diff --git c/distrobuilder/lxc.generator w/distrobuilder/lxc.generator index 5f854d3..927f2df 100644 --- c/distrobuilder/lxc.generator +++ w/distrobuilder/lxc.generator @@ -16,16 +16,6 @@ is_lxc_privileged_container() { grep -qw 4294967295$ /proc/self/uid_map } -# is_in_path succeeds if the given file exists in on of the paths -is_in_path() { - # Don't use $PATH as that may not include all relevant paths - for path in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin; do - [ -e "${path}/${1}" ] && return 0 - done - - return 1 -} - ## Fix functions # fix_ro_paths avoids udevd issues with /sys and /proc being writable fix_ro_paths() { @@ -47,41 +37,6 @@ fix_ro_run() { EOF } -# fix_nm_link_state forces the network interface to a DOWN state ahead of NetworkManager starting up -fix_nm_link_state() { - [ -e "/sys/class/net/${1}" ] || return 0 - - ip= - if [ -f "/sbin/ip" ]; then - ip="/sbin/ip" - elif [ -f "/bin/ip" ]; then - ip="/bin/ip" - else - return 0 - fi - - cat <<-EOF > /run/systemd/system/network-device-down.service - # This file was created by distrobuilder - [Unit] - Description=Turn off network device - Before=NetworkManager.service - Before=systemd-networkd.service - - [Service] - # do not turn off if there is a default route to 169.254.0.1, i.e. the device is a routed nic - ExecCondition=/bin/sh -c '! /usr/bin/grep -qs 00000000.0100FEA9 /proc/net/route' - ExecStart=-${ip} link set ${1} down - Type=oneshot - RemainAfterExit=true - - [Install] - WantedBy=default.target - EOF - - mkdir -p /run/systemd/system/default.target.wants - ln -sf /run/systemd/system/network-device-down.service /run/systemd/system/default.target.wants/network-device-down.service -} - # fix_systemd_override_unit generates a unit specific override fix_systemd_override_unit() { dropin_dir="/run/systemd/${1}.d" @@ -122,16 +77,7 @@ fix_systemd_mask() { # fix_systemd_udev_trigger overrides the systemd-udev-trigger.service to match the latest version # of the file which uses "ExecStart=-" instead of "ExecStart=". fix_systemd_udev_trigger() { - udev= - if [ -f /usr/bin/udevadm ]; then - udev=/usr/bin/udevadm - elif [ -f /sbin/udevadm ]; then - udev=/sbin/udevadm - elif [ -f /bin/udevadm ]; then - udev=/bin/udevadm - else - return 0 - fi + udev=/run/current-system/sw/bin/udevadm mkdir -p /run/systemd/system/systemd-udev-trigger.service.d cat <<-EOF > /run/systemd/system/systemd-udev-trigger.service.d/zzz-lxc-override.conf @@ -143,52 +89,40 @@ fix_systemd_udev_trigger() { EOF } -# fix_systemd_sysctl overrides the systemd-sysctl.service to use "ExecStart=-" instead of "ExecStart=". -fix_systemd_sysctl() { - sysctl=/usr/lib/systemd/systemd-sysctl - [ ! -e "${sysctl}" ] && sysctl=/lib/systemd/systemd-sysctl - - mkdir -p /run/systemd/system/systemd-sysctl.service.d - cat <<-EOF > /run/systemd/system/systemd-sysctl.service.d/zzz-lxc-override.conf - # This file was created by distrobuilder - [Service] - ExecStart= - ExecStart=-${sysctl} - EOF -} - ## Main logic # Exit immediately if not an Incus/LXC container is_lxc_container || exit 0 # Determine systemd version -SYSTEMD="" -for path in /usr/lib/systemd/systemd /lib/systemd/systemd; do - [ -x "${path}" ] || continue +SYSTEMD="$(/run/current-system/sw/lib/systemd/systemd --version | head -n1 | cut -d' ' -f2 | cut -d'~' -f1)" - SYSTEMD="$("${path}" --version | head -n1 | cut -d' ' -f2 | cut -d'~' -f1)" - break -done -# Apply systemd overrides -if [ "${SYSTEMD}" -ge 244 ]; then - fix_systemd_override_unit system/service -else - # Setup per-unit overrides - find /lib/systemd /etc/systemd /run/systemd /usr/lib/systemd -name "*.service" -type f | sed 's#/\(lib\|etc\|run\|usr/lib\)/systemd/##g'| while read -r service_file; do - fix_systemd_override_unit "${service_file}" - done -fi -# Workarounds for unprivileged containers. -if ! is_lxc_privileged_container; then - fix_ro_paths systemd-networkd.service - fix_ro_paths systemd-resolved.service + +# Overriding some systemd features is only needed if security.nesting=false +# in which case, /dev/.lxc will be missing +# Adding this conditional back for NixOS as we do not have the reported +# problems, and the overrides could reduce potential service hardening +if [ ! -d /dev/.lxc ]; then + # Apply systemd overrides + if [ "${SYSTEMD}" -ge 244 ]; then + fix_systemd_override_unit system/service + else + # Setup per-unit overrides + find /lib/systemd /etc/systemd /run/systemd /usr/lib/systemd -name "*.service" -type f | sed 's#/\(lib\|etc\|run\|usr/lib\)/systemd/##g'| while read -r service_file; do + fix_systemd_override_unit "${service_file}" + done + fi + + # Workarounds for unprivileged containers. + if ! is_lxc_privileged_container; then + fix_ro_paths systemd-networkd.service + fix_ro_paths systemd-resolved.service + fi fi # Ignore failures on some units. fix_systemd_udev_trigger -fix_systemd_sysctl # Fix issues with /run not being writable. fix_ro_run systemd-nsresourced.service @@ -221,11 +155,6 @@ if [ -d /etc/udev ]; then EOF fi -# Workarounds for NetworkManager in containers -if is_in_path NetworkManager; then - fix_nm_link_state eth0 -fi - # Allow masking units created by the lxc system-generator. for d in /etc/systemd/system /usr/lib/systemd/system /lib/systemd/system; do if ! [ -d "${d}" ]; then