Merge: nixos/postgresql: extension based hardening relaxation (#355010)

nixos/modules/services/databases/postgresql.nix

@@ -2,6 +2,7 @@
 
 let
   inherit (lib)
+    any
     attrValues
     concatMapStrings
     concatStringsSep
@@ -9,6 +10,7 @@ let
     elem
     escapeShellArgs
     filterAttrs
+    getName
     isString
     literalExpression
     mapAttrs
@@ -31,19 +33,19 @@ let
 
   cfg = config.services.postgresql;
 
-  postgresql =
-    let
   # ensure that
   #   services.postgresql = {
   #     enableJIT = true;
   #     package = pkgs.postgresql_<major>;
   #   };
   # works.
-      base = if cfg.enableJIT then cfg.package.withJIT else cfg.package.withoutJIT;
+  basePackage = if cfg.enableJIT
-    in
+    then cfg.package.withJIT
-    if cfg.extraPlugins == []
+    else cfg.package.withoutJIT;
-      then base
+
-      else base.withPackages cfg.extraPlugins;
+  postgresql = if cfg.extensions == []
+    then basePackage
+    else basePackage.withPackages cfg.extensions;
 
   toStr = value:
     if true == value then "yes"
@@ -61,6 +63,8 @@ let
 
   groupAccessAvailable = versionAtLeast postgresql.version "11.0";
 
+  extensionNames = map getName postgresql.installedExtensions;
+  extensionInstalled = extension: elem extension extensionNames;
 in
 
 {
@@ -69,6 +73,7 @@ in
 
     (mkRenamedOptionModule [ "services" "postgresql" "logLinePrefix" ] [ "services" "postgresql" "settings" "log_line_prefix" ])
     (mkRenamedOptionModule [ "services" "postgresql" "port" ] [ "services" "postgresql" "settings" "port" ])
+    (mkRenamedOptionModule [ "services" "postgresql" "extraPlugins" ] [ "services" "postgresql" "extensions" ])
   ];
 
   ###### interface
@@ -372,12 +377,12 @@ in
         '';
       };
 
-      extraPlugins = mkOption {
+      extensions = mkOption {
         type = with types; coercedTo (listOf path) (path: _ignorePg: path) (functionTo (listOf path));
         default = _: [];
         example = literalExpression "ps: with ps; [ postgis pg_repack ]";
         description = ''
-          List of PostgreSQL plugins.
+          List of PostgreSQL extensions to install.
         '';
       };
 
@@ -639,7 +644,7 @@ in
             PrivateTmp = true;
             ProtectHome = true;
             ProtectSystem = "strict";
-            MemoryDenyWriteExecute = lib.mkDefault (cfg.settings.jit == "off");
+            MemoryDenyWriteExecute = lib.mkDefault (cfg.settings.jit == "off" && (!any extensionInstalled [ "plv8" ]));
             NoNewPrivileges = true;
             LockPersonality = true;
             PrivateDevices = true;
@@ -663,10 +668,12 @@ in
             RestrictRealtime = true;
             RestrictSUIDSGID = true;
             SystemCallArchitectures = "native";
-            SystemCallFilter = [
+            SystemCallFilter =
+              [
                 "@system-service"
                 "~@privileged @resources"
-            ];
+              ]
+              ++ lib.optionals (any extensionInstalled [ "plv8" ]) [ "@pkey" ];
             UMask = if groupAccessAvailable then "0027" else "0077";
           }
           (mkIf (cfg.dataDir != "/var/lib/postgresql") {

nixos/modules/services/web-apps/immich.nix

@@ -227,7 +227,7 @@ in
           ensureClauses.login = true;
         }
       ];
-      extraPlugins = ps: with ps; [ pgvecto-rs ];
+      extensions = ps: with ps; [ pgvecto-rs ];
       settings = {
         shared_preload_libraries = [ "vectors.so" ];
         search_path = "\"$user\", public, vectors";

nixos/modules/services/web-apps/mobilizon.nix

@@ -383,7 +383,7 @@ in
           ensureDBOwnership = false;
         }
       ];
-      extraPlugins = ps: with ps; [ postgis ];
+      extensions = ps: with ps; [ postgis ];
     };
 
     # Nginx config taken from support/nginx/mobilizon-release.conf

nixos/tests/postgresql/anonymizer.nix

@@ -20,7 +20,7 @@ let
             inherit package;
             enable = true;
             enableJIT = lib.hasInfix "-jit-" package.name;
-            extraPlugins = ps: [ ps.anonymizer ];
+            extensions = ps: [ ps.anonymizer ];
             settings.shared_preload_libraries = [ "anon" ];
           };
         };

nixos/tests/postgresql/pgjwt.nix

@@ -24,7 +24,7 @@ let
             inherit package;
             enable = true;
             enableJIT = lib.hasInfix "-jit-" package.name;
-            extraPlugins =
+            extensions =
               ps: with ps; [
                 pgjwt
                 pgtap

nixos/tests/postgresql/pgvecto-rs.nix

@@ -38,7 +38,7 @@ let
             inherit package;
             enable = true;
             enableJIT = lib.hasInfix "-jit-" package.name;
-            extraPlugins =
+            extensions =
               ps: with ps; [
                 pgvecto-rs
               ];

nixos/tests/postgresql/postgresql.nix

@@ -14,7 +14,10 @@ let
       postgresql-clauses = makeEnsureTestFor package;
     };
 
