authorDominique Martinet <asmadeus@codewreck.org>2020-05-09 21:03:46 +0200
committeraszlig <aszlig@nix.build>2020-05-10 19:25:41 +0200
commit4c81174f4cd0f9368c47d0878d8efa3ca3fb10a4 (patch)
treec72ce92cdcf1a2c68d81e024c34e90c382ed3fc0 /nixos/modules/security
parent5da13930308779e91470a2dc6249005098886011 (diff)
nixos/confinement: add conflict for ProtectSystem service option
Systemd ProtectSystem is incompatible with the chroot we make
for confinement. The option is redundant with what we do anyway
so warn if it had been set and advise to disable it.

Merges: https://github.com/NixOS/nixpkgs/pull/87420
Diffstat (limited to 'nixos/modules/security')
-rw-r--r--nixos/modules/security/systemd-confinement.nix5
1 files changed, 5 insertions, 0 deletions
diff --git a/nixos/modules/security/systemd-confinement.nix b/nixos/modules/security/systemd-confinement.nix
index cd4eb81dbe19..0a400f1d535b 100644
--- a/nixos/modules/security/systemd-confinement.nix
+++ b/nixos/modules/security/systemd-confinement.nix
@@ -160,6 +160,11 @@ in {
               + " the 'users.users' option instead as this combination is"
               + " currently not supported.";
     }
+    { assertion = !cfg.serviceConfig.ProtectSystem or false;
+      message = "${whatOpt "ProtectSystem"}. ProtectSystem is not compatible"
+              + " with service confinement as it fails to remount /usr within"
+              + " our chroot. Please disable the option.";
+    }
   ]) config.systemd.services);
 
   config.systemd.packages = lib.concatLists (lib.mapAttrsToList (name: cfg: let
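Review bot: The new assertion on the `+` line `{ assertion = !cfg.serviceConfig.ProtectSystem or false;` only behaves as intended when ProtectSystem is a boolean, but systemd's ProtectSystem= also accepts the strings "full" and "strict", and applying `!` to a string makes Nix abort evaluation with a type error instead of reporting the intended message. Since `or` binds tighter than `!`, the unset case is handled, but a service that sets `serviceConfig.ProtectSystem = "strict"` never reaches the `message` text. Comparing against `false` covers unset, boolean and string values alike: `{ assertion = (cfg.serviceConfig.ProtectSystem or false) == false;`. The `whatOpt` helper and the enclosing assertions list are defined outside this hunk, so the wording of the message is assumed to follow the existing entries.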