Skip to content

nixos/ipfs: Only set ReadWritePaths when hardened#166340

Merged
Artturin merged 3 commits intoNixOS:masterfrom
max-privatevoid:patch-6
Jun 28, 2022
Merged

nixos/ipfs: Only set ReadWritePaths when hardened#166340
Artturin merged 3 commits intoNixOS:masterfrom
max-privatevoid:patch-6

Conversation

@max-privatevoid
Copy link
Contributor

@max-privatevoid max-privatevoid commented Mar 29, 2022

Description of changes

Setting ReadWritePaths kills mount propagation and unconditionally breaks FUSE.

Workaround:

systemd.services.ipfs.serviceConfig.ReadWritePaths = lib.mkForce [ ];
Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 22.05 Release Notes (or backporting 21.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
    • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
  • Fits CONTRIBUTING.md.

@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Mar 29, 2022
@max-privatevoid max-privatevoid changed the base branch from nixos-unstable to master March 29, 2022 23:46
@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. labels Mar 30, 2022
@marius851000
Copy link
Contributor

marius851000 commented Mar 30, 2022

I can confirm that applying systemd.services.ipfs.serviceConfig.ReadWritePaths = lib.mkForce [ ]; to my configuration fix my broken /ipfs mount. (broken as in it does (correctly) refuse to list subdir of /ipfs, but also of every other path that should have worked).

Luflosi
Luflosi reviewed Apr 12, 2022
View reviewed changes
@Luflosi
Copy link
Contributor

Luflosi commented Apr 12, 2022

I broke this in #165252.
Next time please ping the author of the changes that broke something because then I would have seen this PR much sooner. I only found this PR accidentally.

Also consider adding a test to test if the autoMount option works, so it doesn't break again in the future.

@max-privatevoid @Luflosi
nixos/ipfs: Only set ReadWritePaths when hardened
72d6d73 
Co-authored-by: Luflosi <Luflosi@users.noreply.github.com>
@max-privatevoid max-privatevoid requested a review from Luflosi April 16, 2022 19:28
Luflosi
Luflosi approved these changes Apr 20, 2022
View reviewed changes
Copy link
Contributor

@Luflosi Luflosi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Test runs as expected, LGTM.

@Artturin Artturin added the 12.approvals: 1 This PR was reviewed and approved by one person. label May 7, 2022
Luflosi
Luflosi reviewed Jun 10, 2022
View reviewed changes
@max-privatevoid @Luflosi
nixos/tests/ipfs: Simplify FUSE test
664dab9 
Co-authored-by: Luflosi <Luflosi@users.noreply.github.com>
@nixos-discourse
Copy link

nixos-discourse commented Jun 14, 2022

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-ready-for-review/3032/923

fufexan
fufexan approved these changes Jun 17, 2022
View reviewed changes
Copy link
Contributor

@fufexan fufexan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Artturin can you merge this?

@bobby285271 bobby285271 added 12.approvals: 2 This PR was reviewed and approved by two persons. and removed 12.approvals: 1 This PR was reviewed and approved by one person. labels Jun 26, 2022
McSinyx
McSinyx approved these changes Jun 27, 2022
View reviewed changes
Copy link
Member

@McSinyx McSinyx left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I also confirm that this fixes the mount points.

@nixos-discourse
Copy link

nixos-discourse commented Jun 27, 2022

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-already-reviewed/2617/532

@Artturin Artturin merged commit 3cff3f7 into NixOS:master Jun 28, 2022
@github-actions github-actions bot mentioned this pull request Jun 28, 2022
Merged
1 task
@github-actions
Copy link
Contributor

github-actions bot commented Jun 28, 2022

Successfully created backport PR #179463 for release-22.05.

@github-actions
Copy link
Contributor

github-actions bot commented Jun 28, 2022

The process '/usr/bin/git' failed with exit code 1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

3 more reviewers

@McSinyx McSinyx McSinyx approved these changes

@Luflosi Luflosi Luflosi approved these changes

@fufexan fufexan fufexan approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 12.approvals: 2 This PR was reviewed and approved by two persons.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

8 participants

@max-privatevoid @marius851000 @Luflosi @nixos-discourse @McSinyx @fufexan @bobby285271 @Artturin