From 1a24fe963901ad6d477cadb7fca5a88af1fec919 Mon Sep 17 00:00:00 2001
From: Robert Hensing
Date: Wed, 26 May 2021 16:59:50 +0200
Subject: [PATCH] Warn when DynamicUser is used without SYS_ADMIN
---
src/nix/modules/service/all-modules.nix | 1 +
src/nix/modules/service/check-sys_admin.nix | 30 +++++++++++++++++++++
2 files changed, 31 insertions(+)
create mode 100644 src/nix/modules/service/check-sys_admin.nix
diff --git a/src/nix/modules/service/all-modules.nix b/src/nix/modules/service/all-modules.nix
index 085f1aa..0b56623 100644
--- a/src/nix/modules/service/all-modules.nix
+++ b/src/nix/modules/service/all-modules.nix
@@ -9,4 +9,5 @@
 ./nixos.nix
 ./nixos-init.nix
 ../lib/assert.nix
+ ./check-sys_admin.nix
 ]
diff --git a/src/nix/modules/service/check-sys_admin.nix b/src/nix/modules/service/check-sys_admin.nix
new file mode 100644
index 0000000..0ea2ee0
--- /dev/null
+++ b/src/nix/modules/service/check-sys_admin.nix
@@ -0,0 +1,30 @@
+{ config, lib, name, ... }:
+let
+ inherit (lib)
+ concatStringsSep
+ optional
+ ;
+
+ dynamicUserServices = lib.attrNames (
+ lib.filterAttrs
+ (k: v:
+ v.enable &&
+ v.serviceConfig.DynamicUser or false)
+ config.nixos.evaluatedConfig.systemd.services
+ );
+
+ in
+{
+ config = {
+ warnings =
+ optional (config.nixos.useSystemd && !(config.service.capabilities.SYS_ADMIN or false) && dynamicUserServices != []) (
+ ''In service ${name}, the following units require `SYS_ADMIN` capability
+ because of DynamicUser.
+ ${concatStringsSep "\n" (map (srv: " - services.${name}.nixos.configuration.systemd.services.${srv}") dynamicUserServices)}
+ You can avoid DynamicUser or use
+ services.${name}.service.capabilities.SYS_ADMIN = true;
+ ''
+ );
+ };
+}
\ No newline at end of file
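Review bot: The filter `v.enable && v.serviceConfig.DynamicUser or false` in the new check-sys_admin.nix hunk assumes DynamicUser is a boolean, but NixOS serviceConfig values are not restricted to booleans, so a unit written with the systemd string form `DynamicUser = "yes"` would, as far as I can tell, make `&&` abort the evaluation with a type error instead of producing the warning. Normalising first keeps the check from failing the build, e.g. `let du = v.serviceConfig.DynamicUser or false; in v.enable && (du == true || du == "yes" || du == "true")`. The same caution applies to `!(config.service.capabilities.SYS_ADMIN or false)` on the warnings line: if that option admits null for "neither add nor drop", `!` on a null value raises as well and should be compared with `== true` instead. Since CAP_SYS_ADMIN is a very broad capability, the warning text could also state that and present the fixed User/Group alternative as the preferred option, e.g. add the line `(SYS_ADMIN grants far more than DynamicUser needs; prefer a fixed User= where possible)` before the capability suggestion.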