Merge: nixos/postgresql: extension based hardening relaxation (#355010)

2025-06-15 14:09:17 +03:00 · 2024-11-16 22:29:36 +01:00 · 2024-11-16 22:29:36 +01:00 · 97a911e8fb
commit 97a911e8fb
parent 319acd0bed 68d9643388
11 changed files with 93 additions and 54 deletions
--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@ -2,6 +2,7 @@

 let
  inherit (lib)
+    any
    attrValues
    concatMapStrings
    concatStringsSep
@ -9,6 +10,7 @@ let
    elem
    escapeShellArgs
    filterAttrs
+    getName
    isString
    literalExpression
    mapAttrs
@ -31,19 +33,19 @@ let

  cfg = config.services.postgresql;

-  postgresql =
-    let
-      # ensure that
-      #   services.postgresql = {
-      #     enableJIT = true;
-      #     package = pkgs.postgresql_<major>;
-      #   };
-      # works.
-      base = if cfg.enableJIT then cfg.package.withJIT else cfg.package.withoutJIT;
-    in
-    if cfg.extraPlugins == []
-      then base
-      else base.withPackages cfg.extraPlugins;
+  # ensure that
+  #   services.postgresql = {
+  #     enableJIT = true;
+  #     package = pkgs.postgresql_<major>;
+  #   };
+  # works.
+  basePackage = if cfg.enableJIT
+    then cfg.package.withJIT
+    else cfg.package.withoutJIT;
+
+  postgresql = if cfg.extensions == []
+    then basePackage
+    else basePackage.withPackages cfg.extensions;

  toStr = value:
    if true == value then "yes"
@ -61,6 +63,8 @@ let

  groupAccessAvailable = versionAtLeast postgresql.version "11.0";

+  extensionNames = map getName postgresql.installedExtensions;
+  extensionInstalled = extension: elem extension extensionNames;
 in

 {
@ -69,6 +73,7 @@ in

    (mkRenamedOptionModule [ "services" "postgresql" "logLinePrefix" ] [ "services" "postgresql" "settings" "log_line_prefix" ])
    (mkRenamedOptionModule [ "services" "postgresql" "port" ] [ "services" "postgresql" "settings" "port" ])
+    (mkRenamedOptionModule [ "services" "postgresql" "extraPlugins" ] [ "services" "postgresql" "extensions" ])
  ];

  ###### interface
@ -372,12 +377,12 @@ in
        '';
      };

-      extraPlugins = mkOption {
+      extensions = mkOption {
        type = with types; coercedTo (listOf path) (path: _ignorePg: path) (functionTo (listOf path));
        default = _: [];
        example = literalExpression "ps: with ps; [ postgis pg_repack ]";
        description = ''
-          List of PostgreSQL plugins.
+          List of PostgreSQL extensions to install.
        '';
      };

@ -639,7 +644,7 @@ in
            PrivateTmp = true;
            ProtectHome = true;
            ProtectSystem = "strict";
-            MemoryDenyWriteExecute = lib.mkDefault (cfg.settings.jit == "off");
+            MemoryDenyWriteExecute = lib.mkDefault (cfg.settings.jit == "off" && (!any extensionInstalled [ "plv8" ]));
            NoNewPrivileges = true;
            LockPersonality = true;
            PrivateDevices = true;
@ -663,10 +668,12 @@ in
            RestrictRealtime = true;
            RestrictSUIDSGID = true;
            SystemCallArchitectures = "native";
-            SystemCallFilter = [
-              "@system-service"
-              "~@privileged @resources"
-            ];
+            SystemCallFilter =
+              [
+                "@system-service"
+                "~@privileged @resources"
+              ]
+              ++ lib.optionals (any extensionInstalled [ "plv8" ]) [ "@pkey" ];
            UMask = if groupAccessAvailable then "0027" else "0077";
          }
          (mkIf (cfg.dataDir != "/var/lib/postgresql") {