nixos/tmpfiles: properly escape argument option

The systemd.tmpfiles.settings.<name>.<path>.<type>.argument option may contain arbitrary strings. This could allow intentional or unintentional introduction of new configuration lines. The argument field cannot be quoted, C‐style \xNN escape sequences are however permitted. By escaping whitespace and newline characters, the issue can be mitigated.
2025-06-11 20:25:32 +03:00 · 2025-03-19 18:00:44 +01:00 · 2025-03-19 18:00:44 +01:00 · 045fbc389f
commit 045fbc389f
parent b179a7a07f
1 changed files with 28 additions and 2 deletions
--- a/nixos/modules/system/boot/systemd/tmpfiles.nix
+++ b/nixos/modules/system/boot/systemd/tmpfiles.nix
@ -18,6 +18,14 @@ let
      inherit elemType placeholder;
    };

+  escapeArgument = lib.strings.escapeC [
+    "\t"
+    "\n"
+    "\r"
+    " "
+    "\\"
+  ];
+
  settingsOption = {
    description = ''
      Declare systemd-tmpfiles rules to create, delete, and clean up volatile
@ -126,7 +134,7 @@ let

  # generates a single entry for a tmpfiles.d rule
  settingsEntryToRule = path: entry: ''
-    '${entry.type}' '${path}' '${entry.mode}' '${entry.user}' '${entry.group}' '${entry.age}' ${entry.argument}
+    '${entry.type}' '${path}' '${entry.mode}' '${entry.user}' '${entry.group}' '${entry.age}' ${escapeArgument entry.argument}
  '';

  # generates a list of tmpfiles.d rules from the attrs (paths) under tmpfiles.settings.<name>
@ -199,7 +207,25 @@ in
          "boot.initrd.systemd.storePaths will lead to errors in the future."
          "Found these problematic files: ${lib.concatStringsSep ", " paths}"
        ]
-      );
+      )
+      ++ (lib.flatten (
+        lib.mapAttrsToList (
+          name: paths:
+          lib.mapAttrsToList (
+            path: entries:
+            lib.mapAttrsToList (
+              type': entry:
+              lib.optional (lib.match ''.*\\([nrt]|x[0-9A-Fa-f]{2}).*'' entry.argument != null) (
+                lib.concatStringsSep " " [
+                  "The argument option of ${name}.${type'}.${path} appears to"
+                  "contain escape sequences, which will be escaped again."
+                  "Unescape them if this is not intended: \"${entry.argument}\""
+                ]
+              )
+            ) entries
+          ) paths
+        ) cfg.settings
+      ));

    systemd.additionalUpstreamSystemUnits = [
      "systemd-tmpfiles-clean.service"