Skip to content

Commit

Permalink
nixos/postgresql: relax hardening for plv8 plugin
Browse files Browse the repository at this point in the history
  • Loading branch information
mweinelt committed Nov 10, 2024
1 parent f5f87e7 commit 5b1bddb
Showing 1 changed file with 9 additions and 4 deletions.
13 changes: 9 additions & 4 deletions nixos/modules/services/databases/postgresql.nix
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@

let
inherit (lib)
any
attrValues
concatMapStrings
concatStringsSep
Expand Down Expand Up @@ -60,6 +61,8 @@ let

groupAccessAvailable = versionAtLeast postgresql.version "11.0";

pluginNames = map (plugin: plugin.pname) postgresql.extraPlugins;
wantsPlugin = plugin: elem plugin plugin pluginNames;
in

{
Expand Down Expand Up @@ -654,10 +657,12 @@ in
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged @resources"
];
SystemCallFilter =
[
"@system-service"
"~@privileged @resources"
]
++ lib.optionals (any wantsPlugin [ "plv8" ]) [ "@pkey" ];
UMask = if groupAccessAvailable then "0027" else "0077";
}
(mkIf (cfg.dataDir != "/var/lib/postgresql") {
Expand Down

0 comments on commit 5b1bddb

Please sign in to comment.