nixos/mysql: enable sandbox mode
This commit is contained in:
parent
0ba7e1ae98
commit
df7e52814d
2 changed files with 46 additions and 5 deletions
|
@ -89,6 +89,22 @@ services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" ''
|
|||
When MariaDB data directory is just upgraded (not initialized), the users are not created or modified.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
MySQL server is now started with additional systemd sandbox/hardening options for better security. The PrivateTmp, ProtectHome, and ProtectSystem options
|
||||
may be problematic when MySQL is attempting to read from or write to your filesystem anywhere outside of its own state directory, for example when
|
||||
calling <literal>LOAD DATA INFILE or SELECT * INTO OUTFILE</literal>. In this scenario a variant of the following may be required:
|
||||
- allow MySQL to read from /home and /tmp directories when using <literal>LOAD DATA INFILE</literal>
|
||||
<programlisting>
|
||||
systemd.services.mysql.serviceConfig.ProtectHome = lib.mkForce "read-only";
|
||||
</programlisting>
|
||||
- allow MySQL to write to custom folder <literal>/var/data</literal> when using <literal>SELECT * INTO OUTFILE</literal>, assuming the mysql user has write
|
||||
access to <literal>/var/data</literal>
|
||||
<programlisting>
|
||||
systemd.services.mysql.serviceConfig.ReadWritePaths = [ "/var/data" ];
|
||||
</programlisting>
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
|
|
|
@ -367,11 +367,7 @@ in
|
|||
'';
|
||||
|
||||
serviceConfig = {
|
||||
User = cfg.user;
|
||||
Group = "mysql";
|
||||
Type = if hasNotify then "notify" else "simple";
|
||||
RuntimeDirectory = "mysqld";
|
||||
RuntimeDirectoryMode = "0755";
|
||||
Restart = "on-abort";
|
||||
RestartSec = "5s";
|
||||
# The last two environment variables are used for starting Galera clusters
|
||||
|
@ -452,7 +448,7 @@ in
|
|||
cat ${toString cfg.initialScript} | ${mysql}/bin/mysql -u root -N
|
||||
''}
|
||||
|
||||
rm /tmp/mysql_init
|
||||
rm ${cfg.dataDir}/mysql_init
|
||||
fi
|
||||
|
||||
${optionalString (cfg.ensureDatabases != []) ''
|
||||
|
@ -476,6 +472,35 @@ in
|
|||
# ensureDatbases & ensureUsers depends on this script being run as root
|
||||
# when the user has secured their mysql install
|
||||
"+${setupScript}";
|
||||
# User and group
|
||||
User = cfg.user;
|
||||
Group = "mysql";
|
||||
# Runtime directory and mode
|
||||
RuntimeDirectory = "mysqld";
|
||||
RuntimeDirectoryMode = "0755";
|
||||
# Access write directories
|
||||
ReadWritePaths = [ cfg.dataDir ];
|
||||
# Capabilities
|
||||
CapabilityBoundingSet = "";
|
||||
# Security
|
||||
NoNewPrivileges = true;
|
||||
# Sandboxing
|
||||
ProtectSystem = "strict";
|
||||
ProtectHome = true;
|
||||
PrivateTmp = true;
|
||||
PrivateDevices = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectControlGroups = true;
|
||||
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
|
||||
LockPersonality = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
PrivateMounts = true;
|
||||
# System Call Filtering
|
||||
SystemCallArchitectures = "native";
|
||||
};
|
||||
};
|
||||
|
||||
|
|
Loading…
Reference in a new issue