nixos/mysql: enable sandbox mode

This commit is contained in:
Izorkin 2020-05-14 20:29:59 +03:00
parent 0ba7e1ae98
commit df7e52814d
2 changed files with 46 additions and 5 deletions


@ -367,11 +367,7 @@ in
'';
serviceConfig = {
User = cfg.user;
Group = "mysql";
Type = if hasNotify then "notify" else "simple";
RuntimeDirectory = "mysqld";
RuntimeDirectoryMode = "0755";
Restart = "on-abort";
RestartSec = "5s";
# The last two environment variables are used for starting Galera clusters
@ -452,7 +448,7 @@ in
cat ${toString cfg.initialScript} | ${mysql}/bin/mysql -u root -N
''}
rm /tmp/mysql_init
rm ${cfg.dataDir}/mysql_init
fi
${optionalString (cfg.ensureDatabases != []) ''
@ -476,6 +472,35 @@ in
# ensureDatbases & ensureUsers depends on this script being run as root
# when the user has secured their mysql install
"+${setupScript}";
# User and group
User = cfg.user;
Group = "mysql";
# Runtime directory and mode
RuntimeDirectory = "mysqld";
RuntimeDirectoryMode = "0755";
# Access write directories
ReadWritePaths = [ cfg.dataDir ];
# Capabilities
CapabilityBoundingSet = "";
# Security
NoNewPrivileges = true;
# Sandboxing
ProtectSystem = "strict";
ProtectHome = true;
PrivateTmp = true;
PrivateDevices = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
LockPersonality = true;
MemoryDenyWriteExecute = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
PrivateMounts = true;
# System Call Filtering
SystemCallArchitectures = "native";
};
};