diff options
| author | Dominique Martinet <asmadeus@codewreck.org> | 2020-09-28 13:27:47 +0200 |
|---|---|---|
| committer | aszlig <aszlig@nix.build> | 2020-10-14 11:56:18 +0200 |
| commit | f8d78b9f67bdd3b6b12dbe1b6a2377ec0eef8050 (patch) | |
| tree | 51ad9f5a267bac55f6ae2c83e59f50dc75f46257 /nixos/modules/security/systemd-confinement.nix | |
| parent | ffde8a8e1ed76caa1d213c3209dee7f75b57a20d (diff) | |
| download | nixpkgs-f8d78b9f67bdd3b6b12dbe1b6a2377ec0eef8050.tar nixpkgs-f8d78b9f67bdd3b6b12dbe1b6a2377ec0eef8050.tar.gz nixpkgs-f8d78b9f67bdd3b6b12dbe1b6a2377ec0eef8050.tar.bz2 nixpkgs-f8d78b9f67bdd3b6b12dbe1b6a2377ec0eef8050.tar.lz nixpkgs-f8d78b9f67bdd3b6b12dbe1b6a2377ec0eef8050.tar.xz nixpkgs-f8d78b9f67bdd3b6b12dbe1b6a2377ec0eef8050.tar.zst nixpkgs-f8d78b9f67bdd3b6b12dbe1b6a2377ec0eef8050.zip | |
confinement: fix assert for serviceConfig.ProtectSystem
serviceConfig.ProtectSystem is usually a string so if set, the assert itself would error out leaving no useable trace: # nixos-rebuild switch --show-trace building Nix... building the system configuration... error: while evaluating the attribute 'config.system.build.toplevel' at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/activation/top-level.nix:293:5: while evaluating 'foldr' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/lists.nix:52:20, called from /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/activation/top-level.nix:128:12: while evaluating 'fold'' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/lists.nix:55:15, called from /nix/var/nix/profiles/per-user/root/channels/nixos/lib/lists.nix:59:8: while evaluating anonymous function at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/activation/top-level.nix:121:50, called from undefined position: while evaluating the attribute 'assertion' at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/security/systemd-confinement.nix:163:7: value is a string while a Boolean was expected Fix the check to give a sensible assert message instead; the attribute should either be not set or false bool to pass. Closes: #99000
Diffstat (limited to 'nixos/modules/security/systemd-confinement.nix')
| -rw-r--r-- | nixos/modules/security/systemd-confinement.nix | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/nixos/modules/security/systemd-confinement.nix b/nixos/modules/security/systemd-confinement.nix index 2927d424a8a..afb81a2b56b 100644 --- a/nixos/modules/security/systemd-confinement.nix +++ b/nixos/modules/security/systemd-confinement.nix @@ -160,7 +160,7 @@ in { + " the 'users.users' option instead as this combination is" + " currently not supported."; } - { assertion = !cfg.serviceConfig.ProtectSystem or false; + { assertion = cfg.serviceConfig ? ProtectSystem -> cfg.serviceConfig.ProtectSystem == false; message = "${whatOpt "ProtectSystem"}. ProtectSystem is not compatible" + " with service confinement as it fails to remount /usr within" + " our chroot. Please disable the option."; |