nixos/mysql: enable sandbox mode

This commit is contained in:
Izorkin 2020-05-14 20:29:59 +03:00
parent 0ba7e1ae98
commit df7e52814d
2 changed files with 46 additions and 5 deletions

View file

@ -89,6 +89,22 @@ services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" ''
When MariaDB data directory is just upgraded (not initialized), the users are not created or modified.
</para>
</listitem>
<listitem>
<para>
MySQL server is now started with additional systemd sandbox/hardening options for better security. The PrivateTmp, ProtectHome, and ProtectSystem options
may be problematic when MySQL is attempting to read from or write to your filesystem anywhere outside of its own state directory, for example when
calling <literal>LOAD DATA INFILE or SELECT * INTO OUTFILE</literal>. In this scenario a variant of the following may be required:
- allow MySQL to read from /home and /tmp directories when using <literal>LOAD DATA INFILE</literal>
<programlisting>
systemd.services.mysql.serviceConfig.ProtectHome = lib.mkForce "read-only";
</programlisting>
- allow MySQL to write to custom folder <literal>/var/data</literal> when using <literal>SELECT * INTO OUTFILE</literal>, assuming the mysql user has write
access to <literal>/var/data</literal>
<programlisting>
systemd.services.mysql.serviceConfig.ReadWritePaths = [ "/var/data" ];
</programlisting>
</para>
</listitem>
</itemizedlist>
</section>

View file

@ -367,11 +367,7 @@ in
'';
serviceConfig = {
User = cfg.user;
Group = "mysql";
Type = if hasNotify then "notify" else "simple";
RuntimeDirectory = "mysqld";
RuntimeDirectoryMode = "0755";
Restart = "on-abort";
RestartSec = "5s";
# The last two environment variables are used for starting Galera clusters
@ -452,7 +448,7 @@ in
cat ${toString cfg.initialScript} | ${mysql}/bin/mysql -u root -N
''}
rm /tmp/mysql_init
rm ${cfg.dataDir}/mysql_init
fi
${optionalString (cfg.ensureDatabases != []) ''
@ -476,6 +472,35 @@ in
# ensureDatbases & ensureUsers depends on this script being run as root
# when the user has secured their mysql install
"+${setupScript}";
# User and group
User = cfg.user;
Group = "mysql";
# Runtime directory and mode
RuntimeDirectory = "mysqld";
RuntimeDirectoryMode = "0755";
# Access write directories
ReadWritePaths = [ cfg.dataDir ];
# Capabilities
CapabilityBoundingSet = "";
# Security
NoNewPrivileges = true;
# Sandboxing
ProtectSystem = "strict";
ProtectHome = true;
PrivateTmp = true;
PrivateDevices = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
LockPersonality = true;
MemoryDenyWriteExecute = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
PrivateMounts = true;
# System Call Filtering
SystemCallArchitectures = "native";
};
};