authoraszlig <aszlig@nix.build>2019-03-14 15:26:10 +0100
committeraszlig <aszlig@nix.build>2019-03-14 19:14:03 +0100
commit0ba48f46dacf1d0771cb1995a9a0ff6c1bd2e4fb (patch)
tree65d35c862b0fe671969671f02d1c459dbda871e7 /nixos
parentac64ce994509aaad8c5b55254595a5f989ba24e9 (diff)
nixos/systemd-chroot: Rename chroot to confinement
Quoting @edolstra from [1]:

  I don't really like the name "chroot", something like "confine[ment]"
  or "restrict" seems better. Conceptually we're not providing a
  completely different filesystem tree but a restricted view of the same
  tree.

I already used "confinement" as a sub-option and I do agree that
"chroot" sounds a bit too specific (especially because not *only* chroot
is involved).

So this changes the module name and its options to use "confinement"
instead of "chroot" and also renames the "chroot.confinement" sub-option
to "confinement.mode".

[1]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-472855704

Signed-off-by: aszlig <aszlig@nix.build>
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/module-list.nix2
-rw-r--r--nixos/modules/security/systemd-confinement.nix (renamed from nixos/modules/security/systemd-chroot.nix)26
-rw-r--r--nixos/tests/all-tests.nix2
-rw-r--r--nixos/tests/systemd-confinement.nix (renamed from nixos/tests/systemd-chroot.nix)12
4 files changed, 21 insertions, 21 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 768bc40d179..ab49bd549a8 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -170,7 +170,7 @@
   ./security/rtkit.nix
   ./security/wrappers/default.nix
   ./security/sudo.nix
-  ./security/systemd-chroot.nix
+  ./security/systemd-confinement.nix
   ./services/admin/oxidized.nix
   ./services/admin/salt/master.nix
   ./services/admin/salt/minion.nix
diff --git a/nixos/modules/security/systemd-chroot.nix b/nixos/modules/security/systemd-confinement.nix
index befe2d3418c..dc53bbc4dbb 100644
--- a/nixos/modules/security/systemd-chroot.nix
+++ b/nixos/modules/security/systemd-confinement.nix
@@ -8,7 +8,7 @@ let
 in {
   options.systemd.services = lib.mkOption {
     type = types.attrsOf (types.submodule ({ name, config, ... }: {
-      options.chroot.enable = lib.mkOption {
+      options.confinement.enable = lib.mkOption {
         type = types.bool;
         default = false;
         description = ''
@@ -20,7 +20,7 @@ in {
         '';
       };
 
-      options.chroot.packages = lib.mkOption {
+      options.confinement.packages = lib.mkOption {
         type = types.listOf (types.either types.str types.package);
         default = [];
         description = let
@@ -44,7 +44,7 @@ in {
         '';
       };
 
-      options.chroot.withBinSh = lib.mkOption {
+      options.confinement.withBinSh = lib.mkOption {
         type = types.bool;
         default = true;
         description = ''
@@ -59,7 +59,7 @@ in {
         '';
       };
 
-      options.chroot.confinement = lib.mkOption {
+      options.confinement.mode = lib.mkOption {
         type = types.enum [ "full-apivfs" "chroot-only" ];
         default = "full-apivfs";
         description = ''
@@ -81,16 +81,16 @@ in {
         '';
       };
 
-      config = lib.mkIf config.chroot.enable {
+      config = lib.mkIf config.confinement.enable {
         serviceConfig = let
           rootName = "${mkPathSafeName name}-chroot";
         in {
           RootDirectory = pkgs.runCommand rootName {} "mkdir \"$out\"";
           TemporaryFileSystem = "/";
           MountFlags = lib.mkDefault "private";
-        } // lib.optionalAttrs config.chroot.withBinSh {
+        } // lib.optionalAttrs config.confinement.withBinSh {
           BindReadOnlyPaths = [ "${pkgs.dash}/bin/dash:/bin/sh" ];
-        } // lib.optionalAttrs (config.chroot.confinement == "full-apivfs") {
+        } // lib.optionalAttrs (config.confinement.mode == "full-apivfs") {
           MountAPIVFS = true;
           PrivateDevices = true;
           PrivateTmp = true;
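Review bot: The `lib.optionalAttrs (config.confinement.mode == "full-apivfs")` branch needs a comment now that the option is called `confinement`, because everything inside it (`MountAPIVFS`, `PrivateDevices`, `PrivateTmp` and the entries that follow) is skipped for `"chroot-only"`. In that mode the unit gets only `RootDirectory`, `TemporaryFileSystem` and `MountFlags` from this module, so `confinement.enable = true` restricts the filesystem view and nothing else. I would add above the branch `# "chroot-only" gets none of these: only the filesystem view is restricted`. The option's description and the rest of this attribute set are outside the hunk, so the description may already say this. If it does not, it should, and it should also say that a root directory change alone does not contain a service that runs as root.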
@@ -99,7 +99,7 @@ in {
           ProtectKernelModules = true;
           ProtectKernelTunables = true;
         };
-        chroot.packages = let
+        confinement.packages = let
           startOnly = config.serviceConfig.RootDirectoryStartOnly or false;
           execOpts = if startOnly then [ "ExecStart" ] else [
             "ExecReload" "ExecStart" "ExecStartPost" "ExecStartPre" "ExecStop"
@@ -108,7 +108,7 @@ in {
           execPkgs = lib.concatMap (opt: let
             isSet = config.serviceConfig ? ${opt};
           in lib.optional isSet config.serviceConfig.${opt}) execOpts;
-        in execPkgs ++ lib.optional config.chroot.withBinSh pkgs.dash;
+        in execPkgs ++ lib.optional config.confinement.withBinSh pkgs.dash;
       };
     }));
   };
@@ -116,8 +116,8 @@ in {
   config.assertions = lib.concatLists (lib.mapAttrsToList (name: cfg: let
     whatOpt = optName: "The 'serviceConfig' option '${optName}' for"
                     + " service '${name}' is enabled in conjunction with"
-                    + " 'chroot.enable'";
-  in lib.optionals cfg.chroot.enable [
+                    + " 'confinement.enable'";
+  in lib.optionals cfg.confinement.enable [
     { assertion = !cfg.serviceConfig.RootDirectoryStartOnly or false;
       message = "${whatOpt "RootDirectoryStartOnly"}, but right now systemd"
               + " doesn't support restricting bind-mounts to 'ExecStart'."
@@ -133,7 +133,7 @@ in {
 
   config.systemd.packages = lib.concatLists (lib.mapAttrsToList (name: cfg: let
     rootPaths = let
-      contents = lib.concatStringsSep "\n" cfg.chroot.packages;
+      contents = lib.concatStringsSep "\n" cfg.confinement.packages;
     in pkgs.writeText "${mkPathSafeName name}-string-contexts.txt" contents;
 
     chrootPaths = pkgs.runCommand "${mkPathSafeName name}-chroot-paths" {
@@ -156,5 +156,5 @@ in {
         fi
       done < "$closureInfo/store-paths" >> "$serviceFile"
     '';
-  in lib.optional cfg.chroot.enable chrootPaths) config.systemd.services);
+  in lib.optional cfg.confinement.enable chrootPaths) config.systemd.services);
 }
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index fe67e245350..70103c4e6da 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -216,7 +216,7 @@ in
   switchTest = handleTest ./switch-test.nix {};
   syncthing-relay = handleTest ./syncthing-relay.nix {};
   systemd = handleTest ./systemd.nix {};
-  systemd-chroot = handleTest ./systemd-chroot.nix {};
+  systemd-confinement = handleTest ./systemd-confinement.nix {};
   taskserver = handleTest ./taskserver.nix {};
   telegraf = handleTest ./telegraf.nix {};
   tomcat = handleTest ./tomcat.nix {};
diff --git a/nixos/tests/systemd-chroot.nix b/nixos/tests/systemd-confinement.nix
index 523e1ad9f4d..448d34ec30b 100644
--- a/nixos/tests/systemd-chroot.nix
+++ b/nixos/tests/systemd-confinement.nix
@@ -1,5 +1,5 @@
 import ./make-test.nix {
-  name = "systemd-chroot";
+  name = "systemd-confinement";
 
   machine = { pkgs, lib, ... }: let
     testServer = pkgs.writeScript "testserver.sh" ''
@@ -26,13 +26,13 @@ import ./make-test.nix {
       };
 
       systemd.services."test${toString num}@" = {
-        description = "Chrooted Test Service ${toString num}";
-        chroot = (config.chroot or {}) // { enable = true; };
+        description = "Confined Test Service ${toString num}";
+        confinement = (config.confinement or {}) // { enable = true; };
         serviceConfig = (config.serviceConfig or {}) // {
           ExecStart = testServer;
           StandardInput = "socket";
         };
-      } // removeAttrs config [ "chroot" "serviceConfig" ];
+      } // removeAttrs config [ "confinement" "serviceConfig" ];
 
       __testSteps = lib.mkOrder num ''
         subtest '${lib.escape ["\\" "'"] description}', sub {
@@ -45,7 +45,7 @@ import ./make-test.nix {
   in {
     imports = lib.imap1 mkTestStep [
       { description = "chroot-only confinement";
-        config.chroot.confinement = "chroot-only";
+        config.confinement.mode = "chroot-only";
         testScript = ''
           $machine->succeed(
             'test "$(chroot-exec ls -1 / | paste -sd,)" = bin,nix',
@@ -88,7 +88,7 @@ import ./make-test.nix {
         } "ln -s \"$target\" \"$out\"";
       in {
         description = "check if symlinks are properly bind-mounted";
-        config.chroot.packages = lib.singleton symlink;
+        config.confinement.packages = lib.singleton symlink;
         testScript = ''
           $machine->fail('chroot-exec test -e /etc');
           $machine->succeed('chroot-exec cat ${symlink} >&2');