Diffstat (limited to 'nixos/modules/security/systemd-confinement.nix')
-rw-r--r--nixos/modules/security/systemd-confinement.nix6
1 files changed, 3 insertions, 3 deletions
diff --git a/nixos/modules/security/systemd-confinement.nix b/nixos/modules/security/systemd-confinement.nix
index 0a400f1d535..0a09a755e93 100644
--- a/nixos/modules/security/systemd-confinement.nix
+++ b/nixos/modules/security/systemd-confinement.nix
@@ -105,7 +105,7 @@ in {
         wantsAPIVFS = lib.mkDefault (config.confinement.mode == "full-apivfs");
       in lib.mkIf config.confinement.enable {
         serviceConfig = {
-          RootDirectory = pkgs.runCommand rootName {} "mkdir \"$out\"";
+          RootDirectory = "/var/empty";
           TemporaryFileSystem = "/";
           PrivateMounts = lib.mkDefault true;
 
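Review bot: The new fixed `RootDirectory = "/var/empty"` should carry a comment explaining why a shared system-wide directory is an acceptable chroot root, because a reader will otherwise suspect the confined service can see whatever lives there: it is only a mount point, since `TemporaryFileSystem = "/"` on the following line overlays it with a fresh tmpfs. Suggest `# /var/empty is only a mount point: TemporaryFileSystem = "/" below covers it with a private tmpfs, so its real contents never reach the service.` One caveat worth stating too: the unit now relies on `/var/empty` existing as a directory at service start, where the previous per-service store path guaranteed that; presumably NixOS activation creates it, but confirm. The enclosing `serviceConfig` set continues outside the hunk.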
@@ -135,7 +135,7 @@ in {
           ];
           execPkgs = lib.concatMap (opt: let
             isSet = config.serviceConfig ? ${opt};
-          in lib.optional isSet config.serviceConfig.${opt}) execOpts;
+          in lib.flatten (lib.optional isSet config.serviceConfig.${opt})) execOpts;
           unitAttrs = toplevelConfig.systemd.units."${name}.service";
           allPkgs = lib.singleton (builtins.toJSON unitAttrs);
           unitPkgs = if fullUnit then allPkgs else execPkgs;
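Review bot: The `lib.flatten` added on the `execPkgs` line needs a why-comment, because the motivation — the exec options may be given as a list of commands rather than a single value — is not visible here, and `flatten` also silently accepts arbitrarily nested lists that systemd itself would not. Suggest `# Exec* options may be lists (several ExecStartPre etc.); flatten so each entry is considered individually.` Whether each flattened entry is then treated as a string or a package is decided by the consumer of `unitPkgs`, which lies outside the hunk, as does the surrounding `let`.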
@@ -160,7 +160,7 @@ in {
               + " the 'users.users' option instead as this combination is"
               + " currently not supported.";
     }
-    { assertion = !cfg.serviceConfig.ProtectSystem or false;
+    { assertion = cfg.serviceConfig ? ProtectSystem -> cfg.serviceConfig.ProtectSystem == false;
       message = "${whatOpt "ProtectSystem"}. ProtectSystem is not compatible"
               + " with service confinement as it fails to remount /usr within"
               + " our chroot. Please disable the option.";
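Review bot: The rewritten assertion accepts only the boolean `false` as "ProtectSystem disabled", so a service that spells it the way systemd also accepts, e.g. `ProtectSystem = "no"` or `"false"`, would trip the assertion even though the directive is off; if `serviceConfig` can carry string values here, `lib.elem cfg.serviceConfig.ProtectSystem [ false "false" "no" "off" "0" ]` on the right-hand side of `->` would cover both spellings. The `->` form itself is a clear improvement over the old expression, which applied `!` to a value that may be a string. Note that `toString false` is `""` in Nix, so normalising through `toString` is not an option. The assertions list and the `whatOpt` helper are outside the hunk.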