From 4c81174f4cd0f9368c47d0878d8efa3ca3fb10a4 Mon Sep 17 00:00:00 2001
From: Dominique Martinet
Date: Sat, 9 May 2020 21:03:46 +0200
Subject: [PATCH] nixos/confinement: add conflict for ProtectSystem service option

Systemd ProtectSystem is incompatible with the chroot we make for confinement. The options is redundant with what we do anyway so warn if it had been set and advise to disable it.

Merges: https://github.com/NixOS/nixpkgs/pull/87420
---
 nixos/modules/security/systemd-confinement.nix | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/nixos/modules/security/systemd-confinement.nix b/nixos/modules/security/systemd-confinement.nix
index cd4eb81dbe1..0a400f1d535 100644
--- a/nixos/modules/security/systemd-confinement.nix
+++ b/nixos/modules/security/systemd-confinement.nix
@@ -160,6 +160,11 @@ in { + " the 'users.users' option instead as this combination is" + " currently not supported."; } + { assertion = !cfg.serviceConfig.ProtectSystem or false; + message = "${whatOpt "ProtectSystem"}. ProtectSystem is not compatible" + + " with service confinement as it fails to remount /usr within" + + " our chroot. Please disable the option."; + } ]) config.systemd.services);  config.systemd.packages = lib.concatLists (lib.mapAttrsToList (name: cfg: let
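Review bot: The new assertion `!cfg.serviceConfig.ProtectSystem or false` applies boolean negation to the raw option value, but systemd accepts `full` and `strict` as well as booleans for ProtectSystem. A unit that sets `ProtectSystem = "strict"` would therefore most likely abort evaluation with a type error instead of showing the intended message, and those string forms are what hardened units usually carry. Comparing against the only acceptable value avoids this: `assertion = (cfg.serviceConfig.ProtectSystem or false) == false;`. The commit message also speaks of a warning while the code adds a hard assertion, so the description should say that evaluation fails. The enclosing assertions list starts outside this hunk, so how `whatOpt` and `cfg` are bound is assumed from the neighbouring entry.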