Merge: nixos/postgresql: extension based hardening relaxation (#355010)

Author: Ma27

nixos/modules/services/databases/postgresql.nix

@@ -2,13 +2,15 @@
 
 let
   inherit (lib)
+    any
     attrValues
     concatMapStrings
     concatStringsSep
     const
     elem
     escapeShellArgs
     filterAttrs
+    getName
     isString
     literalExpression
     mapAttrs
@@ -31,19 +33,19 @@ let
 
   cfg = config.services.postgresql;
 
-  postgresql =
-    let
-      # ensure that
-      #   services.postgresql = {
-      #     enableJIT = true;
-      #     package = pkgs.postgresql_<major>;
-      #   };
-      # works.
-      base = if cfg.enableJIT then cfg.package.withJIT else cfg.package.withoutJIT;
-    in
-    if cfg.extraPlugins == []
-      then base
-      else base.withPackages cfg.extraPlugins;
+  # ensure that
+  #   services.postgresql = {
+  #     enableJIT = true;
+  #     package = pkgs.postgresql_<major>;
+  #   };
+  # works.
+  basePackage = if cfg.enableJIT
+    then cfg.package.withJIT
+    else cfg.package.withoutJIT;
+
+  postgresql = if cfg.extensions == []
+    then basePackage
+    else basePackage.withPackages cfg.extensions;
 
   toStr = value:
     if true == value then "yes"
@@ -61,6 +63,8 @@ let
 
   groupAccessAvailable = versionAtLeast postgresql.version "11.0";
 
+  extensionNames = map getName postgresql.installedExtensions;
+  extensionInstalled = extension: elem extension extensionNames;
 in
 
 {
@@ -69,6 +73,7 @@ in
 
     (mkRenamedOptionModule [ "services" "postgresql" "logLinePrefix" ] [ "services" "postgresql" "settings" "log_line_prefix" ])
     (mkRenamedOptionModule [ "services" "postgresql" "port" ] [ "services" "postgresql" "settings" "port" ])
+    (mkRenamedOptionModule [ "services" "postgresql" "extraPlugins" ] [ "services" "postgresql" "extensions" ])
   ];
 
   ###### interface
@@ -372,12 +377,12 @@ in
         '';
       };
 
-      extraPlugins = mkOption {
+      extensions = mkOption {
         type = with types; coercedTo (listOf path) (path: _ignorePg: path) (functionTo (listOf path));
         default = _: [];
         example = literalExpression "ps: with ps; [ postgis pg_repack ]";
         description = ''
-          List of PostgreSQL plugins.
+          List of PostgreSQL extensions to install.
         '';
       };
 
@@ -639,7 +644,7 @@ in
             PrivateTmp = true;
             ProtectHome = true;
             ProtectSystem = "strict";
-            MemoryDenyWriteExecute = lib.mkDefault (cfg.settings.jit == "off");
+            MemoryDenyWriteExecute = lib.mkDefault (cfg.settings.jit == "off" && (!any extensionInstalled [ "plv8" ]));
             NoNewPrivileges = true;
             LockPersonality = true;
             PrivateDevices = true;
@@ -663,10 +668,12 @@ in
             RestrictRealtime = true;
             RestrictSUIDSGID = true;
             SystemCallArchitectures = "native";
-            SystemCallFilter = [
-              "@system-service"
-              "~@privileged @resources"
-            ];
+            SystemCallFilter =
+              [
+                "@system-service"
+                "~@privileged @resources"
+              ]
+              ++ lib.optionals (any extensionInstalled [ "plv8" ]) [ "@pkey" ];
             UMask = if groupAccessAvailable then "0027" else "0077";
           }
           (mkIf (cfg.dataDir != "/var/lib/postgresql") {

nixos/modules/services/web-apps/immich.nix

@@ -227,7 +227,7 @@ in
           ensureClauses.login = true;
         }
       ];
-      extraPlugins = ps: with ps; [ pgvecto-rs ];
+      extensions = ps: with ps; [ pgvecto-rs ];
       settings = {
         shared_preload_libraries = [ "vectors.so" ];
         search_path = "\"$user\", public, vectors";

nixos/modules/services/web-apps/mobilizon.nix

@@ -383,7 +383,7 @@ in
           ensureDBOwnership = false;
         }
       ];
-      extraPlugins = ps: with ps; [ postgis ];
+      extensions = ps: with ps; [ postgis ];
     };
 
