Diffstat (limited to 'nixpkgs/nixos/modules/security/systemd-confinement.nix')
-rw-r--r-- | nixpkgs/nixos/modules/security/systemd-confinement.nix | 35 |
1 files changed, 18 insertions, 17 deletions
diff --git a/nixpkgs/nixos/modules/security/systemd-confinement.nix b/nixpkgs/nixos/modules/security/systemd-confinement.nix index f5ed3d281a5f..cdf6c22ef1b6 100644 --- a/nixpkgs/nixos/modules/security/systemd-confinement.nix +++ b/nixpkgs/nixos/modules/security/systemd-confinement.nix @@ -38,8 +38,8 @@ in { type = types.listOf (types.either types.str types.package); default = []; description = let - mkScOption = optName: "<option>serviceConfig.${optName}</option>"; - in '' + mkScOption = optName: "{option}`serviceConfig.${optName}`"; + in lib.mdDoc '' Additional packages or strings with context to add to the closure of the chroot. By default, this includes all the packages from the ${lib.concatMapStringsSep ", " mkScOption [ @@ -47,12 +47,14 @@ in { "ExecStopPost" ]} and ${mkScOption "ExecStart"} options. If you want to have all the dependencies of this systemd unit, you can use - <option>confinement.fullUnit</option>. + {option}`confinement.fullUnit`. - <note><para>The store paths listed in <option>path</option> are - <emphasis role="strong">not</emphasis> included in the closure as + ::: {.note} + The store paths listed in {option}`path` are + **not** included in the closure as well as paths from other options except those listed - above.</para></note> + above. + ::: ''; }; 
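Review bot: The converted admonition in the second hunk still reads `are **not** included in the closure as well as paths from other options except those listed above`, which leaves it ambiguous whether the other options' paths are included or excluded; since the wording is being touched anyway, I would restate it as ``The store paths listed in {option}`path` are **not** included in the closure, and neither are paths from any other option except those listed above.`` The same paragraph points readers at ``{option}`confinement.fullUnit` `` without saying what it costs: pulling the whole unit closure into the chroot makes everything in that closure reachable from inside the confinement, so a one-line caveat such as ``Prefer listing only what the service needs; {option}`confinement.fullUnit` widens what a compromised service can reach.`` would help. Both hunks change description text only; the `options.confinement.packages` definition they sit in starts before the first hunk.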
@@ -74,25 +76,24 @@ in { options.confinement.mode = lib.mkOption { type = types.enum [ "full-apivfs" "chroot-only" ]; default = "full-apivfs"; - description = '' - The value <literal>full-apivfs</literal> (the default) sets up - private <filename class="directory">/dev</filename>, <filename - class="directory">/proc</filename>, <filename - class="directory">/sys</filename> and <filename - class="directory">/tmp</filename> file systems in a separate user + description = lib.mdDoc '' + The value `full-apivfs` (the default) sets up + private {file}`/dev`, {file}`/proc`, + {file}`/sys` and {file}`/tmp` file systems in a separate user name space. - If this is set to <literal>chroot-only</literal>, only the file + If this is set to `chroot-only`, only the file system name space is set up along with the call to - <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry>. + {manpage}`chroot(2)`. - <note><para>This doesn't cover network namespaces and is solely for - file system level isolation.</para></note> + ::: {.note} + This doesn't cover network namespaces and is solely for + file system level isolation. + ::: ''; }; config = let - rootName = "${mkPathSafeName name}-chroot"; inherit (config.confinement) binSh fullUnit; wantsAPIVFS = lib.mkDefault (config.confinement.mode == "full-apivfs"); in lib.mkIf config.confinement.enable { |
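Review bot: The admonition in the `confinement.mode` description keeps the old wording, `This doesn't cover network namespaces and is solely for file system level isolation.`, which tells readers what is missing but not how to close the gap; a practitioner reading this option will want the pointer, e.g. append ``Pair it with {option}`serviceConfig.PrivateNetwork` or {option}`serviceConfig.RestrictAddressFamilies` if the service must not reach the network.`` It would also help to say explicitly that `chroot-only` forgoes the private `/dev`, `/proc`, `/sys` and `/tmp` described for `full-apivfs`, since the current text only lists what that mode does set up (the file system name space and the `chroot(2)` call), which is presumably the trade-off a reader needs to weigh. The hunk also drops the `rootName` binding, which looks unused, but the `config = let … in lib.mkIf …` block it belonged to continues past the end of the hunk, so whether anything below still referenced it cannot be checked here.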