From 5aa3d62fd98fd3483deb4cdbe1af8debcb4c3f6a Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Sun, 10 Nov 2024 17:08:59 +0100
Subject: [PATCH] nixos/postgresql: relax hardening for plv8 plugin

---
 .../modules/services/databases/postgresql.nix | 39 +++++++++++--------
 1 file changed, 22 insertions(+), 17 deletions(-)

diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix
index 876969ef9bb57..050421f576f91 100644
--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@@ -2,6 +2,7 @@ let
   inherit (lib)
+    any
     attrValues
     concatMapStrings
     concatStringsSep
@@ -30,19 +31,19 @@ let
   cfg = config.services.postgresql;
-  postgresql =
-    let
-      # ensure that
-      # services.postgresql = {
-      #   enableJIT = true;
-      #   package = pkgs.postgresql_;
-      # };
-      # works.
-      base = if cfg.enableJIT then cfg.package.withJIT else cfg.package.withoutJIT;
-    in
-    if cfg.extraPlugins == []
-    then base
-    else base.withPackages cfg.extraPlugins;
+  # ensure that
+  # services.postgresql = {
+  #   enableJIT = true;
+  #   package = pkgs.postgresql_;
+  # };
+  # works.
+  basePackage = if cfg.enableJIT
+    then cfg.package.withJIT
+    else cfg.package.withoutJIT;
+
+  postgresql = if cfg.extraPlugins == []
+    then basePackage
+    else basePackage.withPackages cfg.extraPlugins;
   toStr = value:
     if true == value then "yes"
@@ -60,6 +61,8 @@ let
   groupAccessAvailable = versionAtLeast postgresql.version "11.0";
+  pluginNames = map (plugin: plugin.pname) (cfg.extraPlugins basePackage.pkgs);
+  wantsPlugin = plugin: elem plugin pluginNames;
 in
 {
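Review bot: `pluginNames` applies `cfg.extraPlugins` to `basePackage.pkgs` as a function, while the `postgresql` binding in the previous hunk still compares the same value with `== []` as if it were a list; if the option (declared outside these hunks) still admits a plain list, evaluating `pluginNames` fails with "attempt to call something which is not a function" the moment `SystemCallFilter` is evaluated, so the two sites should agree on one representation. `plugin.pname` also throws for a plugin derivation that only sets `name`; `pluginNames = map lib.getName (cfg.extraPlugins basePackage.pkgs);` accepts both forms. A one-line comment such as `# plugin names (pname) used to decide which hardening exceptions the unit needs` would make it clear that `wantsPlugin "plv8"` depends on the plugin's `pname` attribute matching exactly.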
@@ -654,10 +657,12 @@ in
         RestrictRealtime = true;
         RestrictSUIDSGID = true;
         SystemCallArchitectures = "native";
-        SystemCallFilter = [
-          "@system-service"
-          "~@privileged @resources"
-        ];
+        SystemCallFilter =
+          [
+            "@system-service"
+            "~@privileged @resources"
+          ]
+          ++ lib.optionals (any wantsPlugin [ "plv8" ]) [ "@pkey" ];
         UMask = if groupAccessAvailable then "0027" else "0077";
       }
       (mkIf (cfg.dataDir != "/var/lib/postgresql") {
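Review bot: The appended `++ lib.optionals (any wantsPlugin [ "plv8" ]) [ "@pkey" ]` widens the seccomp allow-list without recording why, so a later maintainer cannot tell whether the exception is still needed or safe to drop; add a comment above it such as `# plv8 needs the pkey_* syscalls (@pkey), which @system-service does not include — only granted when the plugin is requested` (the underlying reason should be confirmed against plv8/V8, as the commit message only names the plugin). Appending after the `~@privileged @resources` entry is the right order, since systemd applies the entries in sequence and the filter stays an allow-list with those groups still removed. On style, the surrounding attrset uses names brought in via `inherit (lib)` (`mkIf`, and `any` added by this patch) rather than a `lib.` prefix, and `any wantsPlugin [ "plv8" ]` over a one-element list is just `wantsPlugin "plv8"`, so `++ optionals (wantsPlugin "plv8") [ "@pkey" ];` with `optionals` added to the inherit list would match the file.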