diff --git a/nixos/modules/security/systemd-confinement.nix b/nixos/modules/security/systemd-confinement.nix index dc53bbc4dbb..a8367ca5eed 100644 --- a/nixos/modules/security/systemd-confinement.nix +++ b/nixos/modules/security/systemd-confinement.nix @@ -1,6 +1,7 @@ { config, pkgs, lib, ... }: let + toplevelConfig = config; inherit (lib) types; inherit (import ../system/boot/systemd-lib.nix { inherit config pkgs lib; @@ -44,12 +45,15 @@ in { ''; }; - options.confinement.withBinSh = lib.mkOption { - type = types.bool; - default = true; + options.confinement.binSh = lib.mkOption { + type = types.nullOr types.path; + default = toplevelConfig.environment.binsh; + defaultText = "config.environment.binsh"; + example = lib.literalExample "\${pkgs.dash}/bin/dash"; description = '' - Whether to symlink dash as - /bin/sh to the chroot. + The program to make available as /bin/sh inside + the chroot. If this is set to null, no + /bin/sh is provided at all. This is useful for some applications, which for example use the @@ -81,15 +85,14 @@ in { ''; }; - config = lib.mkIf config.confinement.enable { - serviceConfig = let - rootName = "${mkPathSafeName name}-chroot"; - in { + config = let + rootName = "${mkPathSafeName name}-chroot"; + inherit (config.confinement) binSh; + in lib.mkIf config.confinement.enable { + serviceConfig = { RootDirectory = pkgs.runCommand rootName {} "mkdir \"$out\""; TemporaryFileSystem = "/"; MountFlags = lib.mkDefault "private"; - } // lib.optionalAttrs config.confinement.withBinSh { - BindReadOnlyPaths = [ "${pkgs.dash}/bin/dash:/bin/sh" ]; } // lib.optionalAttrs (config.confinement.mode == "full-apivfs") { MountAPIVFS = true; PrivateDevices = true; @@ -108,7 +111,7 @@ in { execPkgs = lib.concatMap (opt: let isSet = config.serviceConfig ? ${opt}; in lib.optional isSet config.serviceConfig.${opt}) execOpts; - in execPkgs ++ lib.optional config.confinement.withBinSh pkgs.dash; + in execPkgs ++ lib.optional (binSh != null) binSh; }; })); }; @@ -146,6 +149,14 @@ in { echo '[Service]' > "$serviceFile" + # /bin/sh is special here, because the option value could contain a + # symlink and we need to properly resolve it. + ${lib.optionalString (cfg.confinement.binSh != null) '' + binsh=${lib.escapeShellArg cfg.confinement.binSh} + realprog="$(readlink -e "$binsh")" + echo "BindReadOnlyPaths=$realprog:/bin/sh" >> "$serviceFile" + ''} + while read storePath; do if [ -L "$storePath" ]; then # Currently, systemd can't cope with symlinks in Bind(ReadOnly)Paths, diff --git a/nixos/tests/systemd-confinement.nix b/nixos/tests/systemd-confinement.nix index 448d34ec30b..63cb074d7ca 100644 --- a/nixos/tests/systemd-confinement.nix +++ b/nixos/tests/systemd-confinement.nix @@ -106,6 +106,32 @@ import ./make-test.nix { $machine->succeed('test ! -e /tmp/canary'); ''; } + { description = "check if /bin/sh works"; + testScript = '' + $machine->succeed( + 'chroot-exec test -e /bin/sh', + 'test "$(chroot-exec \'/bin/sh -c "echo bar"\')" = bar', + ); + ''; + } + { description = "check if suppressing /bin/sh works"; + config.confinement.binSh = null; + testScript = '' + $machine->succeed( + 'chroot-exec test ! -e /bin/sh', + 'test "$(chroot-exec \'/bin/sh -c "echo foo"\')" != foo', + ); + ''; + } + { description = "check if we can set /bin/sh to something different"; + config.confinement.binSh = "${pkgs.hello}/bin/hello"; + testScript = '' + $machine->succeed( + 'chroot-exec test -e /bin/sh', + 'test "$(chroot-exec /bin/sh -g foo)" = foo', + ); + ''; + } ]; options.__testSteps = lib.mkOption {