From 5c898bec57e89cd4ceaf8d18140773fdba2447c8 Mon Sep 17 00:00:00 2001 From: Ivan Trubach Date: Mon, 20 Nov 2023 06:58:36 +0300 Subject: nixos/redis: loosen systemd address family restrictions Do not assume that port and unixSocket are the only options that affect address families used by Redis. There are other options, e.g. tls-port, and also clustered setup that are not covered by the declarative configuration. Instead of trying to selectively restrict unused address families based on the configuration, limit address families to IP and Unix sockets and let users lib.mkForce a stricter sandboxing is needed. See also https://docs.redis.com/latest/rs/networking/port-configurations/ --- nixos/modules/services/databases/redis.nix | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'nixos/modules/services/databases') diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix index 1464f4487e39..e2363ec3bc0e 100644 --- a/nixos/modules/services/databases/redis.nix +++ b/nixos/modules/services/databases/redis.nix @@ -393,9 +393,7 @@ in { ProtectKernelModules = true; ProtectKernelTunables = true; ProtectControlGroups = true; - RestrictAddressFamilies = - optionals (conf.port != 0) ["AF_INET" "AF_INET6"] ++ - optional (conf.unixSocket != null) "AF_UNIX"; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; RestrictNamespaces = true; LockPersonality = true; MemoryDenyWriteExecute = true; -- cgit v1.2.3