From f8d78b9f67bdd3b6b12dbe1b6a2377ec0eef8050 Mon Sep 17 00:00:00 2001
From: Dominique Martinet
Date: Mon, 28 Sep 2020 13:27:47 +0200
Subject: [PATCH] confinement: fix assert for serviceConfig.ProtectSystem

serviceConfig.ProtectSystem is usually a string so if set, the assert
itself would error out leaving no useable trace:

    # nixos-rebuild switch --show-trace
    building Nix...
    building the system configuration...
    error: while evaluating the attribute 'config.system.build.toplevel' at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/activation/top-level.nix:293:5:
    while evaluating 'foldr' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/lists.nix:52:20, called from /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/activation/top-level.nix:128:12:
    while evaluating 'fold'' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/lists.nix:55:15, called from /nix/var/nix/profiles/per-user/root/channels/nixos/lib/lists.nix:59:8:
    while evaluating anonymous function at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/activation/top-level.nix:121:50, called from undefined position:
    while evaluating the attribute 'assertion' at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/security/systemd-confinement.nix:163:7:
    value is a string while a Boolean was expected

Fix the check to give a sensible assert message instead; the attribute
should either be not set or false bool to pass.

Closes: #99000
---
 nixos/modules/security/systemd-confinement.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nixos/modules/security/systemd-confinement.nix b/nixos/modules/security/systemd-confinement.nix
index 2927d424a8a..afb81a2b56b 100644
--- a/nixos/modules/security/systemd-confinement.nix
+++ b/nixos/modules/security/systemd-confinement.nix
@@ -160,7 +160,7 @@ in { + " the 'users.users' option instead as this combination is" + " currently not supported."; } - { assertion = !cfg.serviceConfig.ProtectSystem or false; + { assertion = cfg.serviceConfig ? ProtectSystem -> cfg.serviceConfig.ProtectSystem == false; message = "${whatOpt "ProtectSystem"}. ProtectSystem is not compatible" + " with service confinement as it fails to remount /usr within" + " our chroot. Please disable the option.";
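
Review bot: On the added "assertion =" line, the comparison "cfg.serviceConfig.ProtectSystem == false" passes only for an unset attribute or the Nix boolean false, so a string spelling that systemd itself reads as disabled (for example "no" or "false") still trips the assertion, while the message that follows only says "Please disable the option". Since the commit message notes the attribute is usually a string, consider having the message state that the option must be left unset or set to the boolean false, so the user is not left guessing why a disabled-looking value is rejected. Failing closed on every string value is a reasonable choice for a confinement check; it just needs to be documented. A smaller readability point on the same line: the expression relies on "?" and "==" binding tighter than "->", and wrapping both sides of the implication in parentheses would make that explicit and also give a natural place to break the long line.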