swendel/nixpkgs
1
0
Fork 0
mirror of https://github.com/SebastianWendel/nixpkgs.git synced 2024-09-20 20:39:04 +02:00
Code Issues Packages Projects Releases Wiki Activity

nixos/grafana: fix systemd unit

Browse source 
Remove MemoryDenyWriteExecute hardening as it breaks image rendering
plugin. Add CAP_NET_BIND_SERVICE to bind to low ports when needed.
Remove PrivateUsers and ProcSubset as upstream choose to remove it.

Upstream changes: <https://github.com/grafana/grafana/pull/40219>,
<https://github.com/grafana/grafana/pull/40178>,
<https://github.com/grafana/grafana/pull/40339> and
<https://github.com/grafana/grafana/pull/40815>.
This commit is contained in:
Alexandre Iooss 2021-10-10 17:14:42 +02:00
parent 27d39f7f0d
commit 8d559672be
No known key found for this signature in database
GPG key ID: 6C79278F3FCDCC02
1 changed files with 4 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
nixos/modules/services/monitoring/grafana.nix
View file

@ -677,15 +677,13 @@ in {
RuntimeDirectory = "grafana"; RuntimeDirectory = "grafana";
RuntimeDirectoryMode = "0755"; RuntimeDirectoryMode = "0755";
# Hardening # Hardening
CapabilityBoundingSet = [ "" ]; AmbientCapabilities = lib.mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ];
CapabilityBoundingSet = if (cfg.port < 1024) then [ "CAP_NET_BIND_SERVICE" ] else [ "" ];
DeviceAllow = [ "" ]; DeviceAllow = [ "" ];
LockPersonality = true; LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true; NoNewPrivileges = true;
PrivateDevices = true; PrivateDevices = true;
PrivateTmp = true; PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true; ProtectClock = true;
ProtectControlGroups = true; ProtectControlGroups = true;
ProtectHome = true; ProtectHome = true;
@ -701,6 +699,8 @@ in {
RestrictRealtime = true; RestrictRealtime = true;
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
# Upstream grafana is not setting SystemCallFilter for compatibility
# reasons, see https://github.com/grafana/grafana/pull/40176
SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
UMask = "0027"; UMask = "0027";
}; };