From d64bb689ce3174625e67e8180b8f23c394c23153 Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Sun, 10 Nov 2024 17:08:59 +0100
Subject: [PATCH] nixos/postgresql: relax hardening for plv8 plugin
---
 nixos/modules/services/databases/postgresql.nix | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix
index 876969ef9bb57..a675839c58d3c 100644
--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@@ -2,6 +2,7 @@
 let
 inherit (lib)
+ any
 attrValues
 concatMapStrings
 concatStringsSep
@@ -60,6 +61,8 @@ let
 groupAccessAvailable = versionAtLeast postgresql.version "11.0";
+ pluginNames = map (plugin: plugin.pname) cfg.plugins;
+ wantsPlugin = plugin: elem plugin plugin pluginNames;
 in
 {
@@ -654,10 +657,12 @@ in
 RestrictRealtime = true;
 RestrictSUIDSGID = true;
 SystemCallArchitectures = "native";
- SystemCallFilter = [
- "@system-service"
- "~@privileged @resources"
- ];
+ SystemCallFilter =
+ [
+ "@system-service"
+ "~@privileged @resources"
+ ]
+ ++ lib.optionals (any wantsPlugin [ "plv8" ]) [ "@pkey" ];
 UMask = if groupAccessAvailable then "0027" else "0077";
 }
 (mkIf (cfg.dataDir != "/var/lib/postgresql") {
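Review bot: `wantsPlugin = plugin: elem plugin plugin pluginNames;` hands `elem` three arguments as written, so the string `plugin` sits in the list position and evaluation would abort as soon as `wantsPlugin` is forced, which the `SystemCallFilter` hunk does whenever the unit's `serviceConfig` is evaluated. The line should read `wantsPlugin = plugin: elem plugin pluginNames;`. Separately, `plugin.pname` fails for a derivation that only sets `name`; `pluginNames = map lib.getName cfg.plugins;` tolerates both, assuming `cfg.plugins` is a plain list of derivations, which this hunk does not show. The enclosing `let` block starts outside the hunk.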
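Review bot: The `@pkey` exception appended to `SystemCallFilter` has no comment, and an unexplained allow-list entry in a seccomp filter tends to be either dropped in a later hardening pass or copied to units that do not need it. If the reason is that plv8's embedded V8 runtime uses memory protection keys, say so above the `++ lib.optionals` line, e.g. `# plv8 (V8) needs the pkey_* syscalls for its JIT memory protection; allow @pkey only when the plugin is enabled`. With a single name tested, `++ lib.optionals (wantsPlugin "plv8") [ "@pkey" ]` is equivalent and easier to read, unless further plugins are expected to join the list. The condition matches the exact pname `plv8`, so a build of the plugin packaged under a different pname would still run under the strict filter; the surrounding `serviceConfig` attribute set starts outside the hunk.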