nixpkgs/nixos/modules/security
aszlig 46f7dd436f
nixos/confinement: Allow to configure /bin/sh
Another thing requested by @edolstra in [1]:

  We should not provide a different /bin/sh in the chroot, that's just
  asking for confusion and random shell script breakage. It should be
  the same shell (i.e. bash) as in a regular environment.

While I personally would even go as far to even have a very restricted
shell that is not even a shell and basically *only* allows "/bin/sh -c"
with only *very* minimal parsing of shell syntax, I do agree that people
expect /bin/sh to be bash (or the one configured by environment.binsh)
on NixOS.

So this should make both others and me happy in that I could just use
confinement.binSh = "${pkgs.dash}/bin/dash" for the services I confine.

[1]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-472855704

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-14 19:14:05 +01:00
..
wrappers nixos/wrappers: remove outdated upgrade code 2018-10-21 15:12:36 +02:00
acme.nix
acme.xml docs: format 2018-09-29 20:51:11 -04:00
apparmor-suid.nix apparmor-suid: don't force glibc 2018-10-30 19:50:47 -05:00
apparmor.nix
audit.nix
auditd.nix
ca.nix nixos: add preferLocalBuild=true; on derivations for config files 2019-02-22 20:11:27 +01:00
chromium-suid-sandbox.nix
dhparams.nix dhparams module: add self as maintainer 2018-10-31 01:05:35 +09:00
duosec.nix nixos/security: Fix pam configuration file generation. 2019-02-24 22:49:01 +00:00
google_oslogin.nix config.security.googleOsLogin: add module 2018-12-21 17:52:37 +01:00
hidepid.nix
hidepid.xml docs: format 2018-09-29 20:51:11 -04:00
lock-kernel-modules.nix nixos/lock-kernel-modules: add myself to maintainers 2018-10-15 01:33:30 +02:00
misc.nix nixos/security/misc: expose SMT control option 2018-12-27 15:00:49 +01:00
oath.nix
pam.nix nixos/security: Add duo-unix support to pam. 2019-02-24 22:48:56 +00:00
pam_mount.nix
pam_usb.nix
polkit.nix nixos/polkit: use tmpfiles to clean old dirs 2018-09-30 11:08:11 -07:00
prey.nix
rngd.nix nixos/rngd: do not pass --version flag 2018-11-05 10:41:38 +01:00
rtkit.nix
sudo.nix nixos: add preferLocalBuild=true; on derivations for config files 2019-02-22 20:11:27 +01:00
systemd-confinement.nix nixos/confinement: Allow to configure /bin/sh 2019-03-14 19:14:05 +01:00