Loading nixos/doc/manual/release-notes/rl-2411.section.md +2 −0 Original line number Diff line number Diff line Loading @@ -199,6 +199,8 @@ - The `MSMTP_QUEUE` and `MSMTP_LOG` environment variables accepted by `msmtpq` have now been renamed to `MSMTPQ_Q` and `MSMTPQ_LOG` respectively. - The logrotate service has received hardening and now requires enabling `allowNetworking`, if logrotate needs to access the network. - The fcgiwrap module now allows multiple instances running as distinct users. The option `services.fgciwrap` now takes an attribute set of the configuration of each individual instance. Loading nixos/modules/services/logging/logrotate.nix +48 −3 Original line number Diff line number Diff line Loading @@ -97,6 +97,8 @@ in defaultText = lib.literalExpression "cfg.settings != {}"; }; allowNetworking = lib.mkEnableOption "network access for logrotate"; settings = lib.mkOption { default = { }; description = '' Loading Loading 
@@ -240,12 +242,55 @@ in config = lib.mkIf cfg.enable { systemd.services.logrotate = { description = "Logrotate Service"; documentation = [ "man:logrotate(8)" "man:logrotate(5)" ]; startAt = "hourly"; serviceConfig = { Restart = "no"; User = "root"; ExecStart = "${pkgs.logrotate}/sbin/logrotate ${utils.escapeSystemdExecArgs cfg.extraArgs} ${mailOption} ${cfg.configFile}"; Type = "oneshot"; ExecStart = "${lib.getExe pkgs.logrotate} ${utils.escapeSystemdExecArgs cfg.extraArgs} ${mailOption} ${cfg.configFile}"; # performance Nice = 19; IOSchedulingClass = "best-effort"; IOSchedulingPriority = 7; # hardening CapabilityBoundingSet = [ "CAP_CHOWN" "CAP_SETGID" ]; DevicePolicy = "closed"; LockPersonality = true; MemoryDenyWriteExecute = true; NoNewPrivileges = true; PrivateDevices = true; PrivateTmp = true; ProcSubset = "pid"; ProtectClock = true; ProtectControlGroups = true; ProtectHome = true; ProtectHostname = true; ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; ProtectProc = "invisible"; ProtectSystem = "full"; RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; SystemCallArchitectures = "native"; SystemCallFilter = [ "@system-service" "~@privileged @resources" "@chown" ]; UMask = "0027"; } // lib.optionalAttrs (!cfg.allowNetworking) { PrivateNetwork = true; RestrictAddressFamilies = "none"; }; }; systemd.services.logrotate-checkconf = { Loading nixos/tests/logrotate.nix +2 −0 Original line number Diff line number Diff line Loading @@ -127,5 +127,7 @@ import ./make-test-python.nix ({ pkgs, ... }: rec { if info["ActiveState"] != "failed": raise Exception('logrotate-checkconf.service was not failed') machine.log(machine.execute("systemd-analyze security logrotate.service | grep -v ✓")[1]) ''; }) Loading
nixos/doc/manual/release-notes/rl-2411.section.md +2 −0 Original line number Diff line number Diff line Loading @@ -199,6 +199,8 @@ - The `MSMTP_QUEUE` and `MSMTP_LOG` environment variables accepted by `msmtpq` have now been renamed to `MSMTPQ_Q` and `MSMTPQ_LOG` respectively. - The logrotate service has received hardening and now requires enabling `allowNetworking`, if logrotate needs to access the network. - The fcgiwrap module now allows multiple instances running as distinct users. The option `services.fgciwrap` now takes an attribute set of the configuration of each individual instance. Loading
nixos/modules/services/logging/logrotate.nix +48 −3 Original line number Diff line number Diff line Loading @@ -97,6 +97,8 @@ in defaultText = lib.literalExpression "cfg.settings != {}"; }; allowNetworking = lib.mkEnableOption "network access for logrotate"; settings = lib.mkOption { default = { }; description = '' Loading Loading @@ -240,12 +242,55 @@ in config = lib.mkIf cfg.enable { systemd.services.logrotate = { description = "Logrotate Service"; documentation = [ "man:logrotate(8)" "man:logrotate(5)" ]; startAt = "hourly"; serviceConfig = { Restart = "no"; User = "root"; ExecStart = "${pkgs.logrotate}/sbin/logrotate ${utils.escapeSystemdExecArgs cfg.extraArgs} ${mailOption} ${cfg.configFile}"; Type = "oneshot"; ExecStart = "${lib.getExe pkgs.logrotate} ${utils.escapeSystemdExecArgs cfg.extraArgs} ${mailOption} ${cfg.configFile}"; # performance Nice = 19; IOSchedulingClass = "best-effort"; IOSchedulingPriority = 7; # hardening CapabilityBoundingSet = [ "CAP_CHOWN" "CAP_SETGID" ]; DevicePolicy = "closed"; LockPersonality = true; MemoryDenyWriteExecute = true; NoNewPrivileges = true; PrivateDevices = true; PrivateTmp = true; ProcSubset = "pid"; ProtectClock = true; ProtectControlGroups = true; ProtectHome = true; ProtectHostname = true; ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; ProtectProc = "invisible"; ProtectSystem = "full"; RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; SystemCallArchitectures = "native"; SystemCallFilter = [ "@system-service" "~@privileged @resources" "@chown" ]; UMask = "0027"; } // lib.optionalAttrs (!cfg.allowNetworking) { PrivateNetwork = true; RestrictAddressFamilies = "none"; }; }; systemd.services.logrotate-checkconf = { Loading
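Review bot: In the `lib.optionalAttrs (!cfg.allowNetworking)` set, `RestrictAddressFamilies = "none"` blocks AF_UNIX as well as the IP families, so a `postrotate` script that talks to a local daemon over a unix socket (for example to ask it to reopen its log) fails even though no network is involved; `RestrictAddressFamilies = "AF_UNIX";` next to `PrivateNetwork = true` keeps the network isolation and leaves local IPC. The same sandbox applies to every script logrotate runs, and `CapabilityBoundingSet = [ "CAP_CHOWN" "CAP_SETGID" ]` leaves root without CAP_DAC_OVERRIDE, CAP_FOWNER, CAP_SETUID and CAP_KILL, so rotating logs owned by other users, `su` directives and scripts that signal a process are likely affected; whether existing configurations rely on these is not visible in this hunk. I would add a comment above `# hardening` saying that the restrictions cover rotate scripts too, and extend the release note beyond `allowNetworking` accordingly. The enclosing `config` block continues outside the hunk.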
nixos/tests/logrotate.nix +2 −0 Original line number Diff line number Diff line Loading @@ -127,5 +127,7 @@ import ./make-test-python.nix ({ pkgs, ... }: rec { if info["ActiveState"] != "failed": raise Exception('logrotate-checkconf.service was not failed') machine.log(machine.execute("systemd-analyze security logrotate.service | grep -v ✓")[1]) ''; })
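Review bot: The added `machine.log(machine.execute("systemd-analyze security logrotate.service | grep -v ✓")[1])` only prints the settings that are not marked ✓ and asserts nothing, so the test passes the same whether the hardening is in effect or whether it breaks rotation. From this hunk it is not visible whether the script runs `logrotate.service` itself under the new sandbox; if it does not, a `machine.succeed("systemctl start logrotate.service")` against a log owned by a non-root user would cover the regression risk. A short comment such as `# informational only: list the systemd-analyze findings still open` would make the intent of the line clear. The test script starts outside the hunk.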