     # Nginx config taken from support/nginx/mobilizon-release.conf

nixos/tests/postgresql/anonymizer.nix

@@ -20,7 +20,7 @@ let
             inherit package;
             enable = true;
             enableJIT = lib.hasInfix "-jit-" package.name;
-            extraPlugins = ps: [ ps.anonymizer ];
+            extensions = ps: [ ps.anonymizer ];
             settings.shared_preload_libraries = [ "anon" ];
           };
         };

nixos/tests/postgresql/pgjwt.nix

@@ -24,7 +24,7 @@ let
             inherit package;
             enable = true;
             enableJIT = lib.hasInfix "-jit-" package.name;
-            extraPlugins =
+            extensions =
               ps: with ps; [
                 pgjwt
                 pgtap

nixos/tests/postgresql/pgvecto-rs.nix

@@ -38,7 +38,7 @@ let
             inherit package;
             enable = true;
             enableJIT = lib.hasInfix "-jit-" package.name;
-            extraPlugins =
+            extensions =
               ps: with ps; [
                 pgvecto-rs
               ];

nixos/tests/postgresql/postgresql.nix

@@ -14,35 +14,59 @@ let
       postgresql-clauses = makeEnsureTestFor package;
     };
 
-  test-sql = pkgs.writeText "postgresql-test" ''
-    CREATE EXTENSION pgcrypto; -- just to check if lib loading works
-    CREATE TABLE sth (
-      id int
+  test-sql =
+    enablePLv8Test:
+    pkgs.writeText "postgresql-test" (
+      ''
+        CREATE EXTENSION pgcrypto; -- just to check if lib loading works
+        CREATE TABLE sth (
+          id int
+        );
+        INSERT INTO sth (id) VALUES (1);
+        INSERT INTO sth (id) VALUES (1);
+        INSERT INTO sth (id) VALUES (1);
+        INSERT INTO sth (id) VALUES (1);
+        INSERT INTO sth (id) VALUES (1);
+        CREATE TABLE xmltest ( doc xml );
+        INSERT INTO xmltest (doc) VALUES ('<test>ok</test>'); -- check if libxml2 enabled
+      ''
+      + lib.optionalString enablePLv8Test ''
+        -- check if hardening gets relaxed
+        CREATE EXTENSION plv8;
+        -- try to trigger the V8 JIT, which requires MemoryDenyWriteExecute
+        DO $$
+          let xs = [];
+          for (let i = 0, n = 400000; i < n; i++) {
+              xs.push(Math.round(Math.random() * n))
+          }
+          console.log(xs.reduce((acc, x) => acc + x, 0));
+        $$ LANGUAGE plv8;
+      ''
     );
-    INSERT INTO sth (id) VALUES (1);
-    INSERT INTO sth (id) VALUES (1);
-    INSERT INTO sth (id) VALUES (1);
-    INSERT INTO sth (id) VALUES (1);
-    INSERT INTO sth (id) VALUES (1);
-    CREATE TABLE xmltest ( doc xml );
-    INSERT INTO xmltest (doc) VALUES ('<test>ok</test>'); -- check if libxml2 enabled
-  '';
 
   makeTestForWithBackupAll =
     package: backupAll:
+    let
+      enablePLv8Check = !package.pkgs.plv8.meta.broken;
+    in
     makeTest {
       name = "postgresql${lib.optionalString backupAll "-backup-all"}-${package.name}";
       meta = with lib.maintainers; {
         maintainers = [ zagy ];
       };
 
       nodes.machine =
-        { ... }:
+        { config, ... }:
         {
           services.postgresql = {
             inherit package;
             enable = true;
             enableJIT = lib.hasInfix "-jit-" package.name;
+            # plv8 doesn't support postgresql with JIT, so we only run the test
+            # for the non-jit variant.
+            # TODO(@Ma27) split this off into its own VM test and move a few other
+            # extension tests to use postgresqlTestExtension.
+            extensions = lib.mkIf enablePLv8Check (ps: with ps; [ plv8 ]);
           };
 
           services.postgresqlBackup = {
@@ -69,7 +93,7 @@ let
 
           with subtest("Postgresql is available just after unit start"):
               machine.succeed(
-                  "cat ${test-sql} | sudo -u postgres psql"
+                  "cat ${test-sql enablePLv8Check} | sudo -u postgres psql"
               )
 
           with subtest("Postgresql survives restart (bug #1735)"):

nixos/tests/postgresql/timescaledb.nix

@@ -54,7 +54,7 @@ let
             inherit package;
             enable = true;
             enableJIT = lib.hasInfix "-jit-" package.name;
-            extraPlugins =
+            extensions =
               ps: with ps; [
                 timescaledb
                 timescaledb_toolkit

nixos/tests/postgresql/tsja.nix

@@ -21,7 +21,7 @@ let
             inherit package;
             enable = true;
             enableJIT = lib.hasInfix "-jit-" package.name;
-            extraPlugins =
+            extensions =
               ps: with ps; [
                 tsja
               ];

nixos/tests/postgresql/wal2json.nix

@@ -17,7 +17,7 @@ let
           inherit package;
           enable = true;
           enableJIT = lib.hasInfix "-jit-" package.name;
-          extraPlugins = with package.pkgs; [ wal2json ];
+          extensions = with package.pkgs; [ wal2json ];
           settings = {
             wal_level = "logical";
             max_replication_slots = "10";