authorIzorkin <izorkin@elven.pw>2020-05-14 20:29:59 +0300
committerIzorkin <izorkin@elven.pw>2020-06-10 12:38:40 +0300
commitdf7e52814d8d578a948e8e7b15404e982971e5d1 (patch)
treed69ba20769f32937dd6ff8590c4929f0fffd82e3 /nixos/modules
parent0ba7e1ae981b7290d8934701eb67b56effd46146 (diff)
nixos/mysql: enable sandbox mode
Diffstat (limited to 'nixos/modules')
-rw-r--r--nixos/modules/services/databases/mysql.nix35
1 files changed, 30 insertions, 5 deletions
diff --git a/nixos/modules/services/databases/mysql.nix b/nixos/modules/services/databases/mysql.nix
index 51885881cf73..0052094697b2 100644
--- a/nixos/modules/services/databases/mysql.nix
+++ b/nixos/modules/services/databases/mysql.nix
@@ -367,11 +367,7 @@ in
         '';
 
         serviceConfig = {
-          User = cfg.user;
-          Group = "mysql";
           Type = if hasNotify then "notify" else "simple";
-          RuntimeDirectory = "mysqld";
-          RuntimeDirectoryMode = "0755";
           Restart = "on-abort";
           RestartSec = "5s";
           # The last two environment variables are used for starting Galera clusters
@@ -452,7 +448,7 @@ in
                         cat ${toString cfg.initialScript} | ${mysql}/bin/mysql -u root -N
                       ''}
 
-                    rm /tmp/mysql_init
+                    rm ${cfg.dataDir}/mysql_init
                 fi
 
                 ${optionalString (cfg.ensureDatabases != []) ''
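Review bot: The new `rm ${cfg.dataDir}/mysql_init` is the only line in this file that touches the init marker, and the diffstat (30 insertions, 5 deletions) is fully accounted for by the hunks shown, so the code that creates the marker and the `if` test guarding this branch (both outside the hunk; the enclosing script starts and ends beyond it) are not changed by this commit. If they still refer to `/tmp/mysql_init`, this branch either never runs or the unguarded `rm` fails and aborts the post-start script; presumably the parent commit already moved them, but that should be confirmed before merging. Keeping the marker out of /tmp is consistent with the `PrivateTmp = true` added in the last hunk, since the `+`-prefixed setup script does not get the service's namespacing options and would not see the unit's private /tmp. A short comment above the rm, e.g. `# marker is kept in dataDir: PrivateTmp hides the unit's /tmp from the +setupScript`, would keep a later maintainer from moving it back.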
@@ -476,6 +472,35 @@ in
               # ensureDatbases & ensureUsers depends on this script being run as root
               # when the user has secured their mysql install
               "+${setupScript}";
+          # User and group
+          User = cfg.user;
+          Group = "mysql";
+          # Runtime directory and mode
+          RuntimeDirectory = "mysqld";
+          RuntimeDirectoryMode = "0755";
+          # Access write directories
+          ReadWritePaths = [ cfg.dataDir ];
+          # Capabilities
+          CapabilityBoundingSet = "";
+          # Security
+          NoNewPrivileges = true;
+          # Sandboxing
+          ProtectSystem = "strict";
+          ProtectHome = true;
+          PrivateTmp = true;
+          PrivateDevices = true;
+          ProtectHostname = true;
+          ProtectKernelTunables = true;
+          ProtectKernelModules = true;
+          ProtectControlGroups = true;
+          RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+          LockPersonality = true;
+          MemoryDenyWriteExecute = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          PrivateMounts = true;
+          # System Call Filtering
+          SystemCallArchitectures = "native";
         };
       };