public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #118961 from Izorkin/update-redis-sandbox

Browse Source 
nixos/redis: enable sandbox mode
This commit is contained in:
Jörg Thalheim 2021-04-20 21:12:10 +01:00 committed by GitHub
commit a8e7d96eb2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 39 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
nixos/modules/services/databases/redis.nix
View File

@ -5,6 +5,8 @@ with lib;
let let
cfg = config.services.redis; cfg = config.services.redis;
ulimitNofile = cfg.maxclients + 32;
mkValueString = value: mkValueString = value:
if value == true then "yes" if value == true then "yes"
else if value == false then "no" else if value == false then "no"
@ -14,8 +16,8 @@ let
listsAsDuplicateKeys = true; listsAsDuplicateKeys = true;
mkKeyValue = generators.mkKeyValueDefault { inherit mkValueString; } " "; mkKeyValue = generators.mkKeyValueDefault { inherit mkValueString; } " ";
} cfg.settings); } cfg.settings);
in
{ in {
imports = [ imports = [
(mkRemovedOptionModule [ "services" "redis" "user" ] "The redis module now is hardcoded to the redis user.") (mkRemovedOptionModule [ "services" "redis" "user" ] "The redis module now is hardcoded to the redis user.")
(mkRemovedOptionModule [ "services" "redis" "dbpath" ] "The redis module now uses /var/lib/redis as data directory.") (mkRemovedOptionModule [ "services" "redis" "dbpath" ] "The redis module now uses /var/lib/redis as data directory.")
@ -121,6 +123,12 @@ in
description = "Set the number of databases."; description = "Set the number of databases.";
}; };
maxclients = mkOption {
type = types.int;
default = 10000;
description = "Set the max number of connected clients at the same time.";
};
save = mkOption { save = mkOption {
type = with types; listOf (listOf int); type = with types; listOf (listOf int);
default = [ [900 1] [300 10] [60 10000] ]; default = [ [900 1] [300 10] [60 10000] ];
@ -253,6 +261,7 @@ in
logfile = cfg.logfile; logfile = cfg.logfile;
syslog-enabled = cfg.syslog; syslog-enabled = cfg.syslog;
databases = cfg.databases; databases = cfg.databases;
maxclients = cfg.maxclients;
save = map (d: "${toString (builtins.elemAt d 0)} ${toString (builtins.elemAt d 1)}") cfg.save; save = map (d: "${toString (builtins.elemAt d 0)} ${toString (builtins.elemAt d 1)}") cfg.save;
dbfilename = "dump.rdb"; dbfilename = "dump.rdb";
dir = "/var/lib/redis"; dir = "/var/lib/redis";
@ -295,6 +304,34 @@ in
StateDirectoryMode = "0700"; StateDirectoryMode = "0700";
# Access write directories # Access write directories
UMask = "0077"; UMask = "0077";
# Capabilities
CapabilityBoundingSet = "";
# Security
NoNewPrivileges = true;
# Process Properties
LimitNOFILE = "${toString ulimitNofile}";
# Sandboxing
ProtectSystem = "strict";
ProtectHome = true;
PrivateTmp = true;
PrivateDevices = true;
PrivateUsers = true;
ProtectClock = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectControlGroups = true;
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
RestrictNamespaces = true;
LockPersonality = true;
MemoryDenyWriteExecute = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
PrivateMounts = true;
# System Call Filtering
SystemCallArchitectures = "native";
SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @raw-io @reboot @resources @setuid @swap";
}; };
}; };
}; };