nixos/cryptpad: fix service with nodejs 22.11 (for real)#372342

Merged
fricklerhandwerk merged 1 commit into NixOS:master from martinetd:cryptpad
Mar 25, 2025
@martinetd
Member

The previous fix had only been tested locally through a runtime edit of the service, and the order in which @chown had been re-added was different so commit cf498c1 ("nixos/cryptpad: fix service with nodejs 22.11") did not actually fix the issue.

This properly orders @chown after @PRIVILEGED so the rule is respected, and also properly denies with EPERM instead of allowing the chown family of syscalls: this will properly prevent seccomp from killing nodejs while still disallowing fchown()

Fixes #370717

Things done

I properly ran the nixosTests.cryptpad this time, but let's wait for ofborg to run it as well just to make sure...

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

The previous fix had only been tested locally through a runtime edit of
the service, and the order in which @chown had been re-added was
different so commit cf498c1 ("nixos/cryptpad: fix service with
nodejs 22.11") did not actually fix the issue.

This properly orders @chown after @PRIVILEGED so the rule is respected,
and also properly denies with EPERM instead of allowing the chown family
of syscalls: this will properly prevent seccomp from killing nodejs
while still disallowing fchown()

Fixes NixOS#370717
@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Jan 9, 2025
@github-actions github-actions bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. labels Jan 9, 2025
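
Why the ordering described in the pull request matters, as an added example that is not part of the pull request or the cryptpad module: a simplified Python model of how systemd merges `SystemCallFilter=` entries in allow-list mode. The abbreviated group contents and the three filter lists are constructed assumptions, not the module's real values.

```python
# Simplified model of SystemCallFilter= merging in allow-list mode (systemd.exec(5)).
# Group contents are abbreviated assumptions; the real sets are much larger.
CHOWN = {"chown", "fchown", "fchownat", "lchown"}
GROUPS = {
    "@chown": CHOWN,
    "@privileged": CHOWN | {"chroot", "mount", "reboot"},  # @privileged nests @chown
    "@system-service": CHOWN | {"read", "write", "openat"},
}


def build_allowlist(entries):
    """Merge entries in order; return {syscall: "allow" or an errno name}."""
    if entries[0].startswith("~"):
        raise ValueError("this model only covers filters that start as an allow list")
    table = {}
    for entry in entries:
        name, _, errno_name = entry.lstrip("~").partition(":")
        for syscall in GROUPS.get(name, {name}):
            if entry.startswith("~"):
                table.pop(syscall, None)  # removed: falls back to the default action
            else:
                table[syscall] = errno_name or "allow"  # a later entry overrides
    return table


def verdict(entries, syscall, default="kill"):
    """Action taken for syscall; calls not in the table get the default (kill)."""
    return build_allowlist(entries).get(syscall, default)


# Constructed filter lists illustrating the three orderings discussed in the thread.
CHOWN_BEFORE = ["@system-service", "@chown", "~@privileged"]       # re-add is undone
CHOWN_ALLOWED = ["@system-service", "~@privileged", "@chown"]      # fchown() permitted
CHOWN_EPERM = ["@system-service", "~@privileged", "@chown:EPERM"]  # fchown() gets EPERM

if __name__ == "__main__":
    for label, entries in [("@chown before ~@privileged", CHOWN_BEFORE),
                           ("@chown after ~@privileged", CHOWN_ALLOWED),
                           ("@chown:EPERM after ~@privileged", CHOWN_EPERM)]:
        print(f"{label:34} fchown -> {verdict(entries, 'fchown')}")
```
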
@martinetd
Member Author

ofborg barfed on x86-64 linux:

The following builds were skipped because they don't evaluate on x86_64-linux: nixos/cryptpad, nixos/cryptpad.passthru.tests

Not sure this will be of much help, but retrying...
@ofborg build nixosTests.cryptpad

@martinetd
Member Author

nixosTests.cryptpad on x86_64-linux — Success

sounds better! Thanks for waiting, this is good for me.

Contributor

@Erethon Erethon left a comment

Change makes sense and LGTM. The test now passes when I run it.

@Erethon Erethon added the 12.approvals: 1 This PR was reviewed and approved by one person. label Feb 13, 2025
Contributor

@eljamm eljamm left a comment

Can confirm that this fixes the NixOS test, thanks!

@eljamm eljamm added 12.approvals: 2 This PR was reviewed and approved by two persons. and removed 12.approvals: 1 This PR was reviewed and approved by one person. labels Mar 25, 2025
@fricklerhandwerk fricklerhandwerk merged commit fb5e34f into NixOS:master Mar 25, 2025
1 check passed
Development

Successfully merging this pull request may close these issues.

Build failure: nixosTests.cryptpad

4 participants