-  test-sql = pkgs.writeText "postgresql-test" ''
+  test-sql =
+    enablePLv8Test:
+    pkgs.writeText "postgresql-test" (
+      ''
         CREATE EXTENSION pgcrypto; -- just to check if lib loading works
         CREATE TABLE sth (
           id int
@@ -26,10 +29,26 @@ let
         INSERT INTO sth (id) VALUES (1);
         CREATE TABLE xmltest ( doc xml );
         INSERT INTO xmltest (doc) VALUES ('<test>ok</test>'); -- check if libxml2 enabled
-  '';
+      ''
+      + lib.optionalString enablePLv8Test ''
+        -- check if hardening gets relaxed
+        CREATE EXTENSION plv8;
+        -- try to trigger the V8 JIT, which requires MemoryDenyWriteExecute
+        DO $$
+          let xs = [];
+          for (let i = 0, n = 400000; i < n; i++) {
+              xs.push(Math.round(Math.random() * n))
+          }
+          console.log(xs.reduce((acc, x) => acc + x, 0));
+        $$ LANGUAGE plv8;
+      ''
+    );
 
   makeTestForWithBackupAll =
     package: backupAll:
+    let
+      enablePLv8Check = !package.pkgs.plv8.meta.broken;
+    in
     makeTest {
       name = "postgresql${lib.optionalString backupAll "-backup-all"}-${package.name}";
       meta = with lib.maintainers; {
@@ -37,12 +56,17 @@ let
       };
 
       nodes.machine =
-        { ... }:
+        { config, ... }:
         {
           services.postgresql = {
             inherit package;
             enable = true;
             enableJIT = lib.hasInfix "-jit-" package.name;
+            # plv8 doesn't support postgresql with JIT, so we only run the test
+            # for the non-jit variant.
+            # TODO(@Ma27) split this off into its own VM test and move a few other
+            # extension tests to use postgresqlTestExtension.
+            extensions = lib.mkIf enablePLv8Check (ps: with ps; [ plv8 ]);
           };
 
           services.postgresqlBackup = {
@@ -69,7 +93,7 @@ let
 
           with subtest("Postgresql is available just after unit start"):
               machine.succeed(
-                  "cat ${test-sql} | sudo -u postgres psql"
+                  "cat ${test-sql enablePLv8Check} | sudo -u postgres psql"
               )
 
           with subtest("Postgresql survives restart (bug #1735)"):

nixos/tests/postgresql/timescaledb.nix

@@ -54,7 +54,7 @@ let
             inherit package;
             enable = true;
             enableJIT = lib.hasInfix "-jit-" package.name;
-            extraPlugins =
+            extensions =
               ps: with ps; [
                 timescaledb
                 timescaledb_toolkit

nixos/tests/postgresql/tsja.nix

@@ -21,7 +21,7 @@ let
             inherit package;
             enable = true;
             enableJIT = lib.hasInfix "-jit-" package.name;
-            extraPlugins =
+            extensions =
               ps: with ps; [
                 tsja
               ];

nixos/tests/postgresql/wal2json.nix

@@ -17,7 +17,7 @@ let
           inherit package;
           enable = true;
           enableJIT = lib.hasInfix "-jit-" package.name;
-          extraPlugins = with package.pkgs; [ wal2json ];
+          extensions = with package.pkgs; [ wal2json ];
           settings = {
             wal_level = "logical";
             max_replication_slots = "10";

pkgs/servers/sql/postgresql/generic.nix

@@ -315,26 +315,34 @@ let
     };
   });
 
-  postgresqlWithPackages = { postgresql, buildEnv }: f: buildEnv {
+  postgresqlWithPackages = { postgresql, buildEnv }: f: let
+    installedExtensions = f postgresql.pkgs;
+  in buildEnv {
     name = "${postgresql.pname}-and-plugins-${postgresql.version}";
-    paths = f postgresql.pkgs ++ [
+    paths = installedExtensions ++ [
         postgresql
         postgresql.man   # in case user installs this into environment
     ];
 
     pathsToLink = ["/"];
 
-    passthru.version = postgresql.version;
+    passthru = {
-    passthru.psqlSchema = postgresql.psqlSchema;
+      inherit installedExtensions;
-    passthru.withJIT = postgresqlWithPackages {
+      inherit (postgresql)
+        psqlSchema
+        version
+      ;
+
+      withJIT = postgresqlWithPackages {
         inherit buildEnv;
         postgresql = postgresql.withJIT;
       } f;
-    passthru.withoutJIT = postgresqlWithPackages {
+      withoutJIT = postgresqlWithPackages {
         inherit buildEnv;
         postgresql = postgresql.withoutJIT;
       } f;
     };
+  };
 
 in
 # passed by <major>.nix