nixos/tmpfiles: properly escape argument option (NixOS#391318)

flokli · web-flow · commit d0b0e168c9e7 · 2025-04-02T15:52:08.000+01:00
diff --git a/nixos/modules/system/boot/systemd/tmpfiles.nix b/nixos/modules/system/boot/systemd/tmpfiles.nix
@@ -18,6 +18,14 @@ let
       inherit elemType placeholder;
     };
 
+  escapeArgument = lib.strings.escapeC [
+    "\t"
+    "\n"
+    "\r"
+    " "
+    "\\"
+  ];
+
   settingsOption = {
     description = ''
       Declare systemd-tmpfiles rules to create, delete, and clean up volatile
@@ -126,7 +134,7 @@ let
 
   # generates a single entry for a tmpfiles.d rule
   settingsEntryToRule = path: entry: ''
-    '${entry.type}' '${path}' '${entry.mode}' '${entry.user}' '${entry.group}' '${entry.age}' ${entry.argument}
+    '${entry.type}' '${path}' '${entry.mode}' '${entry.user}' '${entry.group}' '${entry.age}' ${escapeArgument entry.argument}
   '';
 
   # generates a list of tmpfiles.d rules from the attrs (paths) under tmpfiles.settings.<name>
@@ -199,7 +207,25 @@ in
           "boot.initrd.systemd.storePaths will lead to errors in the future."
           "Found these problematic files: ${lib.concatStringsSep ", " paths}"
         ]
-      );
+      )
+      ++ (lib.flatten (
+        lib.mapAttrsToList (
+          name: paths:
+          lib.mapAttrsToList (
+            path: entries:
+            lib.mapAttrsToList (
+              type': entry:
+              lib.optional (lib.match ''.*\\([nrt]|x[0-9A-Fa-f]{2}).*'' entry.argument != null) (
+                lib.concatStringsSep " " [
+                  "The argument option of ${name}.${type'}.${path} appears to"
+                  "contain escape sequences, which will be escaped again."
+                  "Unescape them if this is not intended: \"${entry.argument}\""
+                ]
+              )
+            ) entries
+          ) paths
+        ) cfg.settings
+      ));
 
     systemd.additionalUpstreamSystemUnits = [
       "systemd-tmpfiles-clean.service"
