diff options
Diffstat (limited to 'nixos/modules/security/systemd-confinement.nix')
-rw-r--r-- | nixos/modules/security/systemd-confinement.nix | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/nixos/modules/security/systemd-confinement.nix b/nixos/modules/security/systemd-confinement.nix index 0a400f1d535..0a09a755e93 100644 --- a/nixos/modules/security/systemd-confinement.nix +++ b/nixos/modules/security/systemd-confinement.nix @@ -105,7 +105,7 @@ in { wantsAPIVFS = lib.mkDefault (config.confinement.mode == "full-apivfs"); in lib.mkIf config.confinement.enable { serviceConfig = { - RootDirectory = pkgs.runCommand rootName {} "mkdir \"$out\""; + RootDirectory = "/var/empty"; TemporaryFileSystem = "/"; PrivateMounts = lib.mkDefault true; @@ -135,7 +135,7 @@ in { ]; execPkgs = lib.concatMap (opt: let isSet = config.serviceConfig ? ${opt}; - in lib.optional isSet config.serviceConfig.${opt}) execOpts; + in lib.flatten (lib.optional isSet config.serviceConfig.${opt})) execOpts; unitAttrs = toplevelConfig.systemd.units."${name}.service"; allPkgs = lib.singleton (builtins.toJSON unitAttrs); unitPkgs = if fullUnit then allPkgs else execPkgs; @@ -160,7 +160,7 @@ in { + " the 'users.users' option instead as this combination is" + " currently not supported."; } - { assertion = !cfg.serviceConfig.ProtectSystem or false; + { assertion = cfg.serviceConfig ? ProtectSystem -> cfg.serviceConfig.ProtectSystem == false; message = "${whatOpt "ProtectSystem"}. ProtectSystem is not compatible" + " with service confinement as it fails to remount /usr within" + " our chroot. Please disable the option."; |