From bbddb968ca1b158e25baa046742ef5111936e969 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Sun, 10 Nov 2024 17:08:59 +0100 Subject: [PATCH] nixos/postgresql: create infrastructure for relaxing systemd hardening By matching on the package names of the plugins passed into the package we can relax the systemd unit hardening as needed. --- .../modules/services/databases/postgresql.nix | 42 +++++++++++-------- pkgs/servers/sql/postgresql/generic.nix | 32 ++++++++------ 2 files changed, 44 insertions(+), 30 deletions(-) diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix index 2242619578447..0af84ead39cd9 100644 --- a/nixos/modules/services/databases/postgresql.nix +++ b/nixos/modules/services/databases/postgresql.nix @@ -2,6 +2,7 @@ let inherit (lib) + any attrValues concatMapStrings concatStringsSep @@ -30,19 +31,19 @@ let cfg = config.services.postgresql; - postgresql = - let - # ensure that - # services.postgresql = { - # enableJIT = true; - # package = pkgs.postgresql_; - # }; - # works. - base = if cfg.enableJIT then cfg.package.withJIT else cfg.package.withoutJIT; - in - if cfg.extensions == [] - then base - else base.withPackages cfg.extensions; + # ensure that + # services.postgresql = { + # enableJIT = true; + # package = pkgs.postgresql_; + # }; + # works. + basePackage = if cfg.enableJIT + then cfg.package.withJIT + else cfg.package.withoutJIT; + + postgresql = if cfg.extensions == [] + then basePackage + else basePackage.withPackages cfg.extensions; toStr = value: if true == value then "yes" @@ -59,6 +60,9 @@ let ''; groupAccessAvailable = versionAtLeast postgresql.version "11.0"; + + extensionNames = map (extension: extension.pname) postgresql.installedExtensions; + extensionInstalled = extension: elem extension extensionNames; in { 
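Review bot: `extensionNames` dereferences `postgresql.installedExtensions` unconditionally in the third hunk, but the `postgresql` binding rewritten in the second hunk is the bare `basePackage` whenever `cfg.extensions == []`, and this patch only adds `installedExtensions` to the `withPackages` result in generic.nix. Unless the base package already carries that attribute (not visible here), evaluation would fail with the default empty extension list. A defensive fallback keeps the module evaluating either way: `extensionNames = map (extension: extension.pname) (postgresql.installedExtensions or [ ]);`. Keying on `pname` also means an extension built with a different `pname` silently does not trigger the relaxation, so a short comment at `extensionInstalled` stating that hardening decisions match on the extension's `pname` would make that contract visible to anyone adding extensions. The `let` block these bindings live in continues outside the hunk.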
@@ -630,7 +634,7 @@ in
 PrivateTmp = true;
 ProtectHome = true;
 ProtectSystem = "strict";
- MemoryDenyWriteExecute = lib.mkDefault (cfg.settings.jit == "off");
+ MemoryDenyWriteExecute = lib.mkDefault (cfg.settings.jit == "off" && (!any extensionInstalled [ "plv8" ]));
 NoNewPrivileges = true;
 LockPersonality = true;
 PrivateDevices = true;
@@ -654,10 +658,12 @@ in
 RestrictRealtime = true;
 RestrictSUIDSGID = true;
 SystemCallArchitectures = "native";
- SystemCallFilter = [
- "@system-service"
- "~@privileged @resources"
- ];
+ SystemCallFilter =
+ [
+ "@system-service"
+ "~@privileged @resources"
+ ]
+ ++ lib.optionals (any extensionInstalled [ "plv8" ]) [ "@pkey" ];
 UMask = if groupAccessAvailable then "0027" else "0077";
 }
 (mkIf (cfg.dataDir != "/var/lib/postgresql") {
diff --git a/pkgs/servers/sql/postgresql/generic.nix b/pkgs/servers/sql/postgresql/generic.nix
index 7d59f6349d57a..57bfc2163394f 100644
--- a/pkgs/servers/sql/postgresql/generic.nix
+++ b/pkgs/servers/sql/postgresql/generic.nix
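Review bot: The extension list `[ "plv8" ]` that triggers the relaxation is duplicated between `MemoryDenyWriteExecute` in the first hunk and `SystemCallFilter` in the second, so a future extension needing the same treatment can easily be added to one site and not the other. A single binding in the module's `let` block (outside these hunks), e.g. `extensionNeedsJIT = any extensionInstalled [ "plv8" ];`, used as `MemoryDenyWriteExecute = lib.mkDefault (cfg.settings.jit == "off" && !extensionNeedsJIT);` and `++ lib.optionals extensionNeedsJIT [ "@pkey" ];`, keeps both relaxations in step. Since both changes loosen the sandbox for the whole postgres process rather than only the extension, a why-comment at that binding — presumably `# plv8 embeds V8, whose JIT needs writable+executable mappings and the pkey syscalls` — would let reviewers judge the trade-off; confirm the exact reason against the plv8 package. Note also that the `MemoryDenyWriteExecute` relaxation stays overridable via `mkDefault` while the added `@pkey` is not, a small asymmetry worth either documenting or aligning.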
@@ -344,25 +344,33 @@ let }; }); - postgresqlWithPackages = { postgresql, buildEnv }: f: buildEnv { + postgresqlWithPackages = { postgresql, buildEnv }: f: let + installedExtensions = f postgresql.pkgs; + in buildEnv { name = "${postgresql.pname}-and-plugins-${postgresql.version}"; - paths = f postgresql.pkgs ++ [ + paths = installedExtensions ++ [ postgresql postgresql.man # in case user installs this into environment ]; pathsToLink = ["/"]; - passthru.version = postgresql.version; - passthru.psqlSchema = postgresql.psqlSchema; - passthru.withJIT = postgresqlWithPackages { - inherit buildEnv; - postgresql = postgresql.withJIT; - } f; - passthru.withoutJIT = postgresqlWithPackages { - inherit buildEnv; - postgresql = postgresql.withoutJIT; - } f; + passthru = { + inherit installedExtensions; + inherit (postgresql) + psqlSchema + version + ; + + withJIT = postgresqlWithPackages { + inherit buildEnv; + postgresql = postgresql.withJIT; + } f; + withoutJIT = postgresqlWithPackages { + inherit buildEnv; + postgresql = postgresql.withoutJIT; + } f; + }; }; in
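Review bot: `installedExtensions` is now part of `passthru` and is consumed by the NixOS module to decide how much systemd hardening to relax, but nothing in the hunk says so; a comment such as `# extension derivations passed to withPackages; the NixOS module matches on their pname to relax unit hardening` next to `inherit installedExtensions;` would mark it as a contract rather than an incidental attribute. The `withJIT`/`withoutJIT` variants re-invoke `f` against a different `postgresql.pkgs`, so each variant computes its own `installedExtensions`; that looks intended but is worth stating in the same comment. The enclosing `let` begins before the hunk.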