Loading nixos/modules/config/fonts/fontconfig.nix +4 −0 Original line number Diff line number Diff line Loading @@ -219,6 +219,10 @@ let replaceDefaultConfig "11-lcdfilter-default.conf" "11-lcdfilter-${cfg.subpixel.lcdfilter}.conf" )} ${lib.optionalString cfg.allowBitmaps '' rm -f $dst/70-no-bitmaps-except-emoji.conf ''} # 00-nixos-cache.conf ln -s ${cacheConf} $dst/00-nixos-cache.conf Loading nixos/modules/profiles/bashless.nix +0 −4 Original line number Diff line number Diff line Loading @@ -32,12 +32,8 @@ boot.kexec.enable = lib.mkDefault false; # Relies on bash scripts powerManagement.enable = lib.mkDefault false; # Has some bash inside systemd.shutdownRamfs.enable = lib.mkDefault false; # Relies on the gzip command which depends on bash services.logrotate.enable = lib.mkDefault false; # Service relies on bash scripts services.timesyncd.enable = lib.mkDefault false; # Check that the system does not contain a Nix store path that contains the # string "bash". Loading nixos/modules/system/boot/systemd/shutdown.nix +33 −2 Original line number Diff line number Diff line Loading @@ -17,6 +17,7 @@ in enable = lib.mkEnableOption "pivoting back to an initramfs for shutdown" // { default = true; }; contents = lib.mkOption { description = "Set of files that have to be linked into the shutdown ramfs"; example = lib.literalExpression '' Loading @@ -34,6 +35,22 @@ in type = utils.systemdUtils.types.initrdStorePath; default = [ ]; }; shell.enable = lib.mkEnableOption "" // { default = config.environment.shell.enable; internal = true; description = '' Whether to enable a shell in the shutdown ramfs. In contrast to `environment.shell.enable`, this option actually strictly disables all shells in the shutdown ramfs because they're not copied into it anymore. Paths that use a shell (e.g. via the `script` option), will break if this option is set. Only set this option if you're sure that you can recover from potential issues. ''; }; }; config = lib.mkIf cfg.enable { Loading 
@@ -43,9 +60,11 @@ in "/etc/os-release".source = config.environment.etc.os-release.source; }; systemd.shutdownRamfs.storePaths = [ pkgs.runtimeShell "${pkgs.coreutils}/bin" ] ++ lib.optionals cfg.shell.enable [ pkgs.runtimeShell ] ++ map (c: builtins.removeAttrs c [ "text" ]) (builtins.attrValues cfg.contents); systemd.mounts = [ Loading @@ -71,9 +90,21 @@ in serviceConfig = { Type = "oneshot"; ExecStart = "${pkgs.makeInitrdNGTool}/bin/make-initrd-ng ${ramfsContents} /run/initramfs"; # Sandboxing ProtectSystem = "strict"; ReadWritePaths = "/run/initramfs"; ExecStart = "${pkgs.makeInitrdNGTool}/bin/make-initrd-ng ${ramfsContents} /run/initramfs"; ProtectHome = true; ProtectHostname = true; ProtectClock = true; ProtectKernelTunables = true; ProtectKernelModules = true; ProtectKernelLogs = true; ProtectControlGroups = true; PrivateNetwork = true; LockPersonality = true; MemoryDenyWriteExecute = true; }; }; }; Loading nixos/tests/activation/bashless.nix +8 −0 Original line number Diff line number Diff line Loading @@ -19,6 +19,7 @@ # work. environment.binsh = lib.mkForce null; boot.initrd.systemd.shell.enable = false; systemd.shutdownRamfs.shell.enable = false; # This ensures that we only have the store paths of our closure in the # in the guest. This is necessary so we can grep in the store. Loading @@ -31,6 +32,7 @@ environment.systemPackages = [ pkgs.coreutils pkgs.gnugrep pkgs.findutils ]; # Unset the regex because the tests instrumentation needs bash. Loading 
@@ -43,6 +45,12 @@ with subtest("/bin/sh doesn't exist"): machine.fail("stat /bin/sh") with subtest("shutdown ramfs is bashless"): machine.systemctl("start generate-shutdown-ramfs.service") shutdown_ramfs_bash_paths = machine.succeed("find /run/initramfs -type d,f -name '*bash*'") print(shutdown_ramfs_bash_paths) t.assertNotIn("bash", shutdown_ramfs_bash_paths) bash_store_paths = machine.succeed("ls /nix/store | grep bash || true") print(bash_store_paths) ''; Loading nixos/tests/all-tests.nix +1 −0 Original line number Diff line number Diff line Loading @@ -575,6 +575,7 @@ in fluent-bit = runTest ./fluent-bit.nix; fluentd = runTest ./fluentd.nix; fluidd = runTest ./fluidd.nix; fontconfig-bitmap-fonts = runTest ./fontconfig-bitmap-fonts.nix; fontconfig-default-fonts = runTest ./fontconfig-default-fonts.nix; forgejo = import ./forgejo.nix { inherit runTest; Loading Loading
nixos/modules/config/fonts/fontconfig.nix +4 −0 Original line number Diff line number Diff line Loading @@ -219,6 +219,10 @@ let replaceDefaultConfig "11-lcdfilter-default.conf" "11-lcdfilter-${cfg.subpixel.lcdfilter}.conf" )} ${lib.optionalString cfg.allowBitmaps '' rm -f $dst/70-no-bitmaps-except-emoji.conf ''} # 00-nixos-cache.conf ln -s ${cacheConf} $dst/00-nixos-cache.conf Loading
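Review bot: The new `rm -f $dst/70-no-bitmaps-except-emoji.conf` silently does nothing if fontconfig ever renames or drops that file, so `allowBitmaps = true` would stop taking effect with no build-time signal. Dropping the `-f` (`rm $dst/70-no-bitmaps-except-emoji.conf`) makes the builder fail loudly in that case, which is the better failure mode for a knob that is meant to change rendering behaviour. The definition and description of `cfg.allowBitmaps` are not in this hunk, so I could not confirm it states that only this one default conf is removed; the enclosing shell snippet starts and ends outside the hunk.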
nixos/modules/profiles/bashless.nix +0 −4 Original line number Diff line number Diff line Loading @@ -32,12 +32,8 @@ boot.kexec.enable = lib.mkDefault false; # Relies on bash scripts powerManagement.enable = lib.mkDefault false; # Has some bash inside systemd.shutdownRamfs.enable = lib.mkDefault false; # Relies on the gzip command which depends on bash services.logrotate.enable = lib.mkDefault false; # Service relies on bash scripts services.timesyncd.enable = lib.mkDefault false; # Check that the system does not contain a Nix store path that contains the # string "bash". Loading
nixos/modules/system/boot/systemd/shutdown.nix +33 −2 Original line number Diff line number Diff line Loading @@ -17,6 +17,7 @@ in enable = lib.mkEnableOption "pivoting back to an initramfs for shutdown" // { default = true; }; contents = lib.mkOption { description = "Set of files that have to be linked into the shutdown ramfs"; example = lib.literalExpression '' Loading @@ -34,6 +35,22 @@ in type = utils.systemdUtils.types.initrdStorePath; default = [ ]; }; shell.enable = lib.mkEnableOption "" // { default = config.environment.shell.enable; internal = true; description = '' Whether to enable a shell in the shutdown ramfs. In contrast to `environment.shell.enable`, this option actually strictly disables all shells in the shutdown ramfs because they're not copied into it anymore. Paths that use a shell (e.g. via the `script` option), will break if this option is set. Only set this option if you're sure that you can recover from potential issues. ''; }; }; config = lib.mkIf cfg.enable { Loading @@ -43,9 +60,11 @@ in "/etc/os-release".source = config.environment.etc.os-release.source; }; systemd.shutdownRamfs.storePaths = [ pkgs.runtimeShell "${pkgs.coreutils}/bin" ] ++ lib.optionals cfg.shell.enable [ pkgs.runtimeShell ] ++ map (c: builtins.removeAttrs c [ "text" ]) (builtins.attrValues cfg.contents); systemd.mounts = [ Loading @@ -71,9 +90,21 @@ in serviceConfig = { Type = "oneshot"; ExecStart = "${pkgs.makeInitrdNGTool}/bin/make-initrd-ng ${ramfsContents} /run/initramfs"; # Sandboxing ProtectSystem = "strict"; ReadWritePaths = "/run/initramfs"; ExecStart = "${pkgs.makeInitrdNGTool}/bin/make-initrd-ng ${ramfsContents} /run/initramfs"; ProtectHome = true; ProtectHostname = true; ProtectClock = true; ProtectKernelTunables = true; ProtectKernelModules = true; ProtectKernelLogs = true; ProtectControlGroups = true; PrivateNetwork = true; LockPersonality = true; MemoryDenyWriteExecute = true; }; }; }; Loading
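Review bot: The `shell.enable` description inverts the option's polarity: the shell is dropped from the ramfs when the option is false (`lib.optionals cfg.shell.enable [ pkgs.runtimeShell ]`), yet the text says units "will break if this option is set" and "Only set this option if…". Rewording those two sentences to `Units that use a shell (e.g. via the \`script\` option) will break if this option is disabled.` and `Only disable this option if you are sure that you can recover from potential issues.` matches the code, and also removes the comma that currently splits subject and verb. On the sandboxing hunk, the unit still runs as root with its full capability set; if make-initrd-ng only needs to read the store and write under /run/initramfs, `CapabilityBoundingSet = ""`, `NoNewPrivileges = true`, `RestrictSUIDSGID = true`, `RestrictRealtime = true`, `RestrictNamespaces = true` and `SystemCallArchitectures = "native"` would complement the added directives — worth verifying against what the tool does when copying store paths (it may need ownership-related capabilities). Both the option set and `serviceConfig` continue outside the hunks.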
nixos/tests/activation/bashless.nix +8 −0 Original line number Diff line number Diff line Loading @@ -19,6 +19,7 @@ # work. environment.binsh = lib.mkForce null; boot.initrd.systemd.shell.enable = false; systemd.shutdownRamfs.shell.enable = false; # This ensures that we only have the store paths of our closure in the # in the guest. This is necessary so we can grep in the store. Loading @@ -31,6 +32,7 @@ environment.systemPackages = [ pkgs.coreutils pkgs.gnugrep pkgs.findutils ]; # Unset the regex because the tests instrumentation needs bash. Loading @@ -43,6 +45,12 @@ with subtest("/bin/sh doesn't exist"): machine.fail("stat /bin/sh") with subtest("shutdown ramfs is bashless"): machine.systemctl("start generate-shutdown-ramfs.service") shutdown_ramfs_bash_paths = machine.succeed("find /run/initramfs -type d,f -name '*bash*'") print(shutdown_ramfs_bash_paths) t.assertNotIn("bash", shutdown_ramfs_bash_paths) bash_store_paths = machine.succeed("ls /nix/store | grep bash || true") print(bash_store_paths) ''; Loading
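Review bot: The `find /run/initramfs -type d,f -name '*bash*'` check skips symlinks, so a link named `*bash*` inside the ramfs (which make-initrd-ng may create when materialising store paths) would pass the subtest unnoticed; use `-type d,f,l` or drop the `-type` filter entirely. The name-based match is only a proxy for "bashless" — a shell copied under another name or a bash path embedded in a script or binary is not caught — so, since gnugrep is already in the closure, a content check such as `machine.fail("grep -rl bash /run/initramfs")` would be a stronger complement, provided the rest of the closure is genuinely bash-free as the existing store grep intends. `t.assertNotIn("bash", …)` on output already filtered by `-name '*bash*'` is effectively an emptiness assertion and could be written as `assert not shutdown_ramfs_bash_paths.strip()` for clarity. The Python test script continues outside the hunk.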
nixos/tests/all-tests.nix +1 −0 Original line number Diff line number Diff line Loading @@ -575,6 +575,7 @@ in fluent-bit = runTest ./fluent-bit.nix; fluentd = runTest ./fluentd.nix; fluidd = runTest ./fluidd.nix; fontconfig-bitmap-fonts = runTest ./fontconfig-bitmap-fonts.nix; fontconfig-default-fonts = runTest ./fontconfig-default-fonts.nix; forgejo = import ./forgejo.nix { inherit runTest; Loading