nixos/postgresql: create infrastructure for relaxing systemd hardening

By matching on the package names of the plugins passed into the package we can relax the systemd unit hardening as needed. (cherry picked from commit d370af0785)
2025-07-17 07:30:21 +03:00 · 2024-11-10 17:08:59 +01:00 · 2024-11-10 17:08:59 +01:00 · 210f9b1546
commit 210f9b1546
parent 7d07116532
2 changed files with 45 additions and 30 deletions
--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@ -2,6 +2,7 @@

 let
  inherit (lib)
+    any
    attrValues
    concatMapStrings
    concatStringsSep
@ -9,6 +10,7 @@ let
    elem
    escapeShellArgs
    filterAttrs
+    getName
    isString
    literalExpression
    mapAttrs
@ -31,19 +33,19 @@ let

  cfg = config.services.postgresql;

-  postgresql =
-    let
-      # ensure that
-      #   services.postgresql = {
-      #     enableJIT = true;
-      #     package = pkgs.postgresql_<major>;
-      #   };
-      # works.
-      base = if cfg.enableJIT then cfg.package.withJIT else cfg.package.withoutJIT;
-    in
-    if cfg.extensions == []
-      then base
-      else base.withPackages cfg.extensions;
+  # ensure that
+  #   services.postgresql = {
+  #     enableJIT = true;
+  #     package = pkgs.postgresql_<major>;
+  #   };
+  # works.
+  basePackage = if cfg.enableJIT
+    then cfg.package.withJIT
+    else cfg.package.withoutJIT;
+
+  postgresql = if cfg.extensions == []
+    then basePackage
+    else basePackage.withPackages cfg.extensions;

  toStr = value:
    if true == value then "yes"
@ -60,6 +62,9 @@ let
  '';

  groupAccessAvailable = versionAtLeast postgresql.version "11.0";
+
+  extensionNames = map getName postgresql.installedExtensions;
+  extensionInstalled = extension: elem extension extensionNames;
 in

 {
@ -639,7 +644,7 @@ in
            PrivateTmp = true;
            ProtectHome = true;
            ProtectSystem = "strict";
-            MemoryDenyWriteExecute = lib.mkDefault (cfg.settings.jit == "off");
+            MemoryDenyWriteExecute = lib.mkDefault (cfg.settings.jit == "off" && (!any extensionInstalled [ "plv8" ]));
            NoNewPrivileges = true;
            LockPersonality = true;
            PrivateDevices = true;
@ -663,10 +668,12 @@ in
            RestrictRealtime = true;
            RestrictSUIDSGID = true;
            SystemCallArchitectures = "native";
-            SystemCallFilter = [
-              "@system-service"
-              "~@privileged @resources"
-            ];
+            SystemCallFilter =
+              [
+                "@system-service"
+                "~@privileged @resources"
+              ]
+              ++ lib.optionals (any extensionInstalled [ "plv8" ]) [ "@pkey" ];
            UMask = if groupAccessAvailable then "0027" else "0077";
          }
          (mkIf (cfg.dataDir != "/var/lib/postgresql") {