-10 17:08:59 +01:00 committed by Maximilian Bosch
parent 223a6c6ed0
commit d370af0785
2 changed files with 45 additions and 30 deletions


@ -2,6 +2,7 @@
let
inherit (lib)
any
attrValues
concatMapStrings
concatStringsSep
@ -9,6 +10,7 @@ let
elem
escapeShellArgs
filterAttrs
getName
isString
literalExpression
mapAttrs
@ -30,19 +32,19 @@ let
cfg = config.services.postgresql;
postgresql =
let
# ensure that
# services.postgresql = {
# enableJIT = true;
# package = pkgs.postgresql_<major>;
# };
# works.
base = if cfg.enableJIT then cfg.package.withJIT else cfg.package.withoutJIT;
in
if cfg.extensions == []
then base
else base.withPackages cfg.extensions;
# ensure that
# services.postgresql = {
# enableJIT = true;
# package = pkgs.postgresql_<major>;
# };
# works.
basePackage = if cfg.enableJIT
then cfg.package.withJIT
else cfg.package.withoutJIT;
postgresql = if cfg.extensions == []
then basePackage
else basePackage.withPackages cfg.extensions;
toStr = value:
if true == value then "yes"
@ -59,6 +61,9 @@ let
'';
groupAccessAvailable = versionAtLeast postgresql.version "11.0";
extensionNames = map getName postgresql.installedExtensions;
extensionInstalled = extension: elem extension extensionNames;
in
{
@ -630,7 +635,7 @@ in
PrivateTmp = true;
ProtectHome = true;
ProtectSystem = "strict";
MemoryDenyWriteExecute = lib.mkDefault (cfg.settings.jit == "off");
MemoryDenyWriteExecute = lib.mkDefault (cfg.settings.jit == "off" && (!any extensionInstalled [ "plv8" ]));
NoNewPrivileges = true;
LockPersonality = true;
PrivateDevices = true;
@ -654,10 +659,12 @@ in
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged @resources"
];
SystemCallFilter =
[
"@system-service"
"~@privileged @resources"
]
++ lib.optionals (any extensionInstalled [ "plv8" ]) [ "@pkey" ];
UMask = if groupAccessAvailable then "0027" else "0077";
}
(mkIf (cfg.dataDir != "/var/lib/postgresql") {
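Review bot: In the `@ -59,6 +61,9 @@` hunk, `extensionNames = map getName postgresql.installedExtensions;` is evaluated unconditionally, but when `cfg.extensions == []` the module's `postgresql` is the bare `basePackage` (`cfg.package.withJIT` / `withoutJIT`) rather than the `withPackages` environment that gains `installedExtensions` in this commit's generic.nix hunk, so unless the base derivation already exposes that attribute, evaluation fails with a missing-attribute error on every host that configures no extensions. A defensive form is `extensionNames = map getName (postgresql.installedExtensions or []);`, or alternatively expose `installedExtensions = []` on the base package so the contract holds for both shapes. The relaxations themselves are appropriately narrow — W^X denial and the `@pkey` syscall group are only opened when plv8 is actually among the installed extensions, and `MemoryDenyWriteExecute` stays overridable through `mkDefault` — but the changed lines in the `MemoryDenyWriteExecute` and `SystemCallFilter` hunks carry no rationale; a comment such as `# plv8 embeds a JIT that appears to need writable+executable mappings and the pkey_* syscalls — TODO confirm against the plv8 package` would tell the next reader why hardening is relaxed here and under what condition it can be tightened again. The `any extensionInstalled [ "plv8" ]` test is written twice; binding it once in the `let` block, e.g. `needsJitRelaxation = any extensionInstalled [ "plv8" ];` (constructed name), keeps the two relaxations from drifting apart when further extensions are added to the list.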


@ -323,25 +323,33 @@ let
};
});
postgresqlWithPackages = { postgresql, buildEnv }: f: buildEnv {
postgresqlWithPackages = { postgresql, buildEnv }: f: let
installedExtensions = f postgresql.pkgs;
in buildEnv {
name = "${postgresql.pname}-and-plugins-${postgresql.version}";
paths = f postgresql.pkgs ++ [
paths = installedExtensions ++ [
postgresql
postgresql.man # in case user installs this into environment
];
pathsToLink = ["/"];
passthru.version = postgresql.version;
passthru.psqlSchema = postgresql.psqlSchema;
passthru.withJIT = postgresqlWithPackages {
inherit buildEnv;
postgresql = postgresql.withJIT;
} f;
passthru.withoutJIT = postgresqlWithPackages {
inherit buildEnv;
postgresql = postgresql.withoutJIT;
} f;
passthru = {
inherit installedExtensions;
inherit (postgresql)
psqlSchema
version
;
withJIT = postgresqlWithPackages {
inherit buildEnv;
postgresql = postgresql.withJIT;
} f;
withoutJIT = postgresqlWithPackages {
inherit buildEnv;
postgresql = postgresql.withoutJIT;
} f;
};
};
in
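Review bot: The new `installedExtensions` passthru in `postgresqlWithPackages` is undocumented although it is now part of the package's public interface — the NixOS module in this same commit reads it to decide which systemd hardening to relax; a comment such as `# extension derivations selected by f; consumers (e.g. the NixOS module) inspect this to adapt per-extension settings` above `inherit installedExtensions;` would make that contract explicit. Hoisting `f postgresql.pkgs` into the `let` is also what keeps `paths` and the passthru in agreement, which deserves a one-line comment so a second call is not reintroduced later. Nothing in this hunk gives the base postgresql derivation the same attribute, so consumers should treat it as present only on `withPackages` results unless the base package is extended elsewhere.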