nixos/usbguard: rework #93702
nixos/usbguard: rework #93702
Conversation
ofborg
bot
added
6.topic: nixos
ofborg
bot
added
10.rebuild-darwin: 0
|
Instead of doing this in the preStart script, can we use the If that folder deviates from the default, we don't really know how to set up the file system structure towards this anyways (mount points in between, etc.) - so providing a simple state directory initialization via StateDirectory for the default case, and leaving more complex things up to the user seems preferrable. Also, cc @aanderse as the author of that original PR. |
|
Ah, and |
|
I am in favour of using StateDirectory and logging to journal. In that case the some of the options for custom directory paths should be dropped. I will create a patch. |
|
Thanks! |
|
I could not figure out how to get the audit logs some other way than to write them to file. The normal usbguard logs are already written to the journal. If the audit logs should still land in the linux audit system, I would need help with that, as I did not yet figure out how to get it working (especially on NixOS something with audit/auditd seems boken or unintuitive). As for dropping the options: Is hardcoding the defaults and removing the options a proper way to deprecate them? Where do I put deprecation notices? |
|
I'd even be find with dropping the options, as now proposed in this PR tbh. |
|
@flokli I would also support hard coding the paths so we could drop the options, if everyone else agrees 👍 |
ofborg
bot
added
10.rebuild-linux: 1-10
10.rebuild-linux: 1
and removed
10.rebuild-linux: 0
|
If I set Also some of the options were dropped and text reworked. |
| daemonConfFile = pkgs.writeText "usbguard-daemon-conf" daemonConf; | ||
|
|
||
| in | ||
| { | ||
|
|
||
| ###### interface |
There was a problem hiding this comment.
| ###### interface | |
| imports = [ | |
| (mkRemovedOptionModule [ "services" "usbguard" "ruleFile" ] "<explanation here>") | |
| (mkRemovedOptionModule [ "services" "usbgaurd" "IPCAccessControlFiles" ] "<explanation here>") | |
| (mkRemovedOptionModule [ "services" "usbgaurd" "auditFilePath" ] "<explanation here>") | |
| ]; | |
| ###### interface |
There was a problem hiding this comment.
Hmm... further to this we will need an entry in the release notes as this is a breaking change.
| contents of this option will be written into the nix-store it will be | ||
| read-only. | ||
| The USBGuard daemon will load this to load the policy rule set. | ||
| Persistent modification it via IPC interface won't work, since |
| <literal>ruleFile</literal> option. | ||
| ''; | ||
| }; | ||
|
|
||
| rules = mkOption { | ||
| type = types.nullOr types.lines; | ||
| default = null; | ||
| example = '' | ||
| allow with-interface equals { 08:*:* } | ||
| ''; | ||
| description = '' |
There was a problem hiding this comment.
I find this description to be a little bit confusing, and I know what you are trying to do. Maybe we can reword this to simplify the intention of nixos managed rules which are immutable vs user managed "dynamic" rules via IPC.
|
ping @tnias |
|
@aanderse Like this? |
ofborg
bot
added
8.has: changelog
8.has: documentation
|
Nice. I squashed the commits. |
|
This needs another rebase unfortunately. |
|
@flokli I squashed them into one. Anything else? |
|
Did you rebase it onto latest master? GitHub says there's conflicts. |
Use StateDirectory to create necessary directories and hardcode some paths. Also drop file based audit logs, they can be found in the journal. And add module option deprecation messages.
|
Okay, this time I actually rebased against the upstream master 😆 |
ofborg
bot
removed
the
2.status: merge conflict
|
Thanks! |
Override the read only restriction for the preStart script, otherwise
directories in /var/{lib,log} can not be created.
Motivation for this change
Fresh usbguard setup with default settings fails to start.
Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)