nixos: add functions and documentation for escaping systemd Exec* directives #154113

Merged
pennae merged 1 commit into NixOS:master from pennae:systemd-escaping
Mar 13, 2022
@pennae pennae commented Jan 9, 2022

Motivation for this change

we've seen a couple new modules recently that came with subtly wrong ExecStart directives. while they'd work most of the time they could fail in surprising ways if users were to add a % or $ in a module argument.

to make it easier to avoid such problems this adds a few escaping functions specifically for systemd Exec directives and some documentation on how to use them.

Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 22.05 Release Notes (or backporting 21.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
    • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
  • Fits CONTRIBUTING.md.

@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: documentation This PR adds or changes documentation labels Jan 9, 2022
@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. labels Jan 9, 2022
Member

@roberth roberth left a comment


This is very good to have.

I think we should have a safe, submodule representation. Here's a design if you're interested #154123

Member


Should we maybe have .splitlines() here, to ensure it does not match e.g. semicolon in the middle of a line?

Contributor Author


that sounds sensible. there's a slight catch that toString for floats produces six fractional digits where one might expect less, but that's easy enough to work around.

…ectives

it's really easy to accidentally write the wrong systemd Exec* directive, ones
that work most of the time but fail when users include systemd metacharacters
in arguments that are interpolated into an Exec* directive. add a few functions
analogous to escapeShellArg{,s} and some documentation on how and when to use them.
@pennae pennae merged commit aa7b129 into NixOS:master Mar 13, 2022
@pennae pennae deleted the systemd-escaping branch March 24, 2022 08:03
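
The failure mode this PR describes, as an added example that is not code from the PR: a user-supplied value containing `%`, `$`, quotes and spaces is interpolated into an Exec* line directly, then passed through an escaping helper. The helper names `escapeExecArg` and `escapeExecArgs`, the binary path and the sample value are hypothetical, and quoting with `builtins.toJSON` before doubling `%` and `$` is an assumption about one way to do this escaping.

```nix
# Added example, not code from the PR. Evaluate offline with:
#   nix-instantiate --eval --strict example.nix
let
  # Hypothetical helper: quote one argument for a systemd Exec* line.
  # builtins.toJSON produces a double-quoted string with backslash escapes;
  # doubling % and $ afterwards keeps systemd from reading them as the
  # start of a specifier or of an environment variable reference.
  escapeExecArg = arg:
    let
      s =
        if builtins.isString arg then arg
        else if builtins.isInt arg then toString arg
        else throw "escapeExecArg: only strings and integers are accepted";
    in
    builtins.replaceStrings [ "%" "$" ] [ "%%" "$$" ] (builtins.toJSON s);

  # Hypothetical helper: escape every argument and join them with spaces.
  escapeExecArgs = args: builtins.concatStringsSep " " (map escapeExecArg args);

  # Constructed sample: a value a user might set in a module option.
  motd = "50%h off, ask $USER \"today\"";
  bin = "/bin/example-daemon"; # hypothetical binary path
in
{
  # Plain interpolation: the user's %, $, quotes and spaces reach systemd raw.
  unsafe = "${bin} --motd ${motd} --port ${toString 8080}";

  # Escaped: each argument arrives as one quoted word with % and $ doubled.
  safe = escapeExecArgs [ bin "--motd" motd "--port" 8080 ];
}
```

Comparing the two attributes shows what a module author should put in `ExecStart`: the `unsafe` string lets the option value change how systemd splits and expands the command line, while the `safe` string keeps it a single literal argument.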