From 0b15522550cc9759a73e1c05113769a6ef5d1770 Mon Sep 17 00:00:00 2001 From: Maximilian Bosch Date: Sat, 16 Nov 2024 17:09:27 +0100 Subject: [PATCH] nixos/tests/postgresql: test plv8 hardening on non-JIT variants only PostgreSQL with JIT support enabled doesn't work with plv8. Hence, we'd get an evaluation failure for each `nixosTests.postgresql.postgresql.postgresql_jit_X`. This should be restructured in the future (less VM tests for custom extensions, but a single VM test for this case to cover). For now, we should get this fix out and this is a good-enough approach. --- nixos/tests/postgresql/postgresql.nix | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/nixos/tests/postgresql/postgresql.nix b/nixos/tests/postgresql/postgresql.nix index bc782b7158f9f..7222f182614e2 100644 --- a/nixos/tests/postgresql/postgresql.nix +++ b/nixos/tests/postgresql/postgresql.nix @@ -14,7 +14,7 @@ let postgresql-clauses = makeEnsureTestFor package; }; - test-sql = pkgs.writeText "postgresql-test" '' + test-sql = enableJIT: pkgs.writeText "postgresql-test" ('' CREATE EXTENSION pgcrypto; -- just to check if lib loading works CREATE TABLE sth ( id int @@ -26,6 +26,7 @@ let INSERT INTO sth (id) VALUES (1); CREATE TABLE xmltest ( doc xml ); INSERT INTO xmltest (doc) VALUES ('ok'); -- check if libxml2 enabled + '' + lib.optionalString enableJIT '' -- check if hardening gets relaxed CREATE EXTENSION plv8; -- try to trigger the V8 JIT, which requires MemoryDenyWriteExecute @@ -36,10 +37,13 @@ let } console.log(xs.reduce((acc, x) => acc + x, 0)); $$ LANGUAGE plv8; - ''; + ''); makeTestForWithBackupAll = package: backupAll: + let + enableJIT = lib.hasInfix "-jit-" package.name; + in makeTest { name = "postgresql${lib.optionalString backupAll "-backup-all"}-${package.name}"; meta = with lib.maintainers; { 
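Review bot: The guard on the plv8 SQL in the second hunk looks inverted: `'' + lib.optionalString enableJIT ''` emits `CREATE EXTENSION plv8` and the V8 JIT probe only for JIT packages, while the later `services.postgresql` hunk installs plv8 only under `lib.mkIf (!enableJIT)`. As written, the non-JIT variants no longer run the "check if hardening gets relaxed" statements at all, so a regression in the unit's MemoryDenyWriteExecute handling would go unnoticed. The JIT variants would also run the plv8 statements against a server that, judging by the `extensions` guard, has no plv8 installed. The condition should read `'' + lib.optionalString (!enableJIT) ''` to match the subject line and the `extensions` guard.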
@@ -47,13 +51,16 @@ let }; nodes.machine = - { ... }: + { config, ... }: { services.postgresql = { - inherit package; + inherit package enableJIT; enable = true; - enableJIT = lib.hasInfix "-jit-" package.name; - extensions = ps: with ps; [ plv8 ]; + # plv8 doesn't support postgresql with JIT, so we only run the test + # for the non-jit variant. + # TODO(@Ma27) split this off into its own VM test and move a few other + # extension tests to use postgresqlTestExtension. + extensions = lib.mkIf (!enableJIT) (ps: with ps; [ plv8 ]); }; services.postgresqlBackup = { @@ -80,7 +87,7 @@ let with subtest("Postgresql is available just after unit start"): machine.succeed( - "cat ${test-sql} | sudo -u postgres psql" + "cat ${test-sql enableJIT} | sudo -u postgres psql" ) with subtest("Postgresql survives restart (bug #1735)"):
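Review bot: The changed invocation `"cat ${test-sql enableJIT} | sudo -u postgres psql"` in the last hunk runs psql without `ON_ERROR_STOP`, so a statement that raises an SQL error is only printed and psql still exits 0. That means `machine.succeed` would pass even if `CREATE EXTENSION plv8` or the plv8 `DO` block failed with an error, which weakens the test as a guard for the hardening relaxation. I would change the line to `"cat ${test-sql enableJIT} | sudo -u postgres psql -v ON_ERROR_STOP=1"`. The test script continues outside the hunk, so later subtests may still catch some of these failures indirectly.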