

nixos/postgresql: relax hardening for plv8 plugin
mweinelt committed Nov 10, 2024
1 parent f5f87e7 commit 5aa3d62
Showing 1 changed file with 22 additions and 17 deletions.
39 changes: 22 additions & 17 deletions nixos/modules/services/databases/postgresql.nix
Expand Up @@ -2,6 +2,7 @@

let
inherit (lib)
any
attrValues
concatMapStrings
concatStringsSep
Expand Down Expand Up @@ -30,19 +31,19 @@ let

cfg = config.services.postgresql;

postgresql =
let
# ensure that
# services.postgresql = {
# enableJIT = true;
# package = pkgs.postgresql_<major>;
# };
# works.
base = if cfg.enableJIT then cfg.package.withJIT else cfg.package.withoutJIT;
in
if cfg.extraPlugins == []
then base
else base.withPackages cfg.extraPlugins;
# ensure that
# services.postgresql = {
# enableJIT = true;
# package = pkgs.postgresql_<major>;
# };
# works.
basePackage = if cfg.enableJIT
then cfg.package.withJIT
else cfg.package.withoutJIT;

postgresql = if cfg.extraPlugins == []
then basePackage
else basePackage.withPackages cfg.extraPlugins;

toStr = value:
if true == value then "yes"
Expand All @@ -60,6 +61,8 @@ let

groupAccessAvailable = versionAtLeast postgresql.version "11.0";

pluginNames = map (plugin: plugin.pname) (cfg.extraPlugins basePackage.pkgs);
wantsPlugin = plugin: elem plugin pluginNames;
in

{
Expand Down Expand Up @@ -654,10 +657,12 @@ in
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged @resources"
];
SystemCallFilter =
[
"@system-service"
"~@privileged @resources"
]
++ lib.optionals (any wantsPlugin [ "plv8" ]) [ "@pkey" ];
UMask = if groupAccessAvailable then "0027" else "0077";
}
(mkIf (cfg.dataDir != "/var/lib/postgresql") {
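Review bot: `pluginNames` at line 59 reads `plugin.pname` from every extra plugin, so a plugin derivation that only sets `name` makes evaluation fail for all users of `extraPlugins`, not just those enabling plv8; `map (plugin: plugin.pname or plugin.name or "")` or `map lib.getName` would keep the new lookup from breaking unrelated configurations. The `@pkey` addition at line 77 needs a why-comment, because a reader cannot tell from the code which syscalls plv8 needs, e.g. `# plv8 embeds V8, which presumably uses memory protection keys (pkey_*) to write-protect JIT memory; without @pkey the service is killed with SIGSYS` — verify against the plv8 failure you observed. Matching on the literal pname "plv8" will also silently miss a plugin packaged under another pname, which would then still die under the unchanged filter; this is hedged, since the plugin set construction is not visible here. The `cfg.extraPlugins == []` check at line 49 is pre-existing, but it now sits next to a call that treats `extraPlugins` as a function (line 59), and if it is a function the comparison is always false — harmless for the filter but worth a look. The enclosing attribute set that holds `SystemCallFilter` begins outside this hunk.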
