Commit 5c898bec authored by Ivan Trubach's avatar Ivan Trubach
Browse files

nixos/redis: loosen systemd address family restrictions 

Do not assume that port and unixSocket are the only options that affect
address families used by Redis. There are other options, e.g. tls-port,
and also clustered setup that are not covered by the declarative
configuration. Instead of trying to selectively restrict unused address
families based on the configuration, limit address families to IP and
Unix sockets and let users lib.mkForce a stricter sandboxing is needed.

See also
https://docs.redis.com/latest/rs/networking/port-configurations/
parent d4d822f5

nixos/modules/services/databases/redis.nix

+1 −3
Original line number Diff line number Diff line
@@ -393,9 +393,7 @@ in { 
        ProtectKernelModules = true;

        ProtectKernelTunables = true;

        ProtectControlGroups = true;

        RestrictAddressFamilies =

          optionals (conf.port != 0) ["AF_INET" "AF_INET6"] ++

          optional (conf.unixSocket != null) "AF_UNIX";

        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];

        RestrictNamespaces = true;

        LockPersonality = true;

        MemoryDenyWriteExecute = true;