nixos/tmpfiles: properly escape argument option

The systemd.tmpfiles.settings.<name>.<path>.<type>.argument option may
contain arbitrary strings. This could allow intentional or unintentional
introduction of new configuration lines.

The argument field cannot be quoted, C‐style \xNN escape sequences are
however permitted. By escaping whitespace and newline characters, the
issue can be mitigated.

Author: illdefined

nixos/modules/system/boot/systemd/tmpfiles.nix

@@ -18,6 +18,14 @@ let
       inherit elemType placeholder;
     };
 
+  escapeArgument = lib.strings.escapeC [
+    "\t"
+    "\n"
+    "\r"
+    " "
+    "\\"
+  ];
+
   settingsOption = {
     description = ''
       Declare systemd-tmpfiles rules to create, delete, and clean up volatile
@@ -126,7 +134,7 @@ let
 
   # generates a single entry for a tmpfiles.d rule
   settingsEntryToRule = path: entry: ''
-    '${entry.type}' '${path}' '${entry.mode}' '${entry.user}' '${entry.group}' '${entry.age}' ${entry.argument}
+    '${entry.type}' '${path}' '${entry.mode}' '${entry.user}' '${entry.group}' '${entry.age}' ${escapeArgument entry.argument}
   '';
 
   # generates a list of tmpfiles.d rules from the attrs (paths) under tmpfiles.settings.<name>
@@ -199,7 +207,25 @@ in
           "boot.initrd.systemd.storePaths will lead to errors in the future."
           "Found these problematic files: ${lib.concatStringsSep ", " paths}"
         ]
-      );
+      )
+      ++ (lib.flatten (
+        lib.mapAttrsToList (
+          name: paths:
+          lib.mapAttrsToList (
+            path: entries:
+            lib.mapAttrsToList (
+              type': entry:
+              lib.optional (lib.match ''.*\\([nrt]|x[0-9A-Fa-f]{2}).*'' entry.argument != null) (
+                lib.concatStringsSep " " [
+                  "The argument option of ${name}.${type'}.${path} appears to"
+                  "contain escape sequences, which will be escaped again."
+                  "Unescape them if this is not intended: \"${entry.argument}\""
+                ]
+              )
+            ) entries
+          ) paths
+        ) cfg.settings
+      ));
 
     systemd.additionalUpstreamSystemUnits = [
       "systemd-tmpfiles-clean.service"