| author | Dominique Martinet <asmadeus@codewreck.org> | 2020-05-09 21:03:46 +0200 |
|---|---|---|
| committer | aszlig <aszlig@nix.build> | 2020-05-10 19:25:41 +0200 |
| commit | 4c81174f4cd0f9368c47d0878d8efa3ca3fb10a4 (patch) | |
| tree | c72ce92cdcf1a2c68d81e024c34e90c382ed3fc0 /nixos | |
| parent | 5da13930308779e91470a2dc6249005098886011 (diff) | |
nixos/confinement: add conflict for ProtectSystem service option
Systemd ProtectSystem is incompatible with the chroot we make for confinement. The option is redundant with what we do anyway, so warn if it had been set and advise to disable it. Merges: https://github.com/NixOS/nixpkgs/pull/87420
Diffstat (limited to 'nixos')
| -rw-r--r-- | nixos/modules/security/systemd-confinement.nix | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/nixos/modules/security/systemd-confinement.nix b/nixos/modules/security/systemd-confinement.nix index cd4eb81dbe1..0a400f1d535 100644 --- a/nixos/modules/security/systemd-confinement.nix +++ b/nixos/modules/security/systemd-confinement.nix @@ -160,6 +160,11 @@ in { + " the 'users.users' option instead as this combination is" + " currently not supported."; } + { assertion = !cfg.serviceConfig.ProtectSystem or false; + message = "${whatOpt "ProtectSystem"}. ProtectSystem is not compatible" + + " with service confinement as it fails to remount /usr within" + + " our chroot. Please disable the option."; + } ]) config.systemd.services); config.systemd.packages = lib.concatLists (lib.mapAttrsToList (name: cfg: let |
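Review bot: the new assertion `!cfg.serviceConfig.ProtectSystem or false` only behaves as intended when ProtectSystem holds a boolean, but systemd also accepts the strings "full" and "strict" for this option, and in Nix applying `!` to a string aborts evaluation with a type error ("value is a string while a Boolean was expected") instead of reaching the assertion message that tells the user what to change. Since the message asks for the option to be removed altogether, test for its presence rather than negating its value, e.g. `assertion = !(cfg.serviceConfig ? ProtectSystem);`, or normalise first with `(cfg.serviceConfig.ProtectSystem or false) == false` if an explicit `ProtectSystem = false` should remain allowed (it is harmless for the chroot). A one-line comment above the assertion noting that ProtectSystem's /usr remount cannot succeed inside the confinement chroot would also save the next reader a trip to the commit log.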