[Backport release-24.11] nixos/postgresql: extension based hardening relaxation #356574

Merged
merged 4 commits into from
Nov 17, 2024


github-actions[bot]

Bot-based backport to release-24.11, triggered by a label in #355010.

  • Before merging, ensure that this backport is acceptable for the release.
    • Even as a non-committer, if you find that it is not acceptable, leave a comment.

mweinelt and others added 4 commits November 16, 2024 21:30
This is the upstream lingo, and it makes everything slightly less
confusing.

(cherry picked from commit 223a6c6)

By matching on the package names of the plugins passed into the package
we can relax the systemd unit hardening as needed.

(cherry picked from commit d370af0)

The plv8 plugin requires access to pkey syscalls. The execution will
crash hard when it is not allowed by the syscall filter.

Co-Authored-By: Jan Tojnar <[email protected]>
(cherry picked from commit e198536)

PostgreSQL with JIT support enabled doesn't work with plv8. Hence, we'd
get an evaluation failure for each
`nixosTests.postgresql.postgresql.postgresql_jit_X`.

This should be restructured in the future (less VM tests for custom
extensions, but a single VM test for this case to cover). For now, we
should get this fix out and this is a good-enough approach.

(cherry picked from commit 68d9643)
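
The package-name matching described in the second and third commit messages above, as an added Nix example that is not the nixpkgs module's code. The attribute names, the base filter and the stand-in extension packages are assumptions for illustration; `@pkey` is systemd's syscall group for memory protection keys.

```nix
# Added illustration, not the nixpkgs postgresql module.
# All names below (relaxations, baseFilter, serviceConfigFor) are hypothetical.
let
  # Constructed stand-ins for extension derivations; only pname is inspected.
  plv8 = { pname = "plv8"; };
  pg_cron = { pname = "pg_cron"; };

  # Hardening relaxations keyed by extension package name.
  # An extension that is not listed here gets no relaxation at all.
  relaxations = {
    plv8 = [ "@pkey" ];
  };

  # Assumed baseline filter: allow the service set, then drop
  # privileged and resource-control syscalls from it.
  baseFilter = [
    "@system-service"
    "~@privileged @resources"
  ];

  # Build the serviceConfig fragment for a given list of extensions.
  serviceConfigFor = extensions:
    let
      names = map (e: e.pname) extensions;
      extra = builtins.concatMap (n: relaxations.${n} or [ ]) names;
    in
    {
      # Entries are applied in order, so relaxations are appended last.
      SystemCallFilter = baseFilter ++ extra;
    };
in
{
  # Filter stays at the baseline: no installed extension needs more.
  withoutPlv8 = serviceConfigFor [ pg_cron ];

  # "@pkey" is appended only because plv8 is in the extension list.
  withPlv8 = serviceConfigFor [ pg_cron plv8 ];
}
```

Saved to a file, this evaluates with `nix-instantiate --eval --strict`, which prints both resulting `SystemCallFilter` lists for comparison.
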
@ofborg ofborg bot added the 10.rebuild-darwin: 0 and 10.rebuild-linux: 1-10 labels Nov 17, 2024
@Ma27 Ma27 merged commit de06be4 into release-24.11 Nov 17, 2024
16 checks passed
@Ma27 Ma27 deleted the backport-355010-to-release-24.11 branch November 17, 2024 11:39