
nixos/gitea: Sandbox the systemd service #63840

Merged
merged 1 commit into from Dec 1, 2019

Conversation

dasJ
Member

@dasJ dasJ commented Jun 27, 2019

Motivation for this change
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

Contributor

@gazally gazally left a comment

Have you considered adding these? They are from the recommendations in #20816.

RestrictAddressFamilies=AF_NETLINK AF_UNIX
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @resources

Edit: gitea is probably going to need AF_INET AF_INET6 in RestrictAddressFamilies.

@dasJ
Member Author

dasJ commented Jul 16, 2019

@gazally Thanks for the recommendation. I added both options; my gitea is currently running with them and there don't seem to be any issues. It needs AF_INET and AF_INET6, but not AF_NETLINK.
I also added SystemCallArchitectures to prevent services from working around the SystemCallFilter.
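A quick way to confirm that a deployed unit ended up with the settings discussed above (the address families dasJ found gitea actually needs, a seccomp deny-list, and a native-only syscall ABI) is to check the values systemd reports for it. This is an added example, not code from the PR or from the NixOS module; the two sample inputs are constructed in the `Key=Value` format printed by `systemctl show`, and the checks encode the outcome of this thread rather than anything the gitea module itself asserts.

```shell
#!/bin/sh
# Validate a unit's sandbox settings from `systemctl show` output read on stdin.
# Returns 0 when every check passes, 1 otherwise; findings are printed to stdout.
check_sandbox() {
    input=$(cat)
    families=$(printf '%s\n' "$input" | sed -n 's/^RestrictAddressFamilies=//p')
    filter=$(printf '%s\n' "$input" | sed -n 's/^SystemCallFilter=//p')
    arch=$(printf '%s\n' "$input" | sed -n 's/^SystemCallArchitectures=//p')
    rc=0

    # Gitea needs IPv4/IPv6 sockets in addition to AF_UNIX (dasJ's finding).
    for fam in AF_UNIX AF_INET AF_INET6; do
        case " $families " in
            *" $fam "*) ;;
            *) echo "missing address family: $fam"; rc=1 ;;
        esac
    done
    # AF_NETLINK was in the original suggestion but turned out to be unnecessary.
    case " $families " in
        *" AF_NETLINK "*) echo "excess address family: AF_NETLINK"; rc=1 ;;
    esac

    # An empty value means no seccomp filter is installed at all.
    [ -n "$filter" ] || { echo "no SystemCallFilter set"; rc=1; }

    # Without a native-only ABI, a filtered syscall could be issued via another architecture.
    [ "$arch" = "native" ] || { echo "SystemCallArchitectures is not native"; rc=1; }
    return $rc
}

# Constructed sample (not captured from a real host): the configuration dasJ reported working.
SAMPLE_OK='RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @resources
SystemCallArchitectures=native'

# Constructed sample that follows the first suggestion literally: AF_NETLINK, no IPv4/IPv6, no ABI lock.
SAMPLE_BAD='RestrictAddressFamilies=AF_NETLINK AF_UNIX
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @resources
SystemCallArchitectures='

# Against a live unit (requires systemd), after sourcing this file:
#   systemctl show -p RestrictAddressFamilies -p SystemCallFilter -p SystemCallArchitectures gitea.service | check_sandbox
```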

@FRidh FRidh merged commit e42036e into NixOS:master Dec 1, 2019
@srhb
Contributor

srhb commented Dec 2, 2019

This broke the service and the test due to (at least) preStart failing.

@srhb srhb mentioned this pull request Dec 2, 2019
@FRidh
Member

FRidh commented Dec 2, 2019

It would be good if the service had maintainers so they could be pinged on changes.

@srhb
Contributor

srhb commented Dec 2, 2019

I can probably take up maintainership here, no problem.

@jollheef
Member

jollheef commented Dec 4, 2019

Tested execution of all binary files (usually in ./result/bin/)

How did you actually test your changes? It broke the service.

@ghost

ghost commented Dec 4, 2019

Any known workarounds for the breakage other than reverting the whole commit?

@jollheef
Member

jollheef commented Dec 4, 2019

Any known workarounds for the breakage other than reverting the whole commit?

#74849 (comment)

@srhb
Contributor

srhb commented Dec 4, 2019

#74852

This does not revert everything but works on my setup. More testers would be appreciated, because it's hard to tell if it's still too restrictive for some setups.

@dasJ dasJ deleted the sandbox-gitea branch February 5, 2020 00:11
@dasJ dasJ restored the sandbox-gitea branch February 5, 2020 00:11
@dasJ dasJ deleted the sandbox-gitea branch February 5, 2020 00